FRSecure CISSP Mentor Program Welcome Message

Only 46 more days. It’s almost time to start the FRSecure CISSP Mentor Program!

As of yesterday (2/23/21), we have more than 3,500 registered students for the 2021 class. That’s awesome! (and a little nuts) For context, we started the program in 2010 with six students. At the time, FRSecure was a teeny startup (3 employees), but our size didn’t matter. We started with a simple goal:

Provide quality information security training for free.

No strings. No ulterior motive. No marketing gimmicks. Nothing but helping people on their journey.

Why this goal?

We love people. By proxy, we love people in our industry, and by (another) proxy, we love the people served by our industry. Our mission (“to fix the broken industry”) is born from and rooted in love, and we will always do right by our mission. Makes sense, yeah? We’re all #MissionBeforeMoney around here!

Fast forward, this will be our 12th consecutive year. We’ve been a positive influence (to one degree or another) in the lives of more than 6,000 people through the CISSP Mentor Program in the past two years alone (3,500+ students this year so far, 2,400+ students last year). Everyone is welcome here, regardless of background, experience or education. If you don’t want to take the CISSP exam, or don’t feel ready, join us anyway. You’ll learn more about information security, and maybe you’ll pick up some life skills along the way!

Welcome Message

Posted in the 2021 CISSP Mentor Program Study Group on 2/19/21:

Hello 2021 FRSecure CISSP Mentor Program Class,

I’m Evan Francen, the founder and CEO of FRSecure (and SecurityStudio) and one of the instructors here. We’ll get to know each other once class gets going, but I wanted to introduce myself now and welcome you.

Welcome to the 2021 FRSecure CISSP Mentor Program!

I’m excited that you’re here and honored to be part of your journey.

A little history…

In 2008, we started FRSecure with this mission:

To fix the broken information security industry.

Our mission came from a deep passion to do things right and serve others. You see, information security isn’t about information or security as much as it is about people. People cause the havoc (intentionally or accidentally) and people suffer the consequences. If nobody suffered, nobody would care.

The information security industry is still young. There’s no shortage of work to do, and the sooner we get to work on the right things, the better off everyone will be. Two things are at (or near) the core of our information security industry problems:

  • People take advantage of other people. If there was a single motivator for me, this would be it.Attackers – people who don’t hide their intent to do others harm. Most people think we’re only concerned about the attackers, but there’s much more.Frenemies – people in our industry who sell products and services that are not in the best interests of the buyer and/or do not do what they claim.
    • “Experts” – yes, in quotes. There are people in our industry who are in it for the wrong reasons. They are motivated by selfishness and not to serve others. This wouldn’t seem so bad, but most of these people are charged with securing information that does not belong to them. Inflated egos intimidate and discourage others, ignorance leads to poor decisions, comfort leads to inactivity, etc., etc.
  • Information security fundamentals are not universally understood or applied. This is true in the public sector and private industry. It’s also true at home. If we (as an industry) mastered the application of fundamental information security concepts, we’d reduce the number of breaches by as much as ~80-90% (my conservative estimate) and significantly reduce the impact to society.

Fixing these problems is certainly easier said than done, but the pursuit continues…

So, where does the FRSecure CISSP Mentor Program fit in this equation, and what does it mean for you?

Simple. Our industry needs more good information security people. We need you!

The FRSecure CISSP Mentor Program was born out of our mission. In our first year (2010), there were six students. All six students went on to pass their exams and became CISSPs. Today, they are all working in our industry and making a positive difference in the lives of others. Last year was the 11th consecutive year for the program, and we had more than 2,400 registrations. It’s been an incredible experience for us, and for me personally. We do this because we love people, and we do it for no other reason. No strings, just #MissionBeforeMoney!

The 2021 CISSP Mentor Program

We’re sticking with the formula that works. Due to COVID still being COVID, we will once again teach all classes remotely. We’ve already surpassed last year’s record number of student registrations, and we’re on track for more than 5,000! This will be the best class yet, and I’m VERY excited to get to know some of you along the way! You’ll see me and some of the other FRSecure folks drop in here (the study group) from time to time. We’re here to help you as much as we are able (given day job and family stuff).

Once again, welcome! Thank you for letting us be part of your success. In know I speak for the other instructors (Brad Nigh and Ryan Cloutier) and the entire FRSecure team when I say that.

Let’s do this!

If you’ve thought about signing up, but haven’t yet, go do it. If you know somebody who could use some of this, tell them about it. See, more simple!

UNSECURITY Episode 119 Show Notes

OK, we’re back to writing UNSECURITY Podcast show notes. We took eight weeks off from writing show notes because it was a little tedious and we weren’t sure if anyone cared that much anyway. Turns out people care about the show notes, read them, and they want them back!

To make things less tedious and more valuable, we’ll only tell you the topics we plan to talk about. We won’t do the verbatim stuff anymore. If you like the new show notes, let us know (unsecurity@protonmail.com). If you’d like something different, let us know that too!

On to the notes for episode 119 of the UNSECURITY Podcast…


SHOW NOTES – Episode 119 – Wednesday February 17th, 2021

Opening

[Evan] Good morning and welcome to another episode of the UNSECURITY Podcast! This is episode 119, and the date is February 17th, 2021. I’m your host Evan Francen, and joining me is the right side of my brain, Brad Nigh. Good morning Brad.

Quick Catching Up

  • It’s flippin’ cold in MN (and other parts of the country)
  • We need another vacation.

The Meat

News

Wrapping Up – Shout Outs

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Be sure to follow the places we work and do cool things, SecurityStudio (@studiosecurity) and FRSecure (@FRSecure). That’s it. Talk to you all again next week!

…and we’re done.

L is for Layers

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

So, now the beloved letter “L”.

