Status Update – March 24, 2019

Just got to the hotel in Aberdeen. Getting into the groove, and I felt compelled to share an update with you all. Compelled mainly because I haven’t been able to write here nearly as much as I had intended. It’s not unusual for me to bite off a little (or a lot) more than I can chew.

No matter. It is what it is. If I could learn to say no more often, I’d probably be healthier.

Current (or Recent) Things

Here are some of the things going on in this guy’s work life:

  • Running FRSecure, sort of. I’m the CEO here, but I’m not the person who gets things done. I say “sort of” because I’ve been blessed with an INCREDIBLE leadership team that truly runs the best company in our industry. I love what they’re doing and they’re breaking records every month.
  • Running SecurityStudio, sort of. I’m the CEO here too. Like FRSecure, I’m not the person who gets things done. I’m a little more involved with SecurityStudio because it’s such a young company. Awesome, awesome, awesome leaders here and it’s so much fun to watch this company grow. VENDEFENSE is attracting new customers every week, and there is some really exciting news coming soon!
  • The UNSECURITY: Information Security for Normal People book is behind schedule right now, so I need to focus more attention on completing the draft/manuscript. This will take up most of my time for the next few weeks or so. I’m really excited about this book, mostly because of the audience it’s intended for and the plain-Englishness of it all. I’m hoping it will resonate with “normal” people and help them live better, more secure lives.
  • The So You Want to Get into Security? series of articles is complete, and I’ve compiled the articles into a simple free eBook. I’d never published an eBook to iTunes before, and it was a fun exercise to learn. I’ll plan on making more, and better quality, eBooks available in the future. Check out this one, if you don’t mind, and let me know what you think.
  • The UNSECURITY Podcast is going well, but it’s a struggle to do a weekly one-hour show sometimes. Feeling like we’re dragging @55 a little bit, but we’ll get back into the groove. My show notes have been a couple of days late the last two weeks (vacation and work travel), but that should get back on track soon. We’ve done 19 consecutive weekly shows so far and we’ve learned a lot, but we’ve still got a ways to go before it really feels dialed in. Please be patient with us (me and Brad Nigh). We’re committed to creating a really good show and we’ll keep at it.
  • I’ve written a few more articles lately for other publications. Some are better than others:
  • I’m coming up on my one-year anniversary as the vCISO for a large, global company. I’m actually the vCISO for only one region, the Americas region that includes Canada, United States, and Mexico. It’s a 40-50 hour/month commitment, but it would be a lot more if there weren’t some awesome people there running the day-to-day operations. Great experience with really good people all around.
  • Was at the RSA Conference a couple weeks ago. I had no agenda but to see a friend of mine give his talk and to have lunch with him. Flew in late Thursday night, did what I was there to do, then left Friday afternoon. My friend is Roger Grimes, and he delivered a really good, and very well-attended talk titled 12 Ways to Hack 2FA. Afterwards, we visited (not nearly long enough) for lunch. Roger has an amazing security mind and he’s got impeccable character. We think A LOT alike.
  • The first gathering/meeting of the Cloud Security Alliance Minnesota Chapter (CSA MN) Executive Advisory Board met on March 14th, but I was on vacation. Sucked to miss the first meeting, but vacation was scheduled many months ago. I’m excited to help CSA MN make a real impact. Lots of great people involved!
  • Trying to stay up with Twitter and LinkedIn feeds. I’m thinking that I sort of suck at social mediaing.

I think that covers most of it.

What’s Coming – Future Things

  • Travelling to Aberdeen, South Dakota this week to work with a new client and figure out how we can secure the Ag industry better. We have a lot of work to do in the ag industry!
  • The UNSECURITY Podcast episode 20, live from Aberdeen with Shawn Pollard.
  • Sometime this week, I’m going to start a new hashtag #100DaysOfSecurityTruth. Each day, for 100 days, I will tweet a new truth. Hoping for some interaction, ideas, suggestions, etc.
  • New article for Cyber Security Intelligence about Identity Management. Tim Heath is the CEO over there, and he’s a good dude.
  • New article for here (or somewhere) about the bad things about RSA.
  • Planning the next Security Summit for my vCISO client. These are always fun. People from all over the region come to meet, learn, teach, and have fun together. The last Security Summit was one full day of incident management training and a second day about identity and access management.
  • The next Hacks and Hops event is this week. We didn’t pick the most enthralling topic (third-party security risk management), but it is a critical one. There will be good opportunities to network and learn what works (and what doesn’t). Come if you can.
  • Speaking of third-party security risk management, there’s another eBook being planned. The book will be a soup to nuts/zero to hero book; practical advice from starting from scratch —> the best friggin’ program ever, and everything in between. Thinking a few months or so, but it’s on the docket.
  • Lots of writing for the next book. I’m already behind a bit, so it’s time to get real on this thing! This is actually the number one priority right now.
  • More collaboration with security people I admire. I’d like to collaborate more with Chris Roberts and Roger. I already said a few great things about Roger, but Chris is pretty damn awesome too. More allies = more progress.

