The UNSECURITY Podcast – Episode 73 Show Notes – COVID-19 IR

Hope you and your loved ones are well! We can’t understate the importance of physical, mental, and spiritual health, especially in times like these.

If you missed last week’s show notes or episode 72 of the UNSECURITY Podcast, there’s some pretty good stuff there.

Episode 73 Topics

Topics for episode 73 of the UNSECURITY Podcast include:

  • Opening
  • Catching Up 
    • The first full week with a closed office.
    • Staying sane and healthy at home.
  • COVID-19 Affects on Information Security (some of them)
    • Introducing our special guest, FRSecure’s Director of Technical Solutions and Services
    • Incident Response During COVID-19
      • Current Events/Incidents
      • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
    • COVID-19 Scams and Attacks
      • What have we seen?
      • What are we planning for?
    • Physical Security Considerations
  • The Daily inSANITY Check-in
  • FRSecure CISSP Mentor Program Update
  • Wrapping Up – Shout outs

You can find the full show notes near the bottom of this post. Before getting there, I need to get some thoughts out.

Thoughts

It’s been 13 days since FRSecure and SecurityStudio closed their offices. All of us are still around and working, but it’s crazy how much life has changed. Personally, I’m still struggling to make sense of things and I’m mulling over COVID-19 data almost obsessively. The COVID-19 scoreboards plastered everywhere don’t help. On one hand, I like being informed. On the other, I’m tired of tracking the number of infections and deaths.

As I write this, there are 140,164 infections in the United States and 2,476 deaths. What does this mean in the context of everything else? How do I make sense of these numbers? Here’s one attempt:

What does a “normal” 30 days look like in the U.S. for deaths/mortality? According to the CDC, there were nearly 3,000,000 deaths in the U.S. in 2018 (the latest data available). Using this data, here are the number of people who died within an average 30 day window:

  • 53,867 from heart disease (the top killer in the U.S. with 655,381 deaths)
  • 49,255 from cancer (#2 – 599,274 deaths)
  • 13,736 from accidents/unintentional injuries (#3 – 167,127 deaths)
  • 10,029 from Alzheimer’s Disease (#6 – 122,019 deaths)
  • 3,973 from suicide (#10 – 48,344 deaths)

Compare these numbers to where we’re at now with COVID-19. I’m NOT at all minimizing the impact of COVID-19. I’m trying to make sense. I know the number of infected people and deaths will rise significantly over the coming weeks/months, and sadly, we’re in for more terrible news. I’m trying to understand what the numbers mean in the context of other things that aren’t as foreign to me.

A single sick person and/or a single death is sad enough, let alone thousands.

OK. Got that off my chest. Lots and lots of great things going on at FRSecure and SecurityStudio. The best place to keep up with them right now is probably on social media:

Let’s get to the show notes now!


SHOW NOTES – Episode 73

Date: Monday, March 30th, 2020

Show Topics:

  • Opening
  • Catching Up 
    • The first full week with a closed office.
    • Staying sane and healthy at home.
  • COVID-19 Affects on Information Security (some of them)
    • Introducing our special guest, FRSecure’s Director of Technical Solutions and Services
    • Incident Response During COVID-19
      • Current Events/Incidents
      • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
    • COVID-19 Scams and Attacks
      • What have we seen?
      • What are we planning for?
    • Physical Security Considerations
  • The Daily inSANITY Check-in
  • FRSecure CISSP Mentor Program Update
  • Wrapping Up – Shout outs
Opening

NOTE: The show notes were written by me (Evan), but Brad’s leading this episode.

[Brad] Hello listeners, this is another episode of the UNSECURITY Podcast. My name is Brad Nigh, this is episode 73, and the date is March 30th, 2020. Joining me is my co-host Evan Francen. Good morning Evan.

[Evan] Good morning Brad!

[Brad] Also joining us for the show is our special guest and FRSecure’s Director of Technical Solutions and Services, Oscar Minks. Good morning Oscar!

[Oscar] Says good morning or something with his cool southern accent.

[Brad] We’ve got lots to talk about! As is our custom, let’s get started by catching up quick.

Catching Up

Topics here include how we’re coping with COVID-19, the first full week with a closed office, and staying sane (and healthy) at home. Brad found a really good video online; Covid-19 Protecting Your Family, Dr. Dave Price

[Brad] Here’s a can of worms (maybe). Let’s talk about some of the effects that COVID-19 has on what we do. Some of the effects on information security, starting with incident response and physical security. We already mentioned that we’ve got our special guest Oscar Minks here. He’s got some good insights to share, and this should be a good discussion.

Discussion – COVID-19 Affects on Information Security (some of them)
  • Introducing our special guest (again), FRSecure’s Director of Technical Solutions and Services
  • Incident Response During COVID-19
    • Current Events/Incidents
    • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
  • COVID-19 Scams and Attacks
    • What have we seen?
    • What are we planning for?
  • Physical Security Considerations

[Brad] Sadly, the frequency of scams and attacks only increases during times of distress. It’s important that we keep our eye on the ball and not compound our problems with an information security lapse.

OK, switching gears now. Some people are struggling right now. Struggling with making sense of things, struggling with employment, struggling with anxiety, or struggling with any number of things. We started this thing called the Daily inSANITY Check-in last week. Evan, tell the listeners about this thing.

