The UNSECURITY Podcast – Episode 86 Show Notes – Women in Security Pt3

Hoping everyone reading this is healthy and doing well. Losing focus on what matters is too easy in today’s craziness. Reach out to someone if you need a listen.

Women in Security Series

Well, we’re a couple weeks into the Women in Security Series, and so far the feedback has been great! Brad and I continue to learn great things from our guests. We’re not sure yet how long the series will go, but we have guests booked for the next six (6) shows (after this one). So, we DO know the Women in Security Series will go through (at least) episode 92 (August 10th). The guests we have lined up are incredible:

  • Today – Victoria Fogarty (see below)
  • Episode 87 – CEO of an information security-related non-profit
  • Episode 88 – A senior majoring in Cybersecurity Analytics and Operations at a leading university
  • Episode 89 – A CISO from a really cool large company
  • Episodes 90 through 92 – A CISO working in healthcare, a renowned educator, and a cool lady working in information security sales.

This journey is just getting started!

Women in Security Series – Part One

We kicked off the Women in Security series on June 15th, and we couldn’t have chosen a better first guest! Renay Rutter, FRSecure’s COO, got the series started by sharing the experience, wisdom, and insight she’s gained over her 30+ year IT career. Brad and I learned a ton!

If you missed this episode, you can catch up here; https://podcasts.apple.com/us/podcast/unsecurity-episode-84-women-in-security-pt-1-renay-rutter/id1442520920?i=1000478037575

Thank you Renay!

Women in Security Series – Part Two

We kept things in the FRSecure family for week two, hosting Lori Blair. Lori is a treasure chest of information security knowledge and wisdom, beginning from when she started her information security career in 1985. Think about that for a second; 1985?! For the math folks in the house, that’s 35 years!

I have a TON of respect for Lori, and her opinions carry weight for me (and many others). It’s not just her experience that makes Lori amazing, she’s a wonderful, practical, and level-headed person who loves mentoring others. This is a can’t miss episode, go give a listen here; https://podcasts.apple.com/us/podcast/unsecurity-episode-85-women-in-security-pt-2-lori-blair/id1442520920?i=1000479175255

Thank you Lori!

Women in Security Series – Part Three

Here we are, Part Three. In episode 86 (this one), we’ll introduce you to Victoria Fogarty. Victoria works at FRSecure and does some pretty cool things around here. You’ll get to meet her and hear her perspective on all sorts of things, including the information security industry (as a whole), her journey, what it’s like to do what she does, etc. Victoria is a pretty cool lady, and you’ll definitely enjoy her energy!

WELCOME VICTORIA!

Let’s get on with the show!

I’m (Evan) leading the show this week, and these are my notes…


SHOW NOTES – Episode 86

Date: Monday, June 29th, 2020

Episode 86 Topics

  • Opening
  • Introducing Our Special Guest: Victoria Fogarty
  • Catching Up (as per usual)
  • Women in Security
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey all! Welcome to this episode, number 86, of the UNSECURITY Podcast! For those of you who are new to the show, I’m your host, Evan Francen, and the date is June 29th, 2020. We’re a good 100(ish) days into the COVID pandemic here in the States, so it’s easy to lose track of the date. At least for me it is! Joining me this morning is my good friend and colleague, Mr. Brad Nigh. Morning Brad!

[Brad] <<<INSERT BRAD’S GREETING HERE>>>

[Evan] We’re on our 3rd week of the Women in Security series, and I’m super excited to welcome our guest, Victoria Fogarty! Victoria works here at FRSecure and is an all-around awesome person! Join me in welcoming Victoria. Welcome Victoria!

[Victoria] Every time I’ve talked with Victoria, she’s always got energy and a GREAT attitude. Let’s see if this is true at 7am on Monday morning (when we record the UNSECURITY Podcast)

[Evan] You all know what we do first before jumping into business, we check in quick. What’s up guys? How you doing, and how was your weekend?

Catching Up

Quick discussion about last week, the weekend, or whatever else comes to mind.

[Brad] Guessing he got outside, did some family stuff, did some yard/garden work, made some sweet BBQ, and other cool things.

[Evan] Victoria, how about you?

[Victoria] Looking forward to this. I don’t really know what Victoria does for fun, hobbies, etc. Opportunity to learn.

