UNSECURITY Podcast – Ep 99 Show Notes – The Social Dilemma

Happy Tuesday! Here we are again, and lots going on…

The big news (sort of) is the first presidential debate is tonight. I wonder how many people will tune in. Personally, I’m not sure if I will. We’ll see.

A few weeks ago my wife asked me to watch the social dilemma with her on Netflix, so I did. I’d heard about the documentary/movie from some friends, but didn’t get around to watching it until then. Wow!

The opening quote from the movie:

Nothing vast enters the life of mortals without a curse

-Sophocles

He was right. Today, Brad and I will give your our reviews about the social dilemma and talk about our thoughts. These are my (Evan) show notes for episode 99.


SHOW NOTES – Episode 99

Date: Tuesday, September 29th, 2020

Episode 99 Topics

  • Opening
  • Catching Up
  • the social dilemma
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning everyone. Thanks for tuning in to episode 99 of the UNSECURITY Podcast. Today is September 29th, 2020 and joining me is my co-host and friend Brad Nigh.

Good morning Brad.

[Brad] Cue Brad.

[Evan] We’ve got a special show planned for our listeners this week. Brad, you and I both watched the social dilemma on Netflix. It’s a documentary about social media in our society that was released in January. Funny how neither of us had watched it until recently, and now (as of this morning) it’s trending as the #6 most popular video on Netflix. I guess it’s better late to the party than not showing up at all!

Before we jump in, I’m dying to hear your thoughts, let’s catch up quick. This is customary.

Catching Up

[Evan] Brad, how you doing? What’s new?

[Brad] Cue Brad.

[Evan] Cue Evan.

Transition

the social dilemma

[Evan] You watched the social dilemma, right?

[Brad] Cue Brad.

[Evan] What did you think?

Our review and discussion

  • What if I’m not a social media user/addict, why should I care?
  • We see different realities? Different news feeds?
  • Data (you and I) sold to the highest bidder.
  • Where does this all end if we don’t act (now)?

Any sufficiently advanced technology is indistinguishable from magic

-Arthur C. Clarke

[Evan] If you haven’t seen the social dilemma yet, I highly suggest you do. Sit down, spend the hour and a half, and consider it all. If you’ve got a spouse, invite them to watch it with you. If you’ve got teenage kids, see if you can peel them away from their phones long enough too.

We’ve got to do more about this, and we’ve got to move much quicker than we are.

[Evan] OK, news. Let’s do some quick news stories.

News

[Evan] Three news stories to talk about briefly this week:

Wrapping Up – Shout outs

[Evan] OK. That’s about it. Episode 99 is almost a wrap. Brad, any shout outs this week?

[Brad] Shout out…

[Evan] We’re very grateful for our listeners and we love hearing from you. Send us messages by email at unsecurity@protonmail.com or check us out on Twitter, @UnsecurityP.

If you wanna socialize with me or Brad directly, we dare you! I’m @evanfrancen, and Brad’s @BradNigh. We work for people and if you want to follow those people, SecurityStudio is @studiosecurity and FRSecure is @FRSecure.

That’s it, talk you all again next week!

FACTS and OPINIONS

They’re not the same and treating either as the other has consequences.

  • FACT: something that has actual existence, or the quality of being actual.
  • OPINION: a view, judgment, or appraisal formed in the mind about a particular matter.

Facts seem to be in short supply, but the shelves in the warehouse of human discourse are overflowing with opinions. Opinions are easy and they’re cheap (short-term). People like easy and cheap, so they opinions sell like hotcakes.

But, there’s trouble.

Opinions, especially biased ones, can easily lead us to make decisions that are restrained, irrational, and even foolish. Facts are rooted in reality, and reality, although (sometimes) harsh, leads to better decisions and better outcomes.

We’re not sheep. We can think. We have the gift of logic. We can discern fact from opinion, but it might require work. Work isn’t easy and it’s expensive. The expense has a certain long-term payoff, but many of us are short-term thinkers.

Finding facts requires seeking facts. Some facts are harder to find than others, but they are out there!

  • Before you buy the next blinky light someone told you to buy, do the work. Find the facts to support or dispute the matter.
  • Before you take someone’s advice at face value, seek or ask for facts. Anyone with a foot to stand on should be able to defend their position (hopefully with facts).
  • Before you believe what you read, in the news or elsewhere, seek facts. Do your research.

Whatever you do, don’t spread your opinion as fact. You’re only hurting yourself and others who buy what your selling.

UNSECURITY Podcast – Episode 96 Show Notes

Hope you had a fantastic Labor Day weekend! Personally, it was nice to get away with family and disconnect for a while!

Did you know the history of Labor Day?

It’s always the first Monday in September, ad it’s dedicated to the social and economic achievements of American workers. The first state to recognize the holiday was Oregon in 1887, and it became a federal holiday in 1894. So, this year we celebrate more than 125 years of American work!

Read more about the history of Labor Day on the U.S. Department of Labor website.

Brad’s out today.

Like most weeks, I’m writing the show notes last minute. On the way into work this morning (2:30am), Brad sent me a text message informing me that he is not feeling well. We think it might be a bout of food poisoning, so he should be OK with some rest. Please keep him in your thoughts and prayers.

No Brad today, so this means I’m left to my own devices. This will be the first episode I’ve done by myself. We’ll see how this shakes out.

Let’s get on with it! These are my (Evan) notes.


SHOW NOTES – Episode 96

Date: Tuesday, September 8st, 2020

Episode 96 Topics

  • Opening
  • Catching Up
  • Context Means Everything A Lot
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning everyone. Thanks for tuning in. The date is September 8th, 2020 and this is episode 96 of the UNSECURITY Podcast! I’m your host, Evan Francen, and my buddy is out sick today. Normally Brad Nigh joins me as co-host, but he informed me early this morning that he might have a case of some food poisoning.