I’m sure something else will pop up, but that’s all I can think of right now. If you ask me to do something else, don’t be offended if I graciously decline (for now).

NOTE:  The Writing UNSECURITY series of articles – I still intend to finish writing this series, but for now it’s on hold. There are too many other pressing things (the Information Security for Normal People book, other articles, business commitments, speaking engagements, podcasting, and oh yeah… family!) that need focus too. Comes down to priorities, as it should, and this series must take a back seat for now.

Take care!

-Evan


UNSECURITY Podcast Episode 20 Show Notes

Late again.

Hopefully, I’ll be back on track with getting these show notes posted on Friday like they’re supposed to be.

Two weeks ago, I was out. Last week, I was back, but I was stuck in New Orleans. This week, Brad is out and I’m in Aberdeen, South Dakota. Confusing. Such is the life of… well, us I guess.

If you missed episode 19, you can still give it a listen. I think we still have some work to do on our audio quality and more structure to our content. In time. Please enjoy while you maintain your patience with us.

Episode 20

These are the notes we use to guide the discussion. These notes were written by me (Evan). This episode would normally be led by Brad, but he wanted a vacation or something. I was like, whatever man.

Description – Today’s Topic: Staying Healthy

The basis for the content of today’s show will be provided by the article with the same name that was written and published on March 7th. The article also became Chapter 5 in the So You Want to Get into Security? eBook. The eBook is free on iTunes.

Show Recording: Monday, March 25th, 2019 @ 6:45am

Opening

[Evan] Good morning folks, this is episode 20 of the UNSECURITY Podcast. The date is March 25th, 2019 and not joining me today is my friend Brad Nigh. Brad wanted a vacation. Can you believe it?! Whatever.

I’m not going solo however. Joining me this morning is Shawn Pollard. Good morning Shawn!

[Shawn] Says something…

[Evan] Backing up a second. On the topic of vacation. I guess I took one a couple of weeks ago, so I should cut Brad some slack. Shawn, for people who don’t know, is an Analyst at FRSecure. Shawn, is that your title?

[Shawn] Says something…

[Evan] How long have you been with FRSecure now?

[Shawn] Says something…

[Evan] Do you take vacations? When was the last vacation you took?

[Shawn] Says something…

[Evan] What are your thoughts on vacations? Are they important for us?

[Shawn] Says something…

[Evan] I think they’re critical to healthy living, especially as a security professional. I should have added this to a recent article I wrote titled Staying Healthy. Have you seen and read this article Shawn?

[Shawn] Says something…

[Evan] What did you think?

[Shawn] Says something…

Open Discussion

Open discussion about the importance of getting and staying healthy, based on the article. I have a lot to learn here, and I’m very interested in Shawn’s take on these things.

News

[Evan] I have to admit, I’ve been swamped this week and I haven’t been up-to-date on the news as much as I normally do. Shawn, do you keep up with the news and if so, how do you do it?

[Shawn] Says something…

[Evan] Here’s some recent news that did catch my eye this week.

There’s a ton more news to talk about, but we’re out of time. There’s no shortage of breaches, bugs, and attack news. Stay alert and be careful! If you’re not keeping up with the news, or you feel a bit overwhelmed, you’re not alone. What are some of your favorite ways to stay up-to-date, but not get slammed?

Closing

[Evan] Any parting words of wisdom Shawn?

[Shawn] Wisdomy things.

[Evan] We have work to do soon, don’t we? What did you think of your first podcast experience?

[Shawn] Says something…

Thank you very much for stepping in Shawn. It’s always a great experience to chat with you! Next week, Brad’s back. Neither one of us will be at the home office though. Both of us are working on a project in Rochester, New York, so that’s where we’ll be coming to you from next week.

Don’t forget, you can follow Brad or me on Twitter: @evanfrancen and @BradNigh. Shawn, do you use Twitter at all?