[Evan] Ugh. Interesting weekend (aren’t they all?) here…

Alright, now on to our series topic.

Women in Security, Part Three

[Evan] This is the 3rd week in the Women in Security Series. It’s been a blast so far! Feedback keeps rolling in, and so do the guests. I’m excited to hear about Victoria’s perspectives because honestly, I don’t know many (if any) of them. This will be a great discussion!

So, Victoria, thanks again for joining us. Let’s start out with how you got started with information security.

Open Discussion (~30 minutes)

  • How you got into the industry?
  • Your journey in the industry.
  • Advice you have for someone starting out.
  • Do you think we need more women in our industry and why?
  • Opinions about the talent shortage in our industry.
  • What can we do better in recruiting more people, and specifically more women in our industry?
  • Whatever else we’d like to share.

[Evan] Thank you Victoria! Nice work! I’m sure our listeners learned some good things.

News

[Evan] Time for newsy things again. My God, there’s never a shortage of news, is there?! We could use an entire day and not cover it all. Our day jobs won’t allow us an entire day, so I’ll just take a few that caught my eye:

Wrapping Up – Shout outs

[Evan] There you have it. Episode 86 is almost in the books. Just wrapping up and shout outs before we go. Victoria, thank you for joining us. Also, thank you for sharing your story and your thoughts.

You’re going to enjoy next week’s guest too! We’re going outside FRSecure to get perspectives from women beyond these four walls. Going to be a great show!

Either of you have any shout outs this week?

[Brad and/or Victoria] We’ll see.

[Evan] Thank you listeners! You guys are pretty cool, I think. Send us your questions, feedback and suggestions by email at unsecurity@protonmail.com. We still need to talk about the whole Mandiant, Capital One, incident response, confidential legal report thing. Ugh! Maybe next week.

Online social people can follow us on Twitter. I’m @evanfrancen and Brad is @BradNigh. Victoria, you got somewhere you want people to follow/interact with you?

[Victoria] Maybe/maybe not.

The companies we work for are pretty social too. SecurityStudio’s Twitter is @studiosecurity and FRSecure’s Twitter is @FRSecure.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 83 Show Notes – It’s About People

Ever have so many things going on that you can’t remember what happened last week? Yeah, that’s where I’m at right now.

Pretty sure Brad’s in the same place I am. So, rather than recapping everything (or trying to), I’ll just get to the show notes.

These are Brad’s show notes this week…


SHOW NOTES – Episode 83

Date: Monday, June 8th, 2020

Episode 83 Topics

  • Opening
  • Catching Up (as per usual)
  • Information Security Isn’t About Information or Security
  • Work, Life, and Mental Health
  • News
  • Wrapping Up – Shout outs

Opening

[Brad] Welcome back! This is episode 83 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is June 8th, and joining me this morning as usual is Evan Francen.

[Evan] Regales us with stories from the weekend. Oh God!

[Brad] Before we get going let’s recap our week.

Catching Up

Quick discussion about last week, the weekend, family, safety etc.

[Brad] What would you say you do here Evan?

[Evan] Hmmm. Good question! This oughta be interesting.

Information Security Isn’t About Information or Security

Discussion about people, information security, working remote, stress, and overall mental health.

[Brad] Your blog from last Tuesday (Information Security Isn’t About Information or Security) really inspired me for this week’s podcast. There have been countless articles written about how to secure remote workers, so we aren’t going to focus on that, though it will probably come up in the course of this discussion.

Here’s the reality: it’s no secret that InfoSec and IT staff struggle with stress and a healthy work/life balance (Mental Health and Cybersecurity). There really is no “done for the day”; systems can be attacked or suffer an outage anytime. Add to that the now nearly 3 months of social distancing and quarantine, which add even more stress. We’ve seen an increase in cyber attacks the last 3 months, and if your staff is struggling and has lost focus or is more distracted than usual, your risk increases even more. So what can we do about it? (Disclaimer: neither Evan nor I are licensed mental health professionals, and this conversation should not be taken as professional advice.)

From an information security perspective I think you really captured the increased risks to organizations during this unprecedented time in your blog.

As a leader in an organization, the employees’ health is critical. Looking at it from a business perspective, if they are not able to work we cannot deliver for our customers, but to me that feels cold & cynical. I really do care for every one of our employees. I have a personal, vested interest in their well-being and want to be aware and in touch with their status… That has become incredibly difficult during this time when you can’t read them face-to-face.