Wishing Brad a fast and full recovery!

Be warned. Without Brad, I might end up rambling a bit!

Catching Up

[Evan] Regular listeners to our show know that Brad and I normally start off with catching up with each other. No Brad today, so I’ll bore you with some of the stuff I’ve been up to:

  • Great weekend camping with my wife, my daughter, my good friend Ryan Cloutier, and his wife Aimee
  • Bunch of meetings last week, including 11 last Tuesday; Chubb, the Cybercrime Support Network, Schneider Downs (makers of Red Lure), etc.
  • Lots of great work going on at both companies; FRSecure and SecurityStudio.
    • New service offerings at both companies.
    • S2Org – working on a global S2Score, integrating S2Team, S2Vendor, and new deeper-dive risk assessments.
    • S2Vendor – working on customized workflows, custom due dates, integration of something called the “Cowbell Factor”, vendor breach data/news, etc.
    • S2Me – Redesign based on user feedback, definition of four new “normal” language dialects, and the introduction of “Sam”.
  • The Security Shit Show last Thursday night; topic was “Negativity is Bullsh*t”.
  • Some other miscellaneous things…

Crazy week, but it appears as though business is really picking up and market sentiment is positive(r).

[Evan] Alright, again, no Brad to catch up with. Hoping he had a great week and weekend, minus the food poisoning thing. Now on to the topic for today’s show.

Transition

Context Means Everything A Lot

[Evan] If you know me, you know I use many sayings/themes to try to get my point across. One saying I’ve muttered many times:

One of the easiest tells for determining a good information security advice from bad is using context.

Context is critical. Think about it. You make decisions all day, from the seemingly insignificant ones to the critical ones, and everything in between. How does the lack of context effect your decision-making? Without context, the quality of your decisions will suffer.

Without context people make crappy decisions

Recent conversation with “James”:

  • [James] We get the importance of a risk assessment, but we’re just not focusing on that right now. We’re focusing on partnering with firms with forensics capabilities and setting up a security operations center (or “SOC”).
  • [Mike] Are these our most significant risks to focus on right now?
  • [James] We think so. We don’t have any forensics capabilities and we don’t feel like we’re able to identify events happening in our environment.
  • [Mike] What’s the environment look like? How many servers, how many systems, how many applications, etc.?
  • [James] We’ve probably got 100(ish) servers and a couple hundred applications I’d guess.
  • [Mike] You guess?

A recent article “Most cyber-security reports only focus on the cool threats

A recent conversation with “Bill”. Bill is the CEO:

  • [Bill] Hey Mike. We need to stop everything we’re working on and take care of this exploit I heard about from a friend.
  • [Mike] I’ve never heard of this exploit. Why do we need to stop everything and focus on it?
  • [Bill] My buddy over at XYZ company was just telling me about how his company got hit.
  • [Mike] OK, we’ll get right on it.

Regulators and auditors are notorious for missing context and often take us down the road of compliance management versus risk management.

Penetration testers, especially those who are newer to our industry are notorious for getting things out of context. Context is critical.

Same concept applies to the world Around Us

The information security industry is unique, but it’s not unique in the fact that human beings are the ones making decisions. Context works the same way.

Take COVID-19 for instance:

  • The headline reads “South Dakota dismisses ‘elite class of so-called experts,’ carries on with state fair after Sturgis rally fueled COVID-19 surge” – The words “Sturgis rally fueled COVID-19 surge” is troubling. If we made a decision based on these words it might be different than a decision with some context. The article goes on to say (buried in 6th paragraph) “Nationally, about 300 cases have been linked to the rally.” For context, there were an estimated 460,000 attendees. 300 cases out of 460,000 attendees works out to about .065%. Granted, there will likely be more, but the rally was a month ago now.
  • Another headline reads “New challenges in US battle against Covid-19 come with the approaching fall season” – This article goes on to say “The holiday crowds mark the unofficial end to a devastating summer across the country, with Covid-19 infections surging to more than 6.3 million and deaths topping 189,000.” The word “devastating” is not only subjective, but it lacks context. A single infection and a single death is bad, but in context it seems a little less devastating. 6.3 million people is about 1.91% of the U.S. population. More than 640,000 people die each year from heart disease and almost 600,000 die from cancer.

IMPORTANT: COVID-19 is a pandemic and it is VERY serious. I don’t mean to minimize the coronavirus in any way, but I do want to put it into context. Be courteous to others. Wear a mask and follow the CDC’s guidance. Speaking of the CDC, this is a great source for context!

Racism and police violence is another hot button issue. Judging from some of the news and reactions from some of the public, you’d certainly think this was worth burning down the “establishment”. I’m someone who wants to fix broken things, so if I’m interested in fixing broken things, I need to make good decisions in context. Here’s some context.

Spend some time reviewing the statistics and graph above. Don’t jump to any conclusions yet! There is a significant issue here, but I’d prefer to use logic versus emotion to drive my reaction.

Now, here’s a couple more things to think about:

Interesting information for sure, and I’m NOT going to draw any conclusions for you. Racism is a thing and it’s a very bad thing. Decisions about what we’re going to do about the problem will be more effective with context.

IMPORTANT: Racism is real and I’m praying for constructive solutions to end it versus destructive solutions that will probably make it worse.

Context is VERY important for decision-making and problem-solving.

Here’s another saying I use often:

Empty spaces get filled.

