M is for Money

Fundamentals are critical to the foundation of an information security program (or strategy). Deficiencies in information security fundamentals are analogous to cracks in a fortress foundation. Fortress defenses won’t stand and neither will your information security protection.

The Information Security ABCs are drawn from information security fundamentals. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the fundamentals, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

It’s been too long, but the time has come for the letter “M”.

The magnate’s magnitude of money-motivated myriad manipulation makes mayhem and mess of society’s macrocosm, masqueraded with mentor-less and maladroit management whose malfunctioning mandates manifest in the malefactor’s monopoly.

The letter “M” is for “money”. It shouldn’t be, but it is.

Our Tribe

Last year (2020) we spent an estimated $123,000,000,000 (that’s $123 billion) on “cybersecurity” worldwide. That’s a helluva sum of money, and it begs the question:

  1. What did we get for all this money?
  2. Was (all/some/any of) this money well spent?
  3. Is this too much money, not enough money, or about right?

At a macro level, these questions are nearly impossible to answer objectively. There isn’t uniformity in how we apply or measure information security effectiveness (although we’re working hard to change that) and we don’t have quality data. When we consider estimated losses (to “cybercrime”), maybe we get an indication of how well we’re doing.

According to estimates/predictions from Cybersecurity Ventures, cybercrime will cost us $6,000,000,000,000 (that’s $6 trillion) this year (2021), up from $3 trillion in 2015. The trend doesn’t appear to reverse anytime soon, with 2025’s losses expected to approach $10.5 trillion.

Are we doing this right? Our cybersecurity investments are growing, but our losses are growing faster.

Who’s getting paid?

Simple. The $123 billion goes into our pockets. The $6 trillion goes into the criminals’ pockets.

The Good.

There are many, many good people making a good living in our industry. They’re “good” people because they do their work for the right reasons, to protect others, and to protect information that’s been entrusted to them.

We all get paid in this industry. I get paid, you get paid, our co-workers get paid, our bosses get paid, the companies we work for get paid, etc., etc. Some of us get paid a lot, some of us get paid less. There’s nothing wrong with getting paid. We have bills and people to support (whether it’s just us, our family, etc.).

According to CyberSeek, there are 956,341 people employed in the U.S. “cybersecurity workforce” and nearly a half million job openings. The supply of talent is “very low” and the demand is high. If you believe the numbers, our job prospects should be good for a long time. According to ZipRecruiter, “the Average Cyber Security Salary” is $112,974 per year, ranging from $125,664 in New York to $82,936 in North Carolina.

Again, if we agree with these numbers, the average worker in our industry makes good money. We make twice as much as the average U.S. worker. This is good!

The Bad.

The criminals are expected to steal nearly $6 trillion worldwide in 2021. This is a HUGE number, so let’s try to put this into perspective.

  • The worldwide economy (GDP – nominal) is roughly $94 trillion, so cybercrime is costing about 6.38% of the world’s economy.
  • The global pharmaceutical market is roughly $1.27 trillion. Cybercrime has this number beat by a factor of four.
  • Some estimates put the global drug trade at roughly $450 billion. Not even in the same league as cybercrime.
  • Only the United States ($22 T), European Union ($19.2 T), China ($16.6 T), and Japan ($6.2 T) have economies larger than the cybercrime economy.

Cybercrime is expected to grow by as much as 15% annually. There are (at least) three primary reasons why global cybercrime has gotten (and continues to get) out of hand:

  • Lack of accountability. The lack of accountability when it comes to information security is astounding.
    • There’s very little (if any) accountability for the criminals.
    • There’s no accountability for software companies writing crappy code (as long as we keep buying it, they’ll keep selling it).
    • There’s very little accountability for the CEO who ignores his/her responsibility to protect their company’s assets and customers’ data. Compliance is a joke because we stop once the box is checked. As long as nobody really pays the price, there isn’t much motivation to change. Instead of individuals paying the price, the costs are spread across a wide population through higher fees, higher prices, etc.
  • We like our ignorance. Nobody will admit it, but we must not really care. We have the illusion of care, but we don’t really care. If we did, we would nail the basics. We don’t like the basics because the basics are work. The criminals like that we don’t like the basics because they have less work too. We do less work, they do less work. Maybe that’s the twisted win-win here.
  • We adopt technology much faster than our ability to secure it. We live in an easy button, instant gratification, entitlement world where we lust for new features, blinking lights, and hot gadgets. Every day, we add more and more complexity to our lives, pushing good information security further and further out of reach. Complexity is the worst enemy of security.

The cost of cybercrime seems like a cost we’re willing to accept and it’s definitely a cost we’re going to pay. This doesn’t magically go away, and the endgame is actually pretty scary to think about.

The Ugly.

There are the wolves (the criminals) and there are the wolves in sheep’s clothing (those in our industry who take advantage of others in our industry). There’s a population within our industry who doesn’t give two sh*ts about protecting the innocent, but instead prey on their fear and ignorance. These are the vendors and marketers who will keep selling you crap you don’t need, can’t use, or doesn’t work. Some of these players are very big, and I won’t name names, but you know who they are.

The illogical acceptance of vendor BS:

Vendor: “Buy my thing, you need it.”

Ignorant Victim: “OK, if you say so. It looks cool.”

 

Ignorant Victim: “Hey, I think your thing is making me vulnerable.”

Vendor: “Well you have to patch my thing.”

Ignorant Victim: “But it’s your thing, why do I have to patch it?”

Vendor: “Because when you bought it, the liability became your thing.”

Ignorant Victim: “OK. How often do I need to patch your thing?”

Vendor: “We don’t know, maybe monthly.”

 

Ignorant Victim: “Hey, I don’t think your thing works.”

Vendor: “Oh, that’s because you didn’t configure it right.”

Ignorant Victim: “How do I configure it right?”

Vendor: “You can try reading the manual or you can attend our training. Attending our training is recommended, and it’s only $5,000.”

Ignorant Victim: “OK, so I should pay $5,000 to learn how to use your thing that I paid you for?”

Vendor: “Yep, that’s how it works.”

 

Ignorant Victim: “Hey, a criminal hacked your thing and stole a ton of stuff from us.”

Vendor: “That sucks. Oooh. Looks like you didn’t have our other thing that would protect the first thing from criminals.”

Ignorant Victim: “So I need to buy another thing from you to protect your first thing that was supposed to protect me?”

Vendor: “Yep. Times change and we gotta keep up.”

 

Ignorant Victim: “Hey, me again. Looks like somebody compromised the first thing again, even though we had the second thing.”

Vendor: “Yeah, that’s because we don’t support the first thing anymore. You should have gotten the nextgen first thing.”

Ignorant Victim: “But it seems like the first thing should have done the things that the nextgen thing does now.”

Vendor: “Well, not really. The nextgen thing uses this new proprietary technology that nobody knows about or can explain.”

 

Ignorant Victim: “I don’t think the nextgen thing is serving our needs anymore. It’s really hard to use and I can’t afford the manpower to run it.”

Vendor: “Lucky you! We’ve got a new cloud nextgen managed service thing! You’ll love it.”

Ignorant Victim: “Cool! Do I still need the nextgen first thing and the second thing?”

Vendor: “We can get rid of the nextgen first thing because we moved that to the cloud, but you should keep the second thing. One more thing, we need to add a third thing so we can talk to the cloud through it.”

 

Vendor: “So how you liking this cloud thing? We just released the hypergen version, and I’d like to show it to you. Oh, and by the way you’re still patching the first thing and third thing, right?”

Ignorant Victim: “Patching? Um, yeah, we’re doing that. Tell me more about this hypergen thing.”

 

Vendor: “Oh crap! Our nextgen cloud thing got hit. You suffered because you weren’t in our hypergen thing yet. We’ve added a new feature to the hypergen thing that you’ll need too. It’s super cool, it’s a feature that can think for itself! We call it ‘artificial intelligence’. It’s finally the easy button we’ve all been looking for!”

…and the insanity never ends.

 

Some marketers and vendors in our industry are top notch, but there are far too many who will sell you anything to get your money. They don’t care if it’s the thing you should buy or if it’s a thing you can even use. Just buy it.

Somehow, someday, we need to hold information security product and service vendors accountable for:

  • Making sure their products and/or services do what they say they do. False advertising needs to go.
  • Making sure they don’t sell things that aren’t the right fit. Stop selling customers (or victims) things they can’t use, aren’t ready to use, or shouldn’t use.
  • Making sure they’re held liable for damages caused in full or in part because of their faulty products and/or services.

The truth is, any organization who doesn’t understand and practice information security fundamentals is the PERFECT victim for the criminal AND the wolf in sheep’s clothing. What are the fundamentals? Good you asked.

Information Security Fundamentals

I won’t spend a ton of time on this because we could write a book on this. Wait a second. I did, and so have others.

Briefly…

  1. Roles and responsibilities. Who’s responsible for what and what’s expected of them? Once defined, motivate and hold people accountable.
  2. Asset management. You can’t possibly protect the things you don’t know you have. If asset management seems too complex, it’s probably because your environment is too complex, and something’s out of whack. Assets come in three flavors: hardware, software, and data. You could add “people” as an asset too, but you know, people are hard.
  3. Control. Only now can you determine what controls are adequate. You can’t secure what you can’t control, and there’s lots to do here. Configuration control, access control, change control, etc.
  4. Wrap all this in risk management. Information security IS risk management.

Don’t know what risk management is, or not certain? Make it simple:

  • Assess, Decide, Implement/Do, Assess, Decide, Implement/Do, etc.
    • Risk Assessment – good assessments are objective, measurable, comprehensive, and actionable.
    • Decide – only four choices here: accept the risk, mitigate the risk, transfer the risk, or avoid the risk.
    • Implement/Do – do the work it takes to make the decision a reality.
  • Risk is the likelihood that something bad will happen and the impact if it does. Likelihood and impact are driven by threats and vulnerabilities. (Note: you won’t know your vulnerabilities without asset management.)
  • If we’re talking “information security”, we’re talking about operational/administrative controls, physical controls, and technical controls. This is NOT an IT issue.

In Conclusion

M is for money. Lots of money.

Some people say this is a dog eat dog world. I like dogs. They’re wonderful creatures. Often the difference between what makes a good dog and a bad dog is how they were raised. I believe all dogs were good at the start, but some got stuck with sh!tty owners.

The good dog – The good dog serves others. They’re loyal, selfless, dependable, loving, etc. Most people in our industry are “good dogs”, myself included. We’re in this for the right reasons, and we make money as a reward for the good honest work we do.

The bad dog – The bad dogs serve themselves. They steal, fight, hurt others, etc. The criminals are “bad dogs”, but sadly so are some people in our industry. They make money by taking advantage of others. Most bad dogs know they’re bad, but some lack the self-awareness to know any better.

Be a good dog. Make lots of honest money AND make a positive difference in the lives of the people we serve!

UNSECURITY Episode 133 Show Notes

We’re back with another amazing guest this week! It’s our treat to welcome Gabriel Friedlander from Wizer to the show!

The guests from the last month (or so) have been incredible. There are so many great people in our industry who are in this for the right reasons, primarily to serve other people!

If you missed any of these shows, you can find them here:

This week, episode 133, we’re joined by a really cool guy with a huge heart for serving the underserved, Gabriel Friedlander from Wizer!

A quick introduction to Gabriel and Wizer is in the show notes (below).

This will be a GREAT episode for sure!

NOTE: We’re looking for people from other walks of life to share their perspectives too, especially men and women of color. Let us know at unsecurity@protonmail.com if you have suggestions.

Let’s get to the episode 133 show notes, shall we?


SHOW NOTES – Episode 133 – Tuesday May 25th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 133, and the date is May 25th, 2021. My buddy Brad is here, as usual. Good morning Brad!

[Evan] I’m excited to welcome our guest this week. He’s someone I greatly admire, and a true asset to our community, Gabriel Friedlander from Wizer. Welcome Gabe!

Getting to know Gabriel Friedlander

An open and honest dialog with Gabriel about his background, ObserveIT, Wizer, and whatever else comes up in our conversation.

About Gabe – From His LinkedIn Profile

I founded wizer-training.com in early 2019 with a mission to make basic security awareness training free for everyone. Since then Wizer has been rapidly growing with over 6,000 organizations who signed up for our free training. And in 2020 we partnered with several local counties to offer free Citizen Training. We believe that in this day and age, security awareness should be a basic human skill.

Prior to founding Wizer I was the co-founder of ObserveIT (acquired by Proofpoint), a company specializing in the detection and prevention of insider threats. I am also the co-author of the book, “Insider Threat Program: Your 90-Day Plan”. For more than a decade I have researched insider threat and trained numerous organizations on how to avoid and mitigate the risk it poses.

About Wizer

Did you know the average human attention span is 8 seconds – that’s just 1 second less than a goldfish! So we created training videos to be around 1 min long, entertaining, and to the point. Our goal is to train employees on how to avoid today’s most common cyber attacks and to help create a “Human Firewall”. Since there are officially more mobile devices than people in the world, we made Wizer mobile-friendly so you can access it from anywhere, anytime, with or without sound. Happy learning!

Gabriel didn’t need another job (or necessarily the income) when he started Wizer. He started Wizer because he saw a need, wanted to help, and was looking for something fun to do. At first, everything Wizer did was free, and Gabriel didn’t have a plan for making money. Since then, things have taken off and he’s had a tremendous positive impact on our community.

News

Guessing we’ll use up the entire hour talking to Gabriel. Maybe we’ll cover some news next week.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Gabriel, how do you want people to find you?

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 129 Show Notes

We have another great guest for episode 129, and we’re excited to get his take on things!

Special Guest – Ron Woerner

In this episode of the UNSECURITY Podcast, we’re joined by another good friend of ours, Ron Woerner.

Ron and I (Evan) first met at the RSA Conference last year (2020) after being introduced to each other by Ryan Cloutier, another good friend. Ron is a no nonsense, plain English-speaking information security expert with a heart for helping people from all walks protect themselves better. I love this guy and I’m excited to chat with him on the show!

Things about Ron:

We’re in for a treat in this episode!

Other Guests – Past, Present, and Future
  • Episode 128 Special Guest – Roger Grimes (on 4/20)
  • Episode 129 Special Guest – Ron Woerner (this week)
  • Episode 130 Special Guest – John Strand (on 5/4)
    • Believe it or not, I have never met John in person. Despite running in some of the same circles for many years, this will be the first time I meet him.
    • John also has a laundry list of accomplishments. He’s the Founder and Owner of Black Hills Information Security, Senior Instructor with the SANS Institute, teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Detection for System Administrators. John is the course author for SEC464: Hacker Detection for System Administrators and the co-author for SEC580: Metasploit Kung Fu for Enterprise Pen Testing. He’s also presented at the FBI, NASA, NSA, DefCon, and lots of other places.
  • Episode 131 Special Guest – Chris Roberts (on 5/11)
  • Episode 132 Special Guest – Gabriel Friedlander (on 5/18)

Lots of GREAT conversations with lots of GREAT information security folks!


SHOW NOTES – Episode 129 – Tuesday April 27th, 2021

Recorded Monday April 26th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 129, and the date is April 27th, 2021. Joining me is my good friend, solid partner, and top infosec expert Brad Nigh. Welcome Brad!

Also joining the UNSECURITY Podcast is our special guest, Mr. Ron Woerner! Welcome Ron. It’s an honor to have you on our show!

Introducing Ron Woerner

It’s great to have Ron on our show! He gets information security and he always has an interesting perspective on things.

  • Open Discussion.
  • Top of mind things.
  • Current projects.
  • Current events.

Pretty sure we’ll get to talk about Ron’s talks at RSA, his work/lectures at Bellevue University, social engineering things, information security as a life skill, and other goodies!

News

We’ll probably skip news in this show. Guessing that Brad, Ron, and myself will have no problem filling the entire show with good discussion.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! HUGE thank you to Ron for joining us. If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Ron can be reached on LinkedIn, Twitter (@RonW123), and other places he’ll probably share during the show.

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 128 Show Notes

Oh boy. Chalk last week up as “the lost week”.

I live in a suburb of Minneapolis, Minnesota (MN). The same Minneapolis, MN where George Floyd died last May, sparking civil unrest around the world. The same Minneapolis, MN where the eyes of the world are anxiously awaiting the verdict in the trial of former police officer Derek Chauvin, charged with second-degree murder in George Floyd’s death. The same Minneapolis, MN where Daunte Wright lost his life on April 11th, at the hands of 26-year veteran police officer Kimberly Ann Potter.

Minneapolis seems like ground zero for crazy.

Me being me, I don’t like when things don’t make sense. Despite knowing it’s best to let some things go, I decided to embark on a journey of self reflection and sense-making.

The result?

I learned how I process things. I learned I love people. I learned I’m not crazy. I learned we have significant problems facing our society, and not enough people willing to solve them. Even worse, the leaders we elect to solve problems, selfishly use problems to score popularity points and ignorant votes. If our leaders wanted to solve problems, they would. Simple as that.

More to come, but we have a podcast to do!

Special Guest – Roger Grimes

In this episode of the UNSECURITY Podcast, we’re joined by a good friend, a bona fide information security authority, renowned author (of 12 books), and all around awesome human being, Roger Grimes. This is a man I respect deeply and hold in very high esteem. We are information security kindred spirits in a way, and we’re honored to welcome him on our show!

Things about Roger:

  • LinkedIn Profile – https://www.linkedin.com/in/rogeragrimes/
  • Information technology and/or information security expert since the mid-late 1980s
  • Written more than 1,200 national magazine articles on information security and was the weekly computer security columnist for InfoWorld/CSO magazines from 2005 to 2019
  • His “goal in life is to get more people and companies to use data and the scientific method to improve their computer security.” He goes on to state, “If I leave this world without having made the Internet a safer place for all people to compute, I have failed.” See, my kind of guy!
  • Spent more than 11 years as Microsoft’s Principal Security Architect.
  • Written 12 books (and working on two now), including:
    • Hacking Multifactor Authentication
    • Cryptography Apocalypse
    • A Data-Driven Computer Defense
    • Hacking the Hacker
    • Malicious Mobile Code
    • And more…

Seriously dig this guy, and pumped that he’s joining us this week!

Other Guests Coming

Roger is our first special guest in a series of special guests. We might keep hosting special guests indefinitely. Here’s what’s coming soon:

  • Episode 129 Special Guest – Ron Woerner
    • I met Ron through my good friend Ryan Cloutier, and I’m very grateful for it.
    • Ron has a laundry list of accolades. He’s the CEO and President of Cyber-AAA, Professor of CyberSecurity Studies at Bellevue University, featured speaker at the RSA conference for more than 12 years, and much more.
  • Episode 130 Special Guest – John Strand
    • Believe it or not, I have never met John in person. Despite running in some of the same circles for many years, this will be the first time I meet him.
    • John also has a laundry list of accomplishments. He’s the Founder and Owner of Black Hills Information Security, Senior Instructor with the SANS Institute, teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Detection for System Administrators. John is the course author for SEC464: Hacker Detection for System Administrators and the co-author for SEC580: Metasploit Kung Fu for Enterprise Pen Testing. He’s also presented at the FBI, NASA, NSA, DefCon, and lots of other places.

We’re finalizing details with guests for episode 131 and 132 too. Lots of GREAT conversations to come!

Let’s get right to it, show notes for episode 128 of the UNSECURITY Podcast…


SHOW NOTES – Episode 128 – Tuesday April 20th, 2021

Recorded Friday April 16th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 128, and the date is April 20th, 2021. Joining me is my good friend, great guy, and infosec expert Brad Nigh. Welcome Brad!

Also joining the UNSECURITY Podcast is our special guest, Mr. Roger Grimes! Welcome Roger. It’s an honor to have you on our show!

Introducing Roger Grimes

Some of our listeners may not know Roger. That’s about to change! He has a fascinating information security mind, and we’re all sure to learn some things.

  • Open Discussion.
  • Top of mind things.
  • Current projects.
  • Current events.

Roger and I first met through a friend, Steve Marsden, a few years ago. Almost immediately it became clear that we see information security the same way. Soon after our first conversation, I flew out to see Roger give his talk at the RSA conference and have lunch with him and his wife. It confirmed that he is the “real deal” and I flew on to my next destination immediately after lunch. Since then, we’ve kept in touch, and he even served on SecurityStudio’s board of directors for a time.

This will be a fun conversation, guaranteed!

News

We’ll probably skip news in this show. Guessing that Brad, Roger, and myself will have no problem filling the entire show with good discussion.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Closing – Thank you to all our listeners! HUGE thank you to Roger for joining us. If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Roger, where would you like people to connect with you? (his Twitter handle is @rogeragrimes). Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 126 Show Notes

Here we are, time for another episode of the UNSECURITY Podcast.

I came across another interesting article this week, “15 Cybersecurity Pitfalls and Fixes for SMBs”. I have a heart for underserved markets, and small to mid-sized businesses (SMBs) are certainly an underserved (or poorly served) market.

NOTE: The other underserved markets I’m especially interested in are state/local government, education (higher education & K12), and individual consumers.

This is a perfect time to talk about SMB information security. As we come out of COVID (Lord, I hope we are!), more and more SMBs are getting back on their feet. As they start on this next (or first) chapter of their SMB journey, it’s imperative they take information security seriously and do things right. The last thing anyone (except for attackers) wants is to start building/rebuilding a business with limited resources only to lose everything from an attack.

Looking forward to dissecting this with Brad on this episode!

Let’s get right to it, show notes for episode 126 of the UNSECURITY Podcast…


SHOW NOTES – Episode 126 – Wednesday April 7th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 126, and the date is April 7th, 2021. Joining me is my good friend, great guy, and infosec expert Brad Nigh. Welcome Brad!

Another good show today. We’re gonna talk about this article I came across the other day. The title of the article is “15 Cybersecurity Pitfalls and Fixes for SMBs”.

15 Cybersecurity Pitfalls and Fixes for SMBs

This article features a roundtable discussion between Timur Kovalev, CTO of Untangle, Erich Kron from KnowBe4 and Greg Murphy, CEO of Order. They give their take on what SMBs think about information security, the common mistakes they make, and how to do things better.

As you know, we have no shortage of information security “experts” in our industry. Let’s see if we agree, disagree, and/or have something to add to this discussion.

  1. Think they’re too small to be a target.
  2. Haven’t made a thorough asset inventory assessment.
  3. No network segmentation.
  4. Ignore fundamentals.
  5. Haven’t done a business risk evaluation.
  6. Insecure digital assets.
  7. Don’t know what “normal” activity looks like.
  8. No 2FA.
  9. Misconfigured cloud servers/confusion about move to the cloud.
  10. User security training.
  11. Haven’t evaluated their threat to the supply chain.
  12. Lack of business continuity plan.
  13. Aren’t thinking strategically about asset allocation and budgeting.
  14. Failing to backup.
  15. Lax patching.

NOTE: This is not our list, this is the list from the article.

If you had to pick your 15 most common information security mistakes made by SMBs, what would you pick? This will be a good discussion!

News

As of 9:15AM on 4/5/2021, the number of registered students in the FRSecure CISSP Mentor Program is 5,618!

Three interesting news articles this week:

Wrapping Up – Shout Outs

Good talk. Thank you Brad, and thank you listeners!

Who’s getting shout outs this week?

Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 124 Show Notes

Spring has sprung!

The first day of Spring was Saturday, March 20th. If you’re from Minnesota like Brad and I are, you’re happy about this. Speaking of Brad, he’s back this week!

Let’s get right to it, show notes for episode 124 of the UNSECURITY Podcast…


SHOW NOTES – Episode 124 – Tuesday March 23rd, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 124, and the date is March 23rd, 2021. Back from taking a couple weeks off from the show is my good friend and co-host Brad Nigh. Welcome back Brad!

We’ve got a good show planned for you today. Let’s talk passwords! Yay, right?!

Let’s try to tackle as many common questions about passwords as we can in one show!

Passwords

  • Why do we need passwords?
    • The basics of identity and authentication.
    • A password is proof.
  • What happens when a password is compromised?
  • How are passwords compromised?
    • Caused by you.
      • Disclosed.
      • Weak.
    • Caused by them (someone you shared it with).
  • What’s the risk if a password is compromised?
    • How do we protect against password disclosure?
    • How do we protect against weak passwords?
    • How do we protect against someone else disclosing a password?
  • @SecurityStudio, we just finished a new password strength/score algorithm.
    • Eighteen rules with weights applied according to risk.
    • Length, numbers(only), lowercase(only), uppercase(only), letters(only), letters & numbers(only), known compromise(s), dictionary, dictionary w/simple obfuscation, 80%+ dictionary, 80%+ dictionary w/simple obfuscation, 60%+ dictionary, 60%+ dictionary w/simple obfuscation, doubleword, common numeric sequences, words & numbers appended, and personally common/known things.
  • The average person has how many passwords?
    • How many passwords do you have?
    • How many passwords do Brad and I have?
  • Are passwords secure?
  • Are we stuck with passwords forever?
  • What do we do to protect our passwords?
  • Does anyone like passwords?
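The rule-weighted scoring described above is easier to reason about with code in front of you. The block below is an added illustration written for this post, not SecurityStudio’s algorithm: the rule set, weights, the tiny word list and the “known compromised” set are all constructed assumptions, and “simple obfuscation” is handled by normalizing leet-style substitutions before the dictionary checks. It covers a subset of the rule kinds listed (length, numbers only, lowercase/uppercase/letters only, letters and numbers only, known compromise, dictionary, dictionary with obfuscation, 60%/80% dictionary coverage, doubleword, common numeric sequences, word with numbers appended, and personally known terms).

```python
import re
from dataclasses import dataclass

# Constructed sample data (assumption). A real scorer would load a large word list
# and a breach corpus; these tiny sets exist only so the example runs offline.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "football", "qwerty"}
KNOWN_COMPROMISED = {"password1", "123456", "qwerty", "welcome1"}
COMMON_SEQUENCES = ("1234", "2345", "3456", "4567", "5678", "6789", "0000", "1111")

# Leet-style substitutions that wordlist mangling rules already cover, so they add
# little real strength. Normalizing them lets one dictionary check catch "P@ssw0rd".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


@dataclass
class Finding:
    rule: str      # which rule fired
    penalty: int   # weight (constructed values, roughly ordered by risk)


def _normalize(pw):
    """Lowercase and undo simple obfuscation so dictionary checks see the base word."""
    return pw.lower().translate(LEET)


def dictionary_coverage(pw):
    """Fraction of the (normalized) password covered by the longest dictionary word in it."""
    norm = _normalize(pw)
    best = max((len(w) for w in DICTIONARY if w in norm), default=0)
    return best / len(norm) if norm else 0.0


def analyze(pw, user_terms=()):
    """Return every rule that fires for this password. user_terms are personally
    known things (username, pet, employer) supplied by the caller."""
    findings = []
    lower, norm = pw.lower(), _normalize(pw)

    if len(pw) < 8:
        findings.append(Finding("length_under_8", 40))
    elif len(pw) < 12:
        findings.append(Finding("length_under_12", 15))

    # Character-class rules: one fires at most, from most to least restrictive.
    if pw.isdigit():
        findings.append(Finding("numbers_only", 35))
    elif pw.isalpha():
        if pw.islower():
            findings.append(Finding("lowercase_only", 25))
        elif pw.isupper():
            findings.append(Finding("uppercase_only", 25))
        else:
            findings.append(Finding("letters_only", 15))
    elif pw.isalnum():
        findings.append(Finding("letters_and_numbers_only", 10))

    if lower in KNOWN_COMPROMISED:
        findings.append(Finding("known_compromise", 60))

    # Dictionary rules, strongest match first.
    cov = dictionary_coverage(pw)
    if lower in DICTIONARY:
        findings.append(Finding("dictionary", 40))
    elif norm in DICTIONARY:
        findings.append(Finding("dictionary_obfuscated", 35))
    elif cov >= 0.8:
        findings.append(Finding("dictionary_80pct", 25))
    elif cov >= 0.6:
        findings.append(Finding("dictionary_60pct", 15))

    # Doubleword: the same string repeated, e.g. "dragondragon".
    half = len(lower) // 2
    if len(lower) >= 6 and len(lower) % 2 == 0 and lower[:half] == lower[half:]:
        findings.append(Finding("doubleword", 25))

    if any(seq in pw for seq in COMMON_SEQUENCES):
        findings.append(Finding("common_numeric_sequence", 15))

    # Word with digits appended, e.g. "summer2021".
    m = re.fullmatch(r"([a-z]+)(\d+)", lower)
    if m and m.group(1) in DICTIONARY:
        findings.append(Finding("word_with_numbers_appended", 30))

    if any(t and t.lower() in norm for t in user_terms):
        findings.append(Finding("personal_term", 30))

    return findings


def score(pw, user_terms=()):
    """Start at 100 and subtract the weighted penalties, flooring at 0."""
    return max(0, 100 - sum(f.penalty for f in analyze(pw, user_terms)))


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "Summer2021", "dragondragon", "correct-Horse7batt3ry!"):
        fired = ", ".join(f.rule for f in analyze(candidate)) or "none"
        print(f"{candidate:24} score={score(candidate):3}  rules: {fired}")
```

Because the rules are additive, a password can lose points to several rules at once (a short, digits-only, breached string hits three), which is what “weights applied according to risk” buys you over a single pass/fail check.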

Other Things

  • The latest registration count for the FRSecure CISSP Mentor Program was 4,701 as of yesterday (3/22) morning!
    • The 2021 program kicks off in 20 days.
    • Will we top 5,000 registrations?!
    • What do we like best about the program?
  • New features for S2
    • Nested entities within S2Org.
    • S2Me Instant Score (coming soon).
    • S2PCI (coming next month).
  • What else?

News

Three interesting news articles this week:

(PSST… Want a good list of APT groups and their operations?! – https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#)

Wrapping Up – Shout Outs

Good talk. Thank you Brad, and thank you listeners!

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 123 Show Notes

Happy St. Patrick’s Day! For those of you who aren’t into this holiday (for whatever reason), Happy (everyday) Day!

This has been a week full of great experiences and awesome conversations with wonderful people. It’s the people we serve who inspire us to work as hard as we do. Here’s a small sampling:

  • Daytona Bike Week (last week) – if you’ve never been to a bike rally before, I recommend you try it out someday (even if you don’t ride). There are interesting people from all walks of life and the diversity (backgrounds, race, preferences, thought, etc.) would probably surprise you.
  • Co-workers – discussions about everything from mental health (many of us did the Mental Health First Aid certification course together last week), to life challenges (relationships, family, health, etc.), to work challenges, and everything in between. It’s a blessing (to them and to me) when I stop, listen, and invest in others.
  • Customers/peers – had some check-ins this week with a few enterprise CISOs I call friends. Life as a CISO can be extremely DIFFICULT. It’s encouraging to know people care about me, and I them. CISOs are human beings who need love just like all of us do!
  • Everyday people – we’re all beautifully unique. We are similar in some respects, but there are wonderful things that make me me and you you. We’re a hodge podge of emotions, biases, beliefs, perspectives, and experiences. Rather than fight because you think differently than I do, why don’t I embrace the uniqueness and differences? Why not try to understand them and you better?

We’re not doing this enough in society and we’re not doing this enough in our industry either.

  • Why?
  • Have we lost our respect for other human beings?
  • Have we lost our ability to reason?
  • Are we afraid to share who we really are out of fear? Fear of being marginalized, silenced, and attacked (physically and online)?

I believe people are AMAZING! I believe people are worthy of respect (even if it’s only a little). I believe people should be heard and understood. I believe information security isn’t about information or security as much as it is about people. I believe people are who we serve. I believe we must invest in people more. I believe in understanding people (better). I believe loving people gives us our best chance at doing our (information security) jobs effectively, and I believe loving people gives us our only chance of saving society.

Now on to show notes for episode 123…


SHOW NOTES – Episode 123 – Wednesday March 17th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 123, and the date is March 17th, 2021. Filling in for Brad again this week is my good friend and co-worker Ryan Cloutier. Welcome Ryan, glad to have you back!

  • We’ve got a great show planned today. We’ll start with the importance of reason and logic in information security, our jobs, and in life. There are many parallels between information security (or “cybersecurity” as some people call it) and life.
  • Then, if we have time, we’ll talk about passwords. Everybody hates passwords.
  • We’ll close the show with a few mentions about the FRSecure CISSP Mentor Program and SecurityStudio’s free S2Me (very quickly growing in popularity).
  • Oh yeah, we’ve got a couple news stories too, but whatever.

Reason

  • Have we lost our ability to reason?
  • What is reason anyway?
  • Why is reason (and logic) critical to information security?
  • Why is reason (and logic) critical to risk (all risk)?
  • Why is reason (and logic) critical to life?
  • There are parallels here, like:
    • Information security is risk management.
    • There’s no such thing as risk elimination or infinite risk; they are two different ends of the spectrum.
    • There’s no such thing as 100% reason/logic without emotion or vice versa; two different ends of the spectrum.
    • The goal is management.
  • If we’ve lost our ability to reason, how can we get it back? Or, if we never had the ability to reason, how do we learn it?
    • Ask “Why?” often, almost incessantly, like a three year-old.
    • Ask yourself “Why”.
      • Not in a way that beats yourself up, but in a way that you understand why you’re doing what you’re doing and/or why you believe what you believe.
      • Notice the difference between emotional response and logical response.
      • Learn to use logic and emotion where they are and how they are appropriate. Seems mechanical and awkward at first, but it should become natural/habitual over time.
    • Ask others “Why”.
      • Respectfully out of a desire to understand, and not in a confrontational manner.
      • Learn how to ask without offense. If the person you’re asking takes offense despite your best efforts, that’s on them.
      • Maybe they need help understanding logic versus emotion? Interesting tells about people who are unable or unwilling to use reason or logic to defend a position (or make a point):
        • They change the subject. You asked a question about one thing, and quickly find yourself in a discussion about something different.
        • They attack your character. This is a classic emotional response where the person you’re questioning probably isn’t sure why he/she believes what they do. Don’t take offense, but recognize this tactic for what it is.
    • Encourage others (especially people you trust) to question you.
      • Be prepared to defend why you believe what you believe. If you can’t (with reason), then maybe you should question what you believe.
      • When other people ask you “why”, view it as an opportunity to state your case.
      • When other people ask you “why”, it’s a great opportunity for you to learn (about perspective and reason).

NOTE: We could talk for a long time about Reason, so we might not get to the topic of “Passwords”. If we don’t get to Passwords in this episode, we’ll get to it in episode 124.

Passwords

  • Why do we need them?
  • What makes a password good versus bad?
  • What do we (Ryan and I) do to practice good password behavior? BTW, neither of us is perfect!

NOTE: Regardless of timing, we will discuss “Mentions” in this episode.

Mentions

  • FRSecure CISSP Mentor Program – We’re less than one month away from the start! I think there are more than 4,000 students signed up, so this is going to be AWESOME!
  • S2Me – the FREE SecurityStudio personal risk management tool has been growing very fast (in terms of popularity). Big news happening here, and we’re making a difference!

News

Wrapping Up – Shout Outs

Good talk. Thank you Ryan, and thank you listeners!

…and we’re done.

L is for Layers

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

So, now the beloved letter “L”.

Lethargic Larry’s lackadaisical use of network layers, and his leisurely approach to security let lazy criminals move laterally throughout the lattice, leaving his league of lawyers lamenting the long laborious litigation laid before them from the lye leaked into the lotic.

For the purposes of the Information Security ABCs, “L” is for “Layers”.

To best apply the word “layer” with our definition of “information security”, let’s review both definitions quickly. The word “layer” has several definitions in the English language, and here are two:

  • a thickness of some material laid on or spread over a surface: a layer of soot on the windowsill; two layers of paint.
  • something lying over or under something else; a level or tier: There can be multiple layers of metaphor in a single poem.

You remember our definition of “information security” right? Maybe. Well, in case you forgot, it’s managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

So, what is an “information security layer” or “security layer” for short?

What is a Security Layer?

In the context of information security, we use the term layers to describe the controls, most often preventative controls. A single layer is less strong (or effective) than multiple layers. For multiple layers, we just stack one layer on top of another (logically) to make our security (and protection) stronger. Here’s an analogy:

  • Bullet-resistant glass is constructed using multiple layers of laminated glass. The more layers there are, the more protection we get from the glass. Note, the glass is bullet “resistant” and not bullet “proof”. A projectile that is powerful enough will get through. The point is, the layers make the protection stronger.

  • Attacker-resistant networks are constructed following the same concept, but using multiple layers of network protection (segmentation and isolation, maybe provided by firewalls) instead of multiple layers of laminate glass. The more layers there are, the more protection we get from the network. Like the bullet resistant glass, attacker resistant networks are never attacker “proof”.

Multiple layers make protections stronger; they complement and compensate for each other. Here are a couple more examples:

  • The most common control for authentication is a username and password, a single layer (often referred to as a “factor”). If we add another layer to the authentication, maybe a hardware token (like a YubiKey or RSA SecurID), a biometric (like Face ID), a software token (like Google Authenticator), or a one-time code sent by SMS text, we’ve significantly strengthened the control. We call this multi-factor authentication (MFA), but it’s also multiple layers.
  • A building is protected by exterior controls (walls, windows, doors, etc.). A single layer of protection might be provided by the walls and a single entry door. Once an attacker breaches the door (or wall or window) and gains entry to the building interior, there would be nothing left to stop them from taking anything they wanted or assaulting anyone inside. A simple multi-layer approach might employ additional locked doors between the single exterior entry point and office spaces, between office spaces and mail rooms, between office spaces and data closets, etc., etc.

Layers are important for safety

As one who lives in a cold weather climate, I can assure you that layers are an essential part of staying safe in cold weather. As with all things, having the appropriate number of layers is critical: too many layers and you overheat and struggle to move; not enough layers and you will freeze.

When it comes to using layers in security, the same principle applies: too many layers prevent effective use, and not enough layers lead to unnecessary risk and danger.

Layers are part of defense in depth

We like to use the analogy that security is like an onion. We say this because an onion has many layers and each layer is needed to make a whole onion; in security it is no different. You may need many layers to make the whole security program effective.

Layers are the cornerstone of defense in depth. Defense in depth is a security concept that states security should be implemented in overlapping layers that provide the three elements needed to secure assets (prevention, detection, and response), while seeking to offset the weakness of one security layer by strengthening it with two or more additional layers. This is the #1 reason for using multi-factor authentication (MFA) to strengthen the security of your username and password.

Let’s take a deeper look at the various security layers we encounter most often.

Physical

The physical layer consists of the things you can touch: fences, locked doors, surveillance cameras, mantraps (a room where one door locks behind you before the door in front of you can be opened), security guards, etc. This is the first layer of any security program; all the other layers are ineffective if the systems can be physically accessed by bad actors. Having an appropriate level of physical controls in place is critical to ensuring the rest of the security layers are effective. After all,

“It doesn’t matter if your server runs the greatest security software of all time when someone steals the server.”  

Access Control

The access control layer comes in two forms, physical access and logical access. Both serve the same purpose: to limit access to sensitive systems and data to authorized personnel (approved users only). The most common physical access controls are door locks, and the most common logical access controls are passwords (used in combination with a username).

Access control gives us the ability to restrict and monitor who is accessing what, and physical and logical access controls can have many sublayers. For example, a locked door could have additional layers (controls) of security such as a surveillance camera or security guard. Logical examples include multi-factor authentication (MFA), covered earlier, or performing logical access audits on a periodic basis.

Application

The application security layer is all about providing protection to applications and the data applications use. Security controls on the application layer require additional consideration, as poorly configured security controls can degrade the performance, stability, and overall usability of an application. Inadequate or missing security controls at the application layer present significant risks, such as data loss, data integrity issues, backdoors/malware, additional unauthorized network access and service interruption.

Ransomware, Distributed Denial of Service (DDoS) attacks, SQL injection and cross site scripting are some of the attacks targeted at the application layer.

Taking a multi-layered approach to application security is a best practice. Using a Web Application Firewall (WAF) for web-facing applications, secure web gateway services for Internet access, logging and monitoring of application activities, and training aimed at improving user behaviors are great starting points to consider for a multi-layered approach to application security.

Network

The network layer is responsible for connecting systems together. Systems within an organization are likely to need communication capabilities with each other to operate, and connectivity to the Internet may also be required. This is the layer where a standard firewall lives. You know, that thing we traditionally think of when we talk about cybersecurity (BTW, cybersecurity is not information security. They’re like cousins)?

Think of the network layer as your first chance and last chance; it is your first chance to detect suspicious traffic/behaviors, and it’s your last chance to stop data from leaving your network. The network layer has two directions that must be considered in your protection approach, inbound (sometimes called “ingress”) and outbound (sometimes called “egress”). Controlling and monitoring data and traffic in both directions is critical, although this is contrary to current practice in many organizations.

The Crunchy Shell and Gooey Center

Most networks are secured (poorly) with a “crunchy shell” and “gooey center”. Traditionally, we’ve focused so much on establishing a strong perimeter (“crunchy shell”) that we neglect to account for what happens when an attacker gets through the perimeter. There are few restrictions in place, and we’re left with our “gooey center”. In most networks, once an attacker gets through the perimeter (trivial in many cases), they have free rein to move laterally throughout the network until they find valuable data. Once the attacker finds valuable data, they are rarely restricted in exfiltrating the data because of ineffective egress traffic restrictions.

The two most common mistakes in network security layering include:

  • Too much focus on the perimeter.
  • Too much focus on restricting traffic inbound and no (or very little) focus on traffic outbound.

An important note about the “perimeter”, especially with the explosion of remote work due to COVID-19, is there is no perimeter. At the very least, there are many perimeters. All the more reason for a layered approach.

Some of the tools used to secure the network layer are firewalls, security information and event management (SIEM) tools, network intrusion prevention systems (NIPS), network intrusion detection systems (NIDS), logging and packet capture devices, network-based data loss prevention (DLP), email filtering, and web filtering.

The better the network layer is secured and monitored, the higher your chances of seeing something in time to stop the “something” from being very bad. Some of the controls we use to secure the network layer are physical and some are logical. The best approaches are usually a blend of both. When it comes to securing the network layer, less is more, and more is less.

Whoa, did I just blow your mind?! How can it be both more and less you might ask.

The answer is painfully simple: the more restrictive you are about allowing things on the network that you don’t know the purpose or behavior of, the fewer issues you will have to chase down later. Knowing what something is, why it’s on the network, why it’s important to the business, and how it works/behaves during normal operation is invaluable when it comes to securing the network layer. The better you understand what’s on the network and how it operates, the better your firewall rules, IPS, IDS, WAF, log data, SIEM, and other security controls can be configured. This always results in fewer things to chase and less time elapsed between detection and response.

Remember when it comes to network access Less is More! (concept of least privilege)
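To make the “crunchy shell” problem and the least-privilege alternative concrete, here is an added example (written for this post, not from the original article or any vendor product). It models a zone-based firewall as an ordered rule list with first-match semantics and an implicit default deny, then evaluates the same constructed sample flows against a perimeter-only policy and a segmented, egress-restricted one. Zone names, ports and the flows themselves are assumptions chosen for illustration; the denied-flow list stands in for what you would forward to the SIEM, since logging denies is the detection half of this layer.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str          # zone name or "any"
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"
    comment: str = ""

    def matches(self, f: Flow) -> bool:
        return (self.src_zone in ("any", f.src_zone)
                and self.dst_zone in ("any", f.dst_zone)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


def evaluate(policy, flow):
    """First matching rule wins; anything no rule matches is denied (default deny)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.comment
    return "deny", "default deny (no rule matched)"


# Direction is implied by the zones: "internet" as source is ingress, as destination is egress.

# Weak setting: the classic crunchy shell. Inbound is restricted, but everything
# internal and everything outbound is trusted, so the center is gooey.
PERIMETER_ONLY = [
    Rule("internet", "dmz", "tcp", 443, "allow", "public web"),
    Rule("internet", "any", "any", None, "deny", "block everything else inbound"),
    Rule("any", "any", "any", None, "allow", "trust everything internal and outbound"),
]

# Layered setting: segmented zones, each flow justified by a business need, and no
# catch-all allow. Only the proxy and the resolver may talk to the internet at all.
LAYERED = [
    Rule("internet", "dmz", "tcp", 443, "allow", "public web"),
    Rule("workstations", "servers", "tcp", 443, "allow", "intranet apps"),
    Rule("workstations", "dns", "udp", 53, "allow", "internal resolver"),
    Rule("servers", "dns", "udp", 53, "allow", "internal resolver"),
    Rule("workstations", "proxy", "tcp", 3128, "allow", "web browsing via proxy"),
    Rule("proxy", "internet", "tcp", 443, "allow", "only the proxy reaches the internet"),
    Rule("dns", "internet", "udp", 53, "allow", "resolver forwards to upstream"),
    Rule("servers", "updates", "tcp", 443, "allow", "internal patch mirror"),
]

# Constructed sample flows (assumption): a mix of legitimate traffic and the kinds
# of movement the post describes, lateral spread and data leaving the network.
SAMPLE_FLOWS = {
    "inbound web": Flow("internet", "dmz", "tcp", 443),
    "inbound rdp": Flow("internet", "servers", "tcp", 3389),
    "lateral smb": Flow("workstations", "servers", "tcp", 445),
    "server egress": Flow("servers", "internet", "tcp", 443),
    "dmz to servers ssh": Flow("dmz", "servers", "tcp", 22),
    "workstation dns": Flow("workstations", "dns", "udp", 53),
    "workstation via proxy": Flow("workstations", "proxy", "tcp", 3128),
}


def decisions(policy):
    """Map each sample flow name to the action the policy takes on it."""
    return {name: evaluate(policy, flow)[0] for name, flow in SAMPLE_FLOWS.items()}


def denied_flows(policy):
    """The flows a SIEM would see if every deny were logged: the detection side of the layer."""
    return sorted(name for name, action in decisions(policy).items() if action == "deny")


if __name__ == "__main__":
    for label, policy in (("perimeter only", PERIMETER_ONLY), ("layered", LAYERED)):
        print(f"== {label} ==")
        for name, flow in SAMPLE_FLOWS.items():
            action, why = evaluate(policy, flow)
            print(f"  {name:22} {action:5}  ({why})")
```

The perimeter-only policy denies exactly one of the seven flows, the inbound RDP attempt, and waves through the lateral SMB connection and the server talking directly to the internet. The layered policy passes the same legitimate traffic but denies both of those, and each deny is a log line you can alert on; that is “less is more” in practice.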

While the network layer has traditionally gotten the most attention from security professionals over the years, and is where the concept of perimeter defense is rooted, it is only one of the many layers you need to design and manage an effective information security program.

Host / Platform

The host layer is where virtualization happens and where operating systems live, virtual or not. This is also the layer where computers, servers, Internet of Things (IoT) devices, and all other devices (with a unique IP address) reside. When we discuss this layer in the cloud, as IaaS or otherwise, we refer to it as the platform layer, and there are some distinct differences in how to secure it. Securing this layer comes with the challenge that most devices need to interact with many applications and services hosted locally and remotely. When we consider all the various other layers and systems at play, we must consider virtualization, application stacks, code libraries, 3rd party services, integrations and data movements, security patches, upgrades, cloud services, and on and on.

Adding to the challenge, we must do this while balancing the needs of the business and risk.

The WORST ENEMY of security is complexity; therefore, we must combat complexity at all times. This is a huge challenge when dealing with the (sometimes unreasonable) demands of the business. Using a simplified approach whenever possible, and leveraging a layered approach to information security, will make your life easier and your protections more effective. Believe it or not, the fundamentals are still the most effective security controls out there.

Honorable mentions for “L”

  • Lag
  • LAMP
  • LAN
  • Laptop
  • Laser Printer
  • Latency
  • Lazy Loading
  • LCD
  • LDAP
  • Lead
  • Leaderboard
  • Leading
  • Leaf
  • LED
  • Let
  • Left-Click
  • Leopard
  • LFN
  • LIFO
  • Lightning
  • Link
  • LinkedIn
  • Linux
  • Lion
  • LISTSERV
  • Live Streaming
  • Load Balancing
  • Localhost
  • Log File
  • Log On
  • Logic Error
  • Logic Gate
  • Login
  • Long
  • Loop
  • Lossless
  • Lossy
  • Low-Level Language
  • LPI
  • LTE
  • Lua
  • LUN

So, there it is folks. The letter “L” is for “Layers”.

The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics). APPLY THE BASICS!

On to “M”!

The Burn(out)

If you work in this field (information security) long enough, burnout is something you’re sure to encounter. You will fight against burnout yourself, meet somebody who is on the verge of burnout, or sadly, meet someone who has already burned out.

We work our asses off. The hours are long. The stress is real. Isolation comes with the territory.

If you are on the verge of burning out, please seek help (from me, a colleague, a friend, a counselor, etc.). We need you. We need you to fight beside us. We need your ideas. We need your perspectives. We need your wisdom. We need your support. We need your passion. We need your skill. We have serious information security problems in society. In fact, we’ve created more problems than we’ve solved.

WE NEED YOU FOR THE CREATION AND IMPLEMENTATION OF SOLUTIONS TO SOCIETY’S INFORMATION SECURITY PROBLEMS.

The letter below is hypothetical. It’s not written to anyone in particular or with anyone in mind (except the information security professional). It’s a raw dump of frustrations I’ve heard over the years from my brothers and sisters in arms.


Dear <INSERT NAME OR TITLE>,

I’m tired.

You may not care, but you should. I’m holding shit together while you focus on life. Some of my frustration stems from your view that information security (or “cybersecurity”) isn’t part of life. The truth is, information security IS part of life. It’s a damn life skill!

Before you ask why I’m tired, I’ll tell you. I’m tired because:

  • I work 80+ hours a week to protect you and all that you are responsible for.
  • I’m fighting a fight I cannot win, especially without your help.
  • I’m asking you to help, but you aren’t listening.
  • We’re under relentless attack, but you don’t see it, so you don’t care.
  • You think “it won’t happen to me” and I’m afraid it already has.
  • I’m losing support from my family because they’re sacrificing their time with me while I protect you (and worse, they don’t understand why I’m doing it).
  • You won’t step up and take responsibility for what’s yours.
  • I need you to help me solve problems, but I can’t get you to participate.
  • You think this is my responsibility, but it’s not, it’s yours.
  • I tell you things with honesty and transparency, but I don’t think you trust me.
  • We’re understaffed and underfunded, but you keep telling me to do more with less.
  • I need you to champion this cause, but you do nothing more than tolerate it.
  • I want to teach you about information security, but you are too smart or too busy for education.
  • You don’t see the value in me because I’m nothing more than a cost center to you.
  • You will blame me when things go wrong, but you don’t notice when things seem OK.
  • Your demands for more technology and gadgetry make protecting you harder than it already was.
  • I sit behind a screen all day and my physical health is declining.
  • I deal with the dark shit of this world, mostly alone, and my mental health is at risk too.

Despite all this, believe it or not, I LOVE what I do. I love what I do because I love doing good, fighting against evil, and protecting people like you. It scares me to think of doing anything else for a living. You pay me well, so I’m not complaining about money.

You know this isn’t about money, right?!

My work and passion runs deeper than money. Money provides the means to my cause, but it’s not the cause. I do what I do because I want to make a positive difference in your life and I want you to be healthy. I do this because I care about you, obviously more than I care about myself sometimes. I’m here to serve. I am here to help. I answer the phone when you call. I’m here to respond when things go wrong, even if it means I take the blame.

This is my duty and my promise to you.

Sometimes I ask myself if it’s worth it. Is the frustration worth the reward? Is this all worth it, knowing that I’m destined to fail?

You might be inclined to ask “what do you mean, destined to fail?!”

I’m destined to fail because you ask me (directly or indirectly) to do the impossible, you won’t enable me to succeed even if it were possible, and you have expectations of me that can’t be met.

You ask me to keep you “out of the news,” but I can’t promise you that. No matter what I do, I can’t protect you from all the bad things that can/will happen. I’ve always told you the goal is risk management, and not risk elimination. Risk elimination just isn’t possible.

I don’t want you to take pity on me, and I don’t want any outward acknowledgement. I want you to own what’s yours! I want you to get in this game and play ball. You can delegate all sorts of things to me and others, but you will never be able to absolve yourself of your ultimate responsibility. The wolves in our industry will fool you into thinking they can solve all your problems without your attention or worry, just your money. They can’t. It’s a lie. They prey on your ignorance to mislead you and steal your money, not unlike the attackers we’re trying to fight against in the first place!

All of us need you to step up. We need you to own what’s yours. We need you to lead. Ultimately, the security and safety of all things and people under your control is your responsibility. It’s time to step up before I give up. I’m your best hope, but we’re hopeless without each other.

-Information Security Professional (on the verge of burnout)