Daily inSANITY Check-in Discussion

The purpose of the Daily inSANITY Check-in is to provide a safe place for people to discuss current events, information security things, challenges we’re facing, or whatever else comes to mind. The check-ins are short (30- to- 60-minute) daily meetings with discussion. People are always free to come and go as they please.

[Brad] The Daily inSANITY Check-in is just one place to get support out of many within our community. The point is to find help when you need it and to help people where you can. It’s cool to see so many people rally and help.

FRSecure CISSP Mentor Program Update

[Brad] Real quick, we made an announcement last week about the FRSecure CISSP Mentor Program. We’re happy to say that we are still going through with this year’s class! The only change is that we have cancelled the in-person portion of the program. As of last Monday, the 23rd, we have 1,007 registered students! That’s crazy! Oh, and I should mention, if you haven’t registered yet, registration is still open.

Wrapping Up

[Brad] No news this week because we had so many other things to talk about. Two last things to mention:

  • Our pal Ryan Cloutier, aka “Cola” just wrapped up the second episode of his K12 Cybersecurity Podcast. It’s a great podcast and you should give it a listen!
  • A shout out to one of our regular listeners, Olga Hoogendoorn – Startseva. Evan promised to give her a shout out because she’s pretty awesome!

Well, that’s it for this week. Plenty going on and lots to do.

Thank you for listening. We’re a couple of guys who really care about you. We’re hoping you all stay healthy and sane! We love hearing from you, so if you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @BradNigh, and this other guy is @evanfrancen. Also, don’t forget to check out @studiosecurity and @FRSecure. They post some good things! Let us know how we can help you!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 65 Show Notes – Money Grab

Another week down. Damn, a whole month is down! January is already in the books.

While I’ve got you here, help us out with our mission. We’re busting our tails off doing our part to fix the broken information security industry. We’re striving and doing these things:

  • Setting a common information security language that can be spoken by everyone; the S2Score.
  • Developing and delivering simple (but effective and credible) information security risk assessments for the under-served (SMBs, state and local government, K-12, etc.):
  • Developing and delivering simple (but effective and credible) tools to help the under-served do information security better.
  • Teaching and mentoring others for free. The FRSecure CISSP Mentor Program is in it’s 11th year! We started with six students in 2010, last year we had 532, and this year we had more than 540 enrollments within the first 24 hours! Check it out and enroll here.

What can you do to help? Simple. You can help in (at least) three ways:

  • Do your own S2Org and S2Me assessments.
  • Contribute your opinions and feedback (after all, we’re all in this together).
  • Spread the word. Tell others. Tell them about the S2Org and S2Me assessments and tell them about the FREE FRSecure CISSP Mentor Program!

OK, on to the show…

February is already upon us, and RSA is just around the corner. Speaking of RSA, let’s talk about our industry’s money grab in this week’s episode. Let’s also discuss tips for talking to the board of directors about information security stuff .

This will be fun!

Alright, on to the show notes. This is my (Evan) show to lead and these (below) are my notes.


SHOW NOTES – Episode 65

Date: Monday, February 2nd, 2020

Show Topics:

Our topics this week:

  • Opening
    • Normal Stuff
    • Got Mail?
  • The Money Grab
    • It’s alive and well – everybody wants your $$$.
    • The Bad Guys Of Course
    • The “Good Guys” Too?
  • Talking to the Board
    • Tips
    • Recent Experiences
  • News
Opening

[Evan] Alright, welcome! This is Evan Francen, this is episode 65 of the UNSECURITY Podcast, and the date is February 3rd, 2020. In studio with me is none other than Mr. Brad Nigh. Howdy Brad.

[Brad] We’ll see how awake he is on an early Monday morning.

[Evan] I’m curious, are you a morning person or a night person?

[Brad] I don’t know what he’ll say here…

[Evan] We’ve got a great show planned for you today. Lots to talk about, for sure! We’re going to talk about this industry’s money grab and we’ll cover some tips for speaking to the board of directors. Before we dig in, Brad, how you doing?

Quick Catch-up Talk

[Evan] Alright. Well, let’s get to it. Let’s talk about the money grab in this industry. In case you didn’t know, I’m referring to the information security industry. You have the something that everybody wants. The bad guys, the good guys, and everyone in between. They all want your money. Collectively, I call this the “money grab” and we’re going to discuss this. I want to discuss this because I don’t want you losing your hard earned money to some crook and I don’t want you to piss it away on something that doesn’t do what you thought.

Discussion about the Money Grab

The money grab is alive and well. Everybody wants your $$$. Everybody.

  • The Bad Guys Of Course
    • The 2018 cybercrime industry was worth at least $1.5 trillion
    • There is no low that’s too low.

This slideshow requires JavaScript.

  • The “Good Guys” Too?
    • Gartner estimated that 2019 industry spending was $124 billion in 2019, and by some estimated it’s expected to grow to more than $170 billion by 2022. NOTE: this is for context only and not to imply that this is wasted spending.
    • FUD (scare the sh*t out of you) and Sex Sell (buzzwords, new blinky lights, etc.)
    • Seems like everybody is fighting for your money.
      • Conferences (RSA, Black Hat, etc.)
      • Companies (borderline extortion, crappy advise, etc.)
    • We’re (FRSecure and SecurityStudio) human too. Mission over money, does it keep us honest?