Email us on the show at unsecurity@protonmail.com.

Thanks again and see you next week!

UNSECURITY Podcast Episode 19 Show Notes

Well, I planned to post this on Friday. Good intentions will get you…

I have good reason, at least I think I do, for the delay. I was on vacation last week, and I promised my lovely wife that I wouldn’t work. It’s always a good idea to keep your word with the ones you love! You might remember episode 16 (notes and show). If we want a smooth episode like that again, we’d better behave.

On normal weeks, I do my best to post the notes for the upcoming UNSECURITY Podcast episode on Fridays. Brad Nigh and I record each podcast early on Monday morning, before the week has a chance to get out of control. Brad and I alternate leading episodes, he leads the even ones, and I lead the odd ones. There’s probably some hidden meaning in that.

Brad led last week, and I wasn’t around for episode 18. I don’t get any credit for what you liked about it. If you missed episode 18, you can still give it a listen.

Episode 19

These are the notes we use to guide the discussion. These notes were written by me (Evan).

Description

Show Recording: Monday, March 18th, 2019 @ 6:45am

Brad went solo (sort of) last week, as Evan was not allowed to join the podcast because of his vacation. Key words are “not” and “allowed”. Evan’s back from vacation (sort of), and we’ll pick up from there.

Opening

[Evan] Top of the mornin’ to ya Brad! I’m not Irish, but yesterday was St. Patrick’s Day. I can do that right?

This is the UNSECURITY Podcast episode 19, and I’m your host this morning, Evan Francen. Joining me as usual is my favorite security pal, Brad Nigh. Say “hi” Brad. Today is Monday, March 18th and I’m stuck in New Orleans. More about that later.

Man, we’ve got so much to catch up on Brad! You and I haven’t even talked really for what seems like forever. Where do we start? What’s new?

[Brad] Says all sorts of cool stuff probably.

[Evan] As you know, I was on a boat. A big boat. Internet service sucked, and I didn’t do any work. I had one call on Friday with some lawyers and read a few emails, but none of that counted really. Last work thing was leaving RSA like 10(ish) days ago. More about that later too. What about you Brad, tell me about your week.

[Brad] More cool stuff probably.

[Evan] How did last week’s podcast go? I know you and “Host X” were going to talk about some IR stuff, right? Where’d you go with that and where’d you leave off?

[Brad] More cool stuff probably, but it’ll get cooler even.

[Evan] Nice. Let’s come back to the IR talk later. As you know, I have a love/hate relationship with all things IR. Since it’s been a while, I want to share some RSA stuff with the audience quick.

RSA Thoughts

For those who don’t know, the RSA Conference is an annual information security conference held in San Francisco. It’s arguably the largest, most well-attended conference in our industry.

General discussion about RSA and why I went there in the first place.

  • Been to RSA before?
  • What’s to like/dislike about RSA? There are two things that I hate in our industry, and both can be found at RSA.
  • Why I went:
    • See my friend Roger Grimes give his talk, “12 Ways to Hack MFA”.
    • Met up (briefly) with our team.
    • Have lunch with Roger and his wife.

From RSA, I flew to New Orleans to meet up with my wife and start our vacation.

Vacationy Things

  • Quick recap on the importance of vacations and taking a break.
  • I wrote an article before I left about the importance of health for the information security professional.
  • What I did on my vacation, and what Brad’s gonna be doing on his soon.

Incident Response (cont)

So, where did we leave off last week? I honestly don’t know as I write these notes because I haven’t listened to episode 18 yet. That’s OK though, you can listen to us wing it.

News

We read things in the news all the time. It’s so easy to tune things out because there seems to be so much noise nowadays. Have you ever tried personalizing the news you read? How often do we ask ourselves the question; What does this mean for me and the ones I love? Questions like this make news more meaningful.

There’s a ton more news to talk about, but we’re out of time. There’s no shortage of breaches, bugs, and attack news. Stay alert and be careful! If you’re not keeping up with the news, or you feel a bit overwhelmed, you’re not alone. What are some of your favorite ways to stay up-to-date, but not get slammed?

Closing

[Evan] Any parting words of wisdom Mr. Nigh?

[Brad] Wisdomy things.

[Evan] What’d you think? Good episode?

It’s good to be back. Thank you! That’s a wrap for episode 19. Follow me on Twitter @evanfrancen. Follow Brad on Twitter @BradNigh. Email us on the show at unsecurity@protonmail.com.

