UNSECURITY Podcast – Episode 97 Show Notes

Good morning! Happy Tuesday!

Thinking Brad is back again this week. I dig that because I dig Brad!

Last week, Brad was out feeling sick. This led to a solo recording of the UNSECURITY Podcast; go check out episode 96 if you want to hear me do my most awkward podcast yet.

Busy, Busy, Busy

We’ve been very busy around here, and it sounds like many of you are too. There are many good signs recently that the economy may be rebounding. The positives:

  • Elections – although the next 50ish days are going to be chaotic, there will be some settling in after the elections are complete. Regardless of which way you swing (blue or red), the completion of an election cycle brings a sense of stability.
  • COVID-19 – there’s been a lot of positive news about medical treatments and possible vaccines. The sooner we can put the pandemic behind us, the better. Once the pandemic is behind us (closer with each passing day), the economy should settle.
  • Markets – the stock and housing markets have held there own through all the chaos of 2020. This is a good sign of good things ahead in our opinion.

Busy is good, and it would take a small book to tell you all the good things going on at SecurityStudio and FRSecure! SecurityStudio is well on it’s way to being a very healthy and profitable SaaS company and FRSecure is exploring expansion (acquisition, merger, and/or geographic expansion).

I sincerely hope you and your family are well!

Why Can’t We All Just Get Along?

Today’s topic is about our divisiveness in world today and what it means to our industry. We’ll be careful to be respectful of other people’s opinions as we navigate these waters, and this may be a good segue into a future series we’ve been thinking about recently; “Politics and Information Security”.

Let’s get on it. The show notes…


SHOW NOTES – Episode 97

Date: Tuesday, September 8st, 2020

Episode 97 Topics

  • Opening
  • Catching Up
  • Why Can’t We All Just Along?
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning everyone. Thanks for tuning in. The date is September 15th, 2020 and this is episode 97 of the UNSECURITY Podcast! I’m your host, Evan Francen, and back with me this week is my good friend, Brad Nigh! Good morning Brad.

[Brad] Good things from this dude.

[Evan] Well, you were out ill last week. How you feeling? What’s new?

Catching Up

[Evan] Regular listeners to our show know that Brad and I normally start off with catching up with each other. Let’s do it.

Topics:

[Evan] Did you get a chance to hear last week’s episode? It was definitely awkward doing the show alone for the first time!

Transition

Why Can’t We All Just Get Along?

[Evan] It’s crazy how much information security reflects life and vice versa. I’ve been thinking about what our next series should be, and I’m always interested in tackling serious topics. We’re in the middle of an election cycle right now and I can’t remember a time when our country has been more divided than it is today. Me being me, I want to talk about it with you (Brad).

What are your first thoughts about the divisiveness in our country today?

[Brad] Chimin’ in.

[Evan] Here’s what I’d like to explore with you:

  • General divisiveness (political, social, information security, etc.)
    • Intimidation/bullying for sharing your thoughts, opinions, disagreements, etc.
    • When you find someone being a jerk or speaking/writing nonsense.
  • Outside Influences to Information Security
    • Today’s political climate.
    • Where do we find facts vs. opinions?
  • Within Information Security
    • How do we think our divisiveness affects information security?
    • Putting down others (competition, other professionals, etc.).
    • The divide between us and the business.
  • A couple of podcast reviews.

 

[Evan] I’m thinking about doing a series titled “Politics and Information Security”. We could interview special guests form both sides of the isle and get their opinions on all sorts of things. What would set us apart is respectfulness. We would do this in a way that respects opinions without attacking and bullying. This could be a great opportunity to set an example for others on how to discuss hot topics without beating each other up. What do you think?

[Brad] We’ll see what he thinks…

[Evan] The timing seems right to do a series like this. Alright. More to come on that! Let’s do newsy stuff now.

News

[Evan] Here’s some news I thought was interesting:

Wrapping Up – Shout outs

[Evan] OK. That’s about it. Episode 97 is almost a wrap. Brad, any shout outs this week?

[Brad] Shout out…

[Evan] It’s nice to have you back man. We’re very grateful for our listeners and we love hearing from you. Send us messages by email at unsecurity@protonmail.com or check us out on Twitter, @UnsecurityP.

If you wanna socialize with me or Brad directly, we dare you! I’m @evanfrancen, and Brad’s @BradNigh. We work for people and if you want to follow those people, SecurityStudio is @studiosecurity and FRSecure is @FRSecure.

That’s it, talk you all again next week!

The UNSECURITY Podcast – Episode 93 Show Notes – DEFCON & Team Ambush

Hey reader person, hope you are well!

Today marks the seventh day since I left the 80th annual Sturgis Motorcycle Rally. My wife and I do not show any COVID symptoms, so that’s good news. Only 7 more days of self-isolation and we’ll be back to semi-normal (assuming there is such a thing anymore).

Women In Security Series

Last week was the ninth, and final, installment in the Women in Security Series. It was a great experience for Brad and me. I may post a full write up soon, including the things we learned and places people can go to help (or for help). For now, here was the all-star lineup:

  • Part OneEpisode 84 – Renay Rutter (an information security business/IT executive)
  • Part TwoEpisode 85 – Lori Blair (a 35-year information security veteran)
  • Part ThreeEpisode 86 – Victoria Fogarty (relatively new to the industry)
  • Part FourEpisode 87 – Kristin Judge (founder and CEO of the Cybercrime Support Network, SC Media “Women in IT Security Influencer” in 2017, former Director of Government Affairs at the National Cyber Security Alliance (NCSA), thought leader, and all-around amazing information security expert)
  • Part FiveEpisode 88 – Andrea Hatcher (Senior majoring in Cybersecurity Analytics and Operations at Pennsylvania State University)
  • Part SixEpisode 89 – Judy Hatchett (Information security corporate leader and expert formerly with Accenture, Best Buy, SUPERVALU, 3M, Fairview Health Services, and current VP, Information Security and CISO at Surescripts)
  • Part SevenEpisode 90 – Amy McLaughlin (Information security leader and expert in education, having served with the State of Oregon, the Consortium for School Network (CoSN), Chemeketa Community College, and Oregon State University)
  • Part EightEpisode 91 – Theresa Semmens (Chief Information Security Officer at the Nevada System of Higher Education, former AVP/Chief Information Security Officer at the University of Miami, and former Chief Information Security Officer at North Dakota State University)
  • Part NineEpisode 92 – Lee Ann Villella (Senior Enterprise Security Sales Consultant at FRSecure, Program Director for the Minnesota Chapter of the Information Systems Security Association, and member of the Cyber Security Summit Advisory Board Committee)

A HUGE thanks to all the women who gave their time to talk to us!