Lethargic Larry’s lackadaisical use of network layers, and his leisurely approach to security let lazy criminals move laterally throughout the lattice, leaving his league of lawyers lamenting the long laborious litigation laid before them from the lye leaked into the lotic.

For the purposes of the Information Security ABCs, “L” is for “Layers”.

To best apply the word “layer” with our definition of “information security”, let’s review both definitions quick. The word “layer” has several definitions in the English language, and here are two:

  • a thickness of some material laid on or spread over a surface: a layer of soot on the windowsill; two layers of paint.
  • something lying over or under something else; a level or tier: There can be multiple layers of metaphor in a single poem.

You remember our definition of “information security” right? Maybe. Well, in case you forgot, it’s managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

So, what is an “information security layer” or “security layer” for short?

What is a Security Layer?

In the context of information security, we use the term layers to describe the controls, most often preventative controls. A single layer is less strong (or effective) than multiple layers. For multiple layers, we just stack one layer on top of another (logically) to make our security (and protection) stronger. Here’s an analogy:

  • Bullet-resistant glass is constructed using multiple layers of laminated glass. The more layers there are, the more protection we get from the glass. Note, the glass is bullet “resistant” and not bullet “proof”. A projectile that is powerful enough, will get through. The point is, the layers make the protection stronger.

  • Attacker-resistant networks are constructed following the same concept, but using multiple layers of network protection (segmentation and isolation, maybe provided by firewalls) instead of multiple layers of laminate glass. The more layers there are, the more protection we get from the network. Like the bullet resistant glass, attacker resistant networks are never attacker “proof”.

Multiple layers make protections stronger, they compliment and compensate for each other. Here are a couple more examples:

  • The most common control for authentication is a username and password, a single layer (or often referred to as “factor”). If we add another layer to the authentication, maybe a hardware token (like YubiKey or RSA SecureID), a biometic (like Face ID), or a software token (like Google Authenticator or SMS text), we’ve significantly strengthened the control. We call this multi-factor authentication (MFA), but it’s also multiple layers.
  • A building is protected by exterior controls (walls, windows, doors, etc.). A single layer of protection might be provided by the walls and a single entry door. Once an attacker breaches the door (or wall or window) and gains entry to the building interior, there would be nothing left to stop them from taking anything they wanted or assaulting anyone inside. A simple multi-layer approach might employ additional locked doors between the single exterior entry point and office spaces, between office spaces and mail rooms, between office spaces and data closets, etc., etc.

Layers are important for safety

As one who lives in a cold weather climate, I can assure you that layers are an essential part of staying safe in cold weather. As with all things, having the appropriate number of layers is critical, too many layers and you overheat and struggle to move, not enough layers and you will freeze.

When it comes to using layers in security the same principal applies, too many layers prevents effective use and not enough layers leads to unnecessary risk and danger.

Layers are part of defense in depth

We like to use the analogy that security is like an onion, we say this because an onion has many layers and each layer is needed to make a whole onion, in security it is no different. You may need many layers to make the whole security program effective.

Layers are the cornerstone of defense in depth, defense in depth is a security concept that states; security should be implemented in overlapping layers that provide the three elements needed to secure assets, prevention, detection and response, while seeking to offset the weakness of one security layer by strengthening it with two or more additional layers. This is the #1 reason for using Multi Factor Authentication (MFA) to strengthen the security of your username and password.

Let’s take a deeper look at the various security layers, we encounter most often.

Physical

The physical layer consists of the things you can touch, fences, locked doors, surveillance cameras, man in the middle traps (a room that one door locks behind you before the door in front of you can be opened) security guards, etc. This is the fist layer of any security program; all the other layers are ineffective if the systems can be physically accessed by bad actors. Having an appropriate level of physical controls in place is critical to ensuring the rest of the security layers are effective. After all,

“It doesn’t matter if your server runs the greatest security software of all time when someone steals the server.”  

Access Control

The access control layer comes in two forms physical access and logical access, both serve the same purpose, to limit access to sensitive systems and data to authorized personnel (approved users only). The most common physical access controls are door locks, and the most common logical access controls are passwords (used in combination with a username).

Access control gives us the ability to restrict and monitor who is accessing what, and physical and logical access controls can have many sublayers. For example a locked door could have additional layers (controls) of security such as a surveillance camera or security guard. Logical examples include multi-factor authentication (MFA) covered earlier, or performing logical access audits on a periodic basis.

Application

The application security layer is all about providing protection to applications and the data applications use. Security controls on the application layer require additional consideration, as poorly configured security controls can degrade the performance, stability, and overall usability of an application. Inadequate or missing security controls at the application layer present significant risks, such as data loss, data integrity issues, backdoors/malware, additional unauthorized network access and service interruption.

Ransomware, Distributed Denial of Service (DDoS) attacks, SQL injection and cross site scripting are some of the attacks targeted at the application layer.

Taking a multi-layered approach to application security is a best practice. Using a Web Application Firewall (WAF) for web facing applications, secure web gateway services for Internet access, logging and monitoring of application activities and training aimed at improving user behaviors are a great starting points to consider for a multi-layered approach to application security.

Network

The network layer is responsible for connecting systems together. Systems within an organization are likely to need communication capabilities with each other to operate, and connectivity to the Internet may also be required. This is the layer where a standard firewall lives. You know, that thing we traditionally think of when we talk about cybersecurity (BTW, cybersecurity is not information security. They’re like cousins)?

Think of the network layer as your first chance and last chance; it is your first chance to detect suspicious traffic/behaviors, and it’s your last chance to stop data from leaving your network. The network layer has two directions that must be considered in your protection approach, inbound (sometimes called “ingress”) and outbound (sometimes called “egress”). Controlling and monitoring data and traffic in both directions are critical, although this contrary to current practice in many organizations.