Oh yeah, one more thing. We have our upcoming Hacks & Hops event. We’ve got some good experts coming to share how they tackle third-party information security risk. Maybe not the most exciting topic ever, but a SUPER critical one that must be addressed better than it is.

Thanks again and see you next week!

UNSECURITY Podcast Episode 18 Show Notes

Each Friday, I’m going to do my best to post the notes for the UNSECURITY Podcast episode that Brad Nigh and Evan Francen (me) will record on the following Monday morning. Each week, Brad and I alternate leading episodes, so I lead the odd episodes and Brad leads the even ones.

If you missed episode 17, you can still give it a listen.

Episode 18

These are the notes we use to guide the discussion. These notes were written by Brad.

Description

Show Recording: Monday, March 11th, 2019 @ 6:45am

Good morning, this is your host for the day, Brad. Today’s show is going to be different. We kicked Evan out for a week and refused to give him a call-in number so he could actually enjoy his vacation. So joining me today is a special guest host, say hello Host X (I’m not telling you, you have to tune in to see who we got!)

We’ve been talking a lot about all the incident responses we’ve been seeing, and so we wanted to start talking a little bit more about preparing for when it happens to you. This will be the first in a series around a successful Incident Response program. Buckle up, it will be riveting.

Opening

[Brad] Alright, here we are again. This is the UNSECURITY Podcast, and this is episode 18. My name is Brad Nigh, and I’ll be your host for today’s show. Joining me is NOT Evan Francen, instead we have Host X. Host X, what’s up?

[Host X] Will introduce themselves and talk a little about their experience around Incident Response and Information Security

[Brad] Well thank you for helping out and saving the listeners from an hour of me talking to myself.

Discuss Last Week’s Show (Teaser Questions)

  • Have you been listening to the podcast? (It’s always a great idea to put the person who is stepping in to help out on the spot right away)
  • Explain to the listeners a bit about you and your role(s) at FRSecure, and previously. Do you have any experience in security incident response?

Week Recap

[Brad] Host X we like to start off with a recap of our week.  Would you like to share anything about the last week that stood out to you?

[Host X] Probably says things that are deep and introspective, basically the opposite of Evan and my weekly shenanigans.

Discuss the important things about last week, including:

  • More IRs. Why do you think we’re seeing such an increase? What are some of the commonalities between these incidents? Nope, not a repeat... More IRs.
  • Not a last week thing but an upcoming event.  FRSecure has their next Hacks & Hops event coming up
    • Thursday, March 28th, 2-5 p.m. at Day Block Event Center in Minneapolis
    • You can go to hacksandhops.com to register/buy tickets
    • Tickets include appetizers, beer, networking, and the keynote/panel discussion
    • Evan will be there with books, and attendees can purchase signed copies
    • Listen to the podcast for a special promo code that will get you 50% off

One more piece of housekeeping before we really get going. We want to remind everyone how to contact the show, and each of us. Send your suggestions, comments, or whatever else to unsecurity@protonmail.com. If you’d like to be a guest on our show, you can email us there too. The best, least intrusive way to keep up and/or contact either Evan or me is probably through Twitter. Evan is @EvanFrancen and I am @BradNigh.

Easy, right?! Let’s move on.

Let’s talk about, at a high level, the phases of an IR plan, get Host X’s perspective on how these go, and if we have any time left we have some news stories as well.  I think this will be a good conversation because Host X is a normal person, meaning not an information security professional, so we will be getting a more business perspective around this which is important.

[Brad] Okay Host X from a business perspective what do you think of when you hear IR plan?

[Host X] Business, business, business. Numbers. Is this working? Yaaaaaaay! (Okay it will probably be really good stuff and interesting to hear from the business perspective)

[Brad]  Have you been through an IR before?  Did your company have a good IR plan in place or was it more ad-hoc?

[Host X] Shares what happened and their take on the process. 

[This will undoubtedly lead to more Q&A that will be spontaneous, or will be painfully awkward with lots of silence… Tune in to find out!]

[Brad] Okay so now let’s talk about what we do when we put together an IR plan and the phases we go through.  Obviously there is a lot more detail and work that will go into each of these but let’s start building the foundation of being prepared. Today we are just going to talk through these at a very high level with more detailed discussions into the phases and how to attack them in the weeks to come.

  • Phase I – Preparation
  • Phase II – Identification and Assessment
  • Phase III – Containment
  • Phase IV – Investigation
  • Phase V – Eradication & Recovery
  • Phase VI – Follow-Up

[Hopefully Host X is still awake, it is early and they are not an infosec professional.]

