UNSECURITY Episode 126 Show Notes

Here we are, time for another episode of the UNSECURITY Podcast.

I came across another interesting article this week, “15 Cybersecurity Pitfalls and Fixes for SMBs“. I have a heart for underserved markets, and small to mid-sized businesses (SMBs) are certainly an underserved (or poorly served) market.

NOTE: The other underserved markets I’m especially interested in are state/local government, education (higher education & K12), and individual consumers.

This is a perfect time to talk about SMB information security. As we come out of COVID (Lord, I hope we are!), more and more SMBs are getting back on their feet. As they start on this next (or first) chapter of their SMB journey, it’s imperative they take information security seriously and do things right. The last thing anyone (except for attackers) wants is to start building/rebuilding a business with limited resources only to lose everything from an attack.

Looking forward to dissecting this with Brad on this episode!

Let’s get right to it, show notes for episode 126 of the UNSECURITY Podcast…


SHOW NOTES – Episode 126 – Wednesday April 7th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 126, and the date is April 7th, 2021. Joining me is my good friend, great guy, and infosec expert Brad Nigh. Welcome Brad!

Another good show today. We’re gonna talk about this article I came across the other day. The title of the article is “15 Cybersecurity Pitfalls and Fixes for SMBs”.

15 Cybersecurity Pitfalls and Fixes for SMBs

This article features a roundtable discussion between Timur Kovalev, CTO of Untangle, Erich Kron from KnowBe4 and Greg Murphy, CEO of Order. They give their take on what SMBs think about information security, the common mistakes they make, and how to do thinks better.

As you know, we have no shortage of information security “experts” in our industry. Let’s see if we agree, disagree, and/or have something to add to this discussion.

  1. Think they’re too small to be a target.
  2. Haven’t made a thorough asset inventory assessment.
  3. No network segmentation.
  4. Ignore fundamentals.
  5. Haven’t done a business risk evaluation.
  6. Insecure digital assets.
  7. Don’t know what “normal” activity looks like.
  8. No 2FA.
  9. Misconfigured cloud servers/confusion about move to the cloud.
  10. User security training.
  11. Haven’t evaluated their threat to the supply chain.
  12. Lack of business continuity plan.
  13. Aren’t thinking strategically about asset allocation and budgeting.
  14. Failing to backup.
  15. Lax patching.

NOTE: This is not our list, this is the list from the article.

If you had to pick your 15 most common information security mistakes made by SMBs, what would you pick? This will be a good discussion!

News

As of 9:15AM on 4/5/2021, the number of registered students in the FRSecure CISSP Mentor Program is 5,618!

Three interesting news articles this week:

Wrapping Up – Shout Outs

Good talk. Thank you Brad, and thank you listeners!

Who’s getting shout outs this week?

Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 124 Show Notes

Spring has sprung!

The first day of Spring was Saturday, March 20th. If you’re from Minnesota like Brad and I are, you’re happy about this. Speaking of Brad, he’s back this week!

Let’s get right to it, show notes for episode 124 of the UNSECURITY Podcast…


SHOW NOTES – Episode 124 – Tuesday March 23rd, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 124, and the date is March 23rd, 2021. Back from taking a couple weeks off from the show is my good friend and co-host Brad Nigh. Welcome back Brad!

We’ve got a good show planned for you today. Let’s talk passwords! Yay, right?!

Let’s try to tackle as many common questions about passwords as we can in one show!

Passwords

  • Why do we need passwords?
    • The basics of identity and authentication.
    • A password is proof.
  • What happens when a password is compromised?
  • How are passwords compromised?
    • Caused by you.
      • Disclosed.
      • Weak.
    • Caused by them (someone you shared it with).
  • What’s the risk is a password is compromised?
    • How do we protect against password disclosure?
    • How do we protect against weak passwords?
    • How do we protect against someone else disclosing a password?
  • @SecurityStudio, we just finished a new password strength/score algorithm.
    • Eighteen rules with weights applied according to risk.
    • Length, numbers(only), lowercase(only), uppercase(only), letters(only), letters & numbers(only), known compromise(s), dictionary, dictionary w/simple obfuscation, 80%+ dictionary, 80%+ dictionary w/simple obfuscation, 60%+ dictionary, 60%+ dictionary w/simple obfuscation, doubleword, common numeric sequences, words & numbers appended, and personally common/known things.
  • The average person has how many passwords?
    • How many passwords do you have?
    • How many passwords to Brad and I have?
  • Are passwords secure?
  • Are we stuck with passwords forever?
  • What do we do to protect our passwords?
  • Does anyone like passwords?

Other Things

  • The latest registration count for the FRSecure CISSP Mentor Program was 4,701 as of yesterday (3/22) morning!
    • The 2021 program kicks off in 20 days.
    • Will we top 5,000 registrations?!
    • What do we like best about the program?
  • New features for S2
    • Nested entities within S2Org.
    • S2Me Instant Score (coming soon).
    • S2PCI (coming next month).
  • What else?

News

Three interesting news articles this week:

(PSST… Want a good list of APT groups and their operations?! – https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#)

Wrapping Up – Shout Outs

Good talk. Thank you Brad, and thank you listeners!

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 123 Show Notes

Happy St. Patrick’s Day! For those of you who aren’t into this holiday (for whatever reason), Happy (everyday) Day!

This has been a week full of great experiences and awesome conversations with wonderful people. It’s the people we serve who inspire us to work as hard as we do. Here’s a small sampling:

  • Daytona Bike Week (last week) – if you’ve never been to a bike rally before, I recommend you try it out someday (even if you don’t ride). There are interesting people from all walks of life and the diversity (backgrounds, race, preferences, thought, etc.) would probably surprise you.
  • Co-workers – discussions about everything from mental health (many of us did the Mental Health First Aid certification course together last week), to life challenges (relationships, family, health, etc.), to work challenges, and everything in between. It’s a blessing (to them and to me) when I stop, listen, and invest in others.
  • Customers/peers – had some check-ins this week with a few enterprise CISOs I call friends. Life as a CISO can be extremely DIFFICULT. It’s encouraging to know people care about me, and I them. CISOs are human beings who need love just like all of us do!
  • Everyday people – we’re all beautifully unique. We are similar in some respects, but there are wonderful things that make me me and you you. We’re a hodge podge of emotions, biases, beliefs, perspectives, and experiences. Rather than fight because you think differently than I do, why don’t I embrace the uniqueness and differences? Why not try to understand them and you better?

