UNSECURITY Podcast – Ep 103 Show Notes – PsyberReslience Project Pt. 2

Happy Tuesday (again)!

There are always 100s of things to talk about each week, and if you’re ADHD like me, you know how hard it can be to stay focused on one thing for too long!

Here are a few things that are top of mind right now:

  • Security ABCs:
  • Election is next week. Please vote. Regardless of who you vote for, you have a voice. The voice might seem insignificant, but when millions of voices speak together, you have something special. This election season has been crazy, just like 2020 has been crazy. I’m looking forward to it being over, so we can return our focus to serious issues facing all of us.
  • Last week on the Security Shit Show, we talked about election security. The title of the show was “Is My Vote Secure?”. This week it’s Chris Roberts‘ topic, and he hasn’t announced it yet. Stay tuned!
  • Business is good – FRSecure is running at or near full capacity and SecurityStudio is serving people well with simple, fundamental, and effective information security risk tools. Good things! FRSecure is hiring BTW.
  • Incidents and calls for our incident response team continue to roll in. There was an incident that occurred this past weekend. Sadly, the way the incident was handled by the client provided good examples of what NOT to do. I’ll right a separate blog post on this story later, but here’s two things you need to do RIGHT NOW. Drop what you’re doing and make sure you’re squared away on:
    1. Check your incident response plan and be sure you know who to call.
      • Double-check the contact information.
      • Is there 24×7 response? Incidents will inevitably happen at the worst time.
      • Who do you call, and who do you call first? Your incident responders, your insurance provider, your legal team, executive management, law enforcement, or…?
    2. Make sure your preferred 3rd-party incident handler/provider is on your insurance provider’s approved list for reimbursement.
      • You waste precious time, energy, and money when you don’t know.
      • Engaging with a 3rd-party incident responder who isn’t on the list will force you into declined reimbursements and/or changed providers (losing more time).
  •  Not a sales push at all, but here’s what FRSecure provides. At a minimum, it makes sense to register with your incident responder (See: IR Registration Services).

  • Not digging the cold weather, but I do live in Minnesota, so…

Episode 102 Quick Recap

Originally, we weren’t planning on making the discussion with Neal O’Farrell into a series, but the talk in episode 102 was too AWESOME! Brad was out sick for the show, but Neal and I had a great talk about his 40(ish) years in our industry, his background growing up in Ireland, his organization (the PsyberResilience Project), our personal mental health issues (stress, burnout, etc.), and mental health in our industry. This is a serious issue in our industry, and we’re not doing a good enough job in tackling our problems.

I’m VERY excited to welcome Neal back again! We’ll talk about resources people can use to improve their lives. Sure to be another great discussion!

These are my (Evan) notes.


SHOW NOTES – Episode 103

Date: Tuesday October 27th, 2020

Episode 103 Topics

  • Opening
  • Special Guest – Neal O’Farrell from the PsyberReslience Project
    • Recap episode 102 – Where we left off.
    • Mental Health Discussion.
    • Specific self-help approaches, what we’ve learned from trying them.
    • Other resources and what you can do to help.
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hi everybody. Welcome to another episode of the UNSECURITY Podcast! This is episode 103, the date is October 27th, 2020, and I’m Evan Francen, your host. Joining me is my good friend and co-worker, Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Also joining us, for the second week in a row is our good friend and founder of the PsyberResilience Project, Neal O’Farrell. Good morning Neal.

[Neal] Cue Neal.

[Evan] How are you guys today? What’s new?

Quick Catch-up

Discussion about any current events, life or otherwise…

Transition

 

Special Guest – Neal O’Farrell from the PsyberReslience Project

[Evan] Neal, thanks for joining us for the podcast again this week. Last week we had a great talk. So great, in fact, we didn’t leave any time for news stuff. No matter though, people can always read news things for themselves.

Anyway, we talked about your background, both of us shared our personal struggles with mental health, and we talked about your organization (the PsyberResilience Project). This week Brad’s joining us, and we’re going to focus on specific self-help approaches that we’ve tried. Before we jump in, Brad, did you get a chance to listen to last week’s podcast?

[Brad] Cue Brad.

[Evan] What did you think about it?

[Brad] Cue Brad.

[Evan] Great! Let’s dig in.

Begin Discussion

Topics to discuss (or ideas):

  • Recap episode 102 – Where we left off.
  • Mental Health Discussion.
  • Specific self-help approaches, what we’ve learned from trying them.
  • Other resources and what you can do to help.

Discuss whatever else comes to mind.

[Evan] Excellent discussion, and I’m sure our listeners found value in it!

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Neal, please feel free to comment anytime too!

News

[Evan] Some interesting nation-state stuff caught my attention this week. God knows, there’s always plenty of nation-state stuff going on!

Wrapping Up – Shout outs

[Evan] Great! Episode 103 is just about complete. Thanks guys! Neal, it was great having you on the show again this week. I’m looking forward to working together to make our industry better. Brad, always happy when you’re here. Glad you’re feeling better this week!

Any shout outs for either of you?

[Brad and/or Neal] We’ll see.

[Evan] Always grateful for our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Neal, remind our listeners again how they can get in touch with you.