The Crunch Shell and Gooey Center

Most networks are secured (poorly) with a “crunchy shell” and “gooey center”. Traditionally, we’ve focused so much on establishing a strong perimeter (“crunchy shell”) that we neglect to account for what happens when an attacker get’s through the perimeter. There are few restrictions in place, and we’re left with our “gooey center”. In most networks, once an attacker gets through the perimeter (trivial in many cases), they have free reign to move laterally throughout the network until they find valuable data. Once the attacker finds valuable data, they are rarely restricted in exfiltrating the data because of ineffective egress traffic restrictions.

The two most common mistakes in network security layering include:

  • Too much focus on the perimeter.
  • Too much focus on restricting traffic inbound and no (or very little) focus on traffic outbound.

An important note about the “perimeter”, especially with the explosion of remote work due to COVID-19, is there is no perimeter. At the very least, there are many perimeters. All the more reason for a layered approach.

Some of the tools used to secure the network layer are firewalls, security incident and event management (SIEM) tools, network intrusion prevention systems (NIPS), network intrusion detection systems (NIDS), logging and packet capture devices, network-based data loss prevention (DLP), email filtering, and web filtering.

The better the network layer is secured and monitored the higher the your chances of seeing something in time to stop the “something” from being very bad. Some of the controls we use to secure the network layer are physical and some are logical. The best approaches are usually a blend of both. When it comes to the securing the network layer, less is more and, more is less.

Whoa, did I just blow your mind?! How can it be both more and less you might ask.

The answer is painfully simple, the more restrictive you are with what you allow on the network without the knowledge of what it does or why, the less issues you will have to chase down later. Knowing what something is, why it’s on the network, why it’s important to the business and how it works/behaves during normal operation are invaluable when it comes to securing the network layer. The better you understand what’s on the network and how it operates the better your firewall rules, IPS, IDS, WAF, log data, SIEM and other security controls can be configured. This always results in less things to chase and less time elapsed between detection and response.

Remember when it comes to network access Less is More! (concept of least privilege)

While the network layer has traditionally gotten the most attention from security professionals over the years, and is where the concept of perimeter defense is rooted, it is only one of the many layers you need to design and manage an effective information security program.

Host / Platform

The host layer is where virtualization happens and where operating systems live, virtual or not. This is also the layer that computers/servers/Internet of Things (IoT) and all other devices (with a unique IP address) reside. When we discuss this layer, in the cloud as IaaS or other, we refer to it as the platform layer and there are some distinct differences in how to secure it. Securing this layer comes with the challenge that most devices need to interact with many applications and services hosted locally and remotely. When we consider all the various other layers and systems at play, we must consider virtualization, application stacks, code libraries, 3rd party services, integrations and data movements, security patches, upgrades, cloud services and on and on.

Adding to the challenge, we must do this while balancing the needs of the business and risk.

The WORST ENEMY of security is complexity; therefore, we must combat complexity at all times. This is a huge challenge when dealing with the (sometime unreasonable) demands of the business. Using a simplified approach whenever possible, and leveraging a layered approach to information security will make your life easier and your protections more effective. Believe it or not, the fundamentals are still the most effective security controls out there.

Honorable mentions for “L”

  • Lag
  • LAMP
  • LAN
  • Laptop
  • Laser Printer
  • Latency
  • Lazy Loading
  • LCD
  • LDAP
  • Lead
  • Leaderboard
  • Leading
  • Leaf
  • LED
  • Let
  • Left-Click
  • Leopard
  • LFN
  • LIFO
  • Lightning
  • Link
  • LinkedIn
  • Linux
  • Lion
  • LISTSERV
  • Live Streaming
  • Load Balancing
  • Localhost
  • Log File
  • Log On
  • Logic Error
  • Logic Gate
  • Login
  • Long
  • Loop
  • Lossless
  • Lossy
  • Low-Level Language
  • LPI
  • LTE
  • Lua
  • LUN

So, there it is folks. The letter “L” is for “Layers”.

The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics). APPLY THE BASICS!

On to “M”!

K is for Key

In kindergarten (or thereabouts) we learned the ABCs of the English language (assuming we’re from the U.S.). Learning the ABCs provided the foundation necessary to form words. Before long, words became sentences, sentences became paragraphs, and paragraphs became chapters, reports and books.

The ABCs of Information Security are important in much the same way the ABCs for English are. We start with learning and mastering basic concepts. Basic concepts begin to combine with other basic concepts to form the foundation of an information security program. In time, advanced techniques are applied on top of the solid foundation, and a world class information security program is born.

The Information Security ABCs are written as education for people who don’t speak information securitynese yet, and they’re good reminders for people who already speak information securitynese fluently.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

And here we are, ready for “K”. “K” doesn’t get much respect in the English language, appearing with a frequency of only 1.1% (compared to “E” and its 11.16%). All letters deserve respect, and “K” can brag that it isn’t as lonely as poor “Q” (.196%).

Some alliteration…

Our kindhearted kin are kayoed, watching their kingdom go kaput while losing the kitty to knave knuckleheads, all because they didn’t know key concepts, built knotty networks, and failed to kindle interest from kleptocratic leaders.

For the purposes of the Information Security ABCs, “K” is for “Key”.

The word “key” has many applications in information security. It’s one of a few words that fit across the spectrum of what information security is:

Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

There are physical keys, logical (or technical) keys, and all the “other” keys.

Physical Keys

Physical keys are used to open physical locks. Physical locks are used to secure physical things. Physical “things” might be a locker, a door, a window, a safe, or any number of other “things”. Don’t confuse physical key locks with other physical locks. Combination locks and keypad locks aren’t physical key locks, but they have keys too. The key in these locks is the combination.