Without context, what do we rely on to make our decisions? Usually it’s assumptions, bias, and/or emotions. Where we lack information to make a good decisions, some of us have a tendency to make up our own information to fill the gap. You know what they say about assumptions, right? Bias is prejudice in favor of or against one thing, person, or group compared with another, usually in a way considered to be unfair, and this doesn’t sound like a good base for decision-making. Emotions are variable and always play a role in decision-making, but it can become a problem when it’s the dominant role. Emotions like fear, anger, and frustration can easily be played against you and drive you to make a decision you’ll come to regret.

So, what to do?

First, understand that information security is about risk management. Risk is the likelihood of something bad happening and the impact if it did. This requires context!

Slow down. Think about the data your consuming and ask yourself if there’s more to the story. Is the new exploit your boss read about the most critical thing you should be attending to? If someone asks you what your most significant risk is, would you have an answer? Could you defend your answer if challenged?

About the world stuff, in short:

  • Will COVID-19 be the end of the world? – No, it’s highly unlikely. COVID-19 is a pandemic and all pandemics come to an end.
  • Is COVID-19 serious? – Absolutely! People get sick and people die. It’s 100% serious and we should all do what we can to help ourselves and each other be safe.
  • If you’re a black man in America, are you going to die at the hands of police? – Even by the most credible research I could find, there’s a 99.9% chance that this will NOT happen. Even .1% is way too high! We need to do everything we can to drive this number much lower. In context, the problem goes beyond the police though.

Well, I hope this helped. Remember to put things into context as much as you are able.

[Evan] Let’s move on to some news topics.

News

[Evan] Here’s some news I thought was interesting:

Wrapping Up – Shout outs

[Evan] OK. That’s about it. Episode 96 is coming to an end. Lonely without Brad, but hopefully useful to our listeners.

[Evan] Shout out…

[Evan] We’re very grateful for our listeners and we love hearing from you. Send us messages by email at unsecurity@protonmail.com or check us out on Twitter, @UnsecurityP.

If you wanna socialize with me or Brad directly, we dare you! I’m @evanfrancen, and Brad’s @BradNigh. We work for people and if you want to follow those people, SecurityStudio is @studiosecurity and FRSecure is @FRSecure.

That’s it, talk you all again next week!

Information Security Isn’t About Information or Security

NOTE: Throughout this article, I’ll refer to “we” and “us”. This collective is defined as me, FRSecure employees, SecurityStudio employees, our families, our customers, our partners, and everyone else who thinks in similar ways.

We have a strong belief that:

Information security isn’t about information or security as much as it is about people.

The fact is, if people didn’t suffer when things go wrong (cybersecurity incident, data breach, etc.), then nobody would (or should) care. Obviously, people do suffer, and we DO care.

There’s a second point related to our belief, it’s the fact that people (NOT technology) pose the greatest risk (to themselves and to each other). Technology only does what we tell it to do, but it’s people who tell technology to do the things that are risky (click links, download files, misconfigure settings, etc.).

We’ve held fast to this belief for years, and it’s not just a catchy saying. This is a deep belief we apply every day, in all that we do. For example, our sales team only sells what people need*, our analysts pour their heart and soul into every project, we’re committed to being product agnostic, and we always sleep well knowing we did right by the people who count on us.

*A rumor has been circulating for years at FRSecure; if you sell something that a customer doesn’t need (i.e. money-motivated BS solutions) I’ll run you over with my truck. I want to dispel this rumor. I will NOT run you over with my F250 (officially). Unofficially, this is a good rumor. For the record, I’ve never run anyone over (yet).

Why am I bringing this up again, and why now? Simple, I think it’s relevant.

People who love other people make the best information security people.

When making information security decisions, it’s important to feel the weight of those decisions. Especially when the information you’re protecting isn’t yours, meaning you’re not the one who suffers when it’s lost or stolen.

Relevance to Current Events

We’ve lived our belief (about people) for years, and it’s as relevant today as it’s ever been. People are suffering, directly and/or indirectly from the results of information security incidents. These are people from all walks, regardless of race, religious beliefs, economic backgrounds, political affiliations, or sexual or gender preferences.

Risk doesn’t discriminate, and neither do threats (attackers).

This is true in general terms. There are always specific threats targeting specific groups; however, in general, risk by itself doesn’t discriminate. Even if you’re not specifically targeted, you’ll still encounter some degree of consequence. In today’s world, most of us are digitally connected. In fact, most of us are digitally connected through a mesh of associations; networks, applications (SaaS platforms, social media, online shopping, and other shared services), etc.

The truth is we are all at risk, and people DO suffer. When people suffer, we shouldn’t roll over an take it. We all should get a little (or a lot) pissed off! People taking advantage of others should raise an ire in all of us. Playing the victim helps no one.

Beyond the non-discriminatory nature of information security, there’s additional relevance related to focus, emotions and lack of personal accountability.

Focus

While we’re focusing on VERY legitimate racial injustices in our society, the attackers are still attacking. Attackers know that we’re not paying as much attention to them, and they’re crafting attacks that are more likely to succeed given our emotional state.

Attackers are taking down (DDoS) local and state government websites and services, using language like “Black Lives Matter”, “Peaceful Protest”, and “Support Racial Injustice” as click bait (opposed to legitimate causes), and setting up fake fundraising sites to lure people into giving money for fake causes.

Attackers always use current, well-known, and emotion-laden events to take advantage of panic, fear, and compassion. The attacks happen every time these types of events, and it’s because they work. The attacks work so well that attackers don’t even bother changing their tactics.

Do your best to maintain (at least some) focus on information security. Easier said than done for some of us, but you can do it if you try!