What’s Up Next

This week, we’re going to catch up with a good friend (fresh back from DEF CON) and then we may delve into another series.

A Good Friend

We’re going to take this week (episode 93) to catch up with FRSecure’s Director of Technical Solutions and Services, Oscar Minks. Oscar leads FRSecure’s Technical Services Team, a group of amazing information security experts who provide world-class incident response and best-in-class technical services (penetration testing, blue teaming, red teaming, purple teaming, research, etc., etc.).

The timing is perfect because Oscar’s back after DEF CON Safe Mode and the team impressed a helluva lot of folks there!

While my wife and I were in Sturgis, FRSecure’s Team Ambush was awake for many, many hours competing at DEF CON Safe Mode. The team competed in four events over the four day online conference; CMD+CTRL, OpenSOC Blue Team Village CTF, Biohacking Device Lab CTF, and Hack the Plan[e]t.

Last year, the team kicked ass in the Warl0ck Gam3s CTF, but that’s old news now. Warl0ck Gam3s CTF is gone this year, and it was time for these guys to switch things up.

CMD+CTRL

A description provided by the organizers:

Learn to see web applications from an attacker’s perspective. CMD+CTRL is an immersive hacking experience designed to teach the fundamentals of web application security. Explore vulnerable web applications, discover security flaws, and exploit those flaws to earn points and climb up the leaderboard.

After attacking an application for yourself, you’ll have a better understanding of the vulnerabilities that put real applications at risk – and you’ll be better prepared to find and fix those vulnerabilities in your own code.

Remember that these websites are intentionally vulnerable, so any information sent to these sites is not secure. Never enter any sensitive information on these sites, including passwords, credit card numbers, or Social Security Numbers.

200 teams competed in this “Security Innovation cyber range” and our guys finished 2nd, only 50 points behind the winning team, n0j,

Full results are here.

OpenSOC Blue Team Village CTF

OpenSOC is a Digital Forensics, Incident Response (DFIR), and Threat Hunting challenge meant to teach and test practical incident response skills in an environment that’s as close to “the real thing” as it gets. This isn’t just another CTF. The platform was built to train real-world responders how to handle real-world situations.

There were more than 800 participants, more than 500 challenges, more than 350 teams, and more than 20 hours of  content in this CTF.

Team Ambush took home 9th place, finishing with the same number of points as the winning team. In a tie, the team that finished first wins.

Biohacking Device Lab CTF

This CTF was a little out of our team’s comfort zone, but this didn’t stop them from excelling! Some of the stats:

  • 30 volunteers building infrastructure, creating challenges, verifying flags, and solving support issues
  • 2 medical devices, connected in a volunteer’s home (not connected TO the volunteer)
  • 1 CTF vulnerability reported, fixed, and disclosed
  • 200+ players on 150+ teams from 15+ countries
  • 14,000+ flag submissions, with 5,700+ solves, on 150+ challenges
  • 150,000+ total points scored over 75 consecutive hours

Team Ambush took 7th! This is amazing considering most of our team had very little experience hacking medical devices.

Hack the Plan[e]t

Hack the Plan[e]t is a first-of-its-kind CTF: a slice of modern city life integrating both Internet of Things (IoT) and ICS environments with interactive components for competitors to test their skills and knowledge. Play for a few minutes or plan to stay for many hours as the challenge grows. The ICS Village will deliver a compelling experience using real IT and industrial equipment for all skill levels and practitioner types.

This CTF had 275 registered users, and Team Ambush placed 16th. The full scoreboard is here; https://hacktheplanet.ctfd.io/scoreboard

Really looking forward to this episode with Oscar. Oh, by the way, Brad Nigh (my co-host) also participated!

Another Series

We’re kicking around some ideas for our next series, and so far the leading candidate is a “Security in Healthcare” series. Stay tuned!

Let’s get to it!

Brad was supposed to lead the show this week, but since he participated at DEF CON with Oscar, I’m (Evan) going to take it. These are my notes.


SHOW NOTES – Episode 93

Date: Monday, August 17th, 2020

Episode 93 Topics

  • Opening
  • Catching Up
  • Closing Out the Women in Security Series
  • DEF CON Safe Mode & Team Ambush
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning. Thanks for tuning into the UNSECURITY Podcast. I’m Evan Francen, my co-host is Mr. Brad Nigh, this is episode 93, and the date is August 17th, 2020. Brad, Good morning!

[Brad] You know and love Brad! Brad will chime in here because he’s cool and stuff.

[Evan] Also joining us is my good friend and FRSecure’s awesome Director of Technical Solutions and Services, Oscar Minks. Good morning and welcome Oscar!

[Oscar] He does what Oscar does.

[Evan] It’s been a while since we had you on the show Oscar, and I’m super excited to talk to you about your team’s performance at DEF CON Safe Mode this year! Before we dive in though, let’s do what we always do first, catch-up a little.

Catching Up

Quick discussion about last week, the weekend, or whatever else comes to mind.

  • How are you guys?
  • Tell me about your weekend quick.
  • Anything in particular that you’re excited about?

[Evan] Brad, what’s up? What have you been up to and how was your weekend?

[Brad] Gives us the skinny…

[Evan] Oscar, your turn brother. Tell us things.

[Oscar] He tells us things.

[Evan] Alright, I guess it’s my turn now. Here’s my update…

Transition

Closing Out the Women in Security Series

[Evan] As you know, we just wrapped up our Women in Security Series. We hope that everyone enjoyed it and we also hope we’re all better off for it. Huge thank you to Renay, Lori, Victoria, Kristin, Andrea, Judy, Amy, Theresa, and Lee Ann! We talked to some incredible people during that series!