Confused? Don’t be. Here are the most common types of physical key locks.

Types of Keyed Locks

IMPORTANT: Every physical key lock is susceptible to compromise (picking, bumping, impressioning, etc.), but some are much harder than others to bypass.

  • Pin cylinder (or pin tumbler) locks – a lock with pins that must be aligned with a shear line to turn the cylinder (open the lock). The key is specifically shaped to lift the pins to align with the shear line. The number of pins in these locks vary, but the most common are 5 and 6-pin locks.

  • Lever (or lever tumbler) locks – the key lifts each of the levers to the exact height required to move the locking bolt. The most common lever lock is one with three levers, but you’ll need a five-lever lock (or more) to get home insurance in many cases.

  • Wafer (or wafer tumbler) locks – like the pin tumbler lock but uses flat wafers instead of pins.

  • Warded locks – obstructions are used within the lock to prevent anything but the correct key to turn. One of the oldest lock designs, and only used in low security applications today.

  • Disc detainer (or disc tumbler) locks – uses slotted rotating rings where the slots must be aligned to unlock. Harder to pick and sometimes sold as “high security” locks.

Keys open locks. Simple, right?

Again, don’t forget that ALL physical locks susceptible to picking or bypass. Here’s a look at a couple of pick sets.

Logical Keys

Logical keys are very commonly used to protect assets too. The three most widely used references to logical keys in information security are:

  • Secret Key – this often refers to a type of cryptography (“secret-key” encryption, or algorithm) and the key itself. Secret-key encryption is also referred to as symmetric encryption (not to confuse anyone). In this type of encryption, the same key (secret key) is used to encrypt and decrypt data. The key can take the form of a simple password, a passphrase, or any other combination of bits/bytes. Popular symmetric-key algorithms include AES (Rijndael), Twofish, DES, 3DES RC4, and others.
  • Public Key – this term refers to a type of encryption and the key itself too. Public-key cryptography is also referred to as asymmetric cryptography because one key is used to encrypt the data and a separate (but related) key is used to decrypt the data. If the public key is used to encrypt, only the private key can decrypt, and vice versa. The public key is often freely distributed while the private key is kept, you guessed it, private. Common asymmetric-key algorithms include RSA, Diffie-Hellman (key exchange), Elliptic Curve Cryptography, and others.
  • Private Key – private keys are paired with public keys in asymmetric encryption algorithms. These are sometimes referred to as secret keys, but not the same secret keys as those used in symmetric encryption (because we like to reuse words and confuse people I guess).

It’s common to use asymmetric encryption to establish communications and exchange secret keys, then use symmetric encryption to exchange data. This is because symmetric encryption is stronger (per bit of key length) and faster.

Other Uses of “Key”

The word key and security (and information security) are like second cousins. They’re different but related to each other. The image of a key (or padlock with keyhole) is often used symbolically to reference information security, like the graphic below.

Then there are information security “key” concepts, like:

  • Information security is risk management.
  • Information security protects the confidentiality, integrity, and availability of information.
  • Information security is a business issue, not an IT issue.
  • You can’t prevent all bad things from happening (eliminate risk), so you must have something in place to detect the bad things and something in place to respond appropriately too.
  • And many, many more…

More use of the word “key”:

  • Key Chain
  • Key Distribution Center (KDC)
  • Key Escrow
  • Key Fob
  • Key Generator (Keygen)
  • Key Length
  • Key Performance Indicators (KPI)
  • Key Risk Indicators (KRI)
  • Key Value Store
  • Key-Value Pair (KVP)
  • Keyboard
  • Keyboard Buffer
  • Keyboard Macro
  • Keyboard Shortcut
  • Keycap
  • Keygen
  • Keylogger
  • Keypad
  • Keystroke
  • Keystroke Logger
  • Keyword
  • Keyword Stuffing

So, there you go. The letter “K” is for “Key”. The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics).

On to “L”!

J is for Jaded

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

And now for “J”.

One is justified in their joy and jubilation from the judicious and just protection of information.

The jibes, jeers, judgement, and jitteriness of losing to jackanapes along our journey through the jargon, jabberwocky, jactitation, jostling and jackassery of our juvenile industry makes us justifiably jaded.

There you have it.

“J” is for Jaded

We’re not all jaded all the time, but too many of us jaded too often.

Feeling jaded seems to come with the territory. As someone who works in this industry, sometimes it feels like we’re fighting a fight that can’t be won, we’re losing ground, and that life has given us the short end of the stick. Given enough time in this industry, you’ll either become jaded or you’ve fought hard against becoming so.

If you’ve done something so much that it doesn’t excite you anymore but just leaves you tired, consider yourself jaded. If someone says you look a little jaded, it just means that you look tired.

https://www.vocabulary.com/dictionary/jaded

The formal definition of “jaded”, courtesy of George Merriam and Noah Webster (not really, these two are long gone and Merriam Webster, Inc. was acquired by Encyclopedia Britannica, Inc. in 1964):

  1. Fatigued by overwork : EXHAUSTED
  2. Made dull, apathetic, or cynical by experience or by having or seeing too much of something.

Being fatigued, exhausted, overworked, dull, apathetic, and cynical are not things we should aspire to.

Jaded is Bad

There is nothing good about being jaded. People who are jaded are live a sad life, or at the very least, a life with less joy than there should be.

Here’s what Dr. Stephen Diamond (a clinical and forensic psychologist) has to say about jaded people:

bitter, jaded people tend to project a self-righteous attitude suggesting they’re justified in feeling resentment. They’re often bored and cynical. They observe and criticize more often than they participate. Because they believe they’ve been burned, they no longer have the trust necessary to build solid, positive relationships. They believe the world is unfair and freely express their impatience and anger. They no longer expect success, but don’t accept responsibility for their failures; instead, they blame others. They’re almost always irritable and frequently express annoyance in most situations.