We’re not doing this enough in society and we’re not doing this enough in our industry either.

    • Why?
    • Have we lost our respect for other human beings?
    • Have we lost our ability to reason?
    • Are we afraid to share who we really are out of fear? Fear of being marginalized, silenced, and attacked (physically and online)?

I believe people are AMAZING! I believe people are worthy of respect (even if it’s only a little). I believe people should be heard and understood. I believe information security isn’t about information or security as much as it is about people. I believe people are who we serve. I believe we must invest in people more. I believe in understanding people (better). I believe loving people gives us our best chance at doing our (information security) jobs effectively, and I believe loving people gives us our only chance of saving society.

Now on to show notes for episode 123…


SHOW NOTES – Episode 123 – Wednesday March 17th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 123, and the date is March 17th, 2021. Filling in for Brad again this week if my good friend and co-worker Ryan Cloutier. Welcome Ryan, glad to have you back!

  • We’ve got a great show planned today. We’ll start with the importance of reason and logic in information security, our jobs, and in life. There are many parallels between information security (or “cybersecurity” as some people call it) and life.
  • Then, if we have time, we’ll talk about passwords. Everybody hates passwords.
  • We’ll close the show with a few mentions; about the FRSecure CISSP Mentor Program and SecurityStudio’s free S2Me (very quickly growing in popularity).
  • Oh yeah, we’ve got a couple news stories too, but whatever.

Reason

  • Have we lost our ability to reason?
  • What is reason anyway?
  • Why is reason (and logic) critical to information security?
  • Why is reason (and logic) critical to risk (all risk)?
  • Why is reason (and logic) critical to life?
  • There are parallels here, like:
    • Information security is risk management.
    • There’s no such thing as risk elimination or infinite risk; they are two different ends of the spectrum.
    • There’s no such think as 100% reason/logic without emotion or vice versa; two different ends of the spectrum.
    • The goal is management.
  • If we’ve lost our ability to reason, how can we get it back? Or, if we never had the ability to reason, how do we learn it?
    • Ask “Why?” often, almost incessantly, like a three year-old.
    • Ask yourself “Why”.
      • Not in a way that beats yourself up, but in a way that you understand why you’re doing what you’re doing and/or why you believe what you believe.
      • Notice the difference between emotional response and logical response.
      • Learn to use logic and emotion where they are and how they are appropriate. Seems mechanical and awkward at first, but it should become natural/habitual over time.
    • Ask others “Why”.
      • Respectfully out of a desire to understand, and not in a confrontational manner.
      • Learn how to ask without offense. If the person your asking takes offense despite your best efforts, that’s on them.
      • Maybe they need help understanding logic versus emotion? Interesting tells about people who are unable or unwilling to use reason or logic to defend a position (or make a point):
        • They change the subject. You asked a question about one thing, and quickly find yourself in a discussion about something different.
        • They attack your character. This is a classic emotional response where the person you’re questioning probably isn’t sure why he/she believes what they do. Don’t take offense, but recognize this tactic for what it is.
    • Encourage others (especially people you trust) to question you.
      • Be prepared to defend why you believe what you believe. If you can’t (with reason), then maybe you should question what you believe.
      • When other people ask you “why”, view it as an opportunity to state your case.
      • When other people ask you “why”, it’s a great opportunity for you to learn (about perspective and reason).

NOTE: We could talk for a long time about Reason, so we might not get to the topic of “Passwords”. If we don’t get to Passwords in this episode, we’ll get to it in episode 124.

Passwords

  • Why do we need them?
  • What makes a password good versus bad?
  • What do we (Ryan and I) do to practice good password behavior? BTW, neither of us is perfect!

NOTE: Regardless of timing, we will discuss “Mentions” in this episode.

Mentions

  • FRSecure CISSP Mentor Program – We’re less than one month away from the start! I think there are more than 4,000 students signed up, so this is going to be AWESOME!
  • S2Me – the FREE SecurityStudio personal risk management tool has been growing very fast (in terms of popularity). Big news happening here, and we’re making a difference!

News

Wrapping Up – Shout Outs

Good talk. Thank you Ryan, and thank you listeners!

…and we’re done.

L is for Layers

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

So, now the beloved letter “L”.

Lethargic Larry’s lackadaisical use of network layers, and his leisurely approach to security let lazy criminals move laterally throughout the lattice, leaving his league of lawyers lamenting the long laborious litigation laid before them from the lye leaked into the lotic.

For the purposes of the Information Security ABCs, “L” is for “Layers”.

To best apply the word “layer” with our definition of “information security”, let’s review both definitions quick. The word “layer” has several definitions in the English language, and here are two:

  • a thickness of some material laid on or spread over a surface: a layer of soot on the windowsill; two layers of paint.
  • something lying over or under something else; a level or tier: There can be multiple layers of metaphor in a single poem.

You remember our definition of “information security” right? Maybe. Well, in case you forgot, it’s managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

So, what is an “information security layer” or “security layer” for short?

What is a Security Layer?

In the context of information security, we use the term layers to describe the controls, most often preventative controls. A single layer is less strong (or effective) than multiple layers. For multiple layers, we just stack one layer on top of another (logically) to make our security (and protection) stronger. Here’s an analogy:

  • Bullet-resistant glass is constructed using multiple layers of laminated glass. The more layers there are, the more protection we get from the glass. Note, the glass is bullet “resistant” and not bullet “proof”. A projectile that is powerful enough, will get through. The point is, the layers make the protection stronger.