Brad, what’s one thing that sticks out for you?

[Brad] Gives us his one thing. 🙂

[Evan] Yeah, the one thing that sticks out for me is how important it is for us all to help each other, regardless of gender, race, background or anything else. People who shut others out or make them at all feel uncomfortable are jerks.

DEF CON Safe Mode & Team Ambush

[Evan] Alright, on to you Oscar! Tell us about DEF CON Safe Mode. You too Brad, I hear you did some work with the team also.

Open discussion about DEF CON, Team Ambush, the process, the results, etc.

30 minutes(ish)

[Evan] I’m so proud of you guys and the team! You’re not only VERY skilled, but you all do things right. We need to have you back on a future show so you can share how you build teams. People could really learn from you about how to build an incredible team and how to keep them together!

How about some quick news stuff? A few stories to cover quick. Oscar, you got chops, you can stay and comment if you’d like. Just chime in.

News

[Evan] Alright, here’s some newsy things that I thought were interesting this past week:

Wrapping Up – Shout outs

[Evan] Alright, it’s that time again. We’re at the end of the show and we get time to give a shout out or two.

Do either of you have shout outs to give this week?

[Brad and/or Oscar] We’ll see.

[Evan] Oscar, thanks for joining us again! Team Ambush kicked ass this year and I’m pumped to see what the team does over the next year.

Got questions or suggestions for us? Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Mr. Nigh is @BradNigh.

Oscar, you’re a relatively quiet guy online. Is there a particular way you want people to find you?

Lastly, be sure to follow our show on Twitter (@UnsecurityP), and follow the companies we work for, SecurityStudio (@studiosecurity) and FRSecure (@FRSecure).

That’s it, talk you all again next week!

The UNSECURITY Podcast – Episode 69 Show Notes – Who does what?

After last week’s BSOD on Brad’s laptop…

We were 50+ minutes into last week’s podcast when Windows said no more. The operating system crash brought episode 68 to a dead halt before we had a chance to cover the last part of our Roles and Responsibilities series. So, instead of two parts, we’re doing three. This is how it all worked out:

I’m excited about this episode because it hits close to home. It should hit close to home with everyone!

RSA Conference

We’ll also talk about last week’s RSA Conference in this show. SecurityStudio sent seven people to the conference this year, and here are some highlights we will discuss:

  • The theme for the conference this year was “Human Element”.

  • Roughly 36,000 attendees this year.
  • San Francisco’s State of Emergency, mid-conference
  • The money grab was alive and well (literally).

This slideshow requires JavaScript.

  • SecurityStudio’s first appearance as a sponsor.

This slideshow requires JavaScript.

    • Gave away 1,000 free, signed copies of UNSECURITY.

This slideshow requires JavaScript.

    • We became known as counterculture (which was super cool).
    • The theme “Mission before $” was born and etched onto each book.
    • We made (at least) 961 new friends.

This slideshow requires JavaScript.

Overall, the RSA Conference was a great experience for everyone and a huge success for SecurityStudio.

On to this week’s show notes…


SHOW NOTES – Episode 69

Date: Monday, March 2nd, 2020

Show Topics:

Our topics this week:

  • Opening
    • What’s up?
    • One thing.
  • RSA Conference
  • Information Security Roles and Responsibilities (Part 3 of 3)
    • Last week, quick recap of roles and responsibilities (at work).
    • People are creatures of habit.
    • SIMPLIFY – What are things we can do?
    • At home:
      • Information security, privacy, and safety cannot be separated.
      • Parent
      • Spouse
      • Children
    • What should every “normal” person know about information security?
    • The importance of definition, formality, and communication.
  • News
Opening

[Evan] Hi again UNSECURITY podcast listeners! My name is Evan Francen and this is episode 69. The date is March 2nd, 2020. Joining me in studio is my co-host, Brad Nigh. Good morning Brad!

[Brad] Rumor has it, he’s been working hard on some IR work. Let’s see if he’s in the mood to talk this morning.

[Evan] It’s great to be back in the office and good to be here. We have a really good show for our listeners this week, but before we dive in, let’s catch up. Brad, tell me about your week.

Catching up

Some back and forth happens here.

[Evan] I’m behind on just about everything. Hoping for a good catch-up week!

RSA Conference

[Evan] So, there was this RSA Conference thingy last week. Let’s talk about it.

RSA Conference discussion. What we learned and what we wish we hadn’t.

[Evan] We’ll invite some of the interesting people from RSA to join us a future guests.

Information Security Roles and Responsibilities (Part 3 of 3) – Micro Level (at home)

[Evan] OK. So last week, we had a nice visit from the BSOD genie. Probably a good thing because we were going sort of long anyway. We originally planned two episode for Roles and Responsibilities, but instead we’ve got three now. No big deal. I’m looking forward to this talk with you Brad! What do you think about the series thus far?

[Brad] His opinions…

Last week, quick recap of roles and responsibilities (at work).

[Evan] We’ve talked about roles and responsibilities at a macro level and we’ve talked about roles and responsibilities within an organization. Now, let’s talk about roles and responsibilities at home. I know that you and I both are very conscious of information security at home.

Roles and Responsibilities at Home:

  • People are creatures of habit.
  • SIMPLIFY – What are things we can do?
  • Information security, privacy, and safety cannot be separated.
  • Roles
    • Parent
    • Spouse
    • Children
  • What should every “normal” person know about information security?
  • The importance of definition, formality, and communication.

[Evan] Great conversation. These things will all be covered in our book, and I’m really looking forward to finishing it with you. This book could help tons of people! Alright, as usual, let’s get to some news.

News

[Evan] Here’s what we’ve got for news this week:

Bonus, maybe a future episode; This breast cancer advocate says she discovered a Facebook flaw that put the health data of millions at riskhttps://www.cnn.com/2020/02/29/health/andrea-downing-facebook-data-breach-wellness-trnd/index.html

Closing

[Evan] There you have it. Episode 69. It’s good to be home this week.

[Evan] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet sometimes. I’m @evanfrancen, and Brad’s @BradNigh. Check out @studiosecurity and @FRSecure frequently. They’re always posting good things! Is FRSecure out at SecureWorld North Carolina this week? Lots going on and lots of chatter!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 68 Show Notes – Who does what?