Okay some news

News

Closing

[Brad] This was fun, thank you Host X for filling in for Evan and providing your insights on Incident Response

[Host X] Hopefully something positive and about how much fun was had.

Well, that’s episode 18 of the Unsecurity Podcast. Evan will be back next week with stories about his trip to RSA and I’m sure more IR stories. Don’t forget to register for Hacks and Hops using the super-secret promo code.

Another quick reminder to send your questions and suggestions to us at unsecurity@protonmail.com

Thank you and see you next week!

UNSECURITY Podcast Episode 17 Show Notes

UNSECURITY PODCAST – Episode 17

Monday, March 4th, 2019 @ 6:45am

Description

This podcast is led by yours truly (Evan, if you didn’t know me). If you’ve been following our podcasts for a while, hopefully you’re noticing that we continue to improve. Sound quality is better for sure, but Brad and I are also feeling more comfortable talking into microphones. Speaking into a microphone is neither of our strengths. This will be a relaxing week/podcast as we try to recover from last week’s visit with our wives. Actually, I’m kidding. Brad and I both loved spending time with them in episode 16, and we both learned some things about ourselves from our wives’ perspectives. We’re grateful for them, and we hope you enjoyed the listen! If you missed episode 16, check it out!

This week we’re going to dig in to our information security principles. When we started FRSecure in 2008, we documented our guiding principles, almost like our very own Ten Commandments. We revisit them every so often just to make sure that they’re still relevant. This podcast will be our review!

Opening

[Evan] Alright, here we are again. This is the UNSECURITY Podcast, and this is episode 17. My name is Evan Francen, and I’ll be your host for today’s show. Joining me as always is Mr. Brad Nigh. Brad, what’s up?

[Brad] He’ll surely say something here… If not, I’ll kick him under the table.

Discuss Last Week’s Show (Teaser Questions)

  • What did you think of last week’s show?
  • Did your wife listen to the show? If so, what did she think?
  • What sort of feedback did we get from listeners?

Week Recap

[Evan] Before we dig in to the meat of the podcast, let’s share some of the highlights (or maybe lowlights) of our last week with the listeners. Brad, tell me about your week.

[Brad] He’ll surely say something here too… If not, I’ll kick him under the table again.

Discuss the important things about last week, including:

  • More IRs. Why do you think we’re seeing such an increase? What are some of the commonalities between these incidents?
  • Pentest and Political Capital
  • Book Signing Event
  • Stuff that Brad did last week that he hasn’t told me about yet.

Well, good. We have a lot to cover this week. So, let’s get started, but before we do, one more thing that we do every week. We want to remind everyone how to contact the show, and each of us. Send your suggestions, comments, or whatever else to unsecurity@protonmail.com. If you’d like to be a guest on our show, you can email us there too. The best, least intrusive way to keep up and/or contact Brad or I is probably through Twitter. Brad is @BradNigh and I am @EvanFrancen.

Easy. Let’s move on now.

FRSecure’s Information Security Principles

As I stated in the opening, Brad and I are going to review FRSecure’s Information Security Principles together. Brad and I have never done this together, so it will be fun to get each other’s view on these things.

Principles are vital to us at FRSecure because they serve as boundaries and reminders. They keep us honest in all the work we do as security professionals. We first documented our principles in 2008, at the same time we established FRSecure. We wrote our principles down because we always wanted to remind ourselves why we’re different and why we wanted to start our own company in the first place.

Basically, we wanted to do information security right. Not just sometimes, but always. Lofty goal and a high (maybe unrealistic) standard for sure, but that’s the kind of people we are. Always striving for perfection, but never actually getting there.

That sort of sounds sad, doesn’t it?

[Evan] Brad, you’ve seen our principles once or twice right?

[Brad] He’ll surely say something here too, but I’m afraid if I kick him under the table again, he’s going to retaliate. I’ll nicely urge him to say stuff, like friends do.

[Evan] As you might know, I review these principles each year. I’m looking for relevance and alignment with what we believe in. If relevance and alignment are good, the principle is still good. Even though I review these each year, I’ve never had to make a change. This makes me believe that maybe these principles are timeless; after all, this is the eleventh year.

Now, I’ve never reviewed these with anyone before. Today, I’ll review them with my good buddy and trusted cohort Brad. What do you say Brad? You cool with this?