Emotions

When emotions run high, we are quicker to react, and more likely to find ourselves in bad situations. This is due to the way our brain works. Our left brain is more pragmatic and tells us to act logically, while our right brain tells us to follow our heart. In a “normal” state, the left brain and right brain wrestle for control of a decision and the result is a compromise between the two. In highly emotional states, the right brain tends to dominate our decisions and logic takes a back seat. We think less and react more.

People are beautiful. Human beings are delicate and intricate systems, yet we come with this magnificent resilience that seems to defy logic. Most (or maybe it’s many, I don’t know) of us posses empathy, compassion, and love that are interwoven perfectly together. While these things are true, sometimes our emotions get the best of us, and we do things we wouldn’t normally do. It almost seems like things get a little jumbled when we’re in a highly emotional state.

There are at least two important tendencies that are more common for us when we’re in a highly emotional state:

  1. We make more mistakes. In our rush to act, we’re more likely to act before thinking things through to a logical conclusion. The right brain sorta kicks our left brain’s ass.
  2. We open ourselves more to manipulation. If an attacker knows you’re in a highly emotional state, it’s easier to use these emotions against you. Let’s say that you’re torn up about racial injustice. You feel the need to do something about it, driven by your deep compassion for others. If an attacker makes up a compelling story about how you can help right some of the wrongs in our society, don’t you think you’d be more likely to act on it? In a less heightened emotional state, you might be more logical about it the decision to help, be skeptical, and even do some research first.

If you can learn to recognize where your decisions are coming from, you’ll be better prepared to make good decisions. This takes self-discipline and honest introspection. For the time being, it might make sense to put off important decisions until after you’ve had time to process your emotions. Maybe take some time off.

Personal Accountability

During tense and emotional times, there is a much stronger desire to hold people accountable (for something or anything). We’re quicker to assign blame, point fingers, and lash out at anyone we perceive to be going against our personal version of right. This is true in societal issues like racial inequality and to some extent it’s also true with information security. In our rush to hold someone externally accountable, we lessen (even more) our own personal accountability.

Sadly, a great number of people think that their information security is somebody else’s responsibility. The truth is, you’re the one who’s primarily responsible for your own information security, privacy, and safety. Nobody cares about (or should care about) your information security more than you. If information security doesn’t motivate you, maybe your privacy will. If that still doesn’t work, maybe your own safety, and the safety of your loved ones will motivate you to act. In today’s world, safety, privacy, and information security can’t be separated.

Sure, there are others who play a role too, but you are responsible for all parts of information security for which you can control. You can control what your children are accessing online. You can control patching of your home network equipment. You can control which passwords you choose, what applications you run, and which websites you visit for entertainment.

What to Do

So, I covered a lot of stuff. Mostly educational stuff. Now, the practical stuff (hopefully).

The best thing you and I can work on is our habits. If we take the time to learn and form good information security habits, we’ll be in a much better spot to protect ourselves from attackers, especially in light of world-shaking events. Habits form a mindset of default actions, and default actions form a baseline that’s less likely to change, even in response to high stress situations.

In Organizations

Develop an information security program that fits with your culture and master the fundamentals. A good security program is built around risk management and risk management starts with:

  1. An intimate understanding of what “risk” is.
  2. Management commitment, not just endorsement.
  3. An objective and measurable risk assessment.
  4. A roadmap built from the unacceptable risks discovered in the risk assessment.
  5. Execution of the roadmap using creative solutions and processes that fit your culture.
  6. Re-assessment and repetition. This builds the habits.

If your information security program is counter-culture it won’t result in good habit forming. If you can’t secure management commitment, you’re just going through the motions.

At Home

You are the CEO at home, you make the calls, and you are ultimately responsible. The same process outlined above for businesses applies at home. You will need management commitment (you), an objective and measurable risk assessment (see below), a roadmap for improvements, action to implement the improvements, and repetition.

At SecurityStudio we’ve built all of these steps into a simple and FREE tool called S2Me. The only thing we couldn’t build into the tool is your commitment. That’s on you.

Quick Conclusion

There’s too much hate in the world, and we don’t want to make problems worse. I can only think of one thing I hate, and it’s people taking advantage of other people. For me, it’s the lowest of the low. Today, we’re witnessing riots all across the country (and world). They’re not about information security, but they’re about people taking advantage of other people. It’s all bullshit, and it needs to stop! Learn and play your role in information security, and don’t let yourself be a helpless victim.

You Don’t Know Me

Let’s cut through the bullshit. You don’t know me, and I don’t know you.

Here’s why this is important; despite us not knowing each other, I will judge you and you will judge me. This is human nature. We make our judgements based on information we have available and our own historical perspective (or world view). Judgement might not be overt, but you and I are always engaging in making judgements. You might think this is a bad thing, but it’s not. Judgement, by itself, is nothing more than:

  • the process of forming an opinion or evaluation by discerning and comparing
  • an opinion or estimate so formed
  • the capacity for judging: discernment
  • a proposition stating something believed or asserted

Judgement is good. When you judge me or I you, this could be a good thing; however, it’s only good without bias (unlikely).

Bias is a one-sided, closed-minded, and destructive mindset. Bias doesn’t discriminate, but it leads to discrimination. Look at the definitions of “bias”, “racism”, and “discrimination” for a second.

We can conclude that judgement is good, bias (and racism and discrimination) is bad.

The point

You don’t know me; therefore, if you were to judge me, what would your judgment be based on? If you don’t get to know me, you’d have to judge based on superficial things like how I look, the vehicle(s) I drive, how I dress, etc.

What if I told you these things about me?

  • I’m white/Caucasian.
  • I’m a man.
  • I have a long beard.
  • I drive an F250 pickup truck.
  • I drive a Harley Davidson motorcycle.
  • I live in a small town.
  • I have a good job.
  • I am licensed to carry a firearm.
  • I go to church every Sunday.