So what I want to do is talk about how we can be more aware and help reduce these risks. First is being aware. I found these articles that I thought were really good to help identify issues and be proactive.

And then some really solid advice for employees, or really anyone feeling additional stress right now.

[Brad] Good conversation. Thank you Evan.

Let’s do some news…

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Wrapping Up – Shout outs

[Brad] Alright, that’s it. Episode 83 is a wrap. We got any shout outs this week?

[Evan] We’ll see.

[Brad] Next week is Evan’s show and I think he’s sort of itchin’ to tell us his idea.

[Evan] Yep. Tune in.

[Brad] Thank you to all our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh (B-R-A-D-N-I-G-H) and this other dude is @evanfrancen (just spell his name without a space). Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for goodies and things.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 81 Show Notes – Hard Truths

Welcome back! Episode 81 is sure to be a good one, but before I get started, just a few thoughts…

We just went through our first Memorial Day weekend under COVID-19. I don’t know what to say about it, other than the world seems as crazy, or crazier, than ever. Seems like 1/2 the country is out and about like everything’s normal while the other 1/2 of the country stays cooped up as though the apocalypse were upon us. To complicate matters, both halves seem to look upon each other with disdain.

We’re learning more and more each day about this coronavirus we call COVID-19. One thing appears certain, we’ve had crappy data to work with since day one. Crappy data leads to crappy decisions and crappy decisions lead to crappy outcomes. I’ll just leave it at that.

Memorial Day

This is one of my favorite holidays. I wonder how many of us know what it stands for or what it means. I wonder because I was wished a Happy Memorial Day numerous times yesterday, yet there’s nothing “happy” about it. The day is set aside to remember and honor our nation’s war dead from the Civil War onwards. It’s a day to stop what you’re doing, spend (at least) a few moments remembering the sacrifices that were made by our soldiers, and be grateful.

I suppose there are happy parts too, but these are mostly the product of what somebody else gave for you and me.

Not sure if I’m in a pissier mood today or what. No matter, I’ll snap out of it soon. Let’s get to Brad’s show notes!


SHOW NOTES – Episode 81

Date: Tuesday, May 26th, 2020

Episode 81 Topics

  • Opening
  • Catching Up (as per usual)
  • Hard Truths
  • News
  • Wrapping Up – Shout outs

Opening

[Brad] Welcome back! This is episode 81 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is May 26th, and joining me this morning as usual is Evan Francen.

[Evan] Has some sort of story for us I’m sure

[Brad] We’ve got a good show planned today! Before we get going though, let’s recap our week.

Catching Up

Quick discussion about last week, Memorial Day, last weekend, COVID-19, life, and other stuff.

[Evan] Evan talks about the cool things he did.

[Brad] I talk about the cool things I did.

Hard Truths

[Brad] So interestingly, at least to me, this is the first time I struggled with what to cover in our podcast. Maybe it’s the monotony of quarantine, the tidal wave of news around breaches and new attack vectors, or just plain old writer’s block, but even sitting down to write this I didn’t know where it would end up.

Because I was stuck, I decided to start with news. There have been several really interesting things that have come out lately, and that’s when I found this article from CSO Online, 6 hard truths security pros must learn to live with. Yeah, we can talk about this.

The Hard Truths

Discussion about the hard truths outlined in the CSO Online article:

  1. Hackers are probably inside your network right now
  2. You can do everything right and a careless end user can ruin everything
  3. You face critical staffing and skills shortages
  4. IoT creates new and unforeseen security problems
  5. You sometimes feel misunderstood and underappreciated
  6. Stress, anxiety and burnout come with the territory

[Brad] Good conversation, thank you Evan.

Let’s do some news…

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye

Wrapping Up – Shout outs

[Brad] That’s it, Episode 81 is a wrap. Evan, you have any shout outs?

[Evan] Of course he does!

[Brad] Here’s mine…

[Brad] Huge thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 73 Show Notes – COVID-19 IR

Hope you and your loved ones are well! We can’t understate the importance of physical, mental, and spiritual health, especially in times like these.

If you missed last week’s show notes or episode 72 of the UNSECURITY Podcast, there’s some pretty good stuff there.