[Evan] It’s a dangerous world and people (non-information security people are confused). I wonder how much of this is on purpose. The enterprise organizations can afford to make mistakes, but the smaller players are left in the cold and they’re suffering because they often miss the basics, the fundamentals. I feel bad for the under-served markets, especially SMBs. This is our primary focus. OK, on that note…

Discussion about talking boards of directors and executive management

[Evan] Brad, you and I have had the privilege on many occasions to talk to boards and executives. What tips do we have?

Some good back and forth discussion I’m sure…

After a while, let’s do some news.

News

[Evan] I’ve only got two stories to discuss today, but I think they’re interesting ones:

Closing

[Evan] OK, that’s it. Episode 65 is in the bag. Brad, you’ve got any ideas for next week’s show yet?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet sometimes. I’m @evanfrancen and Brad’s @BradNigh. If you like company stuff, we work for SecurityStudio (@studiosecurity) and FRSecure (@FRSecure). The company people post good things from time to time too!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 60 Show Notes – 2019 Year End Review

Goodbye 2019. It’s been real.

Where did the time go?

A common question, we ask ourselves. This year I decided to take a stab at answering it.

Here’s where my time went, for what it’s worth (roughly):

  • 38.58% (or 3,380 hours) working
  • 27.09% (or 2,373 hours) sleeping
  • 23.90% (or 2,094 hours) personal (family, friends, etc.) quality time
  • 10.42% (or 913 hours) other

I spent ~15% more time working than I did making memories with my family in 2019. Some priority adjustments are overdue for me in 2020.

Thank God for the gift of reflection.

The end of the year is a good time to reflect. Reflection is healthy. As I reflect on 2019, I can think of many good things about us like improved industry diversity, great personal growth, business accomplishments, and amazing people working round the clock for our collective benefit.

Unfortunately, there are also bad things. Since we’ve got plenty to cover, both good and bad, we’ll use this episode (#60) to discuss the bad. We won’t want to leave a sour taste in your mouth for too long, so we’ll cover the good things, and the things to look forward to in 2020, in next week’s episode (#61).

Now, the bad.

I already mentioned one of the bad things I discovered from 2019, that my priorities are out of whack, but I also learned things about the sad state of our industry. I learned that we’re (still) losing the war, and we’re losing it on multiple fronts.

Are you wondering what war?

The war where the bad people take advantage of the good people. The war where the immoral ones take advantage of the decent ones. Where the informed and corrupt beat the ignorant and noble every single time.

Let me preface the rest of this by saying I’m not a doomsayer. I’m a realist. I’m a realist with a deep desire to share the truth. If you’ve been paying attention, and can be objective, you’ll find it easier to predict our future. Predicting where a path leads is easier when there’s no (or little) change of course.

Our discussion points for episode 60’s year-end review:

  • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
  • Front #2 – Our local governments and schools are losing their battles.
  • Front #3 – Our homes are part of the battleground and we’re not prepared.

All is not lost, and there’s hope. There’s good news too. We’ll cover good news next week. 2020 is the year for you, me, and our industry to get real. It’s time for us to tackle our most significant issues head-on, together!

I am (Evan) leading the show this week, and these are my notes.


SHOW NOTES – Episode 60

Date: Monday, December 30th, 2019

Show Topics:

Our topics this week:

  • Opening
  • The year (2019) in review.
    • Priorities and life adjustments
    • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
    • Front #2 – Our local governments and schools are losing their battles.
    • Front #3 – Our homes are part of the battleground and we’re not prepared.
  • Closing
Opening

[Evan] Welcome to the last UNSECURITY Podcast episode of 2019! We’ve got a great show planned for you. The date is December 30th, and this is episode number 60. Joining me as (almost) always is my guy Brad Nigh. Hi Brad.

[Brad] Early morning version of Brad…

[Evan] No guest today. It’s just me and you. How you doing?

[Brad] More early morning version Brad things…

[Evan] When I put together today’s show notes, I felt like I was a little harsh, maybe even depressing. It’s not like I was depressed when I wrote the notes, but when I take an objective look at what took place this year, it’s sort of depressing to me. 2019 brought with it a record number of breaches, a record number of records disclosed/stolen, ransomware everywhere, etc. Crap man. Do I seem depressed to you?

[Brad] He’s got something to say.

[Evan] Maybe I take this too personal, but I HATE seeing people get taken advantage of. There were too many times this year that we read about people being taken advantage of, and it sucks. Ugh. Maybe I am depressed.