[Neal] Cue Neal.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

God Showed Up to My Pity Party

Yes, God showed up. Uninvited and unwelcomed.

NOTE/WARNING:

The subject of “God” is touchy for many people. I acknowledge this, and won’t go down the rabbit hole (now). I’ll preface my story with two simple points:

  1. This story isn’t about religion. This is about relationship. Two vastly different things. If it helps, I don’t like religion either, or at all.
  2. Nobody is forcing you to read this. Feel free to stop reading this at any time.

OK, back to my personal pity party.

Pity Party!

This was my party. All mine.

I invited the most important person in my life (me), and I was sure he was coming (again, me.). The best time for me to have a pity party is early in the morning. Mornings are great times for pity parties because it’s easier for me to be alone.

This particular party took place one morning a couple weeks ago. I woke up in a pissy mood, so it was the perfect time to hold my pity party!

I even had a theme. “2020 Sucks!” In my mind, I replayed all the crappy things about this year, and I found I had lots of things to celebrate:

  • COVID-19, and all the disruption it brought to daily life
    • Closed offices.
    • Closed schools.
    • Economic hardships.
    • Fear.
    • Uncertainty.
    • Politicization
    • The saddest/hardest stuff:
      • Sick people.
      • Deaths.
      • Closed businesses (some permanently).
    • Etc.
  • Social (in)Justice:
    • Riots.
    • Cities burning.
    • Systemic racism.
    • Hatred.
    • Killing.
  • 2020 Election:
    • Disinformation.
    • Division.
    • Hatred.

This country I love seems like it’s falling apart. I grew up in a Marine Corps family (Oorah!), so this hits hard and personal. People around me who used to love each other are now at each other’s throats. Damn, this pity party was in full swing!

Wait though, I can kick this thing up a notch!

I haven’t even started to grumble and take the “woe is me” look at my personal issues in 2020:

  • Frustration in my own home.
  • Loneliness and isolation.
  • Hit a deer while riding my motorcycle in May ($11K in damage).
  • Lost my little buddy (dog named “Vike”) in July.
  • Child struggling with school (social issues, lack of routine, etc.)
  • Work stresses from being CEO of two companies. The wind blows the strongest at the top of the mountain.
  • Lost my little sweetheart (dog named “Maizee”) first week in October. Two dogs in one year?! WTF?
  • General insecurities that come with working in the information security industry (yes, we all have them).
  • Etc., etc., and the list could continue.

The party was going great! I was feeling comfortable being shitty. I had a solid shitty attitude. To boot, I felt like I had plenty of blame to toss around and anger to express.

Woop! Woop! Party!

Then “He” showed up.

He showed up like He has before. Subtle. Almost sneaky. No grand entrance or anything.

Upon reflection, I realized He was actually there when the party started. I didn’t know He was there, but He was. At just the right time, He made his presence known to me, with a subtleness I can’t compare to anything else.

He whispered with in a gentle loving voice, “Did you forget?

The whisper wasn’t audible, at least I don’t think it was. There was nobody else in the room to confirm a “yes” or “no”/my sanity. Regardless, whether His voice was audible or not, I’m certain I heard Him.

I responded (not audibly, I don’t think), “Forget what?

He replied, “Forget the blessings. Did you forget the blessings?

I thought for a second. “What blessings?

With more gentleness, and without anger, He reminded me:

  • This was the year I gave you Ryan Cloutier to work with.
  • This was the year I gave you the amazing SecurityStudio team experience at RSA. Remember #MissionBeforeMoney? That was Me.
  • This was the year I gave you a wonderful vacation with your wife and friends. You know that seven-day cruise and everything that came with it?
  • This was the year I gave you 2,500+ students in the FRSecure CISSP Mentor Program. I even let you take credit for it.
  • This was the year I gave you unity and progress at FRSecure; amongst the executive leadership team, the senior management team, and the employees who get the real work done.
  • This was the year I gave you a new motorcycle after you crashed the last one.
  • This was the year I gave you a stronger bond with your wife.
  • This was the year I have you a second vacation, one to the Black Hills of South Dakota with your wife and friends.
  • This was the year I made SecurityStudio profitable for the first time.
  • This was the year I gave you a new puppy with an amazing and vibrant lust for life.
  • This was the year I taught you what unconditional love feels like.
  • This was the year I introduced you to working more closely with Chris Roberts (BTW, I’m using him too) on the Security Shit Show, multiple talks/panels, and business collaboration on My mission (to fix the broken industry).
  • This was the year I gave you new and deeper experiences with co-workers and friends.
  • This was the year I gave you the Daily inSANITY Checkin and new relationships with many wonderful people there (Josh, Jared, Steve, Tony, Richie, Amy, Marlyce, Dwight, Jim, Raul, Shelley, Olga, Jason, Brian, Rod, Caleb, Jeff, Lisa, etc.)

Shall I go on?

Through tears running down my face, I responded, “Thank you. Thank you for coming to my pity party to remind me who I am and what You have done for me.