Would you think that I’m some sort of right-wing nut job? Would you treat me like one?

How about you? Let’s say:

  • You’re black/African American.
  • You’re a man.
  • You look “normal”, but you’re not clean shaven.
  • You’re middle-aged.
  • You’ve never been married.
  • You have plenty of money.
  • You wear nice clothes.
  • You drive nice sports cars.
  • You didn’t graduate high school.
  • You grew up in New Orleans

Would I think you’re a drug dealer, a thug, or involved in some sort of criminal activity? Would I treat you like you were?

God, I hope not!

In both cases, these judgements are 100% wrong! Like not even close. The judgements are wrong because they are biased.

Me, I am not some right-wing whacko. I despise most of what they stand for and I would never consider doing some of the things they do. Despite this, I can see how someone would mistake me for one. I look the way I look and like the things I like because I do. That’s it, nothing more and nothing less. I hate hatred in all its forms and have a genuinely deep love for people. I don’t just love people like me either, I love people from all walks, all backgrounds, and all beliefs. People who aren’t like me fascinate me.

About the only time I don’t love people is when I must share the road with them, but I’m told that’s sort of normal(ish).

The second person I referenced is Tyler Perry. He is an amazing man with an incredibly inspiring story. Rising from where he did to where he is now is a miraculous journey. He’s impacted thousands (maybe millions) of people across the globe with his works and his story. If you don’t know his story, I’d suggest you read up on him. He grew from a very troubled youth (shitty father figure, attempted suicide, child molestation, etc.) to become a tremendously successful actor, writer, producer, comedian, and director. In my opinion, he’s one of the most inspiring men alive today.

So, again, bias is bad. Put your bias to death as much as you are able.

What to work on

Here are some of the things I will work on to kill my own bias. I can’t change the world, but I can work on me. Here’s my pledge (to myself as much as anyone else):

  1. I will give people the benefit of the doubt. If I don’t know something to be true, instead or going the shitty route, I’ll take the good path in my thoughts and feelings toward others.
  2. I will seek other people’s perspectives. I don’t know what it’s like to be someone else. A person’s perspective is their reality. Understanding their reality and validating it where possible will go a long way towards killing my own biases.
  3. I will listen to people more. We’re all quick to offer advice and stories about the things we’re passionate about. I’ll do better at hearing these things from other people. Who knows, maybe I’ll learn a bunch.
  4. I will embrace the uniqueness in people. We all belong to people groups, either by birth or by choice. Despite whatever people group we belong to, there are beautifully unique things about each one of us. I want to discover the unique gifts in people and embrace them.
  5. I seek to change people and/or their minds less. You have your beliefs and I have mine. We can each be us.
  6. I’ll be a friend to anyone. This doesn’t mean there aren’t boundaries. All relationships have them, even friendships.
  7. I’ll work to find common ground. You’re not me and I’m not you. You believe certain things and so do I. We’re both human beings and if we can’t find anything more common than that, so be it. We’ll start there.

These are seven things that I’ll work on. I said it earlier, I don’t know you, so I can’t suggest the things you should work on. Only you can determine these things, and (probably) only after deep, honest introspection.

I truly love people, and it saddens me to see us hurt each other like we do.

Memorial Day & Other Things

Memorial Day

We live in the best country in the world. Period.

We all have something to complain about and everybody whines. Some of us do these things more than others, and this is “normal”. It’s not normal when we can’t see the good in things. When we can’t see the good, we’re blind and maybe the blindness comes from our sense of entitlement.

Entitlement is taking advantage of and taking for granted the things that were given to us. Given freely, and not earned.

We all take things for granted, at least I do. I take for granted that I can wake up without soldiers outside my door. I take for granted that I can leave my house and take a walk. I take for granted that I can practice the religion I want, drive the truck I want, go many of the places I want, etc. The list of things I take for granted is long, too long.

These things I take for granted weren’t free and they didn’t magically appear. They were were paid for. Our freedom, our way of life, the good things about us were paid for with sacrifices, sacrifices of blood and death.

Tomorrow is Memorial Day. The day to stop and remember the people who sacrificed for us. We remember the ultimate sacrifices made by some of the best among us. These are men, women, fathers, daughters, wives, husbands, mothers, and sons. They gave, we got.

There are no words to express my gratitude. God bless all who serve in our military, especially those who sacrificed all.

Other Things

This morning I’m writing this post from a coffee shop in a small Wisconsin town. The town is Black River Falls, and the name of the coffee shop is Revolution. We’re still inside the COVID 19 pandemic, but there are signs of hope everywhere.

This slideshow requires JavaScript.

We came to Wisconsin for Memorial Day weekend because our neighbors to the East have opened their campgrounds, and we can use the sanity. We’re playing by the rules, being responsible, and for the first time in months, things almost seem right. Whatever “right” is. The picture below is our campsite, with our friends.

While hiking on the first evening, we came across this little fawn. We snapped the picture below while maintaining our distance.

I’m grateful for this amazing country and I’m grateful for all it has to offer; wonderful people, hope, togetherness, beauty, and love. There are so many amazing and good things about our United States (keyword “United”). Again, this is the best country in the world. Period.

UNSECURITY Podcast

We’re not recording anything tomorrow. We’ll pick up the show (Episode 81) on Tuesday (5/26). Both Brad and I are wishing you all the best; the good graces of health, family, etc.

Daily inSANITY Check-in

If you want to join us in our Daily inSANITY Check-ins, you are welcome to! Join us by going here.

Compassion Wins

As you know too well, the COVID-19 pandemic seems to have changed everything. Nothing is the same. We don’t work the same, we don’t shop the same, we don’t entertain the same, and some of us don’t even defecate the same (without toilet paper). No doubt, we’ve endured massive changes to our lives. Compounding the resulting chaos is the uncertainty about our future.