The highlighted words represent traits that are too common with people in our industry, some of these people we know personally, and maybe one of those people is you.

Jaded people often lash out at others. Bitter sarcasm and criticism are hallmarks. They often feel like they’re victims of what they perceive as injustice. The injustice leads to resentment, anger, and general unhappiness. Jaded people are more likely to suffer from burnout, mental health issues (depression, anxiety, et al.), broken relationships, and chemical dependency (self-medication).

Again, think about people we know in our industry; the people we fight alongside every day. There are people we know personally who have a self-righteous attitude, criticize more than they should, and have lost patience with “dumb users” and/or “incompetent management”. Dialogs such as these are examples:

US: “We need to educate our users and constantly make them aware of information security dangers.”

JADED US: “Why waste our time or money? They don’t get it and they never will. They just keep clicking on links and choosing sh*tty passwords.”

OR:

US: “Let’s figure out a better way to communicate with executive management and the board. If they understood better, we’d be able to secure the budget we need.”

JADED US: “What’s the use? Management doesn’t give two sh*ts about information security!”

Someone who’s jaded has given up, lost hope, and just exists to exist. They’re debilitated and they’re debilitating to the people around them. Someone who isn’t jaded, is still fighting the good fight.  They’re relaxed, rested, energetic, and active. Jaded people have a negative impact. People who aren’t jaded make a positive difference, creatively solving problems and hoping for better outcomes. The truth is, jaded people hurt themselves and others. People who aren’t jaded help themselves and others.

Jaded people hurt themselves and others.

Jaded people are NOT bad people. Please don’t make this mistake. Often, they are good people who care(d) deeply about something. They care(d) so much, they took it personal and suffer(ed) for it.

To simple? Maybe, but the point is this; we need to do everything we can to avoid becoming jaded.

But how?

Start with a simple and honest self-evaluation; are you jaded? If you’re not sure, ask someone close to you. Then decide:

  • If you’re jaded, choose to come back or not.
  • If you’re not jaded, learn how to keep yourself from becoming jaded or not.

The mindset and skills are the same either way.

People who work in our industry often (or always) find our work stressful. When we become jaded, we negatively impact our quality of life and become much less effective in our work. Back to our definition of the word; jaded people are fatigued by being overworked and/or made dull, apathetic, or cynical by experience. Being jaded is not acceptable to me, and it shouldn’t be acceptable to you either. So, let’s do something about it.

Fatigued, Overworked, and Exhausted

People who work in our industry are some of the most passionate, motivated, and intelligent people anywhere in the world. We’re unique and we’re amazing! The passion pushes us to work our tails off, mostly without appreciation beyond our paycheck (we do get paid well though). Some of us work 50, 60, 70+ hour weeks, forgo vacations, and sleep much less than we should. Our passion will work against us when/if we’re not in balance. The constant hard-driving workload can lead to fatigue and exhaustion. Eventually, something has to give.

To make matters worse, it doesn’t matter how many hours we put in, security incidents are inevitable. No matter what we do, we cannot prevent all bad things from happening. When the bad thing happens, then “they” notice; the appreciation we longed for becomes condemnation. Nobody cares about the 1,000s of hours we put in, often while others weren’t watching. They want to know why the bad thing happened and who’s to blame.

Feeling any injustice? Oh, how we need tools to fight against becoming jaded! So, what to do?

Priorities

Somewhere along the line, we might get our priorities messed up. Our job is a job. We do it as well as we can, but we must recognize that work is not life. Work is part of life, but it is NOT life. Good priorities might look something like this:

  1. Faith
  2. Spouse (if you’ve got one)
  3. Family
  4. Work
  5. Friends

Notice how “self” isn’t listed? Self supersedes all priorities. Self-preservation is primal.

You could switch #4 (Work) on the list with #5 (Friends) and still be OK. Regardless, work is NOT in the top three. Bad priorities look like this:

  1. Work
  2. Fame
  3. Money
  4. Spouse
  5. Work
  6. Family
  7. Work
  8. Friends

The first list lends itself to health, the second list lends itself to becoming fatigued, overworked, and exhausted. Couple messed up priorities with the nature of our work; guaranteed failure (if failure is defined as preventing all bad things), and you have a recipe for becoming jaded.

Health (Spiritual, Mental, and Physical)

All health requires maintenance. If we’re not maintaining our health, we can expect it to fail (eventually) and we can expect it to suck.

This isn’t the place or time to preach Jesus to you, but we all need a spiritual “higher power”. This is the place we go when the world doesn’t make sense, and we all know the world doesn’t make any damn sense, right?! If you need help finding a spiritual advisor, reach out to a close personal friend for guidance. If you don’t have a close personal friend to trust for this guidance, you get my advice; seek Jesus! That’s all the preaching you’ll get (for now).

According to the National Institute of Mental Health, nearly one in five U.S. adults live with a mental illness (51.5 million people in 2019), and less than half (44.8% or 23.0 million people in 2019) received mental health services. Think about these numbers for a second. Due to the nature of what we do and the stress related to it, the percentages for us are probably worse than the U.S. population. Most of us rely VERY heavily on our minds, and if our minds our broken, then what? If you need help, or think you might need help, here are some great resources to check out (DO NOT IGNORE THIS):

It’s easy to overlook our physical health, but we can’t. Most of us sit for hours on end at a computer keyboard. This is not healthy. We must get up, get out, exercise more, and eat healthier. There’s nothing glamorous about dying of a heart attack while reverse engineering a piece of code.

Our health has a direct impact upon being jaded. The more unhealthy we are, the more likely we are to become jaded. The inverse is also true.