Trying to get back to posting show notes on Fridays. We’ll see…

The Week

It’s been another amazing week at SecurityStudio and FRSecure! I was in the office all week, so I got to see some of the magic first hand. You’d be amazed, truly.

OUR PEOPLE ARE INCREDIBLE! (yes, I shouted that).

Some of the things that come to mind right now:

  • Discussions and meetings with awesome people like Chris Roberts, Steve Hawkins, Mike Johnson, Augustine Doe, Jeremy Swenson, and Devin Harris this week. Each of them is awesome in their own way. Had lots of meetings this week, but these are the ones that stand out right now. Giving them all shout outs. They are wonderful people.
  • Brad’s kickin’ butt on some new service offerings, including a new CMMC readiness assessment. Checked out his executive summary report mock-up, and it’s sweet!
  • One of our analysts, “Ben” (he’s been on the podcast show before) has discovered some (16ish) significant potential/confirmed breaches of data in his research. Learning a ton about responsible disclosure. 😉
  • Lunch with John Harmon, FRSecure’s president on Thursday was incredible. We ate some sweet BBQ and talked strategy. This dude has some great ideas and I’m pumped about what he’s up to!
  • Ryan (“cola”) Cloutier is a machine. Opening doors, making a difference in education (K-12 & higher ed), and taking things global (UK, Australia, APAC, etc.). Letting this guy do his thing.
  • The marketing stuff and coordination for RSA next week is all set, thanks to the leadership of Andy Forsberg. This dude’s got in under control! There are seven SecurityStudio people heading out to RSA next week and we’ve all got brand new blue Nike’s and brand new blue branded T-shirts, not to mention 1,000 books to give away, and all the details. Excited to go have some fun with this group next week! (P.S. I think I got Andy hooked on Rockstar Energy drinks. I’m a bad influence, and I’m sorry.)

I could write something about every person here. The ALL pour their heart and soul into our mission of fixing this broken industry. They ALL understand that information security isn’t about information or security as much as it is about people. There are no words to describe the experience of working on this mission with this amazing group!

Breathe

OK, enough braggin’ for now, we got a podcast to do.

In last week’s show, Brad and I discussed the topic of information security roles and responsibilities at a macro level. We gave our opinions about the role of government, the role of business, the role of schools, etc. This week, we’re going to take the same topic and apply it at a micro level.

This is sure to be a great discussion!


SHOW NOTES – Episode 68

Date: Monday, February 24th, 2020

Show Topics:

Our topics this week:

  • Opening
    • What’s up?
    • One thing.
  • Information Security Roles and Responsibilities (Part 2 of 2)
    • Last week, quick recap of roles and responsibilities at a macro level.
    • The importance of definition, formality, and communication.
    • SIMPLIFY and operationalize.
    • At work:
      • Executive Management
      • CISO (or similar), two jobs.
      • IT
      • Legal
      • Everyone else.
    • At home:
      • Information security, privacy, and safety cannot be separated.
      • Parent
      • Spouse
      • Children
    • What are things we can do to simplify and operationalize?
    • What should every “normal” person know about information security?
  • News
Opening

[Brad] Good morning UNSECURITY podcast listeners! I’m Brad Nigh and this is episode 68. The date is February 24th, 2020. Joining me in studio is my co-host, Brad Nigh. Good morning Evan!

[Evan] Stuff and things…

[Brad] We have a great show planned today. Before we dive in, let’s catch up. Crazy week behind us and another crazy one ahead! What’s going on?

Catching up

Some back and forth happens here.

[Brad] Wow! Alright, let’s shift gears now a little. Last week, we talked about information security roles and responsibilities. Not the most exciting topic, but an absolutely critical one for sure! We’re approaching this topic from two different perspectives, from a macro level and a micro level. Last week was part one, the macro level. This week is part two, the micro level. You ready to get started?

[Evan] For sure.

Information Security Roles and Responsibilities (Part 1 of 2) – Micro Level

[Brad] You mentioned that we’re working on this book together. It’s a book focused on simplifying and operationalizing information security for underserved markets like state/local government, schools (K-12 and higher ed), small businesses, and individuals. Part of all this is understanding who does what, or at least who should be doing what. We started last week with our opinions about the importance of defining roles and responsibilities for governments, businesses, schools, etc. Now, let’s take it down to a more practical level.

We’ll share our opinions this week on the following:

  • How important is it to define, formalize, and communicate information security roles and responsibilities?
  • If we haven’t defined, formalized, or communicated information security roles and responsibilities, where should we start?
  • Why is it important to simplify information security, and how can I do it?
  • What does operationalizing information security look like and how can I accomplish this?
  • Roles and Responsibilities at Work:
    • Executive Management
    • CISO (or similar), two jobs.
    • IT
    • Legal
    • Everyone else.
  • Roles and Responsibilities at Home:
    • Information security, privacy, and safety cannot be separated.
    • Parent
    • Spouse
    • Children
  • What are things we can do to simplify and operationalize information security at home?
  • What should every “normal” person know about information security?

[Brad] Great conversation. We could have taken any one of these subtopics and devoted an entire show to it. I’m really looking forward to finishing this book with you. This book could help tons of people! Alright, as usual, let’s get to some news.

News

[Brad] Here’s what we’ve got for news this week:

Closing

[Brad] There you have it. Episode 68. Good talk today. Got any parting words?

[Evan] It’s a secret.

[Brad] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet sometimes. I’m @BradNigh and Evan’s @evanfrancen. Be sure to watch social media for news from RSA! SecurityStudio will be tweeting and LinkedInning all week! Check out @studiosecurity frequently. FRSecure’s Twitter handle is @FRSecure, and they’re sure to have some good things too. Especially the week after next when FRSecure is out at SecureWorld North Carolina. Lots going on and lots of chatter!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 67 Show Notes – Who does what?

Did you even notice that I skipped posting show notes for last week’s podcast? Time got away from us. Sometimes our day job gets in the way. No matter. We recorded a pretty good show for you last week anyway, and you can catch a listen here.

We’re almost back on track this week.

