UNSECURITY Episode 125 Show Notes

A news article caught my eye this morning while getting ready for this episode of the UNSECURITY Podcast.

US Strategic Command Twitter account accessed by child: report

Link: https://www.foxnews.com/us/us-strategic-command-twitter-account-accessed-by-small-child-report

My first thought was “oh, that’s funny and sorta cute.” Then I thought some more. It seems innocent(ish) to walk away from your computer while you’re at home. What could happen? Well, this could happen, but it could have been much worse!

This is the Twitter account of the U.S. Strategic Command (“USSTRATCOM”). For those of you who don’t know what USSTRATCOM is, or what they do, here’s information from their “About” page:

“USSTRATCOM integrates and coordinates the necessary command and control capability to provide support with the most accurate and timely information for the President, the Secretary of Defense, other national leadership and combatant commanders.

The mission of USSTRATCOM is to deter strategic attack and employ forces, as directed, to guarantee the security of our Nation and our Allies. The command’s assigned responsibilities include strategic deterrence; nuclear operations; space operations; joint electronic spectrum operations; global strike; missile defense; and analysis and targeting. USSTRATCOM’s forces and capabilities underpin and enable all other Joint Force operations.

USSTRATCOM combines the synergy of the U.S. legacy nuclear command and control mission with responsibility for space operations, global strike, and global missile defense. This dynamic command gives national leadership a unified resource for greater understanding of specific threats around the world and the means to respond to those threats rapidly.”

Sounds pretty damn important! Social media is used by organizations (public and private) to disseminate information to the public and their customers. What if the information disseminated is harmful to others? In this particular case, a child typed “;l;gmlxzssaw”. The message was broadcast all over the world and caused a stir. Caused a stir, but not panic.

What if this wasn’t a child and/or the message was more nefarious? What if someone typed:

“The United States of America is under current attack. The President has raised our alert condition to DEFCON 1. THIS IS NOT A DRILL. DO NOT panic, but please be aware. Additional details forthcoming, including further instruction for protection of U.S. citizens and our assets.”

Now, you may know that USSTRATCOM would never issue such a warning on Twitter, but do others? Even if others do know this, you’ve seen how some people throw logic and reason out the window when something panicky happens, right? What if the alert was more thought out, with direct instructions to do certain things that could be destructive? Would this cause a panic? On the surface, this particular instance may seem funny. In reality, it’s sad. It’s sad that people often use computers without thinking of consequences and that we are STILL trying to get people to lock their computers when they step away.

Anyway, we’ve got a show to do. Let’s get right to it, show notes for episode 125 of the UNSECURITY Podcast…


SHOW NOTES – Episode 125 – Tuesday March 30th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 125, and the date is March 30th, 2021. Back again is my good friend and security ninja Brad Nigh. Welcome Brad!

Another good show today. We’re gonna talk about this FRSecure CISSP Mentor Program thing you might have heard about.

FRSecure CISSP Mentor Program

  • What is it?
  • Who’s it for?
  • The history of the FRSecure CISSP Mentor Program
    • 1st class in 2010 – six students
    • 11th class in 2020 – ~2,400 students
    • 12th class this year (2021) – 5,300+ students
  • Why did we start this thing?
  • Why do we keep doing this thing?
  • Next class starts on April 12th (2021)
    • What are we expecting?
    • Who’s teaching?
    • Is there time to sign up still?
  • Is it really FREE?!
    • What strings are attached?
    • Will I be marketed to?
    • Will I be sold something?
    • Will you sell my information?
  • What’s the future of the FRSecure CISSP Mentor Program?
  • Where can I sign up?
  • Can I refer others?
  • What if I’m not planning to take the test?

And whatever other question we can think of. We’ll be transparent as we talk about the program and our experiences with it.

Want to know more? GO HERE: https://frsecure.com/cissp-mentor-program/

News

Three interesting news articles this week:

Wrapping Up – Shout Outs

Good talk. Thank you Brad, and thank you listeners!

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 124 Show Notes

Spring has sprung!

The first day of Spring was Saturday, March 20th. If you’re from Minnesota like Brad and I are, you’re happy about this. Speaking of Brad, he’s back this week!

Let’s get right to it, show notes for episode 124 of the UNSECURITY Podcast…


SHOW NOTES – Episode 124 – Tuesday March 23rd, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 124, and the date is March 23rd, 2021. Back from taking a couple weeks off from the show is my good friend and co-host Brad Nigh. Welcome back Brad!

We’ve got a good show planned for you today. Let’s talk passwords! Yay, right?!

Let’s try to tackle as many common questions about passwords as we can in one show!

Passwords

  • Why do we need passwords?
    • The basics of identity and authentication.
    • A password is proof.
  • What happens when a password is compromised?
  • How are passwords compromised?
    • Caused by you.
      • Disclosed.
      • Weak.
    • Caused by them (someone you shared it with).
  • What’s the risk if a password is compromised?
    • How do we protect against password disclosure?
    • How do we protect against weak passwords?
    • How do we protect against someone else disclosing a password?
  • @SecurityStudio, we just finished a new password strength/score algorithm.
    • Eighteen rules with weights applied according to risk.
    • Length, numbers(only), lowercase(only), uppercase(only), letters(only), letters & numbers(only), known compromise(s), dictionary, dictionary w/simple obfuscation, 80%+ dictionary, 80%+ dictionary w/simple obfuscation, 60%+ dictionary, 60%+ dictionary w/simple obfuscation, doubleword, common numeric sequences, words & numbers appended, and personally common/known things.
  • The average person has how many passwords?
    • How many passwords do you have?
    • How many passwords do Brad and I have?
  • Are passwords secure?
  • Are we stuck with passwords forever?
  • What do we do to protect our passwords?
  • Does anyone like passwords?
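To make the rule list above concrete, here is an added example of a rule-based password scorer. It is illustration code written for these notes, not the SecurityStudio algorithm: the rule names, the penalty weights, the tiny word list, the “known compromised” set (stored as SHA-1 digests, the way breach-corpus lookups are usually done) and the leetspeak table used for “simple obfuscation” are all assumptions. Length earns points, each rule tripped subtracts its weight, and the result is clamped to 0..100.

```python
"""Rule-based password scoring, in the spirit of the rule list above.

Added example: the rules, weights, word list and "known compromised"
set are assumptions for illustration, not the SecurityStudio algorithm.
"""
import hashlib
import re
from typing import List, Optional, Tuple

# Constructed dictionary and breach corpus for the example (tiny on purpose).
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey",
              "football", "letmein", "admin"}
# Breach-corpus lookups are normally done by hash; SHA-1 hex digests here.
KNOWN_COMPROMISED = {hashlib.sha1(p.encode()).hexdigest()
                     for p in ("password1", "123456", "qwerty", "letmein")}

# "Simple obfuscation": leetspeak substitutions undone before dictionary checks.
LEET = str.maketrans("013457@$!", "oleastasi")

# Penalty weights (assumed); a higher weight means the rule signals more risk.
WEIGHTS = {
    "known_compromise": 100,
    "numbers_only": 40, "lowercase_only": 20, "uppercase_only": 20,
    "letters_only": 10, "letters_and_numbers_only": 5,
    "dictionary": 60, "dictionary_obfuscated": 50,
    "dictionary_80": 40, "dictionary_80_obfuscated": 35,
    "dictionary_60": 25, "dictionary_60_obfuscated": 20,
    "doubleword": 30, "numeric_sequence": 25,
    "word_plus_numbers": 25, "personal": 40,
}


def deobfuscate(pw: str) -> str:
    return pw.translate(LEET).lower()


def _coverage(s: str) -> float:
    """Largest fraction of s covered by a single dictionary word."""
    return max((len(w) / len(s) for w in DICTIONARY if w in s), default=0.0)


def dictionary_rule(pw: str) -> Optional[str]:
    """Strongest dictionary rule tripped; the plain form wins over the obfuscated one."""
    plain, obf = _coverage(pw.lower()), _coverage(deobfuscate(pw))
    for threshold, name in ((1.0, "dictionary"), (0.8, "dictionary_80"), (0.6, "dictionary_60")):
        if plain >= threshold:
            return name
        if obf >= threshold:
            return name + "_obfuscated"
    return None


def class_rules(pw: str) -> List[str]:
    """Character-class rules: one small alphabet means a small brute-force space."""
    if pw.isdigit():
        return ["numbers_only"]
    if pw.isalpha():
        if pw.islower():
            return ["lowercase_only"]
        if pw.isupper():
            return ["uppercase_only"]
        return ["letters_only"]
    if pw.isalnum():
        return ["letters_and_numbers_only"]
    return []


def is_doubleword(pw: str) -> bool:
    low = pw.lower()
    n = len(low)
    return n >= 4 and n % 2 == 0 and low[: n // 2] == low[n // 2:]


def has_numeric_sequence(pw: str, min_len: int = 4) -> bool:
    runs = re.findall(r"\d{%d,}" % min_len, pw)
    return any(run in seq for run in runs for seq in ("0123456789", "9876543210"))


def word_plus_numbers(pw: str) -> bool:
    m = re.fullmatch(r"([A-Za-z]+)(\d+)", pw)
    return bool(m) and m.group(1).lower() in DICTIONARY


def personal_rule(pw: str, personal) -> bool:
    """Names, birth years and similar supplied per user (assumed input)."""
    low, obf = pw.lower(), deobfuscate(pw)
    return any(p.lower() in low or p.lower() in obf for p in personal if len(p) >= 3)


def is_known_compromised(pw: str) -> bool:
    return hashlib.sha1(pw.encode()).hexdigest() in KNOWN_COMPROMISED


def score_password(pw: str, personal=()) -> Tuple[int, List[str]]:
    """Return (score 0..100, rules tripped). Length earns points; rules subtract."""
    if not pw:
        return 0, ["empty"]
    tripped: List[str] = []
    if is_known_compromised(pw):
        tripped.append("known_compromise")
    tripped += class_rules(pw)
    d = dictionary_rule(pw)
    if d:
        tripped.append(d)
    if is_doubleword(pw):
        tripped.append("doubleword")
    if has_numeric_sequence(pw):
        tripped.append("numeric_sequence")
    if word_plus_numbers(pw):
        tripped.append("word_plus_numbers")
    if personal_rule(pw, personal):
        tripped.append("personal")
    score = min(len(pw), 20) * 5 - sum(WEIGHTS[r] for r in tripped)
    return max(0, min(100, score)), tripped


if __name__ == "__main__":
    for candidate in ("password1", "Dr4g0n!!", "qwertyqwerty", "c0rrect-Horse-b@ttery"):
        print(candidate, score_password(candidate))
```

Two design points worth noticing: the known-compromise check runs first and carries a weight that zeroes the score on its own, because a password that is already in a breach corpus is not made safe by length or character mix; and the dictionary check is run on the deobfuscated form as well as the plain one, so “Dr4g0n!!” still trips a dictionary rule.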

Other Things

  • The latest registration count for the FRSecure CISSP Mentor Program was 4,701 as of yesterday (3/22) morning!
    • The 2021 program kicks off in 20 days.
    • Will we top 5,000 registrations?!
    • What do we like best about the program?
  • New features for S2
    • Nested entities within S2Org.
    • S2Me Instant Score (coming soon).
    • S2PCI (coming next month).
  • What else?

News

Three interesting news articles this week:

(PSST… Want a good list of APT groups and their operations?! – https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#)

Wrapping Up – Shout Outs

Good talk. Thank you Brad, and thank you listeners!

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 123 Show Notes

Happy St. Patrick’s Day! For those of you who aren’t into this holiday (for whatever reason), Happy (everyday) Day!

This has been a week full of great experiences and awesome conversations with wonderful people. It’s the people we serve who inspire us to work as hard as we do. Here’s a small sampling:

  • Daytona Bike Week (last week) – if you’ve never been to a bike rally before, I recommend you try it out someday (even if you don’t ride). There are interesting people from all walks of life and the diversity (backgrounds, race, preferences, thought, etc.) would probably surprise you.
  • Co-workers – discussions about everything from mental health (many of us did the Mental Health First Aid certification course together last week), to life challenges (relationships, family, health, etc.), to work challenges, and everything in between. It’s a blessing (to them and to me) when I stop, listen, and invest in others.
  • Customers/peers – had some check-ins this week with a few enterprise CISOs I call friends. Life as a CISO can be extremely DIFFICULT. It’s encouraging to know people care about me, and I them. CISOs are human beings who need love just like all of us do!
  • Everyday people – we’re all beautifully unique. We are similar in some respects, but there are wonderful things that make me me and you you. We’re a hodge podge of emotions, biases, beliefs, perspectives, and experiences. Rather than fight because you think differently than I do, why don’t I embrace the uniqueness and differences? Why not try to understand them and you better?

We’re not doing this enough in society and we’re not doing this enough in our industry either.

    • Why?
    • Have we lost our respect for other human beings?
    • Have we lost our ability to reason?
    • Are we afraid to share who we really are out of fear? Fear of being marginalized, silenced, and attacked (physically and online)?

I believe people are AMAZING! I believe people are worthy of respect (even if it’s only a little). I believe people should be heard and understood. I believe information security isn’t about information or security as much as it is about people. I believe people are who we serve. I believe we must invest in people more. I believe in understanding people (better). I believe loving people gives us our best chance at doing our (information security) jobs effectively, and I believe loving people gives us our only chance of saving society.

Now on to show notes for episode 123…


SHOW NOTES – Episode 123 – Wednesday March 17th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 123, and the date is March 17th, 2021. Filling in for Brad again this week is my good friend and co-worker Ryan Cloutier. Welcome Ryan, glad to have you back!

  • We’ve got a great show planned today. We’ll start with the importance of reason and logic in information security, our jobs, and in life. There are many parallels between information security (or “cybersecurity” as some people call it) and life.
  • Then, if we have time, we’ll talk about passwords. Everybody hates passwords.
  • We’ll close the show with a few mentions; about the FRSecure CISSP Mentor Program and SecurityStudio’s free S2Me (very quickly growing in popularity).
  • Oh yeah, we’ve got a couple news stories too, but whatever.

Reason

  • Have we lost our ability to reason?
  • What is reason anyway?
  • Why is reason (and logic) critical to information security?
  • Why is reason (and logic) critical to risk (all risk)?
  • Why is reason (and logic) critical to life?
  • There are parallels here, like:
    • Information security is risk management.
    • There’s no such thing as risk elimination or infinite risk; they are two different ends of the spectrum.
    • There’s no such thing as 100% reason/logic without emotion or vice versa; two different ends of the spectrum.
    • The goal is management.
  • If we’ve lost our ability to reason, how can we get it back? Or, if we never had the ability to reason, how do we learn it?
    • Ask “Why?” often, almost incessantly, like a three year-old.
    • Ask yourself “Why”.
      • Not in a way that beats yourself up, but in a way that you understand why you’re doing what you’re doing and/or why you believe what you believe.
      • Notice the difference between emotional response and logical response.
      • Learn to use logic and emotion where they are and how they are appropriate. Seems mechanical and awkward at first, but it should become natural/habitual over time.
    • Ask others “Why”.
      • Respectfully out of a desire to understand, and not in a confrontational manner.
      • Learn how to ask without offense. If the person you’re asking takes offense despite your best efforts, that’s on them.
      • Maybe they need help understanding logic versus emotion? Interesting tells about people who are unable or unwilling to use reason or logic to defend a position (or make a point):
        • They change the subject. You asked a question about one thing, and quickly find yourself in a discussion about something different.
        • They attack your character. This is a classic emotional response where the person you’re questioning probably isn’t sure why he/she believes what they do. Don’t take offense, but recognize this tactic for what it is.
    • Encourage others (especially people you trust) to question you.
      • Be prepared to defend why you believe what you believe. If you can’t (with reason), then maybe you should question what you believe.
      • When other people ask you “why”, view it as an opportunity to state your case.
      • When other people ask you “why”, it’s a great opportunity for you to learn (about perspective and reason).

NOTE: We could talk for a long time about Reason, so we might not get to the topic of “Passwords”. If we don’t get to Passwords in this episode, we’ll get to it in episode 124.

Passwords

  • Why do we need them?
  • What makes a password good versus bad?
  • What do we (Ryan and I) do to practice good password behavior? BTW, neither of us is perfect!

NOTE: Regardless of timing, we will discuss “Mentions” in this episode.

Mentions

  • FRSecure CISSP Mentor Program – We’re less than one month away from the start! I think there are more than 4,000 students signed up, so this is going to be AWESOME!
  • S2Me – the FREE SecurityStudio personal risk management tool has been growing very fast (in terms of popularity). Big news happening here, and we’re making a difference!

News

Wrapping Up – Shout Outs

Good talk. Thank you Ryan, and thank you listeners!

…and we’re done.

UNSECURITY Episode 121 Show Notes

Happy Tuesday! It’s time to get ready for another episode (#121) of the UNSECURITY Podcast!

Not sure if you caught it last week, but there was an open U.S. Senate hearing on Tuesday (2/23). The hearing was titled “Hearing on the Hack of U.S. Networks by a Foreign Adversary” and lasted about two and a half hours. The hearing was about the events surrounding the SolarWinds Orion Hack, and what we can do to prevent (or at least reduce the likelihood of) similar events in the future. Witnesses included some well-known people in our industry:

  • Kevin Mandia, CEO of FireEye
  • Sudhakar Ramakrishna, CEO of Solarwinds
  • Brad Smith, President of Microsoft
  • George Kurtz, President and CEO of CrowdStrike

This hearing was a big deal because U.S. policymakers are trying to figure out what to do, and how “to make sure this doesn’t happen again.” If policy makers draft policy based solely on what these witnesses said, we might be in some serious trouble!

There were some really interesting things said during the hearing, and we’re going to share our thoughts on today’s show.

So, let’s do this! These are the notes for episode 121 of the UNSECURITY Podcast.


SHOW NOTES – Episode 121 – Tuesday March 2nd, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 121, the date is March 2nd, 2021, and joining me as usual is my good friend, Brad Nigh. Good morning Brad!

Quick Catching Up

  • What’s new?
    • Working on S2Org r3, IR assessment, and other things.
    • The Gray Matter Society
    • Who would make a good guest next week?
  • Anything else new at FRSecure and/or SecurityStudio?

The Meat

Open Hearing: Hearing on the Hack of U.S. Networks by a Foreign Adversary – https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary

  • Kevin Mandia’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-022321.pdf
  • Sudhakar Ramakrishna’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-sramakrishna-022321.pdf
  • Brad Smith’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-bsmith-022321.pdf
  • George Kurtz’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-gkurtz-022321.pdf
  • The hearing went ~2 1/2 hours, did you make it through it all?
  • So, Amazon Web Services didn’t show up. They haven’t been forthcoming or helpful.
  • An interesting Q&A (starting at 1:22:08) from Senator Wyden (D-OR)
    • Senator Wyden: The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?
    • Mr. Ramakrishna: Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring,  system monitoring, application monitoring on premises of our customers.
    • Senator Wyden: Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world  is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.
    • Mr. Mandia: And I’m gonna give you the “it depends”. The bottom line is this, we do over 600 red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.
    • Senator Wyden: I don’t want to use up all my time. We’ll say that your response to NSA and the National Institute of Standards is “it depends”. Let’s just go down the row.
    • Mr. Ramakrishna: So my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules.
    • Senator Wyden: Very good.
    • Mr. Smith: I’m squarely in the “it depends” camp.
    • Senator Wyden: OK.
    • Mr. Smith: For the same reasons that Kevin said.
    • Senator Wyden: OK, I think we have one other person, don’t we?
    • Mr. Kurtz: Yes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not the be-all, end-all, and generally they’re a speed bump on the information super highway for the bad guys.
    • Senator Wyden: I’m going to close, and uh, my colleagues are all waiting. Bottom line for me is that multiple agencies were still breached under your watch by hackers exploiting techniques that experts had warned about for years. So, in the days ahead it’s gonna be critical that you give this committee assurances that spending billions of dollars more after there weren’t steps to prevent disastrous attacks that experts had been warning about was a good investment. So, that discussion is something we’ll have to continue, thank you Mr. Chairman.
  • Other thoughts and discussion about the hearing.
  • There was general consensus amongst the witnesses that there’s a strong need for mandatory reporting of cyber attacks
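The Wyden exchange above comes down to one control: a monitoring server that does not need the internet should not be able to reach it, and the NSA/NIST advice he cites is to allow only the traffic a job requires and deny everything else. The following is an added example (written for these notes, not from the hearing, SolarWinds or any of the witnesses) that expresses that advice as a default-deny egress allowlist for a monitoring host, runs constructed flow records through it to find anything “calling home”, and renders the same allowlist as an nftables output chain. The monitor host address, the internal networks, the allowed ports and the flow-log format are all assumptions; the external addresses come from the RFC 5737 documentation ranges.

```python
"""Default-deny egress policy for a monitoring server, checked against flow logs.

Added example, not from the hearing or any vendor: it models the NSA/NIST
advice quoted above (allow only required traffic, deny everything else) as an
allowlist, evaluates constructed flow records against it, and renders the same
policy as an nftables output chain. Hosts, networks and log format are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

MONITOR_HOST = ip_address("10.0.5.10")  # assumed address of the monitoring server
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    dst: IPv4Network
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # None means any port


# Only what the server needs to do its job: poll internal hosts, resolve internally.
EGRESS_ALLOW = [
    Rule(ip_network("10.0.0.0/8"), "udp", 161),    # SNMP polling of monitored devices
    Rule(ip_network("10.0.0.0/8"), "tcp", 135),    # WMI/RPC endpoint mapper
    Rule(ip_network("10.0.1.53/32"), "udp", 53),   # internal resolver only
    Rule(ip_network("10.0.1.53/32"), "tcp", 53),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Constructed log format: 'src=A dst=B proto=P dport=N'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], kv["proto"].lower(), int(kv["dport"]))


def is_external(addr: str) -> bool:
    a = ip_address(addr)
    return not any(a in n for n in RFC1918)


def allowed(flow: Flow) -> bool:
    """Default deny: a flow from the monitor host passes only if a rule matches."""
    if ip_address(flow.src) != MONITOR_HOST:
        return True  # the example scopes the policy to the monitor host only
    dst = ip_address(flow.dst)
    return any(dst in r.dst and flow.proto == r.proto and r.port in (None, flow.dport)
               for r in EGRESS_ALLOW)


def denied_flows(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Flows the policy would drop, with the reason a reviewer would want to see."""
    out = []
    for flow in map(parse_flow, lines):
        if not allowed(flow):
            reason = "external destination" if is_external(flow.dst) else "not in allowlist"
            out.append((flow, reason))
    return out


def render_nft() -> str:
    """The same allowlist as an nftables output chain with a drop policy."""
    lines = ["table inet egress {", "  chain output {",
             "    type filter hook output priority 0; policy drop;",
             "    oif lo accept", "    ct state established,related accept"]
    for r in EGRESS_ALLOW:
        match = f"{r.proto} dport {r.port}" if r.port is not None else f"meta l4proto {r.proto}"
        lines.append(f"    ip daddr {r.dst} {match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


SAMPLE_FLOWS = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    "src=10.0.5.10 dst=10.0.7.22 proto=udp dport=161",     # SNMP poll: allowed
    "src=10.0.5.10 dst=10.0.1.53 proto=udp dport=53",      # internal DNS: allowed
    "src=10.0.5.10 dst=203.0.113.7 proto=tcp dport=443",   # HTTPS to the internet: denied
    "src=10.0.5.10 dst=198.51.100.53 proto=udp dport=53",  # external resolver: denied
    "src=10.0.5.10 dst=10.0.9.4 proto=tcp dport=3389",     # RDP to an internal host: denied
    "src=10.0.7.22 dst=203.0.113.7 proto=tcp dport=443",   # another host, outside this scope
]

if __name__ == "__main__":
    for flow, why in denied_flows(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} ({why})")
    print(render_nft())
```

The point of the “external destination” reason is Wyden’s: the first finding is not the malware itself but that a server with this level of internal access could open a session to the outside world at all. Mandia’s and Kurtz’s objection still stands as a caveat; an egress allowlist on this host does nothing about an attacker who is already inside the allowed ranges, which is why it is one layer and not the whole answer.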

News

News stories to cover this week include:

Wrapping Up – Shout Outs

Good talk! It will be interesting to see what legislation comes out of Washington in response to SolarWinds.

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

FRSecure CISSP Mentor Program Welcome Message

Only 46 more days. It’s almost time to start the FRSecure CISSP Mentor Program!

As of yesterday (2/23/21), we have more than 3,500 registered students for the 2021 class. That’s awesome! (and a little nuts) For context, we started the program in 2010 with six students. At the time, FRSecure was a teeny startup (3 employees), but our size didn’t matter. We started with a simple goal:

Provide quality information security training for free.

No strings. No ulterior motive. No marketing gimmicks. Nothing but helping people on their journey.

Why this goal?

We love people. By proxy, we love people in our industry, and by (another) proxy, we love the people served by our industry. Our mission (“to fix the broken industry”) is born from and rooted in love, and we will always do right by our mission. Makes sense, yeah? We’re all #MissionBeforeMoney around here!

Fast forward, this will be our 12th consecutive year. We’ve been a positive influence (to one degree or another) in the lives of more than 6,000 people through the CISSP Mentor Program in the past two years alone (3,500+ students this year so far, 2,400+ students last year). Everyone is welcome here, regardless of background, experience or education. If you don’t want to take the CISSP exam, or don’t feel ready, join us anyway. You’ll learn more about information security, and maybe you’ll pick up some life skills along the way!

Welcome Message

Posted in the 2021 CISSP Mentor Program Study Group on 2/19/21:

Hello 2021 FRSecure CISSP Mentor Program Class,

I’m Evan Francen, the founder and CEO of FRSecure (and SecurityStudio) and one of the instructors here. We’ll get to know each other once class gets going, but I wanted to introduce myself now and welcome you.

Welcome to the 2021 FRSecure CISSP Mentor Program!

I’m excited that you’re here and honored to be part of your journey.

A little history…

In 2008, we started FRSecure with this mission:

To fix the broken information security industry.

Our mission came from a deep passion to do things right and serve others. You see, information security isn’t about information or security as much as it is about people. People cause the havoc (intentionally or accidentally) and people suffer the consequences. If nobody suffered, nobody would care.

The information security industry is still young. There’s no shortage of work to do, and the sooner we get to work on the right things, the better off everyone will be. Two things are at (or near) the core of our information security industry problems:

  • People take advantage of other people. If there was a single motivator for me, this would be it.
    • Attackers – people who don’t hide their intent to do others harm. Most people think we’re only concerned about the attackers, but there’s much more.
    • Frenemies – people in our industry who sell products and services that are not in the best interests of the buyer and/or do not do what they claim.
    • “Experts” – yes, in quotes. There are people in our industry who are in it for the wrong reasons. They are motivated by selfishness and not to serve others. This wouldn’t seem so bad, but most of these people are charged with securing information that does not belong to them. Inflated egos intimidate and discourage others, ignorance leads to poor decisions, comfort leads to inactivity, etc., etc.
  • Information security fundamentals are not universally understood or applied. This is true in the public sector and private industry. It’s also true at home. If we (as an industry) mastered the application of fundamental information security concepts, we’d reduce the number of breaches by as much as ~80-90% (my conservative estimate) and significantly reduce the impact to society.

Fixing these problems is certainly easier said than done, but the pursuit continues…

So, where does the FRSecure CISSP Mentor Program fit in this equation, and what does it mean for you?

Simple. Our industry needs more good information security people. We need you!

The FRSecure CISSP Mentor Program was born out of our mission. In our first year (2010), there were six students. All six students went on to pass their exams and became CISSPs. Today, they are all working in our industry and making a positive difference in the lives of others. Last year was the 11th consecutive year for the program, and we had more than 2,400 registrations. It’s been an incredible experience for us, and for me personally. We do this because we love people, and we do it for no other reason. No strings, just #MissionBeforeMoney!

The 2021 CISSP Mentor Program

We’re sticking with the formula that works. Due to COVID still being COVID, we will once again teach all classes remotely. We’ve already surpassed last year’s record number of student registrations, and we’re on track for more than 5,000! This will be the best class yet, and I’m VERY excited to get to know some of you along the way! You’ll see me and some of the other FRSecure folks drop in here (the study group) from time to time. We’re here to help you as much as we are able (given day job and family stuff).

Once again, welcome! Thank you for letting us be part of your success. I know I speak for the other instructors (Brad Nigh and Ryan Cloutier) and the entire FRSecure team when I say that.

Let’s do this!

If you’ve thought about signing up, but haven’t yet, go do it. If you know somebody who could use some of this, tell them about it. See, more simple!

UNSECURITY Episode 119 Show Notes

OK, we’re back to writing UNSECURITY Podcast show notes. We took eight weeks off from writing show notes because it was a little tedious and we weren’t sure if anyone cared that much anyway. Turns out people care about the show notes, read them, and they want them back!

To make things less tedious and more valuable, we’ll only tell you the topics we plan to talk about. We won’t do the verbatim stuff anymore. If you like the new show notes, let us know (unsecurity@protonmail.com). If you’d like something different, let us know that too!

On to the notes for episode 119 of the UNSECURITY Podcast…


SHOW NOTES – Episode 119 – Wednesday February 17th, 2021

Opening

[Evan] Good morning and welcome to another episode of the UNSECURITY Podcast! This is episode 119, and the date is February 17th, 2021. I’m your host Evan Francen, and joining me is the right side of my brain, Brad Nigh. Good morning Brad.

Quick Catching Up

  • It’s flippin’ cold in MN (and other parts of the country)
  • We need another vacation.

The Meat

News

Wrapping Up – Shout Outs

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Be sure to follow the places we work and do cool things, SecurityStudio (@studiosecurity) and FRSecure (@FRSecure). That’s it. Talk to you all again next week!

…and we’re done.

L is for Layers

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

So, now the beloved letter “L”.

Lethargic Larry’s lackadaisical use of network layers, and his leisurely approach to security let lazy criminals move laterally throughout the lattice, leaving his league of lawyers lamenting the long laborious litigation laid before them from the lye leaked into the lotic.

For the purposes of the Information Security ABCs, “L” is for “Layers”.

To best apply the word “layer” with our definition of “information security”, let’s quickly review both definitions. The word “layer” has several definitions in the English language, and here are two:

  • a thickness of some material laid on or spread over a surface: a layer of soot on the windowsill; two layers of paint.
  • something lying over or under something else; a level or tier: There can be multiple layers of metaphor in a single poem.

You remember our definition of “information security” right? Maybe. Well, in case you forgot, it’s managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

So, what is an “information security layer” or “security layer” for short?

What is a Security Layer?

In the context of information security, we use the term layers to describe the controls, most often preventative controls. A single layer is less strong (or effective) than multiple layers. For multiple layers, we just stack one layer on top of another (logically) to make our security (and protection) stronger. Here’s an analogy:

  • Bullet-resistant glass is constructed using multiple layers of laminated glass. The more layers there are, the more protection we get from the glass. Note, the glass is bullet “resistant” and not bullet “proof”. A projectile that is powerful enough will get through. The point is, the layers make the protection stronger.

  • Attacker-resistant networks are constructed following the same concept, but using multiple layers of network protection (segmentation and isolation, maybe provided by firewalls) instead of multiple layers of laminated glass. The more layers there are, the more protection we get from the network. Like the bullet-resistant glass, attacker-resistant networks are never attacker “proof”.

Multiple layers make protections stronger; they complement and compensate for each other. Here are a couple more examples:

  • The most common control for authentication is a username and password, a single layer (often referred to as a “factor”). If we add another layer to the authentication, maybe a hardware token (like YubiKey or RSA SecurID), a biometric (like Face ID), or a software token (like Google Authenticator or SMS text), we’ve significantly strengthened the control. We call this multi-factor authentication (MFA), but it’s also multiple layers.
  • A building is protected by exterior controls (walls, windows, doors, etc.). A single layer of protection might be provided by the walls and a single entry door. Once an attacker breaches the door (or wall or window) and gains entry to the building interior, there would be nothing left to stop them from taking anything they wanted or assaulting anyone inside. A simple multi-layer approach might employ additional locked doors between the single exterior entry point and office spaces, between office spaces and mail rooms, between office spaces and data closets, etc., etc.

Layers are important for safety

As one who lives in a cold weather climate, I can assure you that layers are an essential part of staying safe in cold weather. As with all things, having the appropriate number of layers is critical: too many layers and you overheat and struggle to move; not enough layers and you will freeze.

When it comes to using layers in security, the same principle applies: too many layers prevent effective use, and not enough layers lead to unnecessary risk and danger.

Layers are part of defense in depth

We like to use the analogy that security is like an onion. We say this because an onion has many layers and each layer is needed to make a whole onion; in security it is no different. You may need many layers to make the whole security program effective.

Layers are the cornerstone of defense in depth. Defense in depth is a security concept that states security should be implemented in overlapping layers that provide the three elements needed to secure assets (prevention, detection and response), while seeking to offset the weakness of one security layer by strengthening it with two or more additional layers. This is the #1 reason for using multi-factor authentication (MFA) to strengthen the security of your username and password.

Let’s take a deeper look at the various security layers we encounter most often.

Physical

The physical layer consists of the things you can touch: fences, locked doors, surveillance cameras, mantraps (a room where one door locks behind you before the door in front of you can be opened), security guards, etc. This is the first layer of any security program; all the other layers are ineffective if the systems can be physically accessed by bad actors. Having an appropriate level of physical controls in place is critical to ensuring the rest of the security layers are effective. After all,

“It doesn’t matter if your server runs the greatest security software of all time when someone steals the server.”  

Access Control

The access control layer comes in two forms, physical access and logical access. Both serve the same purpose: to limit access to sensitive systems and data to authorized personnel (approved users only). The most common physical access controls are door locks, and the most common logical access controls are passwords (used in combination with a username).

Access control gives us the ability to restrict and monitor who is accessing what, and physical and logical access controls can have many sublayers. For example, a locked door could have additional layers (controls) of security such as a surveillance camera or a security guard. Logical examples include multi-factor authentication (MFA), covered earlier, or performing logical access audits on a periodic basis.

Application

The application security layer is all about providing protection to applications and the data applications use. Security controls on the application layer require additional consideration, as poorly configured security controls can degrade the performance, stability, and overall usability of an application. Inadequate or missing security controls at the application layer present significant risks, such as data loss, data integrity issues, backdoors/malware, additional unauthorized network access and service interruption.

Ransomware, Distributed Denial of Service (DDoS) attacks, SQL injection and cross-site scripting are some of the attacks targeted at the application layer.

Taking a multi-layered approach to application security is a best practice. Using a Web Application Firewall (WAF) for web-facing applications, secure web gateway services for Internet access, logging and monitoring of application activities, and training aimed at improving user behaviors are great starting points to consider for a multi-layered approach to application security.

Network

The network layer is responsible for connecting systems together. Systems within an organization are likely to need communication capabilities with each other to operate, and connectivity to the Internet may also be required. This is the layer where a standard firewall lives. You know, that thing we traditionally think of when we talk about cybersecurity? (BTW, cybersecurity is not information security. They’re like cousins.)

Think of the network layer as your first chance and last chance; it is your first chance to detect suspicious traffic/behaviors, and it’s your last chance to stop data from leaving your network. The network layer has two directions that must be considered in your protection approach, inbound (sometimes called “ingress”) and outbound (sometimes called “egress”). Controlling and monitoring data and traffic in both directions is critical, although this is contrary to current practice in many organizations.

The Crunchy Shell and Gooey Center

Most networks are secured (poorly) with a “crunchy shell” and “gooey center”. Traditionally, we’ve focused so much on establishing a strong perimeter (“crunchy shell”) that we neglect to account for what happens when an attacker gets through the perimeter. There are few restrictions in place, and we’re left with our “gooey center”. In most networks, once an attacker gets through the perimeter (trivial in many cases), they have free rein to move laterally throughout the network until they find valuable data. Once the attacker finds valuable data, they are rarely restricted in exfiltrating the data because of ineffective egress traffic restrictions.

The two most common mistakes in network security layering include:

  • Too much focus on the perimeter.
  • Too much focus on restricting traffic inbound and no (or very little) focus on traffic outbound.

An important note about the “perimeter”, especially with the explosion of remote work due to COVID-19, is that there is no perimeter. At the very least, there are many perimeters. All the more reason for a layered approach.

Some of the tools used to secure the network layer are firewalls, security information and event management (SIEM) tools, network intrusion prevention systems (NIPS), network intrusion detection systems (NIDS), logging and packet capture devices, network-based data loss prevention (DLP), email filtering, and web filtering.

The better the network layer is secured and monitored, the higher your chances of seeing something in time to stop the “something” from being very bad. Some of the controls we use to secure the network layer are physical and some are logical. The best approaches are usually a blend of both. When it comes to securing the network layer, less is more and more is less.

Whoa, did I just blow your mind?! How can it be both more and less you might ask.

The answer is painfully simple: the more restrictive you are with what you allow on the network without knowing what it does or why, the fewer issues you will have to chase down later. Knowing what something is, why it’s on the network, why it’s important to the business and how it works/behaves during normal operation is invaluable when it comes to securing the network layer. The better you understand what’s on the network and how it operates, the better your firewall rules, IPS, IDS, WAF, log data, SIEM and other security controls can be configured. This always results in fewer things to chase and less time elapsed between detection and response.

Remember, when it comes to network access, Less is More! (This is the concept of least privilege.)
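To make the “crunchy shell” versus layered contrast concrete, here is an added Go example (not from the post) that evaluates a few constructed connection records against two firewall policies: an inbound-only perimeter with a permissive default, and a segmented, default-deny policy with an egress allowlist. Zone names, ports and flows are constructed for illustration.

```go
package main

import "fmt"

// Flow is one connection summary, the kind a firewall or NetFlow log records.
// Dir is "in" (ingress from the Internet), "out" (egress to the Internet) or
// "lateral" (between internal segments). Zone names are constructed.
type Flow struct {
	Dir, SrcZone, DstZone string
	Port                  int
	Desc                  string
}

// Rule is a stateless first-match firewall rule; "*" and 0 are wildcards.
type Rule struct {
	Dir, SrcZone, DstZone string
	Port                  int
	Allow                 bool
}

// Policy is an ordered rule set plus the verdict when nothing matches.
type Policy struct {
	Name         string
	Rules        []Rule
	DefaultAllow bool
}

func match(pattern, value string) bool { return pattern == "*" || pattern == value }

// Allows returns the first matching rule's verdict, otherwise the default.
func (p Policy) Allows(f Flow) bool {
	for _, r := range p.Rules {
		if match(r.Dir, f.Dir) && match(r.SrcZone, f.SrcZone) &&
			match(r.DstZone, f.DstZone) && (r.Port == 0 || r.Port == f.Port) {
			return r.Allow
		}
	}
	return p.DefaultAllow
}

// CrunchyShell models the common mistake: a strong inbound perimeter and
// nothing else. Lateral and outbound traffic fall through to "allow".
var CrunchyShell = Policy{
	Name: "crunchy shell",
	Rules: []Rule{
		{"in", "internet", "dmz", 443, true}, // public web front end
		{"in", "internet", "*", 0, false},    // block every other inbound flow
	},
	DefaultAllow: true,
}

// Layered adds segmentation between internal zones and an egress allowlist,
// with default deny in every direction (least privilege on the network).
var Layered = Policy{
	Name: "layered",
	Rules: []Rule{
		{"in", "internet", "dmz", 443, true},   // public web front end
		{"lateral", "dmz", "db", 5432, true},   // web tier to its own database
		{"lateral", "user", "dmz", 443, true},  // staff use the web application
		{"out", "user", "internet", 443, true}, // browsing (ideally via a proxy)
		{"out", "dmz", "internet", 443, true},  // patch downloads
	},
	DefaultAllow: false,
}

// SampleFlows are constructed records, not taken from any real network.
var SampleFlows = []Flow{
	{"in", "internet", "dmz", 443, "customer visits the web app"},
	{"in", "internet", "user", 3389, "RDP probe from the Internet"},
	{"lateral", "user", "db", 5432, "workstation talks straight to the database"},
	{"out", "db", "internet", 443, "database server uploads to an external host"},
}

func main() {
	// Flows the shell allows but the layers deny are the "gooey center":
	// lateral movement and exfiltration the perimeter never sees.
	for _, f := range SampleFlows {
		fmt.Printf("%-46s shell=%-5v layered=%v\n",
			f.Desc, CrunchyShell.Allows(f), Layered.Allows(f))
	}
}
```

The two flows where the verdicts differ (workstation to database, database server to the Internet) are exactly the lateral movement and exfiltration the post describes; the inbound rules alone never see them.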

While the network layer has traditionally gotten the most attention from security professionals over the years, and is where the concept of perimeter defense is rooted, it is only one of the many layers you need to design and manage an effective information security program.

Host / Platform

The host layer is where virtualization happens and where operating systems live, virtual or not. This is also the layer where computers, servers, Internet of Things (IoT) devices and all other devices (with a unique IP address) reside. When we discuss this layer in the cloud, as IaaS or otherwise, we refer to it as the platform layer, and there are some distinct differences in how to secure it. Securing this layer comes with the challenge that most devices need to interact with many applications and services hosted locally and remotely. When we consider all the various other layers and systems at play, we must consider virtualization, application stacks, code libraries, 3rd party services, integrations and data movements, security patches, upgrades, cloud services and on and on.

Adding to the challenge, we must do this while balancing the needs of the business and risk.

The WORST ENEMY of security is complexity; therefore, we must combat complexity at all times. This is a huge challenge when dealing with the (sometimes unreasonable) demands of the business. Using a simplified approach whenever possible, and leveraging a layered approach to information security, will make your life easier and your protections more effective. Believe it or not, the fundamentals are still the most effective security controls out there.

Honorable mentions for “L”

  • Lag
  • LAMP
  • LAN
  • Laptop
  • Laser Printer
  • Latency
  • Lazy Loading
  • LCD
  • LDAP
  • Lead
  • Leaderboard
  • Leading
  • Leaf
  • LED
  • Let
  • Left-Click
  • Leopard
  • LFN
  • LIFO
  • Lightning
  • Link
  • LinkedIn
  • Linux
  • Lion
  • LISTSERV
  • Live Streaming
  • Load Balancing
  • Localhost
  • Log File
  • Log On
  • Logic Error
  • Logic Gate
  • Login
  • Long
  • Loop
  • Lossless
  • Lossy
  • Low-Level Language
  • LPI
  • LTE
  • Lua
  • LUN

So, there it is folks. The letter “L” is for “Layers”.

The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics). APPLY THE BASICS!

On to “M”!

The Burn(out)

If you work in this field (information security) long enough, burnout is something you’re sure to encounter. You will fight against burnout yourself, meet somebody who is on the verge of burnout, or sadly, meet someone who has already burned out.

We work our asses off. The hours are long. The stress is real. Isolation comes with the territory.

If you are on the verge of burning out, please seek help (from me, a colleague, a friend, a counselor, etc.). We need you. We need you to fight beside us. We need your ideas. We need your perspectives. We need your wisdom. We need your support. We need your passion. We need your skill. We have serious information security problems in society. In fact, we’ve created more problems than we’ve solved.

WE NEED YOU FOR THE CREATION AND IMPLEMENTATION OF SOLUTIONS TO SOCIETY’S INFORMATION SECURITY PROBLEMS.

The letter below is hypothetical. It’s not written to anyone in particular or with anyone in mind (except the information security professional). It’s a raw dump of frustrations I’ve heard over the years from my brothers and sisters in arms.


Dear <INSERT NAME OR TITLE>,

I’m tired.

You may not care, but you should. I’m holding shit together while you focus on life. Some of my frustration stems from your view that information security (or “cybersecurity”) isn’t part of life. The truth is, information security IS part of life. It’s a damn life skill!

Before you ask why I’m tired, I’ll tell you. I’m tired because:

  • I work 80+ hours a week to protect you and all that you are responsible for.
  • I’m fighting a fight I cannot win, especially without your help.
  • I’m asking you to help, but you aren’t listening.
  • We’re under relentless attack, but you don’t see it, so you don’t care.
  • You think “it won’t happen to me” and I’m afraid it already has.
  • I’m losing support from my family because they’re sacrificing their time with me while I protect you (and worse, they don’t understand why I’m doing it).
  • You won’t step up and take responsibility for what’s yours.
  • I need you to help me solve problems, but I can’t get you to participate.
  • You think this is my responsibility, but it’s not, it’s yours.
  • I tell you things with honesty and transparency, but I don’t think you trust me.
  • We’re understaffed and underfunded, but you keep telling me to do more with less.
  • I need you to champion this cause, but you do nothing more than tolerate it.
  • I want to teach you about information security, but you are too smart or too busy for education.
  • You don’t see the value in me because I’m nothing more than a cost center to you.
  • You will blame me when things go wrong, but you don’t notice when things seem OK.
  • Your demands for more technology and gadgetry makes protecting you harder than it already was.
  • I sit behind a screen all day and my physical health is declining.
  • I deal with the dark shit of this world, mostly alone, and my mental health is at risk too.

Despite all this, believe it or not, I LOVE what I do. I love what I do because I love doing good, fighting against evil, and protecting people like you. It scares me to think of doing anything else for a living. You pay me well, so I’m not complaining about money.

You know this isn’t about money, right?!

My work and passion runs deeper than money. Money provides the means to my cause, but it’s not the cause. I do what I do because I want to make a positive difference in your life and I want you to be healthy. I do this because I care about you, obviously more than I care about myself sometimes. I’m here to serve. I am here to help. I answer the phone when you call. I’m here to respond when things go wrong, even if it means I take the blame.

This is my duty and my promise to you.

Sometimes I ask myself if it’s worth it. Is the frustration worth the reward? Is this all worth it, knowing that I’m destined to fail?

You might be inclined to ask “what do you mean, destined to fail?!”

I’m destined to fail because you ask me (directly or indirectly) to do the impossible, you won’t enable me to succeed even if it were possible, and you have expectations of me that can’t be met.

You ask me to keep you “out of the news,” but I can’t promise you that. No matter what I do, I can’t protect you from all the bad things that can/will happen. I’ve always told you the goal is risk management, and not risk elimination. Risk elimination just isn’t possible.

I don’t want you to take pity on me, and I don’t want any outward acknowledgement. I want you to own what’s yours! I want you to get in this game and play ball. You can delegate all sorts of things to me and others, but you will never be able to absolve yourself of your ultimate responsibility. The wolves in our industry will fool you into thinking they can solve all your problems without your attention or worry, just your money. They can’t. It’s a lie. They prey on your ignorance to mislead you and steal your money, not unlike the attackers we’re trying to fight against in the first place!

All of us need you to step up. We need you to own what’s yours. We need you to lead. Ultimately, the security and safety of all things and people under your control is your responsibility. It’s time to step up before I give up. I’m your best hope, but we’re hopeless without each other.

-Information Security Professional (on the verge of burnout)

K is for Key

In kindergarten (or thereabouts) we learned the ABCs of the English language (assuming we’re from the U.S.). Learning the ABCs provided the foundation necessary to form words. Before long, words became sentences, sentences became paragraphs, and paragraphs became chapters, reports and books.

The ABCs of Information Security are important in much the same way the ABCs for English are. We start with learning and mastering basic concepts. Basic concepts begin to combine with other basic concepts to form the foundation of an information security program. In time, advanced techniques are applied on top of the solid foundation, and a world class information security program is born.

The Information Security ABCs are written as education for people who don’t speak information securitynese yet, and they’re good reminders for people who already speak information securitynese fluently.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

And here we are, ready for “K”. “K” doesn’t get much respect in the English language, appearing with a frequency of only 1.1% (compared to “E” and its 11.16%). All letters deserve respect, and “K” can brag that it isn’t as lonely as poor “Q” (.196%).

Some alliteration…

Our kindhearted kin are kayoed, watching their kingdom go kaput while losing the kitty to knave knuckleheads, all because they didn’t know key concepts, built knotty networks, and failed to kindle interest from kleptocratic leaders.

For the purposes of the Information Security ABCs, “K” is for “Key”.

The word “key” has many applications in information security. It’s one of a few words that fit across the spectrum of what information security is:

Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

There are physical keys, logical (or technical) keys, and all the “other” keys.

Physical Keys

Physical keys are used to open physical locks. Physical locks are used to secure physical things. Physical “things” might be a locker, a door, a window, a safe, or any number of other “things”. Don’t confuse physical key locks with other physical locks. Combination locks and keypad locks aren’t physical key locks, but they have keys too. The key in these locks is the combination.

Confused? Don’t be. Here are the most common types of physical key locks.

Types of Keyed Locks

IMPORTANT: Every physical key lock is susceptible to compromise (picking, bumping, impressioning, etc.), but some are much harder than others to bypass.

  • Pin cylinder (or pin tumbler) locks – a lock with pins that must be aligned with a shear line to turn the cylinder (open the lock). The key is specifically shaped to lift the pins to align with the shear line. The number of pins in these locks varies, but the most common are 5- and 6-pin locks.

  • Lever (or lever tumbler) locks – the key lifts each of the levers to the exact height required to move the locking bolt. The most common lever lock is one with three levers, but you’ll need a five-lever lock (or more) to get home insurance in many cases.

  • Wafer (or wafer tumbler) locks – like the pin tumbler lock but uses flat wafers instead of pins.

  • Warded locks – obstructions are used within the lock to prevent anything but the correct key to turn. One of the oldest lock designs, and only used in low security applications today.

  • Disc detainer (or disc tumbler) locks – uses slotted rotating rings where the slots must be aligned to unlock. Harder to pick and sometimes sold as “high security” locks.

Keys open locks. Simple, right?

Again, don’t forget that ALL physical locks are susceptible to picking or bypass. Here’s a look at a couple of pick sets.

Logical Keys

Logical keys are very commonly used to protect assets too. The three most widely used references to logical keys in information security are:

  • Secret Key – this often refers to a type of cryptography (“secret-key” encryption, or algorithm) and the key itself. Secret-key encryption is also referred to as symmetric encryption (not to confuse anyone). In this type of encryption, the same key (secret key) is used to encrypt and decrypt data. The key can take the form of a simple password, a passphrase, or any other combination of bits/bytes. Popular symmetric-key algorithms include AES (Rijndael), Twofish, DES, 3DES, RC4, and others.
  • Public Key – this term refers to a type of encryption and the key itself too. Public-key cryptography is also referred to as asymmetric cryptography because one key is used to encrypt the data and a separate (but related) key is used to decrypt the data. If the public key is used to encrypt, only the private key can decrypt, and vice versa. The public key is often freely distributed while the private key is kept, you guessed it, private. Common asymmetric-key algorithms include RSA, Diffie-Hellman (key exchange), Elliptic Curve Cryptography, and others.
  • Private Key – private keys are paired with public keys in asymmetric encryption algorithms. These are sometimes referred to as secret keys, but not the same secret keys as those used in symmetric encryption (because we like to reuse words and confuse people I guess).

It’s common to use asymmetric encryption to establish communications and exchange secret keys, then use symmetric encryption to exchange data. This is because symmetric encryption is stronger (per bit of key length) and faster.

Other Uses of “Key”

The word key and security (and information security) are like second cousins. They’re different but related to each other. The image of a key (or padlock with keyhole) is often used symbolically to reference information security, like the graphic below.

Then there are information security “key” concepts, like:

  • Information security is risk management.
  • Information security protects the confidentiality, integrity, and availability of information.
  • Information security is a business issue, not an IT issue.
  • You can’t prevent all bad things from happening (eliminate risk), so you must have something in place to detect the bad things and something in place to respond appropriately too.
  • And many, many more…

More use of the word “key”:

  • Key Chain
  • Key Distribution Center (KDC)
  • Key Escrow
  • Key Fob
  • Key Generator (Keygen)
  • Key Length
  • Key Performance Indicators (KPI)
  • Key Risk Indicators (KRI)
  • Key Value Store
  • Key-Value Pair (KVP)
  • Keyboard
  • Keyboard Buffer
  • Keyboard Macro
  • Keyboard Shortcut
  • Keycap
  • Keygen
  • Keylogger
  • Keypad
  • Keystroke
  • Keystroke Logger
  • Keyword
  • Keyword Stuffing

So, there you go. The letter “K” is for “Key”. The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics).

On to “L”!