It was here I realized I’m not cursed. Far, far from it. I’m blessed. Beyond everything that’s been done for me and given to me, I’m blessed by a God who always shows up, even to my pity parties He isn’t invited to.

2020 has been a weird year. It’s been much worse for some than for others, but regardless of how bad it’s been, there’s hope. There’s hope that God will show up for you as He did for me. There’s hope that God will restore what we destroy. I can’t help but wonder how much of what we’ve destroyed was destroyed because we take things for granted. It’s easy to take things for granted when we are given things without 1) earning them (called grace) and 2) realizing where they came from.

Wishing and praying for all brothers and sisters who are struggling today. I pray that you’ll find God, His grace and your blessings.

UNSECURITY Podcast – Ep 102 Show Notes – PsyberReslience Project

Happy Tuesday (again)!

There are always 100s of things to talk about each week, and if you’re ADHD* like me, you know how hard it can be to stay focused on one thing for too long!

Here are a few things that are top of mind right now:

  • Security ABCs – I’ve been writing the information security ABCs the last week or two. This is a journey through the basics and fundamentals of information security. The “experts” can use the reminders and the inexperienced can use the direction (I think). The reception has been great so far, and I love the comments I’ve been getting, in my LinkedIn feed and on Twitter! So far, I’m through “D”. Stay tuned for “E” and “F” which are both scheduled for this week.
  • Election is only two weeks away – Have you already voted or are you planning to? If not, shame. Every U.S. citizen should voice their support for who they want leading this country. If you’re like me, I’m not wild about either of the two leading candidates, but it won’t stop me from casting a vote for who I think is best (out of my limited options). Last week, we talked about election security in episode 101. The notes for that episode have some good resources in them.
  • Disinformation is rampant – Last Thursday, Ryan Cloutier, Chris Roberts, and I opened our three-part series about election disinformation on the Security Shit Show. This first episode was titled “Disunited States of America (Election Disinformation)” and despite our share of technical difficulties, it was a great talk!
  • Business is good – FRSecure is running at near full capacity and SecurityStudio is serving people well with simple, fundamental, and effective information security risk tools. Good things! FRSecure is hiring BTW.
  • Cold/Winter

Lot’s of blessings, despite the crazy society we’re living in.

*Speaking of ADHD, mental health is a serious issue in our society and our industry. Helping people with mental health disorders is important for all of us, and it’s a cause that I’m deeply committed to. This is the topic for today’s show.

I’m VERY excited to welcome a special guest this week. He’s the Founder of the PsyberReslience Project, and a long time information security advisor and expert; Neal O’Farrell!

On to the show! Brad is out with a sinus infection (or something), so it’s just me and our guest. These are my notes.


SHOW NOTES – Episode 102

Date: Tuesday October 20th, 2020

Episode 102 Topics

  • Opening
  • Special Guest – Neal O’Farrell from the PsyberReslience Project
    • Introduction to Neal
    • About the PsyberReslience Project
    • Mental Health Discussion
    • What can we do to help?
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hi everybody. Welcome to another episode of the UNSECURITY Podcast! This is episode 102, the date is October 20th, 2020, and I’m Evan Francen, your host.

Unfortunately, Brad Nigh, my good friend and regular co-host, is out with a sinus infection (I think) today. So, it’s me flying solo, but not really.

I’m REALLY excited to introduce you to a great guy and tremendous asset to the information security community; Neal O’Farrell.

Hi Neal.

[Neal] Cue Neal.

Special Guest – Neal O’Farrell from the PsyberReslience Project

[Evan] Neal, thanks for joining us for the podcast. Tell us about you and your journey through the information security industry.

Begin Discussion

Topics to discuss (or ideas):

  • Neal’s background.
  • The PsyberResilience Project
    • Its purpose.
    • Why Neal started it.
    • What makes it different?
    • Current initiatives and goals.
    • How can people find you?
  • Mental Health
    • What’s wrong with our industry, in terms of mental health?
    • Have problems gotten worse, especially with today’s current events?
    • Have we fixed/solved anything?
    • Personal mental health issues.
    • What do we need to do?
  • What we’re doing together (SecurityStudio and the PsyberResilience Project

Discuss whatever else comes to mind.

[Evan] Thank you Neal! Great discussion and I’m thrilled to be doing good things with you.

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Neal, please feel free to comment anytime too!

News

[Evan] Just one large news reference for this week. From the Register:

First, Patch Tuesday. Now, Oh Hell, Monday: Microsoft emits bonus fixes for Visual Studio, Windows 10 security bugshttps://www.theregister.com/2020/10/19/security_in_brief/

[Evan] For the most part, I like reading the Register for news. Neal, do you have a favorite news source in our industry?

[Neal] Cue Neal.

Wrapping Up – Shout outs

[Evan] Great! Episode 102 is just about complete. Thanks Neal! It was great having you join us this week and I’m very happy to have you fighting on the good side. Once again, how can we help?

[Neal] Cue Neal.

[Evan] Always grateful for our listeners! We’re behind on email still, but we’ll get there! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Neal, do you have a way you prefer people get in touch with you?