One thing hasn’t changed, and that’s our human compassion.

Through human compassion we will endure together. By our endurance we will prevail together too.

The Start of the Daily inSANITY Check-in

We knew early on, from the beginning of the COVID-19 pandemic, that we’d struggle with mental health. The truth is, some of us have always struggled with mental health. Sanity is precious and need to do all we can to protect it. Rather than sit idly by, and let ourselves blow in the wind, we decided to do something. On March 23rd, six days after FRSecure and SecurityStudio closed our physical offices, we started this thing called the Daily inSANITY Check-In.

Here’s what the Daily inSANITY Check-In is all about:

If you need a break from the chaos, or just want to talk about things, we’re hosting the Daily inSANITY Check-in for these reasons (among others).

Never has the world changed so significantly and affected so many in such a short period. These times are historic, and the effects of the Coronavirus (COVID-19) are not fully known. What we do know is we’ll never be the same. The prominent changes to our lives can force many of us to lose focus and even affect our mental health. Noise generated by the unrelenting media coverage, marketing, and scams only exacerbates our problems.

The purpose of the Daily inSANITY Check-in is to provide a safe place for people to discuss current events, information security things, challenges we’re facing, or whatever else comes to mind. The check-ins are short (30- to- 60-minute) daily meetings with discussion. People are always free to come and go as they please.

This is a joint effort from FRSecure and SecurityStudio, and the host is FRSecure and SecurityStudio CEO, Evan Francen. Joining Evan as co-hosts are Ryan Cloutier, SecurityStudio Principal Security Consultant and Brad Nigh. FRSecure Director of Professional Services & Innovation.

We hope you’ll come join the conversation aimed at restoring and/or maintaining our sanity!

Rules for the Daily inSANITY Check-in are:

  • Be yourself.
  • Respect everyone.
  • Respect opinions.
  • Be kind.

Anyone not playing by the rules is not welcome. Sorry.

Still Going Strong

Today is May 11th, 2020 and we still meet every day. Altogether, we’ve had seventy-nine (79) people visit, and there are many of us who’ve been here since the start. The relationships we’ve built here are real and they’re strong. These solid friendships around our “virtual water cooler” (as it’s been called by some) are incredible, and you’re invited too!

Everyone is welcome to join us. If you need some support or you’ve got some to give, come say “hi”! If you want to share your audio or video, you can. If you don’t, don’t. We’ll welcome you when you come and we’ll be here when you need us!

Sign up here.

The UNSECURITY Podcast – Episode 78 Show Notes – Working From Home

Keeping the show notes short again this week. It was another crazy week at FRSecure and SecurityStudio. We make progress towards our mission each and every day, regardless of COVID-19. Our mission is to fix the broken information security industry, which can be summed up by this statement:

Information security isn’t about information or security as much as it is about people.

When we help people, we help our industry. After all, would anyone care about information security is nobody suffered when things go wrong?

We’ll keep on trucking! We’re grateful for the people who put their trust in us and our credibility.

Let’s just get to it, episode 78 show notes below…


SHOW NOTES – Episode 78

Date: Monday, May 1st, 2020

Episode 78 Topics

  • Opening
  • Catching Up (as per usual)
  • Working from home
  • S2Me/S2Team
  • Listener Mail
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey guys and gals. Welcome to the UNSECURITY Podcast. This is episode 78, the date is May 4th, 2020, and I’m Evan Francen. With me today is my co-host, Brad Nigh. Good morning Brad!

[Brad] It is a good morning and Brad’ll be in a good mood for sure. Let’s see how he responds.

[Evan] Another good show planned for today, but before we jump in, let’s catch up. It’s sort of our usual thing to do about this time.

Catching Up

Quick discussion about some of the cool things we’re doing.

[Evan] We’ve been talking a lot lately about working remote or working from home. This has been a hot topic for some time, but since the COVID-19 outbreak, this is one of the top trending topics in the information security world. Let’s discuss another take on this, more of a future looking strategic perspective.

Working from home

Discussion about:

  1. What work from home looked like before COVID-19.
  2. What happened because of COVID-19.
  3. What the future looks like after COVID-19.

There are plenty of news articles about these topics and there’s no shortage of “expert” advice. Here’s just a few:

  • Is Working From Home The Future Of Work? – https://www.forbes.com/sites/nextavenue/2020/04/10/is-working-from-home-the-future-of-work/#4260c2c846b1“An early-April 2020 MIT survey of 25,000 American workers found that 34% of those who’d been employed four weeks earlier said they’re currently working from home. Combined with the roughly 15% who said they’d been working from home pre-COVID-19, that means nearly half the U.S. workforce might now be remote workers.”
    • “The Brookings Institution’s Katherine Guyot and Isabel V. Sawhill just wrote their take on remote work and COVID-19, calling the pandemic “among other things, a massive experiment in telecommuting.”
    • ‘In a March survey of HR execs by the Gartner IT research firm, 76% said the top employee complaint during the pandemic has been “concerns from managers about the productivity or engagement of their teams when remote.”’
    • “In Buffer.com’s9 State of Remote Report, 19% of remote workers called loneliness their biggest struggle with working from home and 17% cited collaborating and/or communication.”
  • Some May Work From Home Permanently After COVID-19: Gartner – https://www.crn.com/news/running-your-business/some-may-work-from-home-permanently-after-covid-19-gartner“Gartner last week released results from a March 30 survey of 317 CFOs and business finance leaders that found 74 percent of those surveyed expect at least 5 percent of their workforce who previously worked in company offices will become permanent work-from-home employees after the pandemic ends.”
    • “According to Gartner, about 25 percent of those surveyed expect 10 percent of their employees will remain remote, 17 percent expect 20 percent will remain remote, 4 percent expect 50 percent will remain remote, and 2 percent expect over 50 percent of employees now working from home to permanently work from home after the pandemic subsides.”
  • Working from home has a troubled history. Coronavirus is exposing its flaws again – https://www.theguardian.com/commentisfree/2020/apr/12/working-from-home-history-coronavirus-uk-lockdown“According to the Office for National Statistics, only 5% of the UK labour force worked mainly from home in 2019, but well over a quarter had some experience of home-working.”
    • “With all but key workers confined to their homes, the virtual office is now the new norm – a development that could prove to have far-reaching consequences.”
  • As working from home becomes more widespread, many say they don’t want to go back – https://www.cnbc.com/2020/04/24/as-working-from-home-becomes-more-widespread-many-say-they-dont-want-to-go-back.html“States of Play, a joint CNBC/Change Research survey of swing states, finds 42% of respondents nationwide saying they are working from home.”
    • “Once the economy reopens, 24% say they’d like to work either entirely or more from home compared to how they worked before, while 55% plan to head back to the office.”
    • “Some 60% report being either as productive or even more productive than they were working from the office.”