  • Attacker-resistant networks are constructed following the same concept, but using multiple layers of network protection (segmentation and isolation, maybe provided by firewalls) instead of multiple layers of laminate glass. The more layers there are, the more protection we get from the network. Like the bullet resistant glass, attacker resistant networks are never attacker “proof”.

Multiple layers make protections stronger, they compliment and compensate for each other. Here are a couple more examples:

  • The most common control for authentication is a username and password, a single layer (or often referred to as “factor”). If we add another layer to the authentication, maybe a hardware token (like YubiKey or RSA SecureID), a biometic (like Face ID), or a software token (like Google Authenticator or SMS text), we’ve significantly strengthened the control. We call this multi-factor authentication (MFA), but it’s also multiple layers.
  • A building is protected by exterior controls (walls, windows, doors, etc.). A single layer of protection might be provided by the walls and a single entry door. Once an attacker breaches the door (or wall or window) and gains entry to the building interior, there would be nothing left to stop them from taking anything they wanted or assaulting anyone inside. A simple multi-layer approach might employ additional locked doors between the single exterior entry point and office spaces, between office spaces and mail rooms, between office spaces and data closets, etc., etc.

Layers are important for safety

As one who lives in a cold weather climate, I can assure you that layers are an essential part of staying safe in cold weather. As with all things, having the appropriate number of layers is critical, too many layers and you overheat and struggle to move, not enough layers and you will freeze.

When it comes to using layers in security the same principal applies, too many layers prevents effective use and not enough layers leads to unnecessary risk and danger.

Layers are part of defense in depth

We like to use the analogy that security is like an onion, we say this because an onion has many layers and each layer is needed to make a whole onion, in security it is no different. You may need many layers to make the whole security program effective.

Layers are the cornerstone of defense in depth, defense in depth is a security concept that states; security should be implemented in overlapping layers that provide the three elements needed to secure assets, prevention, detection and response, while seeking to offset the weakness of one security layer by strengthening it with two or more additional layers. This is the #1 reason for using Multi Factor Authentication (MFA) to strengthen the security of your username and password.

Let’s take a deeper look at the various security layers, we encounter most often.

Physical

The physical layer consists of the things you can touch, fences, locked doors, surveillance cameras, man in the middle traps (a room that one door locks behind you before the door in front of you can be opened) security guards, etc. This is the fist layer of any security program; all the other layers are ineffective if the systems can be physically accessed by bad actors. Having an appropriate level of physical controls in place is critical to ensuring the rest of the security layers are effective. After all,

“It doesn’t matter if your server runs the greatest security software of all time when someone steals the server.”  

Access Control

The access control layer comes in two forms physical access and logical access, both serve the same purpose, to limit access to sensitive systems and data to authorized personnel (approved users only). The most common physical access controls are door locks, and the most common logical access controls are passwords (used in combination with a username).

Access control gives us the ability to restrict and monitor who is accessing what, and physical and logical access controls can have many sublayers. For example a locked door could have additional layers (controls) of security such as a surveillance camera or security guard. Logical examples include multi-factor authentication (MFA) covered earlier, or performing logical access audits on a periodic basis.

Application

The application security layer is all about providing protection to applications and the data applications use. Security controls on the application layer require additional consideration, as poorly configured security controls can degrade the performance, stability, and overall usability of an application. Inadequate or missing security controls at the application layer present significant risks, such as data loss, data integrity issues, backdoors/malware, additional unauthorized network access and service interruption.

Ransomware, Distributed Denial of Service (DDoS) attacks, SQL injection and cross site scripting are some of the attacks targeted at the application layer.

Taking a multi-layered approach to application security is a best practice. Using a Web Application Firewall (WAF) for web facing applications, secure web gateway services for Internet access, logging and monitoring of application activities and training aimed at improving user behaviors are a great starting points to consider for a multi-layered approach to application security.

Network

The network layer is responsible for connecting systems together. Systems within an organization are likely to need communication capabilities with each other to operate, and connectivity to the Internet may also be required. This is the layer where a standard firewall lives. You know, that thing we traditionally think of when we talk about cybersecurity (BTW, cybersecurity is not information security. They’re like cousins)?

Think of the network layer as your first chance and last chance; it is your first chance to detect suspicious traffic/behaviors, and it’s your last chance to stop data from leaving your network. The network layer has two directions that must be considered in your protection approach, inbound (sometimes called “ingress”) and outbound (sometimes called “egress”). Controlling and monitoring data and traffic in both directions are critical, although this contrary to current practice in many organizations.

The Crunch Shell and Gooey Center

Most networks are secured (poorly) with a “crunchy shell” and “gooey center”. Traditionally, we’ve focused so much on establishing a strong perimeter (“crunchy shell”) that we neglect to account for what happens when an attacker get’s through the perimeter. There are few restrictions in place, and we’re left with our “gooey center”. In most networks, once an attacker gets through the perimeter (trivial in many cases), they have free reign to move laterally throughout the network until they find valuable data. Once the attacker finds valuable data, they are rarely restricted in exfiltrating the data because of ineffective egress traffic restrictions.

The two most common mistakes in network security layering include:

  • Too much focus on the perimeter.
  • Too much focus on restricting traffic inbound and no (or very little) focus on traffic outbound.

An important note about the “perimeter”, especially with the explosion of remote work due to COVID-19, is there is no perimeter. At the very least, there are many perimeters. All the more reason for a layered approach.

Some of the tools used to secure the network layer are firewalls, security incident and event management (SIEM) tools, network intrusion prevention systems (NIPS), network intrusion detection systems (NIDS), logging and packet capture devices, network-based data loss prevention (DLP), email filtering, and web filtering.

The better the network layer is secured and monitored the higher the your chances of seeing something in time to stop the “something” from being very bad. Some of the controls we use to secure the network layer are physical and some are logical. The best approaches are usually a blend of both. When it comes to the securing the network layer, less is more and, more is less.

Whoa, did I just blow your mind?! How can it be both more and less you might ask.