[Brad] Now it’s totally up to him if he wants to say anything. If I really did have to kick him like I said I might have to, he’s probably not even here anymore.

We’re going to cover each principle, one-by-one and give our thoughts on them. We’ll at least cover the following questions, but probably more:

  • What does this principle mean to you?
  • Do you think it still applies to the work we do everyday?
  • How well do you think it aligns with our mission?
  • Would you change it if you could? If so, how?

NOTE: As we cover each of the principles, do you notice any change in our tone? Do Brad or I seem to be more engaged? I’m guessing you’ll hear and sense how important these things are to us. We defend what we believe in.

The Principles

#1 – A business is in business to make money

Information security must align with business objectives.

#2 – Information Security is a business issue

Information security is NOT an IT issue.

#3 – Information Security is fun

That’s right, we said “FUN”!

#4 – People are the biggest risk

Not technology.

#5 – “Compliant” and “secure” are different

We shouldn’t confuse the two.

#6 – There is no common sense in Information Security

If there were, we would have better information security.

#7 – “Secure” is relative

One of many reasons for ongoing measurements and comparisons.

#8 – Information Security should drive business

Identify and focus on information security benefits. Information security shouldn’t just be a cost-center.

#9 – Information Security is not one size fits all

No two businesses are exactly alike.

#10 – There is no “easy button”

So stop looking for one.

Other Bonus Security Wisdom

  • If something is insecure at the core, then it will always be insecure at the perimeter.
  • Gain an intimate understanding of “information security” and “risk”. All of security and compliance flows from these two definitions.
  • You cannot prevent all breaches. You better be able to detect them and respond to them too.
  • A wise man once said “Complexity is the Enemy of Security”.

Alright, we made it through that. I was taking notes, so if we decided on changing anything, we’ll be sure to get those changes implemented in the next version of our principles. I’d actually be surprised if we did change anything, but who knows. This is the first time we’ve done this together.

News

OK, we like our news, yes? Let’s get to some news quick. I think we have some time.

[Evan] I’m not sure how newsworthy this article is, but I love the content. My show, my news.

Closing

[Evan] Well, what do you think Brad? Good show?

[Brad] Assuming Brad is still here or he came back…

Well, that’s episode 17 of the Unsecurity Podcast. I had fun, and I hope the listeners found the hour spent to be a valuable one.

Oh crap, I just remembered! RSA is this week. I’ll be out there, just for a day to see my friend Roger Grimes give his awesome talk on 12 ways to hack MFA. That’ll be cool.

Next week, we’re not sure what we’re doing yet. Brad, you have anything specific planned for next week’s show? We’ll wing it if we gotta. Another quick reminder to send your questions and suggestions to us at unsecurity@protonmail.com

Thank you and see you next week!

UNSECURITY Podcast Episode 16 Show Notes

Each Friday, I’m going to do my best to post the notes for the UNSECURITY Podcast episode that Brad Nigh and Evan Francen (me) will record on the following Monday morning. Each week, Brad and I alternate leading episodes, so I lead the odd episodes and Brad leads the even ones.

If you missed episode 15, you can still give it a listen.

These are the notes we use to guide our discussion for the UNSECURITY PODCAST – Episode 16. This will end in disaster, or it will be great. Hard to tell where this one will go.

Saturday, February 23rd, 2019 @ 4:00pm

Description

This podcast is led by Brad and he’s invited two special guests for this one; his wife and Evan’s wife. We’ll talk about what it’s like to be married to an information security person and ask a bunch of questions that we think might help us learn more about maintaining a healthy relationship at home while working like we do (long hours, hard challenges, and mission-driven).

Opening

[BRAD] Alright, welcome to the UNSECURITY Podcast. My name is Brad Nigh, and I’ll be your host for today’s show. Joining me as always is Evan Francen. Hi Evan.

[EVAN] Hi Brad. Good afternoon.

[BRAD] That’s right. We had to switch it up a little this week because Evan is travelling to a client on Monday and Tuesday. Instead of recording our podcast on a Monday morning, like usual, we’re recording on Saturday afternoon.

We’re excited for today’s show because we have not one, but two special guests.

[EVAN] That’s right. We’re excited. Tell the listeners why we’re so excited Brad.

[BRAD] We’re excited because we’ve invited our wives to participate in today’s show!

[EVAN] Oh boy.

[BRAD] No, I think it’s OK. They promised they’d be nice, and only tell half-truths to protect us.

[EVAN] OK, good.