Here we go…


SHOW NOTES – Episode 67

Date: Monday, February 17th, 2020

Show Topics:

Our topics this week:

  • Opening
    • What’s up?
    • One thing.
  • Information Security Roles and Responsibilities (Part 1 of 2)
    • How important are information security roles and responsibilities?
    • Is it important to define them formally, or do people just know?
    • Roles and responsibilities at a macro level.
      • Government(s).
      • Business(es).
        • B2C.
        • Employer(s).
      • School(s).
      • Consumer(s)/citizen(s)
    • Ideas for making things better.
    • Part 2 – Information Security Roles and Responsibilities (micro-level).
  • News
Opening

[Evan] Howdy. Welcome to episode 67 of the UNSECURITY Podcast. Today is February 17th, 2020 and this angelic voice you’re hearing is me, Evan Francen. Joining me in studio today is my security bestie, Brad Nigh. Good morning Brad!

[Brad] Hopefully he got some sleep and he’s ready to impart some of his wisdom!

[Evan] We have a great show planned today. Before we dive in, let’s catch up. As usual, I want to know how you’re doing and what you’re up to. Give it to me.

Catching up

Some back and forth happens here.

[Evan] Let’s see if you prepped for today’s show. I want you to share one information security truth. Pick any one you want.

[Brad] Shares a truth.

[Evan] Boom! Hashtag truth. Here’s one that’s on my mind…

[Evan] This weekend I was doing some work on our book. For those of you who don’t know yet, we are writing a really cool book. There are two purposes for the book. The first is to simplify information security, and the second is to operationalize information security in underserved markets. Underserved markets are state/local government, schools (K-12 and higher ed), small businesses, and individuals. How do we embed information security in such a way that it becomes a normal part of everyday life and a competitive advantage?

This book is being written by me, Brad, and Ryan (aka “cola”).

I’m just about done with my initial outline, which are really just thoughts. Soon, we’ll get going full speed with these guys. We’ll be collaborating big time!

Anyway, here’s why this is relevant to today’s podcast. As I was writing, I had a thought. One of the foundational components of information security is understanding and implementing roles and responsibilities. This leads to an idea of doing a two-part series. In part one (today), I’d like to discuss information security roles and responsibilities at a macro level. In part two (next week), we can discuss information security roles and responsibilities at a micro level. You game?

[Brad] Brad’s almost always game. He’s one of the most collaborative and easy-going security guys I know!

Information Security Roles and Responsibilities (Part 1 of 2) – Macro Level

We’ll share opinions on these things:

  • How important are information security roles and responsibilities?
  • Is it important to define them formally, or do people just know?
  • Roles and responsibilities at a macro level.
    • Government(s).
    • Business(es).
      • B2C.
      • Employer(s).
    • School(s).
    • Consumer(s)/citizen(s)
  • Ideas for making things better.
  • Part 2 – Information Security Roles and Responsibilities (micro-level).

[Evan] Good discussion man! We take so many of these things for granted. Good things for us to keep in mind as we continue down the path of writing our book.

[Brad] Brad is Brad.

[Evan] Let’s cover some news now.

News

[Evan] I’ve got a few goodies today:

Closing

[Evan] There you have it. Episode 67. Always great chatting with you Brad! Got any parting words?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet sometimes. I’m @evanfrancen and Brad’s @BradNigh. If you like company stuff, we work for SecurityStudio (@studiosecurity) and FRSecure (@FRSecure). The company people post good things from time to time too!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 65 Show Notes – Money Grab

Another week down. Damn, a whole month is down! January is already in the books.

While I’ve got you here, help us out with our mission. We’re busting our tails off doing our part to fix the broken information security industry. We’re striving and doing these things:

  • Setting a common information security language that can be spoken by everyone; the S2Score.
  • Developing and delivering simple (but effective and credible) information security risk assessments for the under-served (SMBs, state and local government, K-12, etc.):
  • Developing and delivering simple (but effective and credible) tools to help the under-served do information security better.
  • Teaching and mentoring others for free. The FRSecure CISSP Mentor Program is in it’s 11th year! We started with six students in 2010, last year we had 532, and this year we had more than 540 enrollments within the first 24 hours! Check it out and enroll here.

What can you do to help? Simple. You can help in (at least) three ways:

  • Do your own S2Org and S2Me assessments.
  • Contribute your opinions and feedback (after all, we’re all in this together).
  • Spread the word. Tell others. Tell them about the S2Org and S2Me assessments and tell them about the FREE FRSecure CISSP Mentor Program!

OK, on to the show…

February is already upon us, and RSA is just around the corner. Speaking of RSA, let’s talk about our industry’s money grab in this week’s episode. Let’s also discuss tips for talking to the board of directors about information security stuff .

This will be fun!

Alright, on to the show notes. This is my (Evan) show to lead and these (below) are my notes.


SHOW NOTES – Episode 65

Date: Monday, February 2nd, 2020

Show Topics:

Our topics this week:

  • Opening
    • Normal Stuff
    • Got Mail?
  • The Money Grab
    • It’s alive and well – everybody wants your $$$.
    • The Bad Guys Of Course
    • The “Good Guys” Too?
  • Talking to the Board
    • Tips
    • Recent Experiences
  • News
Opening

[Evan] Alright, welcome! This is Evan Francen, this is episode 65 of the UNSECURITY Podcast, and the date is February 3rd, 2020. In studio with me is none other than Mr. Brad Nigh. Howdy Brad.

[Brad] We’ll see how awake he is on an early Monday morning.

[Evan] I’m curious, are you a morning person or a night person?

[Brad] I don’t know what he’ll say here…

[Evan] We’ve got a great show planned for you today. Lots to talk about, for sure! We’re going to talk about this industry’s money grab and we’ll cover some tips for speaking to the board of directors. Before we dig in, Brad, how you doing?

Quick Catch-up Talk

[Evan] Alright. Well, let’s get to it. Let’s talk about the money grab in this industry. In case you didn’t know, I’m referring to the information security industry. You have the something that everybody wants. The bad guys, the good guys, and everyone in between. They all want your money. Collectively, I call this the “money grab” and we’re going to discuss this. I want to discuss this because I don’t want you losing your hard earned money to some crook and I don’t want you to piss it away on something that doesn’t do what you thought.