Dull, Apathetic, and Cynical

The second part to our definition of “jaded” is being dull, apathetic, and cynical by experience or by having or seeing too much of something.

Seriously, how many times have we:

  • Seen someone click a link they shouldn’t have?
  • Witnessed someone fall for a phishing attack after we’ve taught them a kajillion times not to?
  • Read about a breach that should have been prevented?
  • Told people to master the basics, only to see them NOT compile/maintain an asset inventory?
  • Shaken our heads at dumb mistakes people (including “we”) make?
  • Beat our heads against the wall trying to get management to give a sh*t?

After a while, shouldn’t we just give up? What’s the use? People keep doing dumb things and making crappy decisions. Aren’t we tired of it yet?!

Spoken like someone who’s jaded.

Maybe it’s not them. Maybe it’s us.

Expectations

Maybe we’re jaded because we have too many or the wrong expectations. We’re less likely to become jaded when things go well, when we experience things that are good (or exceed our expectations). It’s not like we’d say:

  • “Dammit, Jane in accounting picked a great password again!”, or
  • “Life would be so much better if Joe would just click links without thinking more often.”, or
  • “It just sucks when management always gives us the budget we need for information security.”

Absolutely not. Some (or a lot) of our jadedness comes from being disappointed. We’re setting the wrong or unrealistic expectations, leading to disappointment, leading to frustration, leading to becoming jaded. We think expectations are good, but they’re often not.

What did we expect in the first place? Did we actually expect humans to NOT be human? Did we expect management to treat information security like it was THE issue versus AN issue? Did we expect people to listen to us when we don’t speak their language? Did we expect to not have breaches? Did we expect such a thing as risk elimination, or did we realize this is actually about risk management?

If we set any expectation, we should expect to be disappointed if we have expectations. Expect disappointment, and if it happens often and long enough, it WILL lead to frustration. Frustration is the last step in the path to becoming jaded. This is the “jade cycle” (simplified), see diagram.

The math: (-e + e2) = -d + -j, where e is expectations, e2 is better expectations, d is disappointment and j is jadedness. Essentially, fewer expectations and better expectations = less disappointment and less jadedness. Living life without expectations is NOT the goal, living a life with fewer and more realistic expectations is the goal.

NOTE: The exception is computers and other logical, binary things. We can always expect computers to do what we tell them to do. Care must be taken with emotional and non-binary (analog) things like human beings.

Summary

Beware and be aware of jadedness in yourself and others in our industry. It makes us less effective and it steals our joy. If you need help, ask for it. Being jaded is more common than many of us realize, and it does nothing to help our cause. The cause being better information security, and through it, better lives.

This is no honorable mention for “J” because it’s a letter we don’t use enough. 😉

Next up, “K”. What are some good relevant words for this letter?

I is for If

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

Now for “I”…

“I” is for “if”.*

What if we were less ignorant, imperious, incoherent, irksome and impetuous, but a little more integrous, inoffensive, instrumental, interpersonal, and ingenious? Would we be less inundated with incessant information security incidents?

What if we were less inept and imprudent with the technology that’s so intertwined with every aspect of our daily lives? Would it even be possible to become impenetrable, impregnable and impervious to interminable attacks?

What if?

If we do more of the right things right, and less of the wrong things wrong, just think how much better off we’d be. The people we serve would be safer, we would be saner, and the world would be a better place!

The keys to making “if” closer to reality are less ignorance and more integrity.

What if we were less ignorant?

Ignorance is the lack of knowledge, understanding, or information about something.

Ignorance runs rampant within our industry and amongst the people we serve. People don’t know what information security is or what their personal responsibilities are.

If we were less ignorant, we’d know what information security is, and we’d know that it cannot be separated from privacy or physical safety. We’d know the importance of information security basics, and we’d practice them religiously.  If we were less ignorant, we’d know how vulnerable we are and we’d demand better of ourselves. We’d know what we’re responsible for and what we should hold others accountable for. If we were less ignorant, we’d think twice before plugging that new sexy gadget into our home network. We’d demand more protection in the products and technologies marketed and sold to us incessantly.

By definition, we’re all ignorant. Nobody knows everything, but this isn’t the issue. The issue is being ignorant of something we shouldn’t be ignorant of.

Is it OK to be ignorant of:

  • computer security best practices if you use a computer?
  • Internet security best practices if you use the Internet?
  • what things are running on your home network if you have a home network?
  • online safety best practices if you have loved ones (kids, spouse, et al.) who are online?
  • the most significant organizational security risks if you’re the leader of the organization?
  • information security basics if you’re in charge of information security?

The answer in all these circumstances is “NO”. It’s NOT OK to be ignorant of things you are responsible for.

In today’s world, we can no longer separate information security from privacy or safety; even personal, physical safety. Everything is integrated. A single information security incident has the potential to expose private information, but even worse, it has the potential to kill someone. The truth is, information security is a life skill that all people should must learn. Everyone has responsibilities, so what are yours?

Accepting ignorance is a default response when people are confronted with something that seems too complex, too confusing, too technical, or too anything. The key to fighting ignorance is simplification and mastering the basics. The basics are boring, the basics aren’t sexy, but despite these things, the basics are absolutely necessary.

So, what are the unsexy basics?

The first basic principle is to define rules for the game.

At Home
  • If you’re the head of your household, you’re the boss and you make the rules. It’s NOT OK to accept ignorance in this role. Learn what good information security behaviors are, lead by example, and expect others to follow. Ultimately, every bit of data that traverses your home network, every website visited by you and your family members, every device you plug in, everything is your responsibility.
  • If you’re not the head of your household, your job is to follow the rules and provide respectful feedback. No rules? Go see the head of your household and help them define the rules.