The answer is painfully simple, the more restrictive you are with what you allow on the network without the knowledge of what it does or why, the less issues you will have to chase down later. Knowing what something is, why it’s on the network, why it’s important to the business and how it works/behaves during normal operation are invaluable when it comes to securing the network layer. The better you understand what’s on the network and how it operates the better your firewall rules, IPS, IDS, WAF, log data, SIEM and other security controls can be configured. This always results in less things to chase and less time elapsed between detection and response.

Remember when it comes to network access Less is More! (concept of least privilege)

While the network layer has traditionally gotten the most attention from security professionals over the years, and is where the concept of perimeter defense is rooted, it is only one of the many layers you need to design and manage an effective information security program.

Host / Platform

The host layer is where virtualization happens and where operating systems live, virtual or not. This is also the layer that computers/servers/Internet of Things (IoT) and all other devices (with a unique IP address) reside. When we discuss this layer, in the cloud as IaaS or other, we refer to it as the platform layer and there are some distinct differences in how to secure it. Securing this layer comes with the challenge that most devices need to interact with many applications and services hosted locally and remotely. When we consider all the various other layers and systems at play, we must consider virtualization, application stacks, code libraries, 3rd party services, integrations and data movements, security patches, upgrades, cloud services and on and on.

Adding to the challenge, we must do this while balancing the needs of the business and risk.

The WORST ENEMY of security is complexity; therefore, we must combat complexity at all times. This is a huge challenge when dealing with the (sometime unreasonable) demands of the business. Using a simplified approach whenever possible, and leveraging a layered approach to information security will make your life easier and your protections more effective. Believe it or not, the fundamentals are still the most effective security controls out there.

Honorable mentions for “L”

  • Lag
  • LAMP
  • LAN
  • Laptop
  • Laser Printer
  • Latency
  • Lazy Loading
  • LCD
  • LDAP
  • Lead
  • Leaderboard
  • Leading
  • Leaf
  • LED
  • Let
  • Left-Click
  • Leopard
  • LFN
  • LIFO
  • Lightning
  • Link
  • LinkedIn
  • Linux
  • Lion
  • LISTSERV
  • Live Streaming
  • Load Balancing
  • Localhost
  • Log File
  • Log On
  • Logic Error
  • Logic Gate
  • Login
  • Long
  • Loop
  • Lossless
  • Lossy
  • Low-Level Language
  • LPI
  • LTE
  • Lua
  • LUN

So, there it is folks. The letter “L” is for “Layers”.

The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics). APPLY THE BASICS!

On to “M”!

The Burn(out)

If you work in this field (information security) long enough, burn out is something you’re sure to encounter. You will fight against burn out yourself, meet somebody who is on the verge of burn out, or sadly, meet someone who has already burned out.

We work our asses off. The hours are long. The stress is real. Isolation comes with the territory.

If you are on the verge of burning out, please seek help (from me, a colleague, a friend, a counselor, etc.). We need you. We need you to fight beside us. We need your ideas. We need your perspectives. We need your wisdom. We need your support. We need your passion. We need your skill. We have serious information security problems in society. In fact, we’ve created more problems than we’ve solved.

WE NEED YOU FOR THE CREATION AND IMPLEMENTATION OF SOLUTIONS TO SOCIETY’S INFORMATION SECURITY PROBLEMS.

The letter below is hypothetical. It’s not written to anyone in particular or with anyone in mind (except the information security professional). It’s a raw dump of frustrations I’ve heard over the years from my brothers and sisters in arms.


Dear <INSERT NAME OR TITLE>,

I’m tired.

You may not care, but you should. I’m holding shit together while you focus on life. Some of my frustration stems from your view that information security (or “cybersecurity”) isn’t part of life. The truth is, information security IS part of life. It’s a damn life skill!

Before you ask why I’m tired, I’ll tell you. I’m tired because:

  • I work 80+ hours a week to protect you and all that you are responsible for.
  • I’m fighting a fight I cannot win, especially without your help.
  • I’m asking you to help, but you aren’t listening.
  • We’re under relentless attack, but you don’t see it, so you don’t care.
  • You think “it won’t happen to me” and I’m afraid it already has.
  • I’m losing support from my family because they’re sacrificing their time with me while I protect you (and worse, they don’t understand why I’m doing it).
  • You won’t step up and take responsibility for what’s yours.
  • I need you to help me solve problems, but I can’t get you to participate.
  • You think this is my responsibility, but it’s not, it’s yours.
  • I tell you things with honesty and transparency, but I don’t think you trust me.
  • We’re understaffed and underfunded, but you keep telling me to do more with less.
  • I need you to champion this cause, but you do nothing more than tolerate it.
  • I want to teach you about information security, but you are too smart or too busy for education.
  • You don’t see the value in me because I’m nothing more than a cost center to you.
  • You will blame me when things go wrong, but you don’t notice when things seem OK.
  • Your demands for more technology and gadgetry makes protecting you harder than it already was.
  • I sit behind a screen all day and my physical health is declining.
  • I deal with the dark shit of this world, mostly alone, and my mental health is at risk too.

Despite all this, believe it or not, I LOVE what I do. I love what I do because I love doing good, fighting against evil, and protecting people like you. It scares me to think of doing anything else for a living. You pay me well, so I’m not complaining about money.

You know this isn’t about money, right?!

My work and passion runs deeper than money. Money provides the means to my cause, but it’s not the cause. I do what I do because I want to make a positive difference in your life and I want you to be healthy. I do this because I care about you, obviously more than I care about myself sometimes. I’m here to serve. I am here to help. I answer the phone when you call. I’m here to respond when things go wrong, even if it means I take the blame.

This is my duty and my promise to you.

Sometimes I ask myself if it’s worth it. Is the frustration worth the reward? Is this all worth it, knowing that I’m destined to fail?

You might be inclined to ask “what do you mean, destined to fail?!”