[Neal] Cue Neal.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 101 Show Notes – Election Security

Well, it’s already mid-October and the election is 21 days (three weeks) away. Things have never seemed crazier or more divided, at least not in my lifetime. Good fodder for discussion in episode 101 of the UNSECURITY Podcast!

Work-wise things are also crazy, but good. Fourth quarter is always nuts for an information security company, and doesn’t matter is it’s consulting (FRSecure) or SaaS (SecurityStudio). Everyone is running at full capacity and finding life margin is a challenge!

Hope you’re happy and healthy! On the the show; I’m (Evan) leading this show and these are my notes.


SHOW NOTES – Episode 101

Date: Wednesday October 14th, 2020

Episode 101 Topics

  • Opening
  • Catching Up (as per usual)
  • Election Security
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey there, thank you for tuning into this episode of the UNSECURITY Podcast. The date is October 14th, 2020 and this is episode 101. I’m Evan Francen, your host for this show. Joining me is my good friend and co-host Brad Nigh. Good morning Brad.

[Brad] Brad does Brad.

[Evan] I know we’re a day late getting the podcast out again this week, but holy cow we’ve been busy! We’ll try to get back on track next week.

Brad, I want to reiterate how I enjoyed our discussion the past couple of weeks about the social dilemma, a Netflix documentary about social media and its effects on society. Lots to think about. In fact, I’m planning to watch it again this week.

[Brad] He might comment here.

Catching Up

[Evan] So, what’s new? Tell us what a day in the life of Brad looks like.

[Brad] Cue Brad.

[Evan] I’ll share some stuff too (probably).

Transition

Election Security

[Evan] As you know, we’re only 20 days from the election. If you haven’t registered to vote yet, you should. Go to vote.gov and check it out. Brad have you registered to vote?

[Brad] Cue Brad.

[Evan] I’m registered and ready to cast my ballot! The date is November 3rd.

There’s been much said about election security. A simple Google search of “election security” produces over 2.2 million results! Election security isn’t a new thing, even though it’s been front and center the past few election cycles.

There’s more to election security than protecting voting machines, so let’s talk about this.

Resources

[Evan] There’s a lot more to election security than infrastructure. What about voter intimidation, disinformation, and security after election night? We’re talking about disinformation on Thursday night’s Security Sh*t Show because this is a significant issue in today’s society.

Election Security Discussion

Open discussion

[Evan] Good discussion! Securing an election has never been more difficult. Let’s catchup on some news quick.

News

[Evan] Here are some recent and interesting news stories to talk about.

Wrapping Up – Shout outs

[Evan] Great! Episode 101 is just about complete. Thanks Brad, do you have any shout outs this week?

[Brad] We’ll see.

[Evan] Always grateful for our listeners! We’re behind on email, but we’ll promise to respond soon. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 100 Show Notes – The Social Dilemma Pt2

Hard to believe that this is episode 100 already! I’ll have to write a recap of the journey sometime soon.

Crazy things all over the place here at FRSecure and SecurityStudio. If you’ve been an information security consultant, or if you know one, you know that 4th quarter is a crazy time of year. Turns out, COVID-19 and 2020 is NOT the exception. We’re happily swamped.

Having said all that, we’re a day late getting the podcast out again this week. Not because we didn’t try, but because life and work get in the way sometimes.

Hope you’re happy and healthy! On the the show; Brad’s leading and these are Brad’s notes.


SHOW NOTES – Episode 100

Date: Wednesday October 7th, 2020

Episode 100 Topics

  • Opening
  • Catching Up (as per usual)
  • the social dilemma, Part Two
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Welcome back! This is episode 100 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is October 6th, and joining me this morning as usual is Evan Francen.

[Evan] Talks about how busy things have been

[Brad] Last week we had a really good discussion about The Social Dilemma and we didn’t get to everything so we are doing part 2 today. But before we get going let’s recap our week.

Catching Up

[Evan] Evan’s cool story

[Brad] A recap of my week

Transition

the social dilemma, Part Two

[Brad] Okay let’s pick up where we left off. There are no shortage of takes on the movie, here are some I found interesting.

[Brad] Great discussion here are some news stories

News

[Brad] Here are news stories that caught me eye this week:

Wrapping Up – Shout outs

[Brad] That’s it for episode 100. Thank you Evan, do you have any shout outs this week?

[Evan] We’ll see.

[Brad] Thank you to all our listeners! Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.
That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 99 Show Notes – The Social Dilemma

Happy Tuesday! Here we are again, and lots going on…

The big news (sort of) is the first presidential debate is tonight. I wonder how many people will tune in. Personally, I’m not sure if I will. We’ll see.

A few weeks ago my wife asked me to watch the social dilemma with her on Netflix, so I did. I’d heard about the documentary/movie from some friends, but didn’t get around to watching it until then. Wow!

The opening quote from the movie:

Nothing vast enters the life of mortals without a curse

-Sophocles

He was right. Today, Brad and I will give your our reviews about the social dilemma and talk about our thoughts. These are my (Evan) show notes for episode 99.


SHOW NOTES – Episode 99

Date: Tuesday, September 29th, 2020

Episode 99 Topics

  • Opening
  • Catching Up
  • the social dilemma
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning everyone. Thanks for tuning in to episode 99 of the UNSECURITY Podcast. Today is September 29th, 2020 and joining me is my co-host and friend Brad Nigh.