[BRAD] Ladies, welcome. Say “hi”

[GUEST ONE AND GUEST TWO] Hello guys. Thanks for having us (or whatever).

Interview Questions

These are interview questions for our guests, or more accurately, our own wives.

All our questions are addressed to both wives; however, other questions may come up during the interview that could be addressed to one or the other specifically.

[BRAD] Alright, you guys ready? You’re sort of the stars of the show today. Remember, no bashing and be nice! We can delete this recording if we need to.

Our sample questions. Depending on how things go, we might skip some or add some. We’ll see…

  1. What’s it like to be married to someone who works in information security?
  2. Share some of the hardest challenges in balancing your marriage with his job.
  3. Do you have any interest in being an information security professional yourself?
  4. Do you notice times of increased stress in your spouse’s life that you know come from their work?
  5. How often do you notice increased stress?
  6. Can you share any tips on how to handle your spouse’s work stress?
  7. Do you give advice to your spouse when he’s stressing from work? If so, what advice have you given him that helped (or not)?
  8. How many hours per week does your husband work? Is it too much? What’s the right number of hours?
  9. What’s the best advice for getting your husband to stop thinking about work?
  10. What do you think is different about being married to a person who works in information security versus some other careers?
  11. If you could give one piece of advice to your husbands related to work/life balance, what would it be?
  12. If you could give one piece of advice to other spouses who are married to information security people, what would it be?

ENDING ON A HAPPY NOTE…

What are some of the greatest benefits to your family that have come from your husband’s work in information security?

[BRAD] Phew. Alright then. Thank you, ladies! We made it out of that alive, right?

DIALOG AS NEEDED…

Week Recap

Quick recap of anything exciting that happened to either one of us last week…

We’re always looking for feedback from you, our listeners. Tell us how you liked our show, make suggestions, or volunteer to be a guest. Whatever. Just email the show at unsecurity@protonmail.com.

By now, you should know where to find me and Evan. Find me on Twitter at @BradNigh. You can find Evan on his website https://evanfrancen.com or on Twitter at @evanfrancen.

News

OK, let’s get to some news quick. I think we have some time. Ladies, feel free to chime in. Your perspective matters too.

Closing

Well, that just about wraps it up for this week’s show, episode 16. This was another good show. A special thank you to our special guests. Ladies, thank you! I know that both Evan and I are very grateful to be supported like we are.

Any parting words Evan?

Next week, we’re not sure what we’re doing yet. We’ve always been pretty good at winging it anyway. Another quick reminder to send your questions and suggestions to us at unsecurity@protonmail.com.

Thank you and see you next week!

UNSECURITY Podcast Episode 15 Show Notes

UNSECURITY Podcast Episode 14

Each Friday, I’m going to do my best to post the notes for the UNSECURITY Podcast episode that Brad Nigh and Evan Francen (me) will record on the following Monday morning. Each week, Brad and I alternate leading episodes, so I lead the odd episodes and Brad leads the even ones.

If you missed episode 13, which featured MN State Rep. Jim Nash, you can still give it a listen.

These are the notes we use to guide our discussion for episode 14.

Opening

OK, here we go. Today is Monday, February 11th, 2019, and this is episode 14 of the UNSECURITY Podcast. My name is Brad Nigh and joining me as always is Evan Francen. Good morning Evan, how are you today?

Also joining the show today is a special guest, he goes by the name M1ndFl4y or “Ben”, depending upon how well you know him. For the sake of today’s show, we’ll call him Ben. Good morning Ben and welcome.

Everyone knows me and Evan, but Ben, people may or may not know who you are. What would you say you do here? Ben discusses what he does. (NOTE: Don’t let him off easy. He’s a social engineer, pen tester, researcher, mentor and creator of cool things.)

My day today. Evan’s got next week.

Week Recap

Let’s replay some of the things we did this week. Although we all work together at the same place, we don’t often get a chance to hear what each other is doing. Ben, start us off.

Ben

(NOTE: Don’t let him off easy again. Make sure he mentions his https://haveibeenpwned.com/ bash script, and the fact that it’s posted on Troy Hunt’s site and he should also share some goodies from his most recent pen test).

Brad

Well, this is what I did this week. Brad’s leading the show and has the liberty to take this wherever he wants.

Evan

Excellent meetings and collaboration this week. Met with a CISO from a large company this week (We’ll leave out the name because nothing’s been cleared with him). The company is a top 50 company in terms of size. Great meeting (Discuss). Maybe give some other highlights, if there’s time.