I’m destined to fail because you ask me (directly or indirectly) to do the impossible, you won’t enable me to succeed even it were possible, and you have expectations of me that can’t be met

You ask me to keep you “out of the news,” but I can’t promise you that. No matter what I do, I can’t protect you from all the bad things that can/will happen. I’ve always told you the goal is risk management, and not risk elimination. Risk elimination just isn’t possible.

I don’t want you to take pity on me, and I don’t want any outward acknowledgement. I want you to own what’s yours! I want you to get in this game and play ball. You can delegate all sorts of things to me and others, but you will never be able to absolve yourself of your ultimate responsibility. The wolves in our industry will fool you into thinking they can solve all your problems without your attention or worry, just your money. They can’t. It’s a lie. They prey on your ignorance to mislead you and steal your money, not unlike the attackers we’re trying to fight against in the first place!

All of us need you to step up. We need you to own what’s yours. We need you to lead. Ultimately, the security and safety of all things and people under your control is your responsibility. It’s time to step up before I give up. I’m your best hope, but we’re hopeless without each other.

-Information Security Professional (on the verge of burnout)

K is for Key

In kindergarten (or thereabouts) we learned the ABCs of the English language (assuming we’re from the U.S.). Learning the ABCs provided the foundation necessary to form words. Before long, words became sentences, sentences became paragraphs, and paragraphs became chapters, reports and books.

The ABCs of Information Security are important in much the same way the ABCs for English are. We start with learning and mastering basic concepts. Basic concepts begin to combine with other basic concepts to form the foundation of an information security program. In time, advanced techniques are applied on top of the solid foundation, and a world class information security program is born.

The Information Security ABCs are written as education for people who don’t speak information securitynese yet, and they’re good reminders for people who already speak information securitynese fluently.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

And here we are, ready for “K”. “K” doesn’t get much respect in the English language, appearing with a frequency of only 1.1% (compared to “E” and its 11.16%). All letters deserve respect, and “K” can brag that it isn’t as lonely as poor “Q” (.196%).

Some alliteration…

Our kindhearted kin are kayoed, watching their kingdom go kaput while losing the kitty to knave knuckleheads, all because they didn’t know key concepts, built knotty networks, and failed to kindle interest from kleptocratic leaders.

For the purposes of the Information Security ABCs, “K” is for “Key”.

The word “key” has many applications in information security. It’s one of a few words that fit across the spectrum of what information security is:

Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

There are physical keys, logical (or technical) keys, and all the “other” keys.

Physical Keys

Physical keys are used to open physical locks. Physical locks are used to secure physical things. Physical “things” might be a locker, a door, a window, a safe, or any number of other “things”. Don’t confuse physical key locks with other physical locks. Combination locks and keypad locks aren’t physical key locks, but they have keys too. The key in these locks is the combination.

Confused? Don’t be. Here are the most common types of physical key locks.

Types of Keyed Locks

IMPORTANT: Every physical key lock is susceptible to compromise (picking, bumping, impressioning, etc.), but some are much harder than others to bypass.

  • Pin cylinder (or pin tumbler) locks – a lock with pins that must be aligned with a shear line to turn the cylinder (open the lock). The key is specifically shaped to lift the pins to align with the shear line. The number of pins in these locks vary, but the most common are 5 and 6-pin locks.

  • Lever (or lever tumbler) locks – the key lifts each of the levers to the exact height required to move the locking bolt. The most common lever lock is one with three levers, but you’ll need a five-lever lock (or more) to get home insurance in many cases.

  • Wafer (or wafer tumbler) locks – like the pin tumbler lock but uses flat wafers instead of pins.

  • Warded locks – obstructions are used within the lock to prevent anything but the correct key to turn. One of the oldest lock designs, and only used in low security applications today.

  • Disc detainer (or disc tumbler) locks – uses slotted rotating rings where the slots must be aligned to unlock. Harder to pick and sometimes sold as “high security” locks.

Keys open locks. Simple, right?

Again, don’t forget that ALL physical locks susceptible to picking or bypass. Here’s a look at a couple of pick sets.

Logical Keys

Logical keys are very commonly used to protect assets too. The three most widely used references to logical keys in information security are:

  • Secret Key – this often refers to a type of cryptography (“secret-key” encryption, or algorithm) and the key itself. Secret-key encryption is also referred to as symmetric encryption (not to confuse anyone). In this type of encryption, the same key (secret key) is used to encrypt and decrypt data. The key can take the form of a simple password, a passphrase, or any other combination of bits/bytes. Popular symmetric-key algorithms include AES (Rijndael), Twofish, DES, 3DES RC4, and others.
  • Public Key – this term refers to a type of encryption and the key itself too. Public-key cryptography is also referred to as asymmetric cryptography because one key is used to encrypt the data and a separate (but related) key is used to decrypt the data. If the public key is used to encrypt, only the private key can decrypt, and vice versa. The public key is often freely distributed while the private key is kept, you guessed it, private. Common asymmetric-key algorithms include RSA, Diffie-Hellman (key exchange), Elliptic Curve Cryptography, and others.
  • Private Key – private keys are paired with public keys in asymmetric encryption algorithms. These are sometimes referred to as secret keys, but not the same secret keys as those used in symmetric encryption (because we like to reuse words and confuse people I guess).

It’s common to use asymmetric encryption to establish communications and exchange secret keys, then use symmetric encryption to exchange data. This is because symmetric encryption is stronger (per bit of key length) and faster.

Other Uses of “Key”

The word key and security (and information security) are like second cousins. They’re different but related to each other. The image of a key (or padlock with keyhole) is often used symbolically to reference information security, like the graphic below.