Episode 73 Topics

Topics for episode 73 of the UNSECURITY Podcast include:

  • Opening
  • Catching Up 
    • The first full week with a closed office.
    • Staying sane and healthy at home.
  • COVID-19 Effects on Information Security (some of them)
    • Introducing our special guest, FRSecure’s Director of Technical Solutions and Services
    • Incident Response During COVID-19
      • Current Events/Incidents
      • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
    • COVID-19 Scams and Attacks
      • What have we seen?
      • What are we planning for?
    • Physical Security Considerations
  • The Daily inSANITY Check-in
  • FRSecure CISSP Mentor Program Update
  • Wrapping Up – Shout outs

You can find the full show notes near the bottom of this post. Before getting there, I need to get some thoughts out.

Thoughts

It’s been 13 days since FRSecure and SecurityStudio closed their offices. All of us are still around and working, but it’s crazy how much life has changed. Personally, I’m still struggling to make sense of things and I’m mulling over COVID-19 data almost obsessively. The COVID-19 scoreboards plastered everywhere don’t help. On one hand, I like being informed. On the other, I’m tired of tracking the number of infections and deaths.

As I write this, there are 140,164 infections in the United States and 2,476 deaths. What does this mean in the context of everything else? How do I make sense of these numbers? Here’s one attempt:

What does a “normal” 30 days look like in the U.S. for deaths/mortality? According to the CDC, there were nearly 3,000,000 deaths in the U.S. in 2018 (the latest data available). Using this data, here are the number of people who died within an average 30 day window:

  • 53,867 from heart disease (the top killer in the U.S. with 655,381 deaths)
  • 49,255 from cancer (#2 – 599,274 deaths)
  • 13,736 from accidents/unintentional injuries (#3 – 167,127 deaths)
  • 10,029 from Alzheimer’s Disease (#6 – 122,019 deaths)
  • 3,973 from suicide (#10 – 48,344 deaths)

Compare these numbers to where we’re at now with COVID-19. I’m NOT at all minimizing the impact of COVID-19. I’m trying to make sense. I know the number of infected people and deaths will rise significantly over the coming weeks/months, and sadly, we’re in for more terrible news. I’m trying to understand what the numbers mean in the context of other things that aren’t as foreign to me.

A single sick person and/or a single death is sad enough, let alone thousands.

OK. Got that off my chest. Lots and lots of great things going on at FRSecure and SecurityStudio. The best place to keep up with them right now is probably on social media:

Let’s get to the show notes now!


SHOW NOTES – Episode 73

Date: Monday, March 30th, 2020

Show Topics:

  • Opening
  • Catching Up 
    • The first full week with a closed office.
    • Staying sane and healthy at home.
  • COVID-19 Effects on Information Security (some of them)
    • Introducing our special guest, FRSecure’s Director of Technical Solutions and Services
    • Incident Response During COVID-19
      • Current Events/Incidents
      • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
    • COVID-19 Scams and Attacks
      • What have we seen?
      • What are we planning for?
    • Physical Security Considerations
  • The Daily inSANITY Check-in
  • FRSecure CISSP Mentor Program Update
  • Wrapping Up – Shout outs

Opening

NOTE: The show notes were written by me (Evan), but Brad’s leading this episode.

[Brad] Hello listeners, this is another episode of the UNSECURITY Podcast. My name is Brad Nigh, this is episode 73, and the date is March 30th, 2020. Joining me is my co-host Evan Francen. Good morning Evan.

[Evan] Good morning Brad!

[Brad] Also joining us for the show is our special guest and FRSecure’s Director of Technical Solutions and Services, Oscar Minks. Good morning Oscar!

[Oscar] Says good morning or something with his cool southern accent.

[Brad] We’ve got lots to talk about! As is our custom, let’s get started by catching up quick.

Catching Up

Topics here include how we’re coping with COVID-19, the first full week with a closed office, and staying sane (and healthy) at home. Brad found a really good video online; Covid-19 Protecting Your Family, Dr. Dave Price

[Brad] Here’s a can of worms (maybe). Let’s talk about some of the effects that COVID-19 has on what we do. Some of the effects on information security, starting with incident response and physical security. We already mentioned that we’ve got our special guest Oscar Minks here. He’s got some good insights to share, and this should be a good discussion.