Awesome. We have a lot to cover in this week’s episode, so let’s get going. But, before we get started, we want to make sure everyone knows how to get in touch with us. Send us your suggestions, questions, or cool things you might want us to know. Use unsecurity@protonmail.com.

Social Engineering

The main theme for today’s episode is social engineering. You know anything about social engineering Ben?

Ben, Evan, and I will share between 3 – 5 real stories from our own personal experiences. The exact number will depend on time.

Three questions:

  1. How does someone go about becoming a social engineer?
  2. Can you suggest any good educational resources (classes, books, podcasts, etc.)?
  3. If you could give one piece of advice to our listeners on how to protect themselves, what would it be? (We’re not really gonna hold you to one!)

Alright, good stuff. You can follow M1ndFl4y on Twitter, although he doesn’t post much, at @M1ndFl4y. Be careful though! He probably only uses Twitter as some sort of OSINT source for his next project.

By now, you should know where to find me and Evan. Find me on Twitter at @BradNigh. You can find Evan using his website https://evanfrancen.com or on Twitter at @evanfrancen.

OK, let’s get to some news…

Topics for Discussion

Any other topic before we get into some of the news?

Recent News

Oh yeah, Apple released a security update on Thursday. The biggest fix was for the FaceTime bug that blew things up last week. The update is iOS version 12.1.4, go apply it!

Closing

Well, that just about wraps it up for this week’s show, episode 14. Thank you, Ben, for coming on. Always fun catching up with you.

Next week, I think we might be starting a series about incident response. We’ll see what Evan decides to do. As always, be sure to send your questions and suggestions to us at unsecurity@protonmail.com.

See you next week!

UNSECURITY Podcast Episode 13

Each Friday, I’m going to do my best to post the notes for the UNSECURITY Podcast episode that Brad Nigh and Evan Francen (me) will record on the following Monday morning. Each week, Brad and I alternate leading episodes, so I lead the odd episodes and Brad leads the even ones.

These are the notes we use to guide our discussion.

Show Notes

Monday, February 4th, 2019 @ 6:45am

OK, here we go. Today is Monday, February 4th, 2019, and this is episode 13 of the UNSECURITY Podcast. My name is Evan Francen and joining me as always is Mr. Brad Nigh. Good morning Brad, how are you today?

Also joining Brad and me is a special guest, Assistant Minority Leader of the Minnesota House of Representatives and FRSecure’s Chief Storyteller, Jim Nash. Welcome Jim.

As you know, this is my day to lead the show.

We had an eventful week last week. The Polar Vortex, board meetings, travel stories, a panel discussion, and some incident response stuff.

We have a lot to cover in this week’s episode! Let’s get going.

Speaking of incident response stuff… I want to discuss two topics with you guys this morning, and I’d like to start with incident response, more specifically the importance of incident response planning.

The Importance of Incident Response Planning

  • A couple of incidents that you and I worked on last week.
  • In all the calls we’ve received for incident response, how many of the companies had an incident response plan? Can you name one?
  • Last week’s trip and the IRT meeting
  • Talk about another incident or two? How would an incident response plan have helped?

What’s happening at the State/States – State of Minnesota

State Security Conference

  • Jim, you recently attended a pretty important security event.
  • You attended the NCSL (National Convention of State Legislatures)
  • You’re one of 22 legislators from across the nation on the task force.
  • “We talked about the California initiative for IOT security, Elections Cyber, GDPR and the California initiative to Americanize it, the veracity of consolidated IT to reduce risk, and pudding” – the “pudding” part is/was a joke

If you have thoughts or suggestions for us about the UNSECURITY Podcast, you can email the show at unsecurity@protonmail.com.

Topics for Discussion

Any other topic before we get into some of the news?

Recent News

The BIG NEWS of the week – On Monday, news broke about an Apple FaceTime bug
It’s crazy how quickly these things blow up, among the stories:

Other News

2.2B hacked user details found in new ‘Collections’ freely shared databases and 2.2 billion emails found in new Collection data dumps

Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts (This was the only news story I saw about this)

Lastly, if we have time:
Microsoft 365 Underwent Two Day Outage, Outlook and Exchange Down

Closing

Be sure to follow Evan (@evanfrancen), Brad (@BradNigh), and Jim (@JimNashMN). Also, be sure to send your questions and suggestions to us at unsecurity@protonmail.com.

Catch up on past episodes of the UNSECURITY Podcast here, or on your favorite podcast app.

See you next week!