[Brad] More things…

[Evan] Alright, let’s get to it. The 2019 year-end review…

The year (2019) in review discussion
  • Priorities and life adjustments
  • Front #1 – Breaches are more common than ever, and we seem to care less than ever.
    • Another record year for breaches, do we care?
    • Sources; https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/ and https://lifehacker.com/the-worst-data-breaches-of-2019-1840616463
    • “total number of breaches was up 33% over last year”
    • “medical services, retailers and public entities most affected”
    • “5,183 data breaches for a total of 7.9 billion exposed records”
    • Risk Based Security stated that 2019 is/was the “worst year on record” for breaches
      • January – Marriott breach (383 million)
      • February – 617 million accounts, from 16 websites and for sale on the dark web
      • March – 100s of millions of Facebook and Instagram accounts
      • April – 540 million Facebook records
      • May – 885 million First American Financial records
      • June – 20 million patients, bill collector American Medical Collection Association
      • July – Capital One and 100 million credit card applications
      • August – MoviePass and 160 million unencrypted/unauthenticated records
      • September – 218 million Words with Friends accounts
      • October – 4 billion social media profile records (???)
      • November – Facebook again…
      • December – we’re still waiting…
    • Breach fatigue.
    • Are we getting better at finding/reporting breaches? Are breaches happening more often? Are we getting worse?
  • Front #2 – Our local governments and schools are losing their battles.
    • Ransomware nails our local governments and schools.
    • A great article by Michael Mayes at CPO Magazine; the Top 10 Ransomware Stories of 2019.
      • “As the year ends, it’s time to declare 2019 the Year of Ransomware Escalation.”
      • Baltimore was “just one of 82 cities and municipalities to publicly report being struck by ransomware” in 2019.
      • “By December 1, a total of 72 US school districts have fallen victim to ransomware, impacting 867 individual schools and over 10,000 students.”
      • Nine “school districts representing 98 individual schools have been attacked by ransomware just in November. They include:
        • Wood County Schools, Parkersburg, West VA
        • Port-Neches Grove Independent School District, Port Neches, TX
        • Penn-Harris-Madison School Corporation, Mishawaka, IN
        • Livingston New Jersey School District, Livingston, NJ
        • Chicopee Public Schools, Chicopee, MA
        • Claremont Unified School District, Claremont, CA
        • Sycamore School District 427, DeKalb, IL
        • Sunapee Middle High School, Sunapee, NH
        • Main School Administrative District #6, Buxton, ME”
      • Louisiana declared a state of emergency twice in 2019
    • Do we just accept it?
    • We started a civic duty push in 2019, calling for citizens to inquire about ransomware protections from their local government officials. We’ll need to pick this up again this year, and include schools too.
  • Front #3 – Our homes are part of the battleground and we seem ignorant about it.
    • Security, privacy, and safety at home.
    • We still don’t emphasize information security, privacy, and safety enough at home.
    • Did this problem get worse in 2019?
    • Will this get worse before it gets better?

[Evan] That wasn’t too depressing, was it?

[Brad] Gives his honest opinion.

[Evan] We’ve got a lot of work to do, and there are no easy answers. No easy buttons. I think the answer is found in learning and applying information security fundamentals. We spent 2019 working hard at SecurityStudio and FRSecure to reach people with simple, but practical information security solutions like our vCISO, S2Org (information security risk assessment for all organizations), S2Vendor, S2Me (information security risk assessment for all people) and others. We even made some of our tools free! We’ll continue our quest to reach people and help wherever we can!

Got anything to add Mr. Nigh?

[Brad] Adds if he wants to add.

Closing

[Evan] That’s a wrap for another show. Heck, not just another show, but another year!

Thank you and Happy New Year to our listeners! Be sure to tune in next week, when we’ll cover some positive developments from 2019 and maybe a prediction or two. We love recording these shows for you, and we hope you enjoy them. Send us your questions and feedback at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and this other guy is @BradNigh.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 59 Show Notes

If you’re an information security consultant, you know how crazy the end of the year is. It’s crazy!

We’re trying to wrap up all the projects that needed to be completed before the end of the year, and it’s always a challenge. Thank God for Project Managers and a top-notch operations group!

If you missed last week’s episode, we talked about information security in schools with Mike Dronen, the Executive Director of Technology for Minnetonka Public Schools (District 276). Mike shared some great insight and advice for addressing the unique information security challenges facing K-12 schools. If you missed the episode, give it a listen here!

It was no coincidence that last week I also gave the keynote at the East Central Minnesota Education Cable Cooperative (ECMECC) School Security Summit. The Summit was held at the Braham Event Center on December 19th, and was attended by a few hundred K12 school administrators, technology coordinators, facilities staff, and law enforcement. Met a ton of cool people and my keynote was well-received.

If you’d like a copy of the ECMECC presentation, you can go grab it here.

This is Christmas week! For those of us working this week, please take some time off to spend with your loved ones. Merry Christmas to all of you!

Brad is leading the show this week, and these are his notes.


SHOW NOTES – Episode 59

Date: Monday, December 23rd, 2019

Show Topics:

Our topics this week:

  • The SecurityStudio Roadshow Recap (not all the questions, but I have some surprises)
    • Let’s talk about who we met on the Roadshow; different roles, titles, experience levels, etc.
    • Anyone stand out in particular?
    • Was there a specific event that really stood out to you, and why?
    • What was something you learned that surprised you?
  • News
Opening

[Brad] Welcome back! This is episode 59 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is December 23rd, and joining me is my co-host, Evan Francen. Good morning Evan.

[Evan] Lots of words of wisdom I’m sure.

[Brad] We have an in-studio guest today. FRSecure and Security Studio President, John Harmon. Good morning John.

[John] John says something I hope.

[Brad] Before we dive in, we like to check-in. John, how you doing? How was your week and what do you expect this week?

[John] John wonders why he agreed to do a podcast again this early in the morning but is a good sport and says something.

[Brad] And Evan. How are you and what’s up?