Go check out S2Me, it’s a FREE and SIMPLE personal information security risk management tool.

At Work
  • If you’re the CEO (or whatever title sits at the top of the org chart), you’re like the head of the household (above) for your organization.
  • If you’re not the CEO, your job is to follow the rules and provide respectful feedback. No rules? Go see the CEO (or his/her assistant) and help them define the rules.

Quick sidenote: This isn’t the article about writing rules for you, but maybe “R” will stand for rules (later).

No rules = chaos, anarchy, confusion, and disorder. There must be rules. You either define the rules and follow them, or you follow them and provide feedback. Now that you’ve read this, you cannot claim ignorance. You have knowledge, and now you must act.

Knowledge without action is negligence.

I’m not a lawyer, so I won’t give legal advice. The generic definition of negligence is “failure to take proper care in doing something”.  Are you negligent if someone suffers because:

  • you don’t know the right thing to do, but you should?
  • you know the right thing to do, but fail to do it?

Ignorance isn’t bliss, it’s breach.

More than once, I’ve heard the comment “ignorance is bliss”. Ignorance for something you shouldn’t be is nothing more than an excuse for laziness and genuinely not giving a sh*t.

What if we were more integrous?

Integrous is the adjective form of integrity.

Integrity is an oft-used word in our industry, and here’s the definition:

  • the quality of being honest and having strong moral principles that you refuse to change
  • someone’s high artistic standards or standards of doing their job, and that person’s determination not to lower those standards:
  • the quality of being whole and complete

Integrity applies to our industry in (at least) two ways; the integrity of data and the integrity of personnel responsible for protecting data.

Integrity of Data

If you’ve been in our industry for any amount of time, you’ve surely heard of the CIA triad. It’s an acronym for a fundamental concept; we protect the Confidentiality, Integrity, and Availability of data. Our “I” in CIA refers to the wholeness, completeness, and accuracy of the data we try to protect.

Simple. It’s important to remember that our job goes beyond making sure data is kept secret; we also need to make sure it’s accurate and available (to those who are authorized to access it).

Integrity of Personnel

On this point, it’s hard not to rant. To keep us honest, we’ll over-simplify.

In our industry, there are the practitioners who work their tails off to protect people, and there are suppliers who make things practitioners use to protect people. Practitioners and suppliers; integrity is paramount to both. A lack of integrity in either is terrible and sad.

Practitioners

The person behind the keyboard is an integral part of any information protection strategy. Their integrity must be rock solid and continually verified. Background checks, character references, solid OSINT, etc., are all encouraged before hiring anyone. Address the questionable things before hiring, and not after you’ve given them the keys to the kingdom. Depending upon your comfort level, sensitivity of the job, etc., questionable things should be questioned, but they don’t always need to be a disqualifier. Giving people the opportunity to address the questionable things from their past might be good, given that people change (hopefully for the better).

Verify integrity constantly. At work, a practitioner shouldn’t mind having his/her activities monitoring continually. They should see the value in it.

Suppliers

What’s worse, an attacker stealing $100,000 from your organization’s bank account or someone selling you security software that doesn’t work, or you can’t use, or you don’t need, or…? They’re both bad and either way you’re out a hundred grand. Stolen (or wasted) money is money your organization can’t use for better things; market expansion, employee benefits, innovation, etc. Suppliers who sell something to a practitioner when they know it’s not the right thing are like wolves in sheep’s clothing; almost worse than an attacker because at least you know the attacker is bad.

There are many suppliers who operate with integrity in our industry, but we must do a better job weeding out the ones who aren’t.

Summary

There you have it. “I” is for “if”. What if we were less ignorant and more integrous? Things would be much better around here.

*NOTE: “If” was inspired by my good friend Chris Roberts. Thanks!

Episode 109 Show Notes – Information Security @ Home

This is Episode 109, and we’re continuing our Information Security @ Home series.

We’re smack dab in the middle of the holiday season. Lots of people are going to receive neat, new electronic gadgets as Christmas gifts. Who doesn’t like cool new gadgets?! Your refrigerator can order milk before you’re out of milk, your dishwasher can send you messages when the dishes are done, your television can remind you it’s time to veg out on the couch for the latest episode of The Undoing, and your doorbell can show you who’s at the door while you’re away. We LOVE gadgets! (even if they end up killing us)

But wait! What about information security? What about privacy? What about safety?

Herein lies some problems. Problems that we (infosec folks) want to help you avoid.

Information security is an afterthought, if it’s ever a thought at all! We continue to connect more devices, install more apps, and stream more things. Home networks become more complex, and most people don’t even know what they’re trying to protect. This is your home network, and it’s your responsibility to use it responsibly. Nobody cares about the protection of you and your family more than you. It’s time to step up and learn some basics before this gets any more out of hand. (it’s already out of hand, but it’s not too late)

So…

In case you didn’t know, we’re less than 16 days from Christmas!

…and less than 23 days left in 2020!

I’m not sure what I’m more excited for at this point, Christmas or 2021. 2020 can suck it. Well, I guess it already has. Here’s to an awesome end to an ______ year!

I’ll (Evan) be leading the discussion this week, and these are my notes.


SHOW NOTES – Episode 109

Date: Wednesday December 9th, 2020

Episode 109 Topics

  • Opening
  • Catching Up
  • Information Security @ Home
    • Picking up where we left off in episode 108
    • Demonstration – The router/firewall
      • Finding your router.
      • Logging into your router.
      • Changing the default password.
      • Poking around a little bit.
    • What’s on your network anyway? You can’t possibly protect the things you don’t know you have.
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey oh! Welcome to episode 109 of the UNSECURITY Podcast. We’re glad you’ve joined us. The date is December 9th, 2020 and I’m your host Evan Francen. Joining me is my pal and co-worker, Brad Nigh. Good morning Brad!