Discussion about the Money Grab

The money grab is alive and well. Everybody wants your $$$. Everybody.

  • The Bad Guys Of Course
    • The 2018 cybercrime industry was worth at least $1.5 trillion
    • There is no low that’s too low.

This slideshow requires JavaScript.

  • The “Good Guys” Too?
    • Gartner estimated that 2019 industry spending was $124 billion in 2019, and by some estimated it’s expected to grow to more than $170 billion by 2022. NOTE: this is for context only and not to imply that this is wasted spending.
    • FUD (scare the sh*t out of you) and Sex Sell (buzzwords, new blinky lights, etc.)
    • Seems like everybody is fighting for your money.
      • Conferences (RSA, Black Hat, etc.)
      • Companies (borderline extortion, crappy advise, etc.)
    • We’re (FRSecure and SecurityStudio) human too. Mission over money, does it keep us honest?

[Evan] It’s a dangerous world and people (non-information security people are confused). I wonder how much of this is on purpose. The enterprise organizations can afford to make mistakes, but the smaller players are left in the cold and they’re suffering because they often miss the basics, the fundamentals. I feel bad for the under-served markets, especially SMBs. This is our primary focus. OK, on that note…

Discussion about talking boards of directors and executive management

[Evan] Brad, you and I have had the privilege on many occasions to talk to boards and executives. What tips do we have?

Some good back and forth discussion I’m sure…

After a while, let’s do some news.

News

[Evan] I’ve only got two stories to discuss today, but I think they’re interesting ones:

Closing

[Evan] OK, that’s it. Episode 65 is in the bag. Brad, you’ve got any ideas for next week’s show yet?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet sometimes. I’m @evanfrancen and Brad’s @BradNigh. If you like company stuff, we work for SecurityStudio (@studiosecurity) and FRSecure (@FRSecure). The company people post good things from time to time too!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 48 Show Notes

OK. Late again. I’ve been busy, and so has Brad.

Most of my highlights from last week are written/posted in #S2Roashow Recap – Week One. If you haven’t read it yet, you should. 😉 There’s a recap of the BSides Harrisburg Conference (their first one ever), a recap of the Cybersecurity Awareness Summit, and our reviews of some of the best BBQ in Central PA. You need to check out who the winner was!

As far as Brad is concerned, I haven’t seen him much lately. I’ve been on the road, and I think he’s been on the road too. Actually, he’s on the road during this week’s show! It’s a very busy time of year for all of us at SecurityStudio (me) and FRSecure (Brad).

Let’s get to it, eh?


SHOW NOTES – Episode 48

Date: Monday, October 7th, 2019

Show Topics:

Our topics this week:

  • Roadshow Recap – Week One
  • More vCISO Talk
  • This Week & The News

[Evan] – Hey oh. It’s me, Evan Francen. This is episode 48 of the UNSECURITY Podcast and the date is Monday, October 7th, 2019. Brad’s on a plane somewhere maybe, or maybe he’s in a hotel somewhere. I don’t know. All, I know if that he couldn’t make it because he’s really, really busy. In Brad’s place this morning is my good friend, John Harmon. Care to say “hi” John?

[John] John is a leader and has the liberty to say what he wants. 😉

[Evan] So, this was sort of last minute. I texted Brad on Friday night to ask if he wanted me to write the show notes. He responded that he’s going to be in San Diego, doing a board of directors presentation for a customer. Planning isn’t my strong suit, so I went to my bullpen. There I find my ace reliever, John Harmon. Glad you’re here John!

[John] John’s probably glad to be here, but it’s early. He might not be awake yet.

[Evan] Last week was week one of the SecurityStudio Roadshow (#S2Roadshow). You and I were in Pennsylvania, spreading some security love/truth. I wrote about the week on my blog, but who reads anymore? Let’s talk about it here. Cool?

[John] You’ll love John. He’s agreeable and great at rolling with it.

Roadshow Recap – Week One Discussion

Refer to https://evanfrancen.com/the-securitystudio-roadshow-week1/ for more information.

[Evan] It was a fun week, a productive week, and a very successful week. One of the most popular topics on the show is the topic of vCISO, or virtual Chief Information Security Officer. We receive emails every week from listeners asking good questions. This past week was no exception.

The questions were:

  1. Can you help me with some vCISO materials? 
  2. Like a framework of where to start?

This is a good opportunity to discuss this because we have a guest too. John has hired numerous vCISOs over the years, so his perspective will be great!

Maybe we’ll mention the book that Brad and I are starting…

More vCISO Talk

[Evan] Let’s talk briefly about where the SecurityStudio Roadshow takes us this week, then get to some news.

This Week & The News

[Evan] Where are you going to be this week John?

[John] John will tell us about his week (and hopefully where he might grab some BBQ). He might ask me about mine. We’ll see.

News

Only three news articles to talk about this week, even though there are 1000s to choose from:

Closing

[Evan] There you have it. We’ve got another busy week ahead! Fixing a broken industry is a helluva lot of work. I’ll see if Brad is up for talking about the Cybersecurity Maturity Model Certification (CMMC) next week. Interesting stuff happening there.

Thank you to our loyal listeners! Thank you for your tips and feedback. Send us your wisdom, questions, advice, whatever, by email  at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and John’s @HarmonJohn. Also, follow SecurityStudio (@studiosecurity) and the #S2Roadshow hashtag.

That’s it! Talk to you all again next week!

#S2Roadshow Recap – Week One

Central Pennsylvania

We’re happy to report that the information security community in Central Pennsylvania is alive and well!

Partners

One goal of the SecurityStudio Roadshow is to get out and meet new partners. We want to meet them, understand their businesses, and help them grow their information security consulting practices using simple, fundamental, and compliant solutions (S2Score, S2Org, S2Vendor, and S2Team/S2Me).

We met some amazing people and companies this week. We’re expecting as many as four new partners from Central Pennsylvania coming from this leg of the roadshow! Stay tuned for the announcements coming soon!

Keep up with our progress on Twitter, using the #S2Roadshow hashtag. We’re entertaining dammit!