[Evan] Probably isn’t sure what to do with himself since he isn’t traveling all the time.

[Brad] Sounds like everyone is ready for the holidays to recharge and prepare for the next year.  We thought it would be fun to answer some questions and hear from Evan and John their thoughts on the recently completed roadshow, so without further ado let’s dive in.

SecurityStudio Roadshow Recap
  • Some surprise questions will be asked…
  • Let’s talk about who you met on the roadshow, roles, titles, experience levels, etc.
  • Anyone particular stand out?
  • Was there a specific event that really stood out to you, why?
  • What was something you learned doing this that surprised you?

[Brad] Great discussion.  Always fun talking with Evan and John.

Let’s do some news…

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Closing

[Brad] That’s it. Episode 59 is a wrap. Thank you to John for joining us again, although this is the first time I’ve been here for it.

Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen. John, is there a way you prefer for people to interact with you?

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 58 Show Notes

We welcome Mike Dronen to be our guest in episode 58 of the UNSECURITY Podcast! Mike is the Executive Director of Technology for Minnetonka Public Schools (District 276), and he’s joining us to talk about information security challenges facing K-12.

In case you missed the past couple of weeks, we talked a ton about legal and privacy stuff with our favorite data privacy and “cybersecurity” attorney, Justin Webb. Justin works for Godfrey & Kahn, S.C. in Milwaukee, and here’s what we covered:

Lots of good content and advice in these past couple of episodes. This week with Mike Dronnen is sure to be great too!

I’m leading the show this week, and here are my notes.


SHOW NOTES – Episode 58

Date: Monday, December 16th, 2019

Show Topics:

Our topics this week:

  • Information Security Challenges in K-12
    • Article: The Cybersecurity Threats That Keep K–12 CIOs Up at Night
    • How does information security work in K-12?
    • What makes K-12 different than everywhere else?
    • What are there differences between large school districts and smaller ones?
    • What tips do we have for administrators?
    • What tips do we have for educators?
    • What tips do we have for parents?
  • News
Opening

[Evan] Welcome back! This is episode 58 of the UNSECURITY Podcast, and I’m your host this week, Evan Francen. Today is December 16th, and joining me is my co-host, Brad Nigh. Good morning Brad.

[Brad] We’ll see how awake he is this fine Monday morning.

[Evan] We’ve had a couple of great shows the past couple of weeks. We learned a lot from our guest, Justin Webb. We talked a ton about privacy things and legal things. This week we’re going to shift gears a bit, and talk about information security in K-12. To help us navigate these waters, I’ve invited the Executive Director of Technology from Minnetonka Public Schools to our show. Minnetonka is my alma mater, and Mike Dronnen is a good friend. Welcome Mike!

[Mike] Mike’s a good guy. He’ll surely say “hi” or something.

[Evan] Mike, we’re excited to have you on the show for a number of reasons. You’re a good guy, I’m a Skipper, and Brad’s got some kids in your district too. Thank you for joining, especially on short notice.

Before we dive in, I like to check-in. Mike, how you doing? How was your week and what do you expect this week?

[Mike] Mike shares what he’d like to share.

[Evan] And Brad. How are you and what’s up?

[Brad] Sharing is caring.

[Evan] We’re all busy. Hopefully, health busy. My quick recap…

Alright, let’s talk about information security in K-12, shall we?

Discussion about information security challenges in K-12
  • Article: The Cybersecurity Threats That Keep K–12 CIOs Up at Night
  • How does information security work in K-12?
  • What makes K-12 different than everywhere else?
  • What are there differences between large school districts and smaller ones?
  • What tips do we have for administrators?
  • What tips do we have for educators?
  • What tips do we have for parents?

[Evan] Another great discussion. There are some real challenges for K-12, and I think we’ve all got some skin in this game to do the best we can. Thanks Mike!

Let’s do some news…

News

[Evan] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Closing

[Evan] That’s it. Episode 58 is a wrap. Thank you to Mike for joining us and for sharing your perspectives on K-12 information security!

Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Mike, is there a way you prefer for people to interact with you?

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 40 Show Notes

Another week in the books (almost). Speaking of books, I’m working on one with two more in the works. So much writing to do, and not enough time! I’m sure that lack of time is not a problem that’s unique to me. Time is precious, and nobody’s got enough of it.

In case you missed it, this week was “Hacker Summer Camp” in Las Vegas. Thousands of information security people descended upon Sin City this week for Black Hat, BSides Las Vegas, and DEF CON. These are three of the best known and well-attended conferences in our industry. David (aka “System Overlord”) writes a good summary, you can read it here.

Instead of going to Hacker Summer Camp, I took this week to get away. A few people were surprised that I wasn’t going, but to be honest, it’s not really my jam. It’s too much noise, too much BS, too much drinking, and too flashy for me. Maybe it’s just a different stage of life for me now. Some people thrive on being where the action is; I’m just not one of them. To each his/her own.

We sent 10 people from FRSecure, people with more self-control.

While Black Hat was kicking off, I took off to Duluth, MN and the North Shore for a few days. Did some catch-up work and some writing. It was good soul time.

This slideshow requires JavaScript.