Good morning Brad.

[Brad] Cue Brad.

[Evan] We’ve got a special show planned for our listeners this week. Brad, you and I both watched the social dilemma on Netflix. It’s a documentary about social media in our society that was released in January. Funny how neither of us had watched it until recently, and now (as of this morning) it’s trending as the #6 most popular video on Netflix. I guess it’s better late to the party than not showing up at all!

Before we jump in, I’m dying to hear your thoughts, let’s catch up quick. This is customary.

Catching Up

[Evan] Brad, how you doing? What’s new?

[Brad] Cue Brad.

[Evan] Cue Evan.

Transition

the social dilemma

[Evan] You watched the social dilemma, right?

[Brad] Cue Brad.

[Evan] What did you think?

Our review and discussion

  • What if I’m not a social media user/addict, why should I care?
  • We see different realities? Different news feeds?
  • Data (you and I) sold to the highest bidder.
  • Where does this all end if we don’t act (now)?

Any sufficiently advanced technology is indistinguishable from magic

-Arthur C. Clarke

[Evan] If you haven’t seen the social dilemma yet, I highly suggest you do. Sit down, spend the hour and a half, and consider it all. If you’ve got a spouse, invite them to watch it with you. If you’ve got teenage kids, see if you can peel them away from their phones long enough too.

We’ve got to do more about this, and we’ve got to move much quicker than we are.

[Evan] OK, news. Let’s do some quick news stories.

News

[Evan] Three news stories to talk about briefly this week:

Wrapping Up – Shout outs

[Evan] OK. That’s about it. Episode 99 is almost a wrap. Brad, any shout outs this week?

[Brad] Shout out…

[Evan] We’re very grateful for our listeners and we love hearing from you. Send us messages by email at unsecurity@protonmail.com or check us out on Twitter, @UnsecurityP.

If you wanna socialize with me or Brad directly, we dare you! I’m @evanfrancen, and Brad’s @BradNigh. We work for people and if you want to follow those people, SecurityStudio is @studiosecurity and FRSecure is @FRSecure.

That’s it, talk you all again next week!

FACTS and OPINIONS

They’re not the same and treating either as the other has consequences.

  • FACT: something that has actual existence, or the quality of being actual.
  • OPINION: a view, judgment, or appraisal formed in the mind about a particular matter.

Facts seem to be in short supply, but the shelves in the warehouse of human discourse are overflowing with opinions. Opinions are easy and they’re cheap (short-term). People like easy and cheap, so they opinions sell like hotcakes.

But, there’s trouble.

Opinions, especially biased ones, can easily lead us to make decisions that are restrained, irrational, and even foolish. Facts are rooted in reality, and reality, although (sometimes) harsh, leads to better decisions and better outcomes.

We’re not sheep. We can think. We have the gift of logic. We can discern fact from opinion, but it might require work. Work isn’t easy and it’s expensive. The expense has a certain long-term payoff, but many of us are short-term thinkers.

Finding facts requires seeking facts. Some facts are harder to find than others, but they are out there!

  • Before you buy the next blinky light someone told you to buy, do the work. Find the facts to support or dispute the matter.
  • Before you take someone’s advice at face value, seek or ask for facts. Anyone with a foot to stand on should be able to defend their position (hopefully with facts).
  • Before you believe what you read, in the news or elsewhere, seek facts. Do your research.

Whatever you do, don’t spread your opinion as fact. You’re only hurting yourself and others who buy what your selling.

UNSECURITY Podcast – Episode 96 Show Notes

Hope you had a fantastic Labor Day weekend! Personally, it was nice to get away with family and disconnect for a while!

Did you know the history of Labor Day?

It’s always the first Monday in September, ad it’s dedicated to the social and economic achievements of American workers. The first state to recognize the holiday was Oregon in 1887, and it became a federal holiday in 1894. So, this year we celebrate more than 125 years of American work!

Read more about the history of Labor Day on the U.S. Department of Labor website.

Brad’s out today.

Like most weeks, I’m writing the show notes last minute. On the way into work this morning (2:30am), Brad sent me a text message informing me that he is not feeling well. We think it might be a bout of food poisoning, so he should be OK with some rest. Please keep him in your thoughts and prayers.

No Brad today, so this means I’m left to my own devices. This will be the first episode I’ve done by myself. We’ll see how this shakes out.

Let’s get on with it! These are my (Evan) notes.


SHOW NOTES – Episode 96

Date: Tuesday, September 8st, 2020

Episode 96 Topics

  • Opening
  • Catching Up
  • Context Means Everything A Lot
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning everyone. Thanks for tuning in. The date is September 8th, 2020 and this is episode 96 of the UNSECURITY Podcast! I’m your host, Evan Francen, and my buddy is out sick today. Normally Brad Nigh joins me as co-host, but he informed me early this morning that he might have a case of some food poisoning.

Wishing Brad a fast and full recovery!

Be warned. Without Brad, I might end up rambling a bit!