Then there are information security “key” concepts, like:

  • Information security is risk management.
  • Information security protects the confidentiality, integrity, and availability of information.
  • Information security is a business issue, not an IT issue.
  • You can’t prevent all bad things from happening (eliminate risk), so you must have something in place to detect the bad things and something in place to respond appropriately too.
  • And many, many more…

More use of the word “key”:

  • Key Chain
  • Key Distribution Center (KDC)
  • Key Escrow
  • Key Fob
  • Key Generator (Keygen)
  • Key Length
  • Key Performance Indicators (KPI)
  • Key Risk Indicators (KRI)
  • Key Value Store
  • Key-Value Pair (KVP)
  • Keyboard
  • Keyboard Buffer
  • Keyboard Macro
  • Keyboard Shortcut
  • Keycap
  • Keygen
  • Keylogger
  • Keypad
  • Keystroke
  • Keystroke Logger
  • Keyword
  • Keyword Stuffing

So, there you go. The letter “K” is for “Key”. The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics).

On to “L”!

J is for Jaded

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

And now for “J”.

One is justified in their joy and jubilation from the judicious and just protection of information.

The jibes, jeers, judgement, and jitteriness of losing to jackanapes along our journey through the jargon, jabberwocky, jactitation, jostling and jackassery of our juvenile industry makes us justifiably jaded.

There you have it.

“J” is for Jaded

We’re not all jaded all the time, but too many of us jaded too often.

Feeling jaded seems to come with the territory. As someone who works in this industry, sometimes it feels like we’re fighting a fight that can’t be won, we’re losing ground, and that life has given us the short end of the stick. Given enough time in this industry, you’ll either become jaded or you’ve fought hard against becoming so.

If you’ve done something so much that it doesn’t excite you anymore but just leaves you tired, consider yourself jaded. If someone says you look a little jaded, it just means that you look tired.

https://www.vocabulary.com/dictionary/jaded

The formal definition of “jaded”, courtesy of George Merriam and Noah Webster (not really, these two are long gone and Merriam Webster, Inc. was acquired by Encyclopedia Britannica, Inc. in 1964):

  1. Fatigued by overwork : EXHAUSTED
  2. Made dull, apathetic, or cynical by experience or by having or seeing too much of something.

Being fatigued, exhausted, overworked, dull, apathetic, and cynical are not things we should aspire to.

Jaded is Bad

There is nothing good about being jaded. People who are jaded are live a sad life, or at the very least, a life with less joy than there should be.

Here’s what Dr. Stephen Diamond (a clinical and forensic psychologist) has to say about jaded people:

bitter, jaded people tend to project a self-righteous attitude suggesting they’re justified in feeling resentment. They’re often bored and cynical. They observe and criticize more often than they participate. Because they believe they’ve been burned, they no longer have the trust necessary to build solid, positive relationships. They believe the world is unfair and freely express their impatience and anger. They no longer expect success, but don’t accept responsibility for their failures; instead, they blame others. They’re almost always irritable and frequently express annoyance in most situations.

The highlighted words represent traits that are too common with people in our industry, some of these people we know personally, and maybe one of those people is you.

Jaded people often lash out at others. Bitter sarcasm and criticism are hallmarks. They often feel like they’re victims of what they perceive as injustice. The injustice leads to resentment, anger, and general unhappiness. Jaded people are more likely to suffer from burnout, mental health issues (depression, anxiety, et al.), broken relationships, and chemical dependency (self-medication).

Again, think about people we know in our industry; the people we fight alongside every day. There are people we know personally who have a self-righteous attitude, criticize more than they should, and have lost patience with “dumb users” and/or “incompetent management”. Dialogs such as these are examples:

US: “We need to educate our users and constantly make them aware of information security dangers.”

JADED US: “Why waste our time or money? They don’t get it and they never will. They just keep clicking on links and choosing sh*tty passwords.”

OR:

US: “Let’s figure out a better way to communicate with executive management and the board. If they understood better, we’d be able to secure the budget we need.”

JADED US: “What’s the use? Management doesn’t give two sh*ts about information security!”

Someone who’s jaded has given up, lost hope, and just exists to exist. They’re debilitated and they’re debilitating to the people around them. Someone who isn’t jaded, is still fighting the good fight.  They’re relaxed, rested, energetic, and active. Jaded people have a negative impact. People who aren’t jaded make a positive difference, creatively solving problems and hoping for better outcomes. The truth is, jaded people hurt themselves and others. People who aren’t jaded help themselves and others.

Jaded people hurt themselves and others.

Jaded people are NOT bad people. Please don’t make this mistake. Often, they are good people who care(d) deeply about something. They care(d) so much, they took it personal and suffer(ed) for it.

To simple? Maybe, but the point is this; we need to do everything we can to avoid becoming jaded.

But how?

Start with a simple and honest self-evaluation; are you jaded? If you’re not sure, ask someone close to you. Then decide:

  • If you’re jaded, choose to come back or not.
  • If you’re not jaded, learn how to keep yourself from becoming jaded or not.

The mindset and skills are the same either way.

People who work in our industry often (or always) find our work stressful. When we become jaded, we negatively impact our quality of life and become much less effective in our work. Back to our definition of the word; jaded people are fatigued by being overworked and/or made dull, apathetic, or cynical by experience. Being jaded is not acceptable to me, and it shouldn’t be acceptable to you either. So, let’s do something about it.

Fatigued, Overworked, and Exhausted

People who work in our industry are some of the most passionate, motivated, and intelligent people anywhere in the world. We’re unique and we’re amazing! The passion pushes us to work our tails off, mostly without appreciation beyond our paycheck (we do get paid well though). Some of us work 50, 60, 70+ hour weeks, forgo vacations, and sleep much less than we should. Our passion will work against us when/if we’re not in balance. The constant hard-driving workload can lead to fatigue and exhaustion. Eventually, something has to give.

To make matters worse, it doesn’t matter how many hours we put in, security incidents are inevitable. No matter what we do, we cannot prevent all bad things from happening. When the bad thing happens, then “they” notice; the appreciation we longed for becomes condemnation. Nobody cares about the 1,000s of hours we put in, often while others weren’t watching. They want to know why the bad thing happened and who’s to blame.

Feeling any injustice? Oh, how we need tools to fight against becoming jaded! So, what to do?

