J is for Jaded

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

And now for “J”.

One is justified in their joy and jubilation from the judicious and just protection of information.

The jibes, jeers, judgement, and jitteriness of losing to jackanapes along our journey through the jargon, jabberwocky, jactitation, jostling and jackassery of our juvenile industry makes us justifiably jaded.

There you have it.

“J” is for Jaded

We’re not all jaded all the time, but too many of us are jaded too often.

Feeling jaded seems to come with the territory. As someone who works in this industry, sometimes it feels like we’re fighting a fight that can’t be won, we’re losing ground, and that life has given us the short end of the stick. Given enough time in this industry, you’ll either become jaded or you’ve fought hard against becoming so.

If you’ve done something so much that it doesn’t excite you anymore but just leaves you tired, consider yourself jaded. If someone says you look a little jaded, it just means that you look tired.

https://www.vocabulary.com/dictionary/jaded

The formal definition of “jaded”, courtesy of George Merriam and Noah Webster (not really, these two are long gone and Merriam Webster, Inc. was acquired by Encyclopedia Britannica, Inc. in 1964):

  1. Fatigued by overwork : EXHAUSTED
  2. Made dull, apathetic, or cynical by experience or by having or seeing too much of something.

Being fatigued, exhausted, overworked, dull, apathetic, and cynical are not things we should aspire to.

Jaded is Bad

There is nothing good about being jaded. People who are jaded live a sad life, or at the very least, a life with less joy than there should be.

Here’s what Dr. Stephen Diamond (a clinical and forensic psychologist) has to say about jaded people:

bitter, jaded people tend to project a self-righteous attitude suggesting they’re justified in feeling resentment. They’re often bored and cynical. They observe and criticize more often than they participate. Because they believe they’ve been burned, they no longer have the trust necessary to build solid, positive relationships. They believe the world is unfair and freely express their impatience and anger. They no longer expect success, but don’t accept responsibility for their failures; instead, they blame others. They’re almost always irritable and frequently express annoyance in most situations.

The traits in that description are too common among people in our industry. Some of these people we know personally, and maybe one of them is you.

Jaded people often lash out at others. Bitter sarcasm and criticism are hallmarks. They often feel like they’re victims of what they perceive as injustice. The injustice leads to resentment, anger, and general unhappiness. Jaded people are more likely to suffer from burnout, mental health issues (depression, anxiety, et al.), broken relationships, and chemical dependency (self-medication).

Again, think about people we know in our industry; the people we fight alongside every day. There are people we know personally who have a self-righteous attitude, criticize more than they should, and have lost patience with “dumb users” and/or “incompetent management”. Dialogs such as these are examples:

US: “We need to educate our users and constantly make them aware of information security dangers.”

JADED US: “Why waste our time or money? They don’t get it and they never will. They just keep clicking on links and choosing sh*tty passwords.”

OR:

US: “Let’s figure out a better way to communicate with executive management and the board. If they understood better, we’d be able to secure the budget we need.”

JADED US: “What’s the use? Management doesn’t give two sh*ts about information security!”

Someone who’s jaded has given up, lost hope, and just exists to exist. They’re debilitated and they’re debilitating to the people around them. Someone who isn’t jaded is still fighting the good fight. They’re relaxed, rested, energetic, and active. Jaded people have a negative impact. People who aren’t jaded make a positive difference, creatively solving problems and hoping for better outcomes. The truth is, jaded people hurt themselves and others. People who aren’t jaded help themselves and others.

Jaded people hurt themselves and others.

Jaded people are NOT bad people. Please don’t make this mistake. Often, they are good people who care(d) deeply about something. They care(d) so much, they took it personal and suffer(ed) for it.

Too simple? Maybe, but the point is this: we need to do everything we can to avoid becoming jaded.

But how?

Start with a simple and honest self-evaluation; are you jaded? If you’re not sure, ask someone close to you. Then decide:

  • If you’re jaded, choose whether to come back.
  • If you’re not jaded, choose whether to learn how to keep yourself from becoming so.

The mindset and skills are the same either way.

People who work in our industry often (or always) find our work stressful. When we become jaded, we negatively impact our quality of life and become much less effective in our work. Back to our definition of the word; jaded people are fatigued by being overworked and/or made dull, apathetic, or cynical by experience. Being jaded is not acceptable to me, and it shouldn’t be acceptable to you either. So, let’s do something about it.

Fatigued, Overworked, and Exhausted

People who work in our industry are some of the most passionate, motivated, and intelligent people anywhere in the world. We’re unique and we’re amazing! The passion pushes us to work our tails off, mostly without appreciation beyond our paycheck (we do get paid well though). Some of us work 50, 60, 70+ hour weeks, forgo vacations, and sleep much less than we should. Our passion will work against us when/if we’re not in balance. The constant hard-driving workload can lead to fatigue and exhaustion. Eventually, something has to give.

To make matters worse, it doesn’t matter how many hours we put in, security incidents are inevitable. No matter what we do, we cannot prevent all bad things from happening. When the bad thing happens, then “they” notice; the appreciation we longed for becomes condemnation. Nobody cares about the thousands of hours we put in, often while others weren’t watching. They want to know why the bad thing happened and who’s to blame.

Feeling any injustice? Oh, how we need tools to fight against becoming jaded! So, what to do?

Priorities

Somewhere along the line, we might get our priorities messed up. Our job is a job. We do it as well as we can, but we must recognize that work is not life. Work is part of life, but it is NOT life. Good priorities might look something like this:

  1. Faith
  2. Spouse (if you’ve got one)
  3. Family
  4. Work
  5. Friends

Notice how “self” isn’t listed? Self supersedes all priorities. Self-preservation is primal.

You could switch #4 (Work) on the list with #5 (Friends) and still be OK. Regardless, work is NOT in the top three. Bad priorities look like this:

  1. Work
  2. Fame
  3. Money
  4. Spouse
  5. Work
  6. Family
  7. Work
  8. Friends

The first list lends itself to health, the second list lends itself to becoming fatigued, overworked, and exhausted. Couple messed up priorities with the nature of our work; guaranteed failure (if failure is defined as preventing all bad things), and you have a recipe for becoming jaded.

Health (Spiritual, Mental, and Physical)

All health requires maintenance. If we’re not maintaining our health, we can expect it to fail (eventually) and we can expect it to suck.

This isn’t the place or time to preach Jesus to you, but we all need a spiritual “higher power”. This is the place we go when the world doesn’t make sense, and we all know the world doesn’t make any damn sense, right?! If you need help finding a spiritual advisor, reach out to a close personal friend for guidance. If you don’t have a close personal friend to trust for this guidance, you get my advice; seek Jesus! That’s all the preaching you’ll get (for now).

According to the National Institute of Mental Health, nearly one in five U.S. adults live with a mental illness (51.5 million people in 2019), and less than half (44.8%, or 23.0 million people in 2019) received mental health services. Think about these numbers for a second. Due to the nature of what we do and the stress related to it, the percentages for us are probably worse than for the U.S. population as a whole. Most of us rely VERY heavily on our minds, and if our minds are broken, then what? If you need help, or think you might need help, here are some great resources to check out (DO NOT IGNORE THIS):

It’s easy to overlook our physical health, but we can’t. Most of us sit for hours on end at a computer keyboard. This is not healthy. We must get up, get out, exercise more, and eat healthier. There’s nothing glamorous about dying of a heart attack while reverse engineering a piece of code.

Our health has a direct impact upon being jaded. The more unhealthy we are, the more likely we are to become jaded. The inverse is also true.

Dull, Apathetic, and Cynical

The second part to our definition of “jaded” is being dull, apathetic, and cynical by experience or by having or seeing too much of something.

Seriously, how many times have we:

  • Seen someone click a link they shouldn’t have?
  • Witnessed someone fall for a phishing attack after we’ve taught them a kajillion times not to?
  • Read about a breach that should have been prevented?
  • Told people to master the basics, only to see them NOT compile/maintain an asset inventory?
  • Shaken our heads at dumb mistakes people (including “we”) make?
  • Beat our heads against the wall trying to get management to give a sh*t?

After a while, shouldn’t we just give up? What’s the use? People keep doing dumb things and making crappy decisions. Aren’t we tired of it yet?!

Spoken like someone who’s jaded.

Maybe it’s not them. Maybe it’s us.

Expectations

Maybe we’re jaded because we have too many or the wrong expectations. We’re less likely to become jaded when things go well, when we experience things that are good (or exceed our expectations). It’s not like we’d say:

  • “Dammit, Jane in accounting picked a great password again!”, or
  • “Life would be so much better if Joe would just click links without thinking more often.”, or
  • “It just sucks when management always gives us the budget we need for information security.”

Absolutely not. Some (or a lot) of our jadedness comes from being disappointed. We’re setting the wrong or unrealistic expectations, leading to disappointment, leading to frustration, leading to becoming jaded. We think expectations are good, but they’re often not.

What did we expect in the first place? Did we actually expect humans to NOT be human? Did we expect management to treat information security like it was THE issue versus AN issue? Did we expect people to listen to us when we don’t speak their language? Did we expect to not have breaches? Did we expect such a thing as risk elimination, or did we realize this is actually about risk management?

If we set expectations, we should expect to be disappointed. If disappointment happens often enough and long enough, it WILL lead to frustration. Frustration is the last step on the path to becoming jaded. This is the “jade cycle” (simplified); see diagram.

The math: (-e + e2) = -d + -j, where e is expectations, e2 is better expectations, d is disappointment and j is jadedness. Essentially, fewer expectations and better expectations = less disappointment and less jadedness. Living life without expectations is NOT the goal, living a life with fewer and more realistic expectations is the goal.

NOTE: The exception is computers and other logical, binary things. We can always expect computers to do exactly what we tell them to do (which is not always what we meant). Care must be taken with emotional and non-binary (analog) things like human beings.

Summary

Beware and be aware of jadedness in yourself and others in our industry. It makes us less effective and it steals our joy. If you need help, ask for it. Being jaded is more common than many of us realize, and it does nothing to help our cause. The cause being better information security, and through it, better lives.

There is no honorable mention for “J” because it’s a letter we don’t use enough. 😉

Next up, “K”. What are some good relevant words for this letter?

I is for If

The ABCs of Information Security

Now for “I”…

“I” is for “if”.*

What if we were less ignorant, imperious, incoherent, irksome and impetuous, but a little more integrous, inoffensive, instrumental, interpersonal, and ingenious? Would we be less inundated with incessant information security incidents?

What if we were less inept and imprudent with the technology that’s so intertwined with every aspect of our daily lives? Would it even be possible to become impenetrable, impregnable and impervious to interminable attacks?

What if?

If we do more of the right things right, and less of the wrong things wrong, just think how much better off we’d be. The people we serve would be safer, we would be saner, and the world would be a better place!

The keys to making “if” closer to reality are less ignorance and more integrity.

What if we were less ignorant?

Ignorance is the lack of knowledge, understanding, or information about something.

Ignorance runs rampant within our industry and amongst the people we serve. People don’t know what information security is or what their personal responsibilities are.

If we were less ignorant, we’d know what information security is, and we’d know that it cannot be separated from privacy or physical safety. We’d know the importance of information security basics, and we’d practice them religiously. If we were less ignorant, we’d know how vulnerable we are and we’d demand better of ourselves. We’d know what we’re responsible for and what we should hold others accountable for. If we were less ignorant, we’d think twice before plugging that new sexy gadget into our home network. We’d demand more protection in the products and technologies marketed and sold to us incessantly.

By definition, we’re all ignorant. Nobody knows everything, but this isn’t the issue. The issue is being ignorant of something we shouldn’t be ignorant of.

Is it OK to be ignorant of:

  • computer security best practices if you use a computer?
  • Internet security best practices if you use the Internet?
  • what things are running on your home network if you have a home network?
  • online safety best practices if you have loved ones (kids, spouse, et al.) who are online?
  • the most significant organizational security risks if you’re the leader of the organization?
  • information security basics if you’re in charge of information security?

The answer in all these circumstances is “NO”. It’s NOT OK to be ignorant of things you are responsible for.

In today’s world, we can no longer separate information security from privacy or safety; even personal, physical safety. Everything is integrated. A single information security incident has the potential to expose private information, but even worse, it has the potential to kill someone. The truth is, information security is a life skill that all people must learn. Everyone has responsibilities, so what are yours?

Accepting ignorance is a default response when people are confronted with something that seems too complex, too confusing, too technical, or too anything. The key to fighting ignorance is simplification and mastering the basics. The basics are boring, the basics aren’t sexy, but despite these things, the basics are absolutely necessary.

So, what are the unsexy basics?

The first basic principle is to define rules for the game.

At Home
  • If you’re the head of your household, you’re the boss and you make the rules. It’s NOT OK to accept ignorance in this role. Learn what good information security behaviors are, lead by example, and expect others to follow. Ultimately, every bit of data that traverses your home network, every website visited by you and your family members, every device you plug in, everything is your responsibility.
  • If you’re not the head of your household, your job is to follow the rules and provide respectful feedback. No rules? Go see the head of your household and help them define the rules.

Go check out S2Me, it’s a FREE and SIMPLE personal information security risk management tool.

At Work
  • If you’re the CEO (or whatever title sits at the top of the org chart), you’re like the head of the household (above) for your organization.
  • If you’re not the CEO, your job is to follow the rules and provide respectful feedback. No rules? Go see the CEO (or his/her assistant) and help them define the rules.

Quick sidenote: This isn’t the article about writing rules for you, but maybe “R” will stand for rules (later).

No rules = chaos, anarchy, confusion, and disorder. There must be rules. You either define the rules and follow them, or you follow them and provide feedback. Now that you’ve read this, you cannot claim ignorance. You have knowledge, and now you must act.

Knowledge without action is negligence.

I’m not a lawyer, so I won’t give legal advice. The generic definition of negligence is “failure to take proper care in doing something”. Are you negligent if someone suffers because:

  • you don’t know the right thing to do, but you should?
  • you know the right thing to do, but fail to do it?

Ignorance isn’t bliss, it’s breach.

More than once, I’ve heard the comment “ignorance is bliss”. Ignorance of something you shouldn’t be ignorant of is nothing more than an excuse for laziness and genuinely not giving a sh*t.

What if we were more integrous?

Integrous is the adjective form of integrity.

Integrity is an oft-used word in our industry, and here’s the definition:

  • the quality of being honest and having strong moral principles that you refuse to change
  • someone’s high artistic standards or standards of doing their job, and that person’s determination not to lower those standards
  • the quality of being whole and complete

Integrity applies to our industry in (at least) two ways; the integrity of data and the integrity of personnel responsible for protecting data.

Integrity of Data

If you’ve been in our industry for any amount of time, you’ve surely heard of the CIA triad. It’s an acronym for a fundamental concept; we protect the Confidentiality, Integrity, and Availability of data. Our “I” in CIA refers to the wholeness, completeness, and accuracy of the data we try to protect.

Simple. It’s important to remember that our job goes beyond making sure data is kept secret; we also need to make sure it’s accurate and available (to those who are authorized to access it).
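A concrete way to see the “I” in the CIA triad is to make tampering detectable. A plain hash catches accidental corruption, but an attacker who can change the data can also recompute the hash; a keyed MAC closes that gap because the tag cannot be recomputed without the key. The following is an added example written for this page, not code from the original post. The key, the sample record and the helper names are constructed for illustration; a real deployment would keep the key in a secret store.

```python
import hashlib
import hmac
import json

# Constructed demo key for illustration only; never hard-code a real key.
DEMO_KEY = b"demo-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically (sorted keys, no whitespace) so the same
    content always produces the same bytes, and therefore the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Wrap the record with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(envelope: dict, key: bytes = DEMO_KEY) -> bool:
    """Return True only if the tag matches the data exactly.
    Uses a constant-time comparison so the check itself leaks no timing info."""
    if not isinstance(envelope, dict):
        return False
    data, tag = envelope.get("data"), envelope.get("tag")
    if not isinstance(data, dict) or not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical_bytes(data), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))


# Constructed sample record (not real data).
SAMPLE = {"account": "12345", "amount": 100.00, "payee": "ACME Supply"}


def demo() -> dict:
    """Exercise the three cases a practitioner cares about:
    intact data, data modified after tagging, and a tag forged without the key."""
    intact = protect(SAMPLE)
    tampered = {"data": dict(intact["data"], amount=10000.00), "tag": intact["tag"]}
    forged = protect(SAMPLE, key=b"attacker-guess")  # right data, wrong key
    return {
        "intact_ok": verify(intact),
        "tampered_ok": verify(tampered),
        "forged_ok": verify(forged),
    }


if __name__ == "__main__":
    print(demo())
```

Only the intact envelope verifies; the modified amount and the tag computed under a different key both fail. Note that this protects integrity only, not confidentiality: the record is still readable by anyone who sees it.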

Integrity of Personnel

On this point, it’s hard not to rant. To keep us honest, we’ll over-simplify.

In our industry, there are the practitioners who work their tails off to protect people, and there are suppliers who make things practitioners use to protect people. Practitioners and suppliers; integrity is paramount to both. A lack of integrity in either is terrible and sad.

Practitioners

The person behind the keyboard is an integral part of any information protection strategy. Their integrity must be rock solid and continually verified. Background checks, character references, solid OSINT, etc., are all encouraged before hiring anyone. Address the questionable things before hiring, and not after you’ve given them the keys to the kingdom. Depending upon your comfort level, sensitivity of the job, etc., questionable things should be questioned, but they don’t always need to be a disqualifier. Giving people the opportunity to address the questionable things from their past might be good, given that people change (hopefully for the better).

Verify integrity constantly. At work, a practitioner shouldn’t mind having his/her activities monitored continually. They should see the value in it.

Suppliers

What’s worse, an attacker stealing $100,000 from your organization’s bank account or someone selling you security software that doesn’t work, or you can’t use, or you don’t need, or…? They’re both bad and either way you’re out a hundred grand. Stolen (or wasted) money is money your organization can’t use for better things; market expansion, employee benefits, innovation, etc. Suppliers who sell something to a practitioner when they know it’s not the right thing are like wolves in sheep’s clothing; almost worse than an attacker because at least you know the attacker is bad.

There are many suppliers who operate with integrity in our industry, but we must do a better job weeding out the ones who aren’t.

Summary

There you have it. “I” is for “if”. What if we were less ignorant and more integrous? Things would be much better around here.

*NOTE: “If” was inspired by my good friend Chris Roberts. Thanks!

2020 Holiday Shopping Safety Checklist

Just finished putting together this shopping safety checklist. Share freely and enjoy.

Wishing everyone a SAFE, HEALTHY, and HAPPY holiday season!

Direct download link: https://bit.ly/3qkq5uT

PDF: SecurityStudio_HolidayShoppingChecklist.pdf

Episode 107 Show Notes – Happy Thanksgiving

Hey there, it’s time for episode 107 of the UNSECURITY Podcast!

Just when you think you can’t get any busier…

You get busier.

Maybe if I learned to say “no” a little more often. My dilemma is 1) mostly brought on by myself and 2) is a blessing. It’s better to be busy than to have nothing to do, especially when you’re helping people. I’m grateful.

Short introduction today. Too much going on to elaborate much (for now).

On to the show notes…

This is Evan, I’ll lead the discussion today, and these are my notes…


SHOW NOTES – Episode 107

Date: Tuesday November 24th, 2020

Episode 107 Topics

  • Opening
  • Catching Up
    • What’s new?
    • “Information Security @ Home”
  • Happy Thanksgiving
    • What are your grateful for?
    • What’s different this year?
    • What’s the same?
    • Holiday shopping tips for EVERYONE
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey there! Thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 107, the date is November 24th 2020, and I’m your host, Evan Francen. Sadly, Brad won’t be joining me today. He’s out of commission fighting a bout of labyrinthitis. The prognosis is good, so we expect him to be back soon!

So, this means you’re all stuck with me. I’ll do my best to provide some value for your ears and brain.

Quick Catchup

[Evan] The catchup time is a little different without Brad, so I’ll just give you a quick recap of what I’ve been up to.

Topics:

  • 4th quarter is notoriously busy, like VERY busy, for us. Everyone is running at 100% capacity right now, which is good, but also stressful.
  • Security Sh*t Show – this is live on YouTube every week; Thursday nights at 10pm CST.
    • Last week Chris Roberts and I did the Paqui One Chip Challenge online with a couple fans.
    • We also unveiled a new sticker (see below). If you’d like one, just subscribe to the Sh*t Show YouTube channel and let us know.

  • Information security hobbies – I’ve been working on a Raspberry Pi home network security device, including Kismet, pfsense, and Pi-hole. More to come on this next week.
  • Maybe another thing or two.

Transition

Happy Thanksgiving!

[Evan] Originally, Brad and I were going to continue our discussion about information security at home, then I realized that this is Thanksgiving week! Instead of talking about our original topic, I’m going to talk about protecting yourself (and your family) from holiday shopping scams. For many Americans, Friday marks the beginning of the holiday shopping season, and it’s important for all of us to be careful! Lots of things have changed this year, it is 2020, but some things haven’t. The scammers are still scamming, and most of the scams are the same this year as they’ve been in years past.

Some interesting stats/information:

  • 61% of Americans have already started holiday shopping (before Thanksgiving)
  • 22% of Americans start their holiday shopping on (or after) Thanksgiving
  • 15% of Americans start their holiday shopping in December
  • 2% of Americans start their holiday shopping in January (hopefully for next year)
  • Last year:
    • $730 billion was spent on holiday shopping
    • $135.5 billion was spent holiday shopping online
    • $71.3 billion was spent holiday shopping using a mobile device
  • Online holiday shopping (in terms of dollars spent) is expected to increase by 35.8%

More online shopping coupled with the fact that most of us are more distracted (than ever), means attackers could have a heyday.

Opportunity + Distraction = Success (for scammers)

Tips to protect yourself and your loved ones (we will make this into a checklist soon):

Most important – situational awareness. It’s the umbrella for all other protection activities/behaviors.

  1. Ship to a secure location – avoid shipping to places where merchandise could sit unattended and insecure for long periods.
  2. If you decide to use a mobile app for shopping, use official retailer apps only.
  3. Don’t save payment card (debit or credit) information in any shopping accounts
  4. Use Apple Pay or Google Pay for payments wherever it’s available.
  5. If you’re unfamiliar with a retailer, do your research before buying. Make sure the site and retailer are legitimate.
  6. Don’t rush to purchase at the lowest price. Slow down and think about security risks first.
  7. Never make purchases on public Wi-Fi – Never.
  8. Use a VPN when shopping (or doing anything sensitive) online.
  9. Always use strong passwords and a password manager.
  10. Check security and/or privacy policies, especially for retailers you’re unfamiliar with.
  11. A legitimate retailer will NEVER ask for your Social Security number, so don’t give it out.
  12. Make purchases with credit cards over debit cards.
  13. Make purchases with prepaid debit cards over credit cards or regular debit cards.
  14. Review all your accounts and bank statements regularly. You should be doing this all year.

Please be careful this holiday season. DO NOT let scammers steal ANY of your joy or hope!

Transition

[Evan] Alright. That’s that. On to some news…

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] That’s it for episode 107. Gonna give my shout outs…

[Evan] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 104 Show Notes – Stigma Against Healthy

Last week was nuts. Is “nuts” the norm? God, I hope not.

The week started off with what seemed like a run of the mill ransomware attack against a healthcare client. The investigation led us to threat hunting with another client. During the threat hunting exercise, Brian Krebs called. He claimed to have information about 427 healthcare organizations who could be attacked by Wednesday (10/28). This led us down all sorts of paths with a few renowned researchers, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Secret Service (don’t ask), and others.

Eventually, CISA issued a joint cybersecurity advisory with the FBI and Department of Health and Human Services (HHS). See: Ransomware Activity Targeting the Healthcare and Public Health Sector.

On Friday, FRSecure issued their own statement and hosted a very well-attended webinar. See: Situation Update: RYUK Ransomware in Healthcare.

One thing we learned is that incident response in the United States, in terms of our readiness across the public/private sector is in bad shape. It shouldn’t take 3+ days to legitimize a threat and coordinate a response. Thank God we didn’t witness a coordinated attack against 427 hospitals at once. Had this been a real attack against 427 hospitals, we would have been in a world of hurt!

Other things that happened last week include:

  • Episode 103 of the UNSECURITY Podcast, Part Two with Neal O’Farrell of the PsyberResilience Project was awesome! If you missed it, you should go check it out.
  • FRSecure is rocking it! We’re running on all cylinders and making a positive difference in our industry. I’m very proud and humbled at the same time.
  • SecurityStudio finished another incredible month! People are buying into the concept of focusing on the fundamentals and simplification. In case you didn’t know, complexity is the worst enemy of information security.
  • The Security Shit Show was awesome on Thursday night! Personally, I needed the time to talk shit with my peers, Ryan Cloutier and Chris Roberts. It’s like therapy. The title for our discussion was “Kiss and Make Up?” and we talked about what life might look like after the election.

There was probably other important stuff sprinkled in last week too, but the brain can only handle so much!

On to the show!

Episode 104 Topic and Special Guest

A few important things about this episode:

  • This is episode 104, the two-year anniversary of the UNSECURITY Podcast! Holy crap, where did the time go?! It’s been an incredible ride so far, and we’ve met hundreds of amazing people along the way.
  • Our topic (or, I guess title) is “The security industry’s stigma against healthy stuff“. Is there a stigma against healthy stuff in our industry? Maybe. We’ll look into it in this episode.
  • We have another special guest, and he’s a good one! We call him Richie Breathe, and he’s a great guy with interesting perspectives on wellness. He’s the perfect guest to wrap up what turned into another semi-series about us and our health.
  • Next week, we’re going to dive back in to incident response. We’ve seen some very interesting (and alarming) trends, and it’ll be good to share with you.

Let’s get on to the notes…

Oh yeah, one more thing before we forget.

GO VOTE!


SHOW NOTES – Episode 104

Date: Tuesday November 3rd, 2020

Episode 104 Topics

  • Opening
  • Happy Anniversary (to us)
    • What’s been your favorite thing about the UNSECURITY Podcast?
    • What’s been your favorite moment or episode?
  • Special Guest Richie Breathe and the security industry’s stigma against healthy stuff
    • Who’s Richie Breathe?
    • Is there a stigma? If so, how bad do we think it is?
    • Ideas for improving wellness in our industry.
    • Where to go next.
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hi again everyone. Welcome to another episode of the UNSECURITY Podcast! This is episode 104, the date is November 3rd, 2020, and I’m Evan Francen, your host. Joining me is my good friend and co-worker, Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Also joining us, is a good friend Richie Breathe. Good morning Richie.

[Richie] Cue Richie.

[Evan] First things first. Today is election day. Did you guys vote?

[Brad & Richie] Well, did they?

Happy Anniversary (to us)

[Evan] This is our 104th episode in a row, meaning 104 weeks in a row, meaning two years! I can hardly believe it. Seems like yesterday we did our first episode together Brad. Happy anniversary!

[Brad] Cue Brad

[Evan] I gotta tell you man. I’ve loved every minute of this with you. Sincere gratitude for being my pal in this journey.

[Brad] Cue Brad

[Evan] Now, Richie. You’ve been listening for a while, and we actually met through the podcast, didn’t we?

[Richie] Cue Richie

[Evan] I’ve met 100s of amazing people over the past two years from this show. So many incredible memories. Brad, what’s your favorite thing about the UNSECURITY Podcast?

[Brad] Cue Brad

[Evan] How about you Richie?

[Richie] Cue Richie

[Evan] My favorite thing.

I couldn’t have imagined so much and I’m VERY grateful. How about a favorite moment or episode? Brad?

[Brad] Cue Brad

[Evan] Richie?

[Richie] Cue Richie

[Evan] My favorite moment/episode.

Like I said, it’s been an amazing ride. Here’s to many more episodes and lots more memories!

Transition

Special Guest – Richie Breathe and the security industry’s stigma against healthy stuff

[Evan] Richie, thanks for being here man. I know we talked about this a while back, and the time has finally come. You first learned about me and Brad through the UNSECURITY Podcast, then started coming to the Daily inSANITY Checkin, right?

[Richie] Cue Richie.

[Evan] The Daily inSANITY Checkin is another HUGE blessing for me. I’ve met some incredible people there and I love sharing life with them. Shout out to you guys!

For people who want to know more, the Daily inSANITY Checkin is just what it says. It’s a daily informal meeting with people who care about each other. It’s a safe place to come, share thoughts, share ideas, or share whatever else comes to mind. The only real rules are to show respect and be yourself. Simple.

We started the Daily inSANITY Checkin immediately after the COVID-19 lockdowns started in March and we’ve been going strong ever since. It’s been incredible. So, Richie. You’re there almost every day, and I’m grateful to have gotten to know you. I know you, but tell the listeners a little about yourself.

[Richie] Cue Richie.

Begin Discussion

The security industry’s stigma against healthy stuff

  • Who’s Richie Breathe?
  • Is there a stigma? If so, how bad do we think it is?
  • Ideas for improving wellness in our industry.
  • Where to go next.

[Evan] Awesome! Great discussion. Thanks again Richie!

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Richie, please feel free to comment anytime too!

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] Great! Episode 104 is just about complete. Thanks guys! Next week we’re going to tackle some incident response stuff. Things like what’s going on, what people are doing wrong, and how to do things better. Episode 105 will be great, and maybe we’ll invite a guest to boot!

Richie, loved having you join us this week. Thank you!

Any shout outs for either of you?

[Brad and/or Richie] We’ll see.

[Evan] Always grateful for our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Richie, how can listeners find you?

[Richie] Cue Richie.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 103 Show Notes – PsyberResilience Project Pt. 2

Happy Tuesday (again)!

There are always 100s of things to talk about each week, and if you’re ADHD like me, you know how hard it can be to stay focused on one thing for too long!

Here are a few things that are top of mind right now:

  • Security ABCs:
  • Election is next week. Please vote. Regardless of who you vote for, you have a voice. The voice might seem insignificant, but when millions of voices speak together, you have something special. This election season has been crazy, just like 2020 has been crazy. I’m looking forward to it being over, so we can return our focus to serious issues facing all of us.
  • Last week on the Security Shit Show, we talked about election security. The title of the show was “Is My Vote Secure?”. This week it’s Chris Roberts’ topic, and he hasn’t announced it yet. Stay tuned!
  • Business is good – FRSecure is running at or near full capacity and SecurityStudio is serving people well with simple, fundamental, and effective information security risk tools. Good things! FRSecure is hiring BTW.
  • Incidents and calls for our incident response team continue to roll in. There was an incident that occurred this past weekend. Sadly, the way the incident was handled by the client provided good examples of what NOT to do. I’ll write a separate blog post on this story later, but here are two things you need to do RIGHT NOW. Drop what you’re doing and make sure you’re squared away on:
    1. Check your incident response plan and be sure you know who to call.
      • Double-check the contact information.
      • Is there 24×7 response? Incidents will inevitably happen at the worst time.
      • Who do you call, and who do you call first? Your incident responders, your insurance provider, your legal team, executive management, law enforcement, or…?
    2. Make sure your preferred 3rd-party incident handler/provider is on your insurance provider’s approved list for reimbursement.
      • You waste precious time, energy, and money when you don’t know.
      • Engaging with a 3rd-party incident responder who isn’t on the list will force you into declined reimbursements and/or changed providers (losing more time).
  • Not a sales push at all, but here’s what FRSecure provides. At a minimum, it makes sense to register with your incident responder (See: IR Registration Services).

  • Not digging the cold weather, but I do live in Minnesota, so…

Episode 102 Quick Recap

Originally, we weren’t planning on making the discussion with Neal O’Farrell into a series, but the talk in episode 102 was too AWESOME! Brad was out sick for the show, but Neal and I had a great talk about his 40(ish) years in our industry, his background growing up in Ireland, his organization (the PsyberResilience Project), our personal mental health issues (stress, burnout, etc.), and mental health in our industry. This is a serious issue in our industry, and we’re not doing a good enough job in tackling our problems.

I’m VERY excited to welcome Neal back again! We’ll talk about resources people can use to improve their lives. Sure to be another great discussion!

These are my (Evan) notes.


SHOW NOTES – Episode 103

Date: Tuesday October 27th, 2020

Episode 103 Topics

  • Opening
  • Special Guest – Neal O’Farrell from the PsyberResilience Project
    • Recap episode 102 – Where we left off.
    • Mental Health Discussion.
    • Specific self-help approaches, what we’ve learned from trying them.
    • Other resources and what you can do to help.
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hi everybody. Welcome to another episode of the UNSECURITY Podcast! This is episode 103, the date is October 27th, 2020, and I’m Evan Francen, your host. Joining me is my good friend and co-worker, Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Also joining us, for the second week in a row is our good friend and founder of the PsyberResilience Project, Neal O’Farrell. Good morning Neal.

[Neal] Cue Neal.

[Evan] How are you guys today? What’s new?

Quick Catch-up

Discussion about any current events, life or otherwise…

Transition

Special Guest – Neal O’Farrell from the PsyberResilience Project

[Evan] Neal, thanks for joining us for the podcast again this week. Last week we had a great talk. So great, in fact, we didn’t leave any time for news stuff. No matter though, people can always read news things for themselves.

Anyway, we talked about your background, both of us shared our personal struggles with mental health, and we talked about your organization (the PsyberResilience Project). This week Brad’s joining us, and we’re going to focus on specific self-help approaches that we’ve tried. Before we jump in, Brad, did you get a chance to listen to last week’s podcast?

[Brad] Cue Brad.

[Evan] What did you think about it?

[Brad] Cue Brad.

[Evan] Great! Let’s dig in.

Begin Discussion

Topics to discuss (or ideas):

  • Recap episode 102 – Where we left off.
  • Mental Health Discussion.
  • Specific self-help approaches, what we’ve learned from trying them.
  • Other resources and what you can do to help.

Discuss whatever else comes to mind.

[Evan] Excellent discussion, and I’m sure our listeners found value in it!

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Neal, please feel free to comment anytime too!

News

[Evan] Some interesting nation-state stuff caught my attention this week. God knows, there’s always plenty of nation-state stuff going on!

Wrapping Up – Shout outs

[Evan] Great! Episode 103 is just about complete. Thanks guys! Neal, it was great having you on the show again this week. I’m looking forward to working together to make our industry better. Brad, always happy when you’re here. Glad you’re feeling better this week!

Any shout outs for either of you?

[Brad and/or Neal] We’ll see.

[Evan] Always grateful for our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Neal, remind our listeners again how they can get in touch with you.

[Neal] Cue Neal.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 102 Show Notes – PsyberResilience Project

Happy Tuesday (again)!

There are always 100s of things to talk about each week, and if you’re ADHD* like me, you know how hard it can be to stay focused on one thing for too long!

Here are a few things that are top of mind right now:

  • Security ABCs – I’ve been writing the information security ABCs the last week or two. This is a journey through the basics and fundamentals of information security. The “experts” can use the reminders and the inexperienced can use the direction (I think). The reception has been great so far, and I love the comments I’ve been getting, in my LinkedIn feed and on Twitter! So far, I’m through “D”. Stay tuned for “E” and “F” which are both scheduled for this week.
  • Election is only two weeks away – Have you already voted or are you planning to? If not, shame. Every U.S. citizen should voice their support for who they want leading this country. If you’re like me, I’m not wild about either of the two leading candidates, but it won’t stop me from casting a vote for who I think is best (out of my limited options). Last week, we talked about election security in episode 101. The notes for that episode have some good resources in them.
  • Disinformation is rampant – Last Thursday, Ryan Cloutier, Chris Roberts, and I opened our three-part series about election disinformation on the Security Shit Show. This first episode was titled “Disunited States of America (Election Disinformation)” and despite our share of technical difficulties, it was a great talk!
  • Business is good – FRSecure is running at near full capacity and SecurityStudio is serving people well with simple, fundamental, and effective information security risk tools. Good things! FRSecure is hiring BTW.
  • Cold/Winter

Lots of blessings, despite the crazy society we’re living in.

*Speaking of ADHD, mental health is a serious issue in our society and our industry. Helping people with mental health disorders is important for all of us, and it’s a cause that I’m deeply committed to. This is the topic for today’s show.

I’m VERY excited to welcome a special guest this week. He’s the Founder of the PsyberResilience Project, and a long-time information security advisor and expert: Neal O’Farrell!

On to the show! Brad is out with a sinus infection (or something), so it’s just me and our guest. These are my notes.


SHOW NOTES – Episode 102

Date: Tuesday October 20th, 2020

Episode 102 Topics

  • Opening
  • Special Guest – Neal O’Farrell from the PsyberResilience Project
    • Introduction to Neal
    • About the PsyberResilience Project
    • Mental Health Discussion
    • What can we do to help?
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hi everybody. Welcome to another episode of the UNSECURITY Podcast! This is episode 102, the date is October 20th, 2020, and I’m Evan Francen, your host.

Unfortunately, Brad Nigh, my good friend and regular co-host, is out with a sinus infection (I think) today. So, it’s me flying solo, but not really.

I’m REALLY excited to introduce you to a great guy and tremendous asset to the information security community; Neal O’Farrell.

Hi Neal.

[Neal] Cue Neal.

Special Guest – Neal O’Farrell from the PsyberReslience Project

[Evan] Neal, thanks for joining us for the podcast. Tell us about you and your journey through the information security industry.

Begin Discussion

Topics to discuss (or ideas):

  • Neal’s background.
  • The PsyberResilience Project
    • Its purpose.
    • Why Neal started it.
    • What makes it different?
    • Current initiatives and goals.
    • How can people find you?
  • Mental Health
    • What’s wrong with our industry, in terms of mental health?
    • Have problems gotten worse, especially with today’s current events?
    • Have we fixed/solved anything?
    • Personal mental health issues.
    • What do we need to do?
  • What we’re doing together (SecurityStudio and the PsyberResilience Project)

Discuss whatever else comes to mind.

[Evan] Thank you Neal! Great discussion and I’m thrilled to be doing good things with you.

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Neal, please feel free to comment anytime too!

News

[Evan] Just one large news reference for this week. From the Register:

First, Patch Tuesday. Now, Oh Hell, Monday: Microsoft emits bonus fixes for Visual Studio, Windows 10 security bugs
https://www.theregister.com/2020/10/19/security_in_brief/

[Evan] For the most part, I like reading the Register for news. Neal, do you have a favorite news source in our industry?

[Neal] Cue Neal.

Wrapping Up – Shout outs

[Evan] Great! Episode 102 is just about complete. Thanks Neal! It was great having you join us this week and I’m very happy to have you fighting on the good side. Once again, how can we help?

[Neal] Cue Neal.

[Evan] Always grateful for our listeners! We’re behind on email still, but we’ll get there! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Neal, do you have a way you prefer people get in touch with you?

[Neal] Cue Neal.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 101 Show Notes – Election Security

Well, it’s already mid-October and the election is 21 days (three weeks) away. Things have never seemed crazier or more divided, at least not in my lifetime. Good fodder for discussion in episode 101 of the UNSECURITY Podcast!

Work-wise things are also crazy, but good. Fourth quarter is always nuts for an information security company, and it doesn’t matter if it’s consulting (FRSecure) or SaaS (SecurityStudio). Everyone is running at full capacity and finding life margin is a challenge!

Hope you’re happy and healthy! On to the show; I’m (Evan) leading this show and these are my notes.


SHOW NOTES – Episode 101

Date: Wednesday October 14th, 2020

Episode 101 Topics

  • Opening
  • Catching Up (as per usual)
  • Election Security
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey there, thank you for tuning into this episode of the UNSECURITY Podcast. The date is October 14th, 2020 and this is episode 101. I’m Evan Francen, your host for this show. Joining me is my good friend and co-host Brad Nigh. Good morning Brad.

[Brad] Brad does Brad.

[Evan] I know we’re a day late getting the podcast out again this week, but holy cow we’ve been busy! We’ll try to get back on track next week.

Brad, I want to reiterate how I enjoyed our discussion the past couple of weeks about the social dilemma, a Netflix documentary about social media and its effects on society. Lots to think about. In fact, I’m planning to watch it again this week.

[Brad] He might comment here.

Catching Up

[Evan] So, what’s new? Tell us what a day in the life of Brad looks like.

[Brad] Cue Brad.

[Evan] I’ll share some stuff too (probably).

Transition

Election Security

[Evan] As you know, we’re only 20 days from the election. If you haven’t registered to vote yet, you should. Go to vote.gov and check it out. Brad have you registered to vote?

[Brad] Cue Brad.

[Evan] I’m registered and ready to cast my ballot! The date is November 3rd.

There’s been much said about election security. A simple Google search of “election security” produces over 2.2 million results! Election security isn’t a new thing, even though it’s been front and center the past few election cycles.

There’s more to election security than protecting voting machines, so let’s talk about this.

Resources

[Evan] There’s a lot more to election security than infrastructure. What about voter intimidation, disinformation, and security after election night? We’re talking about disinformation on Thursday night’s Security Sh*t Show because this is a significant issue in today’s society.

Election Security Discussion

Open discussion

[Evan] Good discussion! Securing an election has never been more difficult. Let’s catch up on some news quick.

News

[Evan] Here are some recent and interesting news stories to talk about.

Wrapping Up – Shout outs

[Evan] Great! Episode 101 is just about complete. Thanks Brad, do you have any shout outs this week?

[Brad] We’ll see.

[Evan] Always grateful for our listeners! We’re behind on email, but we’ll promise to respond soon. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 100 Show Notes – The Social Dilemma Pt2

Hard to believe that this is episode 100 already! I’ll have to write a recap of the journey sometime soon.

Crazy things all over the place here at FRSecure and SecurityStudio. If you’ve been an information security consultant, or if you know one, you know that 4th quarter is a crazy time of year. Turns out, COVID-19 and 2020 is NOT the exception. We’re happily swamped.

Having said all that, we’re a day late getting the podcast out again this week. Not because we didn’t try, but because life and work get in the way sometimes.

Hope you’re happy and healthy! On to the show; Brad’s leading and these are Brad’s notes.


SHOW NOTES – Episode 100

Date: Wednesday October 7th, 2020

Episode 100 Topics

  • Opening
  • Catching Up (as per usual)
  • the social dilemma, Part Two
  • News
  • Wrapping Up – Shout outs

Opening

[Brad] Welcome back! This is episode 100 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is October 6th, and joining me this morning as usual is Evan Francen.

[Evan] Talks about how busy things have been

[Brad] Last week we had a really good discussion about The Social Dilemma and we didn’t get to everything so we are doing part 2 today. But before we get going let’s recap our week.

Catching Up

[Evan] Evan’s cool story

[Brad] A recap of my week

Transition

the social dilemma, Part Two

[Brad] Okay, let’s pick up where we left off. There is no shortage of takes on the movie; here are some I found interesting.

[Brad] Great discussion. Here are some news stories.

News

[Brad] Here are news stories that caught my eye this week:

Wrapping Up – Shout outs

[Brad] That’s it for episode 100. Thank you Evan, do you have any shout outs this week?

[Evan] We’ll see.

[Brad] Thank you to all our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!