But what about information security?

There is no shortage of information security tips for people working from home. Just a small sampling:

A different approach – S2Me and S2Team

[Evan] In early 2019, SecurityStudio release its first version of S2Me. The S2Me was released (well ahead of COVID-19) to gauge people’s information security habits at home and S2Team was a way to share the results with an employer without violating privacy at home. Last week, SecurityStudio released version two of S2Me and I’d like to talk about all this.

  • What is S2Me?
  • What is S2Team?
  • How do S2Me and S2Team work together?
    • S2Me is a simple, personal information security risk analysis tool for use at home. S2Me helps people understand their risk related to security, privacy, and safety. Once these risks are understood, S2Me attempts to motivate people to build better information security habits at home.
    • S2Team is a collection of S2Me aggregated results to help organizations understand their employees information security habits. Organizations use S2Team to develop better, more personal information security training programs.
    • A couple of quotes from the “Introduction to S2Team and S2Me Topic Descriptions” draft document:
      • “The problem isn’t people. The problem is managing risk related to people.”
      • “People are creatures of habit. People will occasionally deviate from their habits, but habits are their default. Habits create peoples’ baseline and become nearly (or in some cases completely) involuntary.”
      • “People choose to form new habits because if they desire the positive outcome or because they fear a negative one.”
  • A quick peek into S2Me.
  • A quick peek into S2Team

[Evan] I think we’re on the right track, trying to help people build better information security habits at home where everyone ultimately benefits.

Listener Mail

[Evan] A loyal listener, one who got a shout out from me last week, Jason Dance, sent us this article that I thought was interesting and worthy of a brief discussion; It’s Not Just Zoom. Google Meet, Microsoft Teams, and Webex Have Privacy Issues, Too. – https://www.consumerreports.org/video-conferencing-services/videoconferencing-privacy-issues-google-microsoft-webex/

Brief discussion

[Evan] Alright, now some newsy things quick.

News

[Evan] It’s easy to find interesting things to talk about in our industry! Here’s a few that caught my attention:

Wrapping Up – Shout outs

[Evan] Wow. Lots of things. Well, episode 78 is almost in the can. Brad, got a shout out or two?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Here’s mine…

[Evan] Seriously, a huge thank you to our listeners! We love your encouragement and we don’t take your advice lightly. You’re all great! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Have a great week!

The UNSECURITY Podcast – Episode 74 Show Notes – COVID-19 MN Response

If you reading this, I hope you and your loved ones are well! From what I read, we have another few tough weeks ahead of us in the U.S. before (maybe) we turn the corner a little. Keep up the good work by staying at home and/or maintaining your distance from others. Now is NOT the time to let up.

If you missed last week’s show notes or episode 73 of the UNSECURITY Podcast, we had a great time taking with our special guest, Oscar Minks. Oscar leads FRSecure’s Technical Services Team, and he shared some great insight into their current incident response activities.

Episode 74 Topics

Topics for this episode of the UNSECURITY Podcast include:

  • Opening
  • Special Guest – Jim Nash
  • Catching Up 
    • Another week at home.
    • What’s new?
  • COVID-19 Talk With Jim Nash
    • What’s going on in MN state government
    • What’s he hearing from other states
    • How he’s helping our community and tips for listeners
    • Opinion about impact on information security
  • Web Conferencing Craziness (mostly Zoom)
    • The Rise
    • The Bug
    • Zoombombing
    • Other Stuff
    • Overreaction
    • Benefactors
    • Logic and Reason
  • Work From Home – S2Me
    • NASCIO – COVID-19 Response Resources for State IT
    • Safety and Cybersecurity at Home 101 Webinar Series
    • Version Two
  • Other News
    • The Daily inSANITY Check-in
    • FRSecure CISSP Mentor Program
  • Wrapping Up – Shout outs

You can find the full show notes later in this post.

Thoughts

It’s good to get things off your chest from time to time, and it doesn’t matter if anyone else reads what you write. If you are reading this, I hope you get some value from it.

Good News

It’s been hard the last few weeks to find good news. Seems like everywhere I look, there’s bad news. Most of the time is related to Covid-19, but now always. The bad news can come from another breach, vulnerabilities in some application (this week it was Zoom), or any number of things.

If you want to find good news, you have to be intentional about it.

Here’s some good news sources/stories:

See? There are lots of good things happening around the world. Look for them and be encouraged.