BSides Harrisburg

In addition to meeting new potential SecurityStudio partners, John (Harmon) and I attended the inaugural BSides Harrisburg Conference on Wednesday (10/2). The event was held at the Harrisburg University of Science and Technology downtown, and the organizers did a great job!

SPECIAL SHOUTOUT to Julie Goolsby. Julie is the Director of Professional Development Programs at Harrisburg University of Science and Technology, and she was instrumental in coordinating everything for the event. She is patient, responsive, and incredibly effective.

I’m sure there were others who helped Julie, but we coordinated with her the most.

There were ~300 – 400 people at the conference (my guess), and maybe a dozen vendors. I didn’t speak until 10am, so John and I took in the Opening Remarks and the Keynote. The Keynote was presented by Ken Bechtel, a very well-respected Malware/Threat Researcher with more than 30 years under his belt. I shuddered when he mentioned boot sector viruses of the 90s. I started my (paid) career cleaning boot sector viruses from Windows 3.1 machines.

Ken has been around for a long time and he’s got a boatload of wisdom to share. Crazy how much he’s seen and how many malware packages he’s reversed. Most people haven’t heard of Ken because he’s one of those behind the scenes kind of guys. Sort of like me. He and I are both most comfortable in a dark room behind a keyboard somewhere. After his talk, we spent 30 minutes or so sharing stories and laughs.

NOTE: Ken informed me that he’s in the market for more/new work. Get in touch with him if you’d like to inquire. Here’s his LinkedIn Profile.

My Talk

This was one of those talks where I didn’t choose the title, but one of our marketing folks did. The title was “WANTED – People Committed to Solving our Information Security Language Problem”. Alright, let’s do it!

Finished my slides in a small coffee shop in Columbia, PA. SHOUTOUT to Café 301 in Columbia, a great little coffee shop in downtown. Good coffee and a great place to finish presentation slides.

My talk was in the event auditorium. There’s this slight fear of giving a talk in a large room (or in this case auditorium) and having a small audience. Thankfully, attendance was good, and it looked like the place was almost full. Phew! The talk was also livestreamed I hear.

This slideshow requires JavaScript.

SIDE NOTE: The very first talk I gave after starting FRSecure in 2008(ish) was at a conference in Bloomington, MN. This was my first ever talk, so I prepped thoroughly. I was early to the venue. I got to my room early. I got setup early. I was raring to go! One problem. Nobody came. Zero attendance. A good dose of humble pie, but ever since that day, I’ve said to myself, “as long as there’s more than zero, it’s a good day for a talk”.

I think the talk went well. There were awesome questions, and there was a dozen or so people who came up to talk with me afterwards. If you’re interested, a copy of my presentation can be downloaded here. If you want to watch the video, BSides live-streamed it, and you can also see it here.

Back to the Conference

We spent the remainder of the conference roaming the floor, striking up conversations, and attending other people’s talks. The two talks that I particularly enjoyed, so more SHOUTOUTS:

  • Rae Baker’s Open Source Intelligence 101: Finding Information on Anyone was a great introduction to OSINT. Really enjoyable presentation, and she nailed it!
  • Brandon Keath’s Hacking Yourself First, Penetration Testing for the Blue Teams: Part 2 was great. I had to miss Part 1 because I was in Rae’s talk. Brandon knows what he’s talking about and I really liked his dry humor. Good stuff.

We wrapped up the day with a few more introductions to potential partners, then headed off for BBQ (reviews below) and hotel work.

BSides Harrisburg was a GREAT CONFERENCE.

Cybersecurity Awareness Summit

Thursday’s agenda included attendance at the Cybersecurity Awareness Summit. This summit was also held at Harrisburg University of Science and Technology. The theme for this conference was “Caring and Sharing to Safeguard Our Citizens. Cross-collaboration Among Government & Education Makes Pennsylvania Safer & More Secure.

I sat through the following:

  • Welcome– Eric Darr, PhD, President Harrisburg University
  • Opening Remarks– John MacMillan, Deputy Secretary for Information Technology and Chief Information Officer, Commonwealth of PA
  • Security Challenges Confronting Government and Schools and Benefits to Collaboration & NASCIO’s Cybersecurity State of the States Report– Erik Avakian, CISSP, CRISC, CISA, CISM, CGCIO, ITILv3, Chief Information Security Officer Commonwealth of Pennsylvania and Srini Subramanian, Risk and Financial Advisory Lead, Deloitte
  • CISA: Cybersecurity Resources for State and Local Governments– Benjamin Gilbert, Cybersecurity Advisor, Cybersecurity and Infrastructure Security Agency

I will be PC in my feedback, although I don’t really want to. Mr. MacMillan is a very sharp dresser. Mr. Avakian has a nearly impossible job and needs more help. If Mr. Subramanian would have said “cyber” one more time, my head would have exploded. Mr. Gilbert was a good guy who used a helluva lot of acronyms.

I have a ton of respect for state CISOs. They do very hard work in a (sometimes) very hostile environment with less support.

RANT: Somehow, we’ve gone from using the words information security to cybersecurity to just “cyber”. Information security is NOT “cyber”. I get it, “cyber” sounds a lot cooler. Maybe using “cyber” helps you sell more $*!%. Certainly, the hipsters are impressed by the word. The truth is, using “cyber” as a reference to information security is NOT helping. Words matter. Use a dictionary.

I’m a stickler for this because I’ve been part of this army, and we’ve fought very hard to make information security a business issue, NOT just an IT issue.

OK, off the soap box now.

Benjamin Gilbert did a great job showing us all that CISA has to offer. They are trying to do everything for everyone though. This will get very expensive (to taxpayers) and will be less than optimal (wait lists, skill shortages, etc.). CISA provides a lot of value, but it would be nicer to see them do one or two things really well versus doing a whole bunch of things sort of half-assed.

This conference was very well attended and overall it was great. Seriously, it was.

BBQ Reviews

A roadshow isn’t a roadshow without a heathy dose of BBQ, or lots of doses of BBQ. John and I promise to eat at all the best BBQ places we can find during our travels and provide you with the lowdown. It’s the toughest part of our job, but you can count on us. We’re in it to win it!

We rate each BBQ joint we try on four characteristics on a scale of 1 (sucks) – 10 (best); Atmosphere, Service, Portions/Value, and Taste. The overall rating is the average of the four.