Catching Up

[Evan] Regular listeners to our show know that Brad and I normally start off with catching up with each other. No Brad today, so I’ll bore you with some of the stuff I’ve been up to:

  • Great weekend camping with my wife, my daughter, my good friend Ryan Cloutier, and his wife Aimee
  • Bunch of meetings last week, including 11 last Tuesday; Chubb, the Cybercrime Support Network, Schneider Downs (makers of Red Lure), etc.
  • Lots of great work going on at both companies; FRSecure and SecurityStudio.
    • New service offerings at both companies.
    • S2Org – working on a global S2Score, integrating S2Team, S2Vendor, and new deeper-dive risk assessments.
    • S2Vendor – working on customized workflows, custom due dates, integration of something called the “Cowbell Factor”, vendor breach data/news, etc.
    • S2Me – Redesign based on user feedback, definition of four new “normal” language dialects, and the introduction of “Sam”.
  • The Security Shit Show last Thursday night; topic was “Negativity is Bullsh*t”.
  • Some other miscellaneous things…

Crazy week, but it appears as though business is really picking up and market sentiment is positive(r).

[Evan] Alright, again, no Brad to catch up with. Hoping he had a great week and weekend, minus the food poisoning thing. Now on to the topic for today’s show.

Transition

Context Means Everything A Lot

[Evan] If you know me, you know I use many sayings/themes to try to get my point across. One saying I’ve muttered many times:

One of the easiest tells for determining a good information security advice from bad is using context.

Context is critical. Think about it. You make decisions all day, from the seemingly insignificant ones to the critical ones, and everything in between. How does the lack of context effect your decision-making? Without context, the quality of your decisions will suffer.

Without context people make crappy decisions

Recent conversation with “James”:

  • [James] We get the importance of a risk assessment, but we’re just not focusing on that right now. We’re focusing on partnering with firms with forensics capabilities and setting up a security operations center (or “SOC”).
  • [Mike] Are these our most significant risks to focus on right now?
  • [James] We think so. We don’t have any forensics capabilities and we don’t feel like we’re able to identify events happening in our environment.
  • [Mike] What’s the environment look like? How many servers, how many systems, how many applications, etc.?
  • [James] We’ve probably got 100(ish) servers and a couple hundred applications I’d guess.
  • [Mike] You guess?

A recent article “Most cyber-security reports only focus on the cool threats

A recent conversation with “Bill”. Bill is the CEO:

  • [Bill] Hey Mike. We need to stop everything we’re working on and take care of this exploit I heard about from a friend.
  • [Mike] I’ve never heard of this exploit. Why do we need to stop everything and focus on it?
  • [Bill] My buddy over at XYZ company was just telling me about how his company got hit.
  • [Mike] OK, we’ll get right on it.

Regulators and auditors are notorious for missing context and often take us down the road of compliance management versus risk management.

Penetration testers, especially those who are newer to our industry are notorious for getting things out of context. Context is critical.

Same concept applies to the world Around Us

The information security industry is unique, but it’s not unique in the fact that human beings are the ones making decisions. Context works the same way.

Take COVID-19 for instance:

  • The headline reads “South Dakota dismisses ‘elite class of so-called experts,’ carries on with state fair after Sturgis rally fueled COVID-19 surge” – The words “Sturgis rally fueled COVID-19 surge” is troubling. If we made a decision based on these words it might be different than a decision with some context. The article goes on to say (buried in 6th paragraph) “Nationally, about 300 cases have been linked to the rally.” For context, there were an estimated 460,000 attendees. 300 cases out of 460,000 attendees works out to about .065%. Granted, there will likely be more, but the rally was a month ago now.
  • Another headline reads “New challenges in US battle against Covid-19 come with the approaching fall season” – This article goes on to say “The holiday crowds mark the unofficial end to a devastating summer across the country, with Covid-19 infections surging to more than 6.3 million and deaths topping 189,000.” The word “devastating” is not only subjective, but it lacks context. A single infection and a single death is bad, but in context it seems a little less devastating. 6.3 million people is about 1.91% of the U.S. population. More than 640,000 people die each year from heart disease and almost 600,000 die from cancer.

IMPORTANT: COVID-19 is a pandemic and it is VERY serious. I don’t mean to minimize the coronavirus in any way, but I do want to put it into context. Be courteous to others. Wear a mask and follow the CDC’s guidance. Speaking of the CDC, this is a great source for context!

Racism and police violence is another hot button issue. Judging from some of the news and reactions from some of the public, you’d certainly think this was worth burning down the “establishment”. I’m someone who wants to fix broken things, so if I’m interested in fixing broken things, I need to make good decisions in context. Here’s some context.

Spend some time reviewing the statistics and graph above. Don’t jump to any conclusions yet! There is a significant issue here, but I’d prefer to use logic versus emotion to drive my reaction.

Now, here’s a couple more things to think about:

Interesting information for sure, and I’m NOT going to draw any conclusions for you. Racism is a thing and it’s a very bad thing. Decisions about what we’re going to do about the problem will be more effective with context.

IMPORTANT: Racism is real and I’m praying for constructive solutions to end it versus destructive solutions that will probably make it worse.