Priorities

Somewhere along the line, we might get our priorities messed up. Our job is a job. We do it as well as we can, but we must recognize that work is not life. Work is part of life, but it is NOT life. Good priorities might look something like this:

  1. Faith
  2. Spouse (if you’ve got one)
  3. Family
  4. Work
  5. Friends

Notice how “self” isn’t listed? Self supersedes all priorities. Self-preservation is primal.

You could switch #4 (Work) on the list with #5 (Friends) and still be OK. Regardless, work is NOT in the top three. Bad priorities look like this:

  1. Work
  2. Fame
  3. Money
  4. Spouse
  5. Work
  6. Family
  7. Work
  8. Friends

The first list lends itself to health, the second list lends itself to becoming fatigued, overworked, and exhausted. Couple messed up priorities with the nature of our work; guaranteed failure (if failure is defined as preventing all bad things), and you have a recipe for becoming jaded.

Health (Spiritual, Mental, and Physical)

All health requires maintenance. If we’re not maintaining our health, we can expect it to fail (eventually) and we can expect it to suck.

This isn’t the place or time to preach Jesus to you, but we all need a spiritual “higher power”. This is the place we go when the world doesn’t make sense, and we all know the world doesn’t make any damn sense, right?! If you need help finding a spiritual advisor, reach out to a close personal friend for guidance. If you don’t have a close personal friend to trust for this guidance, you get my advice; seek Jesus! That’s all the preaching you’ll get (for now).

According to the National Institute of Mental Health, nearly one in five U.S. adults live with a mental illness (51.5 million people in 2019), and less than half (44.8% or 23.0 million people in 2019) received mental health services. Think about these numbers for a second. Due to the nature of what we do and the stress related to it, the percentages for us are probably worse than the U.S. population. Most of us rely VERY heavily on our minds, and if our minds our broken, then what? If you need help, or think you might need help, here are some great resources to check out (DO NOT IGNORE THIS):

It’s easy to overlook our physical health, but we can’t. Most of us sit for hours on end at a computer keyboard. This is not healthy. We must get up, get out, exercise more, and eat healthier. There’s nothing glamorous about dying of a heart attack while reverse engineering a piece of code.

Our health has a direct impact upon being jaded. The more unhealthy we are, the more likely we are to become jaded. The inverse is also true.

Dull, Apathetic, and Cynical

The second part to our definition of “jaded” is being dull, apathetic, and cynical by experience or by having or seeing too much of something.

Seriously, how many times have we:

  • Seen someone click a link they shouldn’t have?
  • Witnessed someone fall for a phishing attack after we’ve taught them a kajillion times not to?
  • Read about a breach that should have been prevented?
  • Told people to master the basics, only to see them NOT compile/maintain an asset inventory?
  • Shaken our heads at dumb mistakes people (including “we”) make?
  • Beat our heads against the wall trying to get management to give a sh*t?

After a while, shouldn’t we just give up? What’s the use? People keep doing dumb things and making crappy decisions. Aren’t we tired of it yet?!

Spoken like someone who’s jaded.

Maybe it’s not them. Maybe it’s us.

Expectations

Maybe we’re jaded because we have too many or the wrong expectations. We’re less likely to become jaded when things go well, when we experience things that are good (or exceed our expectations). It’s not like we’d say:

  • “Dammit, Jane in accounting picked a great password again!”, or
  • “Life would be so much better if Joe would just click links without thinking more often.”, or
  • “It just sucks when management always gives us the budget we need for information security.”

Absolutely not. Some (or a lot) of our jadedness comes from being disappointed. We’re setting the wrong or unrealistic expectations, leading to disappointment, leading to frustration, leading to becoming jaded. We think expectations are good, but they’re often not.

What did we expect in the first place? Did we actually expect humans to NOT be human? Did we expect management to treat information security like it was THE issue versus AN issue? Did we expect people to listen to us when we don’t speak their language? Did we expect to not have breaches? Did we expect such a thing as risk elimination, or did we realize this is actually about risk management?

If we set any expectation, we should expect to be disappointed if we have expectations. Expect disappointment, and if it happens often and long enough, it WILL lead to frustration. Frustration is the last step in the path to becoming jaded. This is the “jade cycle” (simplified), see diagram.

The math: (-e + e2) = -d + -j, where e is expectations, e2 is better expectations, d is disappointment and j is jadedness. Essentially, fewer expectations and better expectations = less disappointment and less jadedness. Living life without expectations is NOT the goal, living a life with fewer and more realistic expectations is the goal.

NOTE: The exception is computers and other logical, binary things. We can always expect computers to do what we tell them to do. Care must be taken with emotional and non-binary (analog) things like human beings.

Summary

Beware and be aware of jadedness in yourself and others in our industry. It makes us less effective and it steals our joy. If you need help, ask for it. Being jaded is more common than many of us realize, and it does nothing to help our cause. The cause being better information security, and through it, better lives.

This is no honorable mention for “J” because it’s a letter we don’t use enough. 😉

Next up, “K”. What are some good relevant words for this letter?

I is for If

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

Now for “I”…

“I” is for “if”.*

What if we were less ignorant, imperious, incoherent, irksome and impetuous, but a little more integrous, inoffensive, instrumental, interpersonal, and ingenious? Would we be less inundated with incessant information security incidents?

What if we were less inept and imprudent with the technology that’s so intertwined with every aspect of our daily lives? Would it even be possible to become impenetrable, impregnable and impervious to interminable attacks?

What if?

If we do more of the right things right, and less of the wrong things wrong, just think how much better off we’d be. The people we serve would be safer, we would be saner, and the world would be a better place!

The keys to making “if” closer to reality are less ignorance and more integrity.

What if we were less ignorant?

Ignorance is the lack of knowledge, understanding, or information about something.

Ignorance runs rampant within our industry and amongst the people we serve. People don’t know what information security is or what their personal responsibilities are.