Struggling

In the middle of all that’s going on, there are many people struggling. I may be OK and you might be OK too, but the number of people who aren’t OK has grown fast and continues to increase every day. People are losing their businesses, losing their jobs, and losing their minds.

For people who have lost their business, it may feel like you’ve lost your dream. You haven’t! The dream is still alive, it’s just deferred. It’s paused. You may have to start over, or maybe not. The point is to NOT give up. Starting over gives you a chance to do it better this time, using all that you’ve learned from the last time.

For people who have lost their jobs, you might be worried about bills or even where your next meal comes from. When you’re in the middle of the crap, it’s hard to see the other side. Missing payments can be stressful, but it’s not the end of the world. Do what you can to survive this (and you WILL survive this) and try to focus on what you will do or be on the other side. Plan now for what’s to come.

Personal Story

When we started FRSecure in 2008, the U.S. was in the middle of a recession. I thought we could power through it, and succeed despite the odds. I was wrong. We couldn’t find customers, and within a year, it became evident that we wouldn’t be able to pay our bills, including our house payment. I could have given up on the dream of my business and entered the job market again, or I could believe that things would get better. 11-12 years later and FRSecure is a very healthy company, employing more than 70 people and serving more than 1,000 customers. Foreclosure with a wife and five kids was very hard, but we didn’t give up.

Mental Health

For people who have or feel like they’ve lost their minds, please get help. Maintaining mental health during times of crisis can be extremely difficult. It’s OK to not be OK, but it’s not OK to let it rule you. There are many people who care about you and want you to let them help. This is the truth! The most common lie (I think) is believing that you’re not worthy and nobody cares. That’s the lie. Believe and follow the truth, here are some people who care (100%):

Remember, there is hope and there is help! This is the truth, and you have to believe it.

Social Media Stuff

It dawned on me that we have a lot going on, and we share a lot of it on social media. Here’s the list of social media accounts for us:

Those are some thoughts right now. Let’s get to the show notes!


SHOW NOTES – Episode 74

Date: Monday, April 6th, 2020

Show Topics:

  • Opening
  • Special Guest – Jim Nash
  • Catching Up 
    • Another week at home.
    • What’s new?
  • COVID-19 Talk With Jim Nash
    • What’s going on in MN state government
    • What’s he hearing from other states
    • How he’s helping our community and tips for listeners
    • Opinion about impact on information security
  • Web Conferencing Craziness (mostly Zoom)
    • The Rise
    • The Bug
    • Zoombombing
    • Other Stuff
    • Overreaction
    • Benefactors
    • Logic and Reason
  • Work From Home – S2Me
    • NASCIO – COVID-19 Response Resources for State IT
    • Safety and Cybersecurity at Home 101 Webinar Series
    • Version Two
  • Other News
    • The Daily inSANITY Check-in
    • FRSecure CISSP Mentor Program
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning everyone! This is the 74th episode of the UNSECURITY Podcast. The date is April 6th, 2020 and I’m Evan Francen. Joining me is my co-host Brad Nigh along with our special guest Jim Nash.

Good morning Brad.

[Brad] He’ll say what he wants.

[Evan] Welcome to the show again Jim and good morning!

[Jim] He’ll also say what he wants.

[Evan] Jim, do you remember the last time you were on the show? How long ago was that?

[Jim] Still saying what he wants.

[Evan] It’s customary now that we start the show by catching up a bit with each other.

Catching Up

Discussion between Evan, Brad, and Jim.

[Evan] Alright! We invited Jim to be on the show again for a couple reasons. #1 – We like him and #2 – We want to get his perspectives on COVID-19. He’s certainly got some unique things to share.

COVID-19 Talk With Jim Nash
  • What’s going on in MN state government?
  • What’s he hearing from other states?
  • How he’s helping our community and tips for listeners?
    • Supporting the community and small business.
    • Where can we find his videos, pictures, and updates?
  • Opinion about impact on information security

[Evan] For those who don’t know, Jim is my state representative. He represents the district in which I live and I couldn’t be prouder of the way he represents me!

OK, last week, news about Zoom was all the rage it seemed. There’s plenty of fear, misinformation and confusion about the web conferencing solution. I think our listeners could benefit from some straight talk about the issues.

I put together a series of stories and organized them into subtopics. It’ll be cool to get you guys’ perspective.

Web Conferencing Craziness (mostly Zoom) DIscussion

This slideshow requires JavaScript.

 

[Evan] Crazy. The plot is thick surrounding Zoom, isn’t it. The noise is loud and it’s hard to find the truth in all of it.

Let’s switch gears now and talk about something else that’s related. There is no shortage of articles and guidance for working from home. We built a simple assessment in the beginning of 2019, before all hype surrounding the pandemic. The simple assessment is known as S2Me, and it’s importance is higher than it’s ever been.

Work From Home – S2Me

Discussion about S2Me, including:

[Evan] There you go. S2Me is free and always will be free. Either of you guys feel comfortable sharing your personal S2Score?

Other News

[Evan] We had so many things to talk about this week. We’re going to skip other news stories again. Two quick things to tell you about though, before we go.

  • The Daily inSANITY Check-in
    • Still going strong.
    • Everyone is invited all the time!
  • FRSecure CISSP Mentor Program
Wrapping Up – Shout outs

[Evan] Well, that’s it for this week. Plenty going on and lots to do. Either of you guys have any shout outs?

Thank you for listening. We’re a couple of guys who really care about you. We’re hoping you all stay healthy and sane! We love hearing from you, so if you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @evanfrancen, and this other guy is @BradNigh. Jim, you’re all over the place. Want to share some places where people can interact with you online?

Jim, thank you for coming on and sharing with us today!

That’s it. Talk to you all again next week!