Alright back to the grind. In the office this morning, putting together episode 40’s show notes, and getting face time with some of my favorite people. Hopefully, you enjoyed last week’s show, with the return of “Ben”. As I write this, Ben is neck deep with FRSecure’s Team Ambush competing (and winning?) in their DEF CON CTF.

This week, Brad’s back!

On to the show notes…


SHOW NOTES – Episode 40

Date: Monday, August 12th, 2019

Today’s Topics:

Our topics this week:

  • Catching up; Brad’s Back
  • More Incident Response(s)
  • Hacks & Hops
  • warl0ck gam3z
  • Industry News

[Brad] – Welcome to episode 40 of the UNSECURITY Podcast! My name is Brad Nigh, and I’m your host this week. I’ve had a couple of weeks off from the podcast, but it’s good to be back! Joining me as co-host this week is Evan Francen. Hi Evan.

[Evan] Hi Brad. Welcome back!

Catching up (a little)

[Brad] So, jumping right back into things this week. We received a couple of interesting incident response calls. I’d like to talk about them, how we handle them, and then we’ll segue into Hacks & Hops and a great tip/question we received from one of our listeners this week.

[Evan] Sounds good. Let’s do it.

Incident response discussion

Discuss real security incidents that we’re working on/investigating.

[Brad] Incident response is the theme for our next Hacks & Hops event coming up next month at US Bank Stadium.

[Evan] Yep. We’ve got an amazing event planned with an all-star panel.

[Brad] Who’s on the panel? Tell me about them.

[Evan] We have three panelists joining us, and I’ll be moderating. All three panelists are people that I have deep respect for; Jadee Hanson, Mark Lanterman, and Chris Roberts.

  • Jadee is the CISO at Code42, and she’s done an amazing job building a world-class security team. She’ll bring the perspective of an expert security leader. Jadee’s bio is here.
  • Mark is the CTO at Computer Forensic Services. He’s one of the best incident investigators I know, and he’s got some amazing stories to share. He’ll bring the perspective of an expert security investigator. Mark’s bio is here.
  • Chris is Chris. Two things I like most about Chris is his truth and his style. He scares most people by telling them the truth, he’s got some incredible stories, and he’s blunt. Chris will bring the perspective of a hacker. Chris’ bio is here.

All in all, this is an incredible panel. I’m pumped!

Hacks & Hops discussion

[Brad] Since we’re on the topic of incident response, let’s address a question that came in from one of our listeners this week. This is from Jeff. Jeff asks:

Incident Response – what is minutia and what is a real incident?  It seems contradictory to say that some companies may not use their IR plan in a year – and to also say that every suspected attack, malware, scan, etc. is an incident.

Let’s tackle this quick.

[Brad] Alright, moving on. Last week was “Hacker Summer Camp” in Vegas. Neither you nor I went this year, mainly because of workloads and other priorities. We did send ten (10) people from FRSecure though, and eight of them belong to a group that calls themselves “Team Ambush”. These guys competed in the warl0ck gam3z CTF at DEF CON. Two years ago, they took 3rd place. Last year, they took 2nd place. This year they claimed that they were all in!

How’d they do.

Discuss warl0ck gam3z and Team Ambush

[Brad] OK. I’ve only got one news item to discuss this week. I think one is enough because of it’s significance. Let’s talk about the security incident(s) at AT&T that were announced recently.

Sources:

Closing

[Brad] – There you go, that’s how it is. It’s great to be back. Thank you Evan, and a special thank you to our listeners. We’re sort of blown away by the number of people who listen to our podcast each week, and we love getting your feedback. Please keep it coming. You can reach the us on the show by email at  unsecurity@protonmail.com.

If you’d like to be a guest on the show or if you want to nominate someone to be a guest, send us that information too.

As always, you can find me and Evan on Twitter. I’m @BradNigh and Evan’s at @evanfrancen. Talk to you all again next week!

The UNSECURITY Podcast – Episode 35 Show Notes

Happy (belated) Birthday America!

Hope you all had a great 4th of July holiday! Both Brad and I (sort of) took the week off last week. We got some much needed rest for the 2nd half 2019 push. Brad spent time with his family, catching some huge fish with his kids. I made a road trip on my bike from Minnesota to Ohio. My wife and 14-year-old daughter joined me and we spent the week celebrating our great country.

This slideshow requires JavaScript.

The first half of 2019 has been wildly successful on multiple fronts, and both Brad and I are grateful.

I left Brad alone this week. I didn’t even reach out to him for our podcast show notes, so I’m not sure if he was planning to write some. Out of respect for his time away from the office, I’m writing this week’s notes.

Haven’t run this past Brad yet, but I think we’ve got the next three shows planned. We’ll see if he’s game. Here’s my plan:

  1. This week (episode 35) – Transfer of Wealth
  2. Episode 36 – The Money Grab
  3. Episode 37 – Project Bacon

Are you intrigued? Yeah, maybe.

OK, let’s get to it…


SHOW NOTES – Episode 35

Date: Monday, July 8th, 2019

Today’s Topics:

  • Civic Duty? – An update
  • Transfer of Wealth
  • News

[Evan] Hi everyone, this is Evan Francen, your host for episode 35 of the UNSECURITY Podcast. Welcome back from last week’s 4th of July holiday. My security bestie, Brad Nigh is joining me. He’s my co-host and stuff.

Welcome Brad.

[Brad] Brad probably greets me/us here. Assuming that he’s polite and engaged.