If we were less ignorant, we’d know what information security is, and we’d know that it cannot be separated from privacy or physical safety. We’d know the importance of information security basics, and we’d practice them religiously.  If we were less ignorant, we’d know how vulnerable we are and we’d demand better of ourselves. We’d know what we’re responsible for and what we should hold others accountable for. If we were less ignorant, we’d think twice before plugging that new sexy gadget into our home network. We’d demand more protection in the products and technologies marketed and sold to us incessantly.

By definition, we’re all ignorant. Nobody knows everything, but this isn’t the issue. The issue is being ignorant of something we shouldn’t be ignorant of.

Is it OK to be ignorant of:

  • computer security best practices if you use a computer?
  • Internet security best practices if you use the Internet?
  • what things are running on your home network if you have a home network?
  • online safety best practices if you have loved ones (kids, spouse, et al.) who are online?
  • the most significant organizational security risks if you’re the leader of the organization?
  • information security basics if you’re in charge of information security?

The answer in all these circumstances is “NO”. It’s NOT OK to be ignorant of things you are responsible for.

In today’s world, we can no longer separate information security from privacy or safety; even personal, physical safety. Everything is integrated. A single information security incident has the potential to expose private information, but even worse, it has the potential to kill someone. The truth is, information security is a life skill that all people should must learn. Everyone has responsibilities, so what are yours?

Accepting ignorance is a default response when people are confronted with something that seems too complex, too confusing, too technical, or too anything. The key to fighting ignorance is simplification and mastering the basics. The basics are boring, the basics aren’t sexy, but despite these things, the basics are absolutely necessary.

So, what are the unsexy basics?

The first basic principle is to define rules for the game.

At Home
  • If you’re the head of your household, you’re the boss and you make the rules. It’s NOT OK to accept ignorance in this role. Learn what good information security behaviors are, lead by example, and expect others to follow. Ultimately, every bit of data that traverses your home network, every website visited by you and your family members, every device you plug in, everything is your responsibility.
  • If you’re not the head of your household, your job is to follow the rules and provide respectful feedback. No rules? Go see the head of your household and help them define the rules.

Go check out S2Me, it’s a FREE and SIMPLE personal information security risk management tool.

At Work
  • If you’re the CEO (or whatever title sits at the top of the org chart), you’re like the head of the household (above) for your organization.
  • If you’re not the CEO, your job is to follow the rules and provide respectful feedback. No rules? Go see the CEO (or his/her assistant) and help them define the rules.

Quick sidenote: This isn’t the article about writing rules for you, but maybe “R” will stand for rules (later).

No rules = chaos, anarchy, confusion, and disorder. There must be rules. You either define the rules and follow them, or you follow them and provide feedback. Now that you’ve read this, you cannot claim ignorance. You have knowledge, and now you must act.

Knowledge without action is negligence.

I’m not a lawyer, so I won’t give legal advice. The generic definition of negligence is “failure to take proper care in doing something”.  Are you negligent if someone suffers because:

  • you don’t know the right thing to do, but you should?
  • you know the right thing to do, but fail to do it?

Ignorance isn’t bliss, it’s breach.

More than once, I’ve heard the comment “ignorance is bliss”. Ignorance for something you shouldn’t be is nothing more than an excuse for laziness and genuinely not giving a sh*t.

What if we were more integrous?

Integrous is the adjective form of integrity.

Integrity is an oft-used word in our industry, and here’s the definition:

  • the quality of being honest and having strong moral principles that you refuse to change
  • someone’s high artistic standards or standards of doing their job, and that person’s determination not to lower those standards:
  • the quality of being whole and complete

Integrity applies to our industry in (at least) two ways; the integrity of data and the integrity of personnel responsible for protecting data.

Integrity of Data

If you’ve been in our industry for any amount of time, you’ve surely heard of the CIA triad. It’s an acronym for a fundamental concept; we protect the Confidentiality, Integrity, and Availability of data. Our “I” in CIA refers to the wholeness, completeness, and accuracy of the data we try to protect.

Simple. It’s important to remember that our job goes beyond making sure data is kept secret; we also need to make sure it’s accurate and available (to those who are authorized to access it).

Integrity of Personnel

On this point, it’s hard not to rant. To keep us honest, we’ll over-simplify.

In our industry, there are the practitioners who work their tails off to protect people, and there are suppliers who make things practitioners use to protect people. Practitioners and suppliers; integrity is paramount to both. A lack of integrity in either is terrible and sad.

Practitioners

The person behind the keyboard is an integral part of any information protection strategy. Their integrity must be rock solid and continually verified. Background checks, character references, solid OSINT, etc., are all encouraged before hiring anyone. Address the questionable things before hiring, and not after you’ve given them the keys to the kingdom. Depending upon your comfort level, sensitivity of the job, etc., questionable things should be questioned, but they don’t always need to be a disqualifier. Giving people the opportunity to address the questionable things from their past might be good, given that people change (hopefully for the better).

Verify integrity constantly. At work, a practitioner shouldn’t mind having his/her activities monitoring continually. They should see the value in it.

Suppliers

What’s worse, an attacker stealing $100,000 from your organization’s bank account or someone selling you security software that doesn’t work, or you can’t use, or you don’t need, or…? They’re both bad and either way you’re out a hundred grand. Stolen (or wasted) money is money your organization can’t use for better things; market expansion, employee benefits, innovation, etc. Suppliers who sell something to a practitioner when they know it’s not the right thing are like wolves in sheep’s clothing; almost worse than an attacker because at least you know the attacker is bad.

There are many suppliers who operate with integrity in our industry, but we must do a better job weeding out the ones who aren’t.

Summary

There you have it. “I” is for “if”. What if we were less ignorant and more integrous? Things would be much better around here.

*NOTE: “If” was inspired by my good friend Chris Roberts. Thanks!

2020 Holiday Shopping Safety Checklist

Just finished putting together this shopping safety checklist. Share freely and enjoy.

Wishing everyone a SAFE, HEALTHY, and HAPPY holiday season!

Direct download link: https://bit.ly/3qkq5uT

Click to access SecurityStudio_HolidayShoppingChecklist.pdf