Sweet Lucy’s Smokehouse – Overall: 6.75

  • Atmosphere – 9
  • Service – 6
  • Portion/Value – 6
  • Taste – 6

Our first stop after landing in Philadelphia was Sweet Lucy’s Smokehouse. The BBQ was good, but not great. The best thing about the place was the really cool atmosphere.

Mission BBQ – Overall: 8

  • Atmosphere – 7
  • Service – 10
  • Portion/Value – 7
  • Taste – 8

We ate at Mission BBQ in Harrisburg in the evening of the first day. I wasn’t that excited for it because I knew it was part of a chain, but it was the closest BBQ joint to where we were staying. The staff was AMAZING. I can’t remember ever getting better service that we did at this place.

The cashier asked us if this was our first time at Mission BBQ. We said it was, then she proceeded to tell us all about the menu and how they make their BBQ.

Once our order was ready, the lady behind the counter asked us if it was our first time at Mission BBQ. We said it was, then she proceeded to tell us all about the sauces and how to help ourselves.

After we sat down to eat, another lady came by our table three or four times to make sure we had everything we needed. She cleared our table for us too (even though this was a self-service joint).

The service was exceptional, so I rate it a 10. The food was good too, the best being the jalapeno cheddar sausage.

This slideshow requires JavaScript.

Redd’s BBQ – Overall: 7.25

  • Atmosphere – 8
  • Service – 5
  • Portion/Value – 9
  • Taste – 7

After almost 24 hours without BBQ, we made the drive from Harrisburg to Carlisle on Wednesday night. We enjoyed some good (again, not great) BBQ at Redd’s BBQ. The atmosphere was pretty good and the portions were large. Service was so-so; the waitresses spent more time chatting with each other than they did helping their customers. Overall, this was good BBQ and it was worth the drive.

This slideshow requires JavaScript.

Shakedown BBQ – Overall: N/A

  • Atmosphere – N/A
  • Service – N/A
  • Portion/Value – N/A
  • Taste – N/A

The disappointment of our BBQ adventure came when we made the drive out to Grantville only to find the Shakedown BBQ was closed. This was one place that came most recommended from the people we talked to at BSides. Before making the drive, we confirmed that the place would be open, both online and through a friend of the owner. They were supposed to open at 11am on Thursday, and we got there at 11:15. A paper plate was hung on the front door saying they were closed. Ugh.

Divine Swine – Overall: 8.5 – #S2Roadshow Week 1 Champ

  • Atmosphere – 7
  • Service – 8
  • Portion/Value – 10
  • Taste – 9

After the Shakedown BBQ disappointment, we swung over to Manheim, where we found Divine Swine. This place takes the crown as the #S2Roadshow Week 1 BBQ Champ. The best tasting BBQ we had on the trip and huge portions. If you’re in the area, you have to visit this place!

This slideshow requires JavaScript.

Maybe we’re BBQ snobs, maybe not. One thing is certain, we enjoyed all of the BBQ we ate, and we’re pumped for next week’s adventures.

Next Week’s #S2Roadshow

I’ll be heading to Orange County, California. I’m speaking to the fine folks at the Orange County Chapter of ISACA on Tuesday. I’ve got a bunch of great meetings on Wednesday and Thursday with some potential partners and other security folks. If you’re in the area, let’s hook up. We can talk security and grab some BBQ. If you’ve got some BBQ recommendations, let me have ‘em!

John will be in Madison, Wisconsin speaking at an event hosted by Applied Tech. He’s going to be joined by Steve Krause, SecurityStudio’s Partner Manager. If you’re in that area, go hang out with John. I think he’s funner than I am.

Stay tuned for next week’s #S2Roadshow update! You can follow us on Twitter (@evanfrancen, @HarmonJohn, @StudioSecurity, and the #S2Roadshow hashtag) and on LinkedIn.

The SecurityStudio Roadshow

Introduction

OK, we’re doing this roadshow. Publicly, we call it the SecurityStudio Roadshow. Internally, we call it “Project Bacon”. Who doesn’t like bacon?

This is a short article to tell you about the SecurityStudio Roadshow and what we’re trying to accomplish with it. The first phase of the #S2Roadshow kicks off at the BSides Harrisburg (PA) Conference on October 2nd and ends with the RSA Conference in February, 2020.

Purpose

We’re on a mission. Our mission is to fix the broken information security industry. Say what?! Yeah, we know. It’s a big mission. Two things come to mind right away:

  1. Where do we start?
  2. How do we start?

We need to start where we’ll have the greatest positive impact on our industry and we need to start with people who are closest to the problem.

Where do we start

We start with information security fundamentals. If you hired me as your CISO, the very first thing I would do is an information security risk assessment. Considering that maybe ~90% of organizations in the United States fail to do this fundamental exercise reinforces the notion that this is where we’ll start.

SecurityStudio developed the S2Org information security risk assessment, and it’s already been used by more than 1,500 companies. We’ll start with the S2Org assessment and we’ll offer it for free.

The S2Org is SIMPLE, FUNDAMENTLAL, and COMPLIANT. More about this later.

How do we start

We start by making friends. We’ll get on the road and we’ll meet them where they are. The #S2Roadshow! We’ll travel the country recruiting people for our cause. We’re recruiting partners and end users. Partners use our tools to attract new customers and help their existing ones. End users can use our tools for free to address their fundamental information security needs.

Keep Up

We invite you to join us on the road, either in person or online. If you’ll be at one of the various events we’ll be at, come say “hi”! Tell us how we can help you and/or join us. For those of you who can’t be where we are, follow us on my personal blog, on Twitter, and/or LinkedIn.

It’s going to be one helluva ride, and we’re excited to share it with you! We’ll meet a bunch of cool people, establish some great new relationships, and make a lot of progress on the mission!

I’ll post daily updates here. This will sort of be my #S2Roadshow journal.

Want to know more about SecurityStudio, check us out online; https://securitystudio.com. Get your S2Score, become a partner, or help us with our mission!

Oh yeah, one more thing.  We’ll be hunting down the best BBQ joints while we’re on the road. We’ll eat and we’ll review. It’s hard to be a security guy on the road.