[Evan] How was your week off?

[Brad] Brad shares stuff about his time off.

[Evan] I’ll share some brief things about last week.

The meat of the show starts here.

[Evan] Over the past couple of weeks, we’ve been talking about ransomware. We haven’t been talking about the technical details related to how ransomware works because the attack vector essentially hasn’t changed drastically over the past, I don’t know, 20 years!

What we’ve been focused on is the destruction that ransomware is causing organizations, specifically local government organizations. We talked about cities that are suffering millions in losses and those that have chosen to pay ransoms to attackers. These things really strike a nerve in us, and we’ve encouraged people to do something about it.

For reference, see other related posts in chronological order:

Let’s catch up quick on this Brad.

Open Discussion – Civic Duty? – An update

[Evan] So, before we get too heated and deep into the ransomware discussion again, let’s talk a little about the money. The money in terms of how much attackers steal from us and in terms of how much money we steal from each other. We call the latter the “money grab”.

[Brad] Let’s do it! (and other stuff probably.)

[Evan] I was revisiting some of the research about our industry this week, and I wanted to talk about two things.

  1. The transfer of wealth – the money the attackers steal from us.
  2. The money grab – the money we steal from each other, or maybe “spend” is more politically correct.

We won’t have enough time to discuss these two topics with any depth in one show, so we we’ll need to split this up across multiple shows. Whatever, let’s discuss what we can now.

[Brad] Sounds good (hopefully).

[Evan] According to a study/predictions conducted/made by Cybersecurity Ventures, “Cybercriminal activity is one of the biggest challenges that humanity will face in the next two decades.” You’ve seen this study, right?

[Brad] Oh yes, of course!

[Evan] We know the source of the study, so we need to take it with a grain of salt, but listen to some of the claims:

  • Cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind. The impact on society is reflected in the numbers.
  • In August of 2016, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.
  • Cyberattacks are the fastest growing crime in the U.S., and they are increasing in size, sophistication and cost.

Let that sink in a little. Are these numbers and claims accurate in your opinion. Do these numbers and claims just feed our scare tactics? Let’s discuss.

Open Discussion – Money – Transfer of Wealth

[Evan] Good talk Brad! We certainly have our share of opinions on this. Let’s hold off on the “money grab” discussion until next week, then we’ll contrast these issues. Sound good?

[Brad] He’ll agree because he’s a very agreeable man.

[Evan] Just two newsy things this week. We’ll cover them quick.

News

Just two quick stories today.

Closing

[Evan] That’s how it is. Thanks again to our listeners and thank you Brad! Have a great week friends. Don’t forget, you can follow me or Brad on Twitter; @evanfrancen is me, and Brad’s at @BradNigh. Email us on the show at unsecurity@protonmail.com if you want to be one of the cool kids.

CALL TO ACTION UPDATE – Doing your part about civic ransomware

Does the all caps “CALL TO ACTION UPDATE” get your attention? It’s supposed to.

The facts:

  1. The call to action still stands.
  2. Our municipalities are still under siege.
  3. The ransomware threat has far from abated.
  4. Too many communities are under-prepared.

You aren’t powerless. You have options.

  1. You can sit there and do nothing, playing the victim.
  2. You can point fingers and complain, playing the critic.
  3. You can wait for somebody else to do something, playing the sluggard.
  4. You can be part of the solution by doing something constructive, playing the responsible citizen. In my opinion, this is the best option.

If you choose (or have chosen) option 4, pen an email to your local government officials. Respectfully ask them how they’ve prepared for an eventual ransomware attack. If you are willing and able, offer to help them if they need it. If you aren’t willing or able to help them, refer them to one of us who is willing and able to help them.

Follow the guidance in my previous CALL TO ACTION article or follow your own charge.

For those of you who choose to do nothing, you have no right to play the victim card or complain. You give up those rights, in my opinion.

UPDATE

Now for the update. Many of you have taken me up on the CALL TO ACTION. You have emailed your local government officials and you’ve shared some of their responses with us at unsecurity@protonmail.com.

Kudos to you for choosing option 4 (above)!

Here are some of the responses that have been shared with us, protecting the names of the innocent/guilty.

Response from small city in a rural area:

We are familiar with these attacks on cities and we utilize network security professionals to protect our systems.  We also utilize a firm to audit us and test for gaps or issues proactively as well as routinely backing up and storing our data off site to protect against ransom demands and other risks.

Not too bad. The resident followed up with the city to gain more insight and offer help. Nice work!

Response from a medium-sized U.S. county:

Thanks for reaching out. No organization can claim with 100% certainty that they are protected from any cyberattack. However this is a very front and center topic for <REDACTED> County, and many efforts have been taken to reduce our risk and exposure to various kinds of cyber attacks, including Ransomware.

The County does not have a defined policy regarding what they would do if faced with this decision (in fact none of the metro counties have one, last time I checked), but in my conversations with Administration I do not believe paying a ransom would be an option they would choose.

Hope that helps answer your question.

This is good to know, yes? Someone (why not us/you) should work with this county to address the issue, and while we’re at it, address the issue with all “metro counties”. Kudos to this county official for responding with some transparency!