[Brad] Cue Brad.

[Evan] It’s nice to come up for air this morning, and it’s nice to hang out with you man. How you doing?

Quick Catchup

It’s 4th quarter, I’m now a week and a half behind and it’s only getting busier. Hopefully Evan is in a better mood than episode 106.

We’ll discuss a thing or two…

Topics:

Transition

Information Security @ Home

[Evan] Last week, we got into some of the important things we should be doing at home. When I say “we” I mean everybody, security people and non-security people alike. We mentioned that step #1 should be to change the default password on your home router. We talked about it, gave some advice, and pointed people in the right direction. Today, I’d like for you and I to demonstrate how to change a router password and talk about it while we’re doing it. After this, we’ll poke around a little inside the router’s configuration. Once we’re done with that, we can move on to the next task; finding out what’s on your network.

Sound good?

[Brad] Cue Brad.

Begin discussion

Information Security @ Home Discussion

  • Picking up where we left off in episode 108
  • Demonstration – The router/firewall
    • Finding your router.
    • Logging into your router.
    • Changing the default password.
    • Poking around a little bit.
  • What’s on your network anyway?
    • Why is this important?
    • What you should do next…

Transition

[Evan] Alright. Good stuff. Hopefully our listeners learned a thing or two. For those who already knew this stuff, hopefully they’ll share with others.

That’s that. On to some news…

News

[Evan] Crazy stuff going on in this industry. What’s new? Well, here’s a few things that caught our eye this week:

[Evan] That’s a lot of news for one day, and that’s only the tip of the iceberg.

Wrapping Up – Shout outs

[Evan] That’s it for episode 109. Thank you to all our listeners. We dig you. Also, thank you Brad! Who you got a shoutout for today?

[Brad] We’ll see.

[Evan] Next week, we’ll continue the Information Security @ Home discussion. We’ll dig in a little more on identifying system on your home network and talk about patching. In the meantime, send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and this other guy is on Twitter at @BradNigh. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

2020 Holiday Shopping Safety Checklist

Just finished putting together this shopping safety checklist. Share freely and enjoy.

Wishing everyone a SAFE, HEALTHY, and HAPPY holiday season!

Direct download link: https://bit.ly/3qkq5uT

Click to access SecurityStudio_HolidayShoppingChecklist.pdf

Episode 108 Show Notes – Information Security @ Home

NOTE: We’ll be a day late this week, recording on Wednesday. Work stuff and personal stuff, you probably know what it’s like.

It’s time for episode 108 of the UNSECURITY Podcast!

Brad and I (Evan) hope you had a wonderful Thanksgiving (assuming you’re in the U.S.). 2020 is a funky year to say the least. So many things that were “normal” before, aren’t so normal anymore. Despite the craziness of this year, we still found MANY things to be thankful for:

  • Our faith, and knowing that everything is going to be OK (eventually).
  • Our family.
  • Our friends.
  • Our co-workers.
  • Our community (the infosec community and our home community).
  • The people we serve.

While acknowledging that some of us have suffered significant losses this year, there’s always something to be thankful for. If you ever need support in dealing with loss or you’re just struggling, reach out to people around you. Here are some resources you might find helpful:

Love truly heals.

Some of us had a couple days off work last week. Monday we jumped right back in. The emails were still there (and maybe more of them), the projects are still in full swing, reports are still due, etc., etc. Assuming you recovered from the Monday onslaught, here we are! It’s Wednesday, and it’s time for episode 108!

Brad’s back, he’s leading the discussion today, and these are his notes. Welcome back Brad!


SHOW NOTES – Episode 108

Date: Wednesday December 2nd, 2020

Episode 108 Topics

  • Opening
  • Catching Up
    • What’s new?
    • Thanksgiving hangover?
  • Information Security @ Home
    • Picking up where we left off in episode 106
    • Why is this a big deal (personally and for employers)
    • What can we do about it?
    • Intro to what Brad and Evan do.
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Hey there! Thank you for tuning in to this episode the UNSECURITY Podcast. This is episode 108, the date is December 2nd, 2020, and I’m your host, Brad Nigh. Joining me as usual is my good friend and co-worker, Evan Francen. Good morning Evan.

[Evan] Cue Evan.

[Brad] This will be first time I actually get to talk to you about why yesterday was my first day back since 11/17.  I have no idea what you’ve been up to because I was basically totally offline.

Quick Catchup

It’s 4th quarter, I’m now a week and a half behind and it’s only getting busier. Hopefully Evan is in a better mood than episode 106.

We’ll discuss a thing or two…

Topics:

  • 4th quarter is notoriously busy, like VERY busy, for us. Everyone is running at 100% capacity right now, which is good, but also stressful.
  • What’s going on at work? Any cool developments or announcements? Heck yeah there are!
  • Security Sh*t Show – no show last week. It was Thanksgiving!
  • Back to book writing…

Transition

Information Security @ Home

[Brad] Well, we had planned to do this last week, but 2020 won’t stop 2020’ing.

[Brad] We are going to go into more details about some of the things we do, hopefully without giving away too much, to try and help others. I feel like this could end up just about anywhere, so it should be fun!

Begin discussion

Topic Ideas:

  • Picking up where we left off in episode 106
  • Why is this a big deal (personally and for employers)
  • What can we do about it?
  • Intro to what Brad and Evan do.
  • Maybe we’ll show some examples and stuff while we’re here.

Transition

[Brad] Alright. That’s that. On to some news…

News

[Brad] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Brad] That’s it for episode 108. Thank you Evan! Who you got a shoutout for today?

[Evan] We’ll see.

[Brad] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan can be found at @evanfrancen. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!