Context is VERY important for decision-making and problem-solving.

Here’s another saying I use often:

Empty spaces get filled.

Without context, what do we rely on to make our decisions? Usually it’s assumptions, bias, and/or emotions. Where we lack information to make a good decisions, some of us have a tendency to make up our own information to fill the gap. You know what they say about assumptions, right? Bias is prejudice in favor of or against one thing, person, or group compared with another, usually in a way considered to be unfair, and this doesn’t sound like a good base for decision-making. Emotions are variable and always play a role in decision-making, but it can become a problem when it’s the dominant role. Emotions like fear, anger, and frustration can easily be played against you and drive you to make a decision you’ll come to regret.

So, what to do?

First, understand that information security is about risk management. Risk is the likelihood of something bad happening and the impact if it did. This requires context!

Slow down. Think about the data your consuming and ask yourself if there’s more to the story. Is the new exploit your boss read about the most critical thing you should be attending to? If someone asks you what your most significant risk is, would you have an answer? Could you defend your answer if challenged?

About the world stuff, in short:

  • Will COVID-19 be the end of the world? – No, it’s highly unlikely. COVID-19 is a pandemic and all pandemics come to an end.
  • Is COVID-19 serious? – Absolutely! People get sick and people die. It’s 100% serious and we should all do what we can to help ourselves and each other be safe.
  • If you’re a black man in America, are you going to die at the hands of police? – Even by the most credible research I could find, there’s a 99.9% chance that this will NOT happen. Even .1% is way too high! We need to do everything we can to drive this number much lower. In context, the problem goes beyond the police though.

Well, I hope this helped. Remember to put things into context as much as you are able.

[Evan] Let’s move on to some news topics.

News

[Evan] Here’s some news I thought was interesting:

Wrapping Up – Shout outs

[Evan] OK. That’s about it. Episode 96 is coming to an end. Lonely without Brad, but hopefully useful to our listeners.

[Evan] Shout out…

[Evan] We’re very grateful for our listeners and we love hearing from you. Send us messages by email at unsecurity@protonmail.com or check us out on Twitter, @UnsecurityP.

If you wanna socialize with me or Brad directly, we dare you! I’m @evanfrancen, and Brad’s @BradNigh. We work for people and if you want to follow those people, SecurityStudio is @studiosecurity and FRSecure is @FRSecure.

That’s it, talk you all again next week!

Information Security Isn’t About Information or Security

NOTE: Throughout this article, I’ll refer to “we” and “us”. This collective is defined as me, FRSecure employees, SecurityStudio employees, our families, our customers, our partners, and everyone else who thinks in similar ways.

We have a strong belief that:

Information security isn’t about information or security as much as it is about people.

The fact is, if people didn’t suffer when things go wrong (cybersecurity incident, data breach, etc.), then nobody would (or should) care. Obviously, people do suffer, and we DO care.

There’s a second point related to our belief, it’s the fact that people (NOT technology) pose the greatest risk (to themselves and to each other). Technology only does what we tell it to do, but it’s people who tell technology to do the things that are risky (click links, download files, misconfigure settings, etc.).

We’ve held fast to this belief for years, and it’s not just a catchy saying. This is a deep belief we apply every day, in all that we do. For example, our sales team only sells what people need*, our analysts pour their heart and soul into every project, we’re committed to being product agnostic, and we always sleep well knowing we did right by the people who count on us.

*A rumor has been circulating for years at FRSecure; if you sell something that a customer doesn’t need (i.e. money-motivated BS solutions) I’ll run you over with my truck. I want to dispel this rumor. I will NOT run you over with my F250 (officially). Unofficially, this is a good rumor. For the record, I’ve never run anyone over (yet).

Why am I bringing this up again, and why now? Simple, I think it’s relevant.

People who love other people make the best information security people.

When making information security decisions, it’s important to feel the weight of those decisions. Especially when the information you’re protecting isn’t yours, meaning you’re not the one who suffers when it’s lost or stolen.

Relevance to Current Events

We’ve lived our belief (about people) for years, and it’s as relevant today as it’s ever been. People are suffering, directly and/or indirectly from the results of information security incidents. These are people from all walks, regardless of race, religious beliefs, economic backgrounds, political affiliations, or sexual or gender preferences.

Risk doesn’t discriminate, and neither do threats (attackers).

This is true in general terms. There are always specific threats targeting specific groups; however, in general, risk by itself doesn’t discriminate. Even if you’re not specifically targeted, you’ll still encounter some degree of consequence. In today’s world, most of us are digitally connected. In fact, most of us are digitally connected through a mesh of associations; networks, applications (SaaS platforms, social media, online shopping, and other shared services), etc.

The truth is we are all at risk, and people DO suffer. When people suffer, we shouldn’t roll over an take it. We all should get a little (or a lot) pissed off! People taking advantage of others should raise an ire in all of us. Playing the victim helps no one.

Beyond the non-discriminatory nature of information security, there’s additional relevance related to focus, emotions and lack of personal accountability.