Response from a mid-sized suburban city:

Thanks for the email. For the security of the City’s network and systems, we follow the recommendations set by the <REDACTED – state’s criminal justice system>. We also use a third party vendor that does penetration testing against our firewall to try to stay ahead of the malicious attacks. We conduct staff cybersecurity training with this third party vendor to ensure our staff is behaving appropriately as well.

OK, maybe not a great response, but a response nonetheless. Didn’t really address the ransomware preparedness question directly, but a conversation has begun. The resident will be following up. Making a difference!

Response from another mid-sized city:

Thank you for your email. The City of <REDACTED> has a multi-faceted approach to cybersecurity.  We have improved security both internally and externally.  While no system is immune from attack, we are actively scanning and patching for vulnerabilities.  A specific key to protecting against ransomware is to have good, frequent, and tested backups.  We maintain a healthy backup system and in the case of a ransomware attack being successful, could restore lost data as needed. It is our policy to not pay ransomware demands.   Our <REDACTED> has made security a top priority, and has taken many steps to enhance the City’s security posture.  This includes revamping the firewall and anti-virus infrastructure.  We continue to take cybersecurity very seriously, and are constantly striving to keep our data secure and protected against attack.

Not bad. Another conversation starter and another difference made, even if a small one.

Final Words (for now)

Responses from good citizens continue to come in to our mailbox (unsecurity@protonmail.com) and we’re encouraged by the actions some of you are taking! For those who haven’t yet reached out to your local government officials, get on it! Again, you can follow the guidance here if you want.

The problem isn’t going away. Here’s some recent news about ransomware and our local communities:

My other related posts in chronological order:

OK, the rest is up to you (or not). That’s the way it is.

The UNSECURITY Podcast – Episode 34 Show Notes

Happy Friday!

2019 is almost half-gone. The midpoint is coming next Monday/Tuesday, and that’s crazy to me. Hard to believe that half the year is already gone, but holy cow it’s been a good first half!

Hope yours was too!

Lots of things happening as usual, but I’ll spare you the details and get right into this week’s show. My (Evan) show this week, so my notes. 😊


SHOW NOTES – Episode 34

Date: Monday, July 1st, 2019

Today’s Topics:

  • “Let’s get real”
  • News

[Evan] Hi everyone, this is Evan Francen, your host for episode 34 of the UNSECURITY Podcast. Joining me is my right-hand man, Brad Nigh. Good afternoon Brad!

[Brad] Spews wisdom, the kind you can’t find anywhere else…

[Evan] If you were paying attention to the opening, you might have heard me say “afternoon”. That’s because we’re recording on Friday afternoon for Monday’s release. Both Brad and I will be out of the office next week doing some vactiony things. Right Brad?

[Brad] Spews more wisdom. He’s a wisdom spewer.

[Evan] Should we share our vacation plans or should we keep ‘em confidential? We tell others to keep vacation stuff non-public for privacy and safety reasons, so maybe we should follow suit. Whatya think?

[Brad] Brad confirms because of he’s like a wisdom volcano. Hot wisdom.

[Evan] So the last few weeks, we’ve talked about ransomware attacks.

A couple of weeks ago we talked about ASCO, the Belgian aircraft parts maker that was hit with ransomware and lost production for some undisclosed amount of time (globally, so likely lacking proper network segmentation/isolation as well as proper response processes). That news has sort of died out.

Last week we discussed the City of Riviera Beach and how their city council voted unanimously to pay the $600,000+ ransom. This one ticked me off. So, I wrote a blog post about it; DON’T SUCK – STOP PAYING RANSOMS.

We also talked about the fact that we’re not powerless to stop these things, so that prompted another blog post; ASK QUESTIONS – GET ANSWERS (HOPEFULLY). We discussed in reaching out to our local government officials in episode 33, so I gave instructions on how to do so (including an email template). Some people reached out to their local governments and shared their responses! To those who did this, kudos and thank you for making a difference.

Next, we read about another Florida city (Lake City) that voted to pay the ransom. Sunnuva!

So, what did I do? I wrote yet another blog post; CALL TO ACTION – DO SOMETHING ABOUT CIVIC RANSOMWARE. I also reached out to one of our local news stations. The declined the story. No skin off my back, but when are we going to get serious?!

My reply:

“OK. I’d expect the next one to hit within a week. Cities are under siege right now. Have a great weekend and 4th of July!”

All of this leads us to now. The good: there are good people who want to help. The bad: most don’t seem to give a rat.

My question for our discussion is:

Do people even want to be secure?

Open discussion.

[Evan] Good talk. Jason Dance, one of our loyal listeners had some good advice to share:

  1. The same things apply at schools. Reach out to schools and ask questions too.
  2. If you don’t get answers:
    • Ask during a town/city meeting.
    • File a FOIL for the specific information.
    • Ask by Facebook/Twitter/Other social media.

Awesome advice! Thank you, Jason.

We must get our sh_t together, or the pain will only get worse. Now for some news.

News

Just two quick stories today.

Closing

[Evan] That’s how it is! Thanks again to our listeners and thank you Brad (the wise)! Hope you have a wonderful week and a safe 4th of July. God bless America for crying out loud! Don’t forget, you can follow me or Brad on Twitter; @evanfrancen is me, and Brad’s at @BradNigh. Email us on the show at unsecurity@protonmail.com if you want to be one of the cool kids.