Focus

While we’re focusing on VERY legitimate racial injustices in our society, the attackers are still attacking. Attackers know that we’re not paying as much attention to them, and they’re crafting attacks that are more likely to succeed given our emotional state.

Attackers are taking down (DDoS) local and state government websites and services, using language like “Black Lives Matter”, “Peaceful Protest”, and “Support Racial Injustice” as click bait (opposed to legitimate causes), and setting up fake fundraising sites to lure people into giving money for fake causes.

Attackers always use current, well-known, and emotion-laden events to take advantage of panic, fear, and compassion. The attacks happen every time these types of events, and it’s because they work. The attacks work so well that attackers don’t even bother changing their tactics.

Do your best to maintain (at least some) focus on information security. Easier said than done for some of us, but you can do it if you try!

Emotions

When emotions run high, we are quicker to react, and more likely to find ourselves in bad situations. This is due to the way our brain works. Our left brain is more pragmatic and tells us to act logically, while our right brain tells us to follow our heart. In a “normal” state, the left brain and right brain wrestle for control of a decision and the result is a compromise between the two. In highly emotional states, the right brain tends to dominate our decisions and logic takes a back seat. We think less and react more.

People are beautiful. Human beings are delicate and intricate systems, yet we come with this magnificent resilience that seems to defy logic. Most (or maybe it’s many, I don’t know) of us posses empathy, compassion, and love that are interwoven perfectly together. While these things are true, sometimes our emotions get the best of us, and we do things we wouldn’t normally do. It almost seems like things get a little jumbled when we’re in a highly emotional state.

There are at least two important tendencies that are more common for us when we’re in a highly emotional state:

  1. We make more mistakes. In our rush to act, we’re more likely to act before thinking things through to a logical conclusion. The right brain sorta kicks our left brain’s ass.
  2. We open ourselves more to manipulation. If an attacker knows you’re in a highly emotional state, it’s easier to use these emotions against you. Let’s say that you’re torn up about racial injustice. You feel the need to do something about it, driven by your deep compassion for others. If an attacker makes up a compelling story about how you can help right some of the wrongs in our society, don’t you think you’d be more likely to act on it? In a less heightened emotional state, you might be more logical about it the decision to help, be skeptical, and even do some research first.

If you can learn to recognize where your decisions are coming from, you’ll be better prepared to make good decisions. This takes self-discipline and honest introspection. For the time being, it might make sense to put off important decisions until after you’ve had time to process your emotions. Maybe take some time off.

Personal Accountability

During tense and emotional times, there is a much stronger desire to hold people accountable (for something or anything). We’re quicker to assign blame, point fingers, and lash out at anyone we perceive to be going against our personal version of right. This is true in societal issues like racial inequality and to some extent it’s also true with information security. In our rush to hold someone externally accountable, we lessen (even more) our own personal accountability.

Sadly, a great number of people think that their information security is somebody else’s responsibility. The truth is, you’re the one who’s primarily responsible for your own information security, privacy, and safety. Nobody cares about (or should care about) your information security more than you. If information security doesn’t motivate you, maybe your privacy will. If that still doesn’t work, maybe your own safety, and the safety of your loved ones will motivate you to act. In today’s world, safety, privacy, and information security can’t be separated.

Sure, there are others who play a role too, but you are responsible for all parts of information security for which you can control. You can control what your children are accessing online. You can control patching of your home network equipment. You can control which passwords you choose, what applications you run, and which websites you visit for entertainment.

What to Do

So, I covered a lot of stuff. Mostly educational stuff. Now, the practical stuff (hopefully).

The best thing you and I can work on is our habits. If we take the time to learn and form good information security habits, we’ll be in a much better spot to protect ourselves from attackers, especially in light of world-shaking events. Habits form a mindset of default actions, and default actions form a baseline that’s less likely to change, even in response to high stress situations.

In Organizations

Develop an information security program that fits with your culture and master the fundamentals. A good security program is built around risk management and risk management starts with:

  1. An intimate understanding of what “risk” is.
  2. Management commitment, not just endorsement.
  3. An objective and measurable risk assessment.
  4. A roadmap built from the unacceptable risks discovered in the risk assessment.
  5. Execution of the roadmap using creative solutions and processes that fit your culture.
  6. Re-assessment and repetition. This builds the habits.

If your information security program is counter-culture it won’t result in good habit forming. If you can’t secure management commitment, you’re just going through the motions.

At Home

You are the CEO at home, you make the calls, and you are ultimately responsible. The same process outlined above for businesses applies at home. You will need management commitment (you), an objective and measurable risk assessment (see below), a roadmap for improvements, action to implement the improvements, and repetition.

At SecurityStudio we’ve built all of these steps into a simple and FREE tool called S2Me. The only thing we couldn’t build into the tool is your commitment. That’s on you.

Quick Conclusion

There’s too much hate in the world, and we don’t want to make problems worse. I can only think of one thing I hate, and it’s people taking advantage of other people. For me, it’s the lowest of the low. Today, we’re witnessing riots all across the country (and world). They’re not about information security, but they’re about people taking advantage of other people. It’s all bullshit, and it needs to stop! Learn and play your role in information security, and don’t let yourself be a helpless victim.