Discussion – COVID-19 Effects on Information Security (some of them)
  • Introducing our special guest (again), FRSecure’s Director of Technical Solutions and Services
  • Incident Response During COVID-19
    • Current Events/Incidents
    • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
  • COVID-19 Scams and Attacks
    • What have we seen?
    • What are we planning for?
  • Physical Security Considerations

[Brad] Sadly, the frequency of scams and attacks only increases during times of distress. It’s important that we keep our eye on the ball and not compound our problems with an information security lapse.

OK, switching gears now. Some people are struggling right now. Struggling with making sense of things, struggling with employment, struggling with anxiety, or struggling with any number of things. We started this thing called the Daily inSANITY Check-in last week. Evan, tell the listeners about this thing.

Daily inSANITY Check-in Discussion

The purpose of the Daily inSANITY Check-in is to provide a safe place for people to discuss current events, information security things, challenges we’re facing, or whatever else comes to mind. The check-ins are short (30- to 60-minute) daily meetings with discussion. People are always free to come and go as they please.

[Brad] The Daily inSANITY Check-in is just one place to get support out of many within our community. The point is to find help when you need it and to help people where you can. It’s cool to see so many people rally and help.

FRSecure CISSP Mentor Program Update

[Brad] Real quick, we made an announcement last week about the FRSecure CISSP Mentor Program. We’re happy to say that we are still going through with this year’s class! The only change is that we have cancelled the in-person portion of the program. As of last Monday, the 23rd, we have 1,007 registered students! That’s crazy! Oh, and I should mention, if you haven’t registered yet, registration is still open.

Wrapping Up

[Brad] No news this week because we had so many other things to talk about. Two last things to mention:

  • Our pal Ryan Cloutier, aka “Cola” just wrapped up the second episode of his K12 Cybersecurity Podcast. It’s a great podcast and you should give it a listen!
  • A shout out to one of our regular listeners, Olga Hoogendoorn – Startseva. Evan promised to give her a shout out because she’s pretty awesome!

Well, that’s it for this week. Plenty going on and lots to do.

Thank you for listening. We’re a couple of guys who really care about you. We’re hoping you all stay healthy and sane! We love hearing from you, so if you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @BradNigh, and this other guy is @evanfrancen. Also, don’t forget to check out @studiosecurity and @FRSecure. They post some good things! Let us know how we can help you!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 65 Show Notes – Money Grab

Another week down. Damn, a whole month is down! January is already in the books.

While I’ve got you here, help us out with our mission. We’re busting our tails off doing our part to fix the broken information security industry. We’re striving and doing these things:

  • Setting a common information security language that can be spoken by everyone; the S2Score.
  • Developing and delivering simple (but effective and credible) information security risk assessments for the under-served (SMBs, state and local government, K-12, etc.).
  • Developing and delivering simple (but effective and credible) tools to help the under-served do information security better.
  • Teaching and mentoring others for free. The FRSecure CISSP Mentor Program is in its 11th year! We started with six students in 2010, last year we had 532, and this year we had more than 540 enrollments within the first 24 hours! Check it out and enroll here.

What can you do to help? Simple. You can help in (at least) three ways:

  • Do your own S2Org and S2Me assessments.
  • Contribute your opinions and feedback (after all, we’re all in this together).
  • Spread the word. Tell others. Tell them about the S2Org and S2Me assessments and tell them about the FREE FRSecure CISSP Mentor Program!

OK, on to the show…

February is already upon us, and RSA is just around the corner. Speaking of RSA, let’s talk about our industry’s money grab in this week’s episode. Let’s also discuss tips for talking to the board of directors about information security stuff.

This will be fun!

Alright, on to the show notes. This is my (Evan) show to lead and these (below) are my notes.


SHOW NOTES – Episode 65

Date: Monday, February 3rd, 2020

Show Topics:

Our topics this week:

  • Opening
    • Normal Stuff
    • Got Mail?
  • The Money Grab
    • It’s alive and well – everybody wants your $$$.
    • The Bad Guys Of Course
    • The “Good Guys” Too?
  • Talking to the Board
    • Tips
    • Recent Experiences
  • News

Opening

[Evan] Alright, welcome! This is Evan Francen, this is episode 65 of the UNSECURITY Podcast, and the date is February 3rd, 2020. In studio with me is none other than Mr. Brad Nigh. Howdy Brad.

[Brad] We’ll see how awake he is on an early Monday morning.

[Evan] I’m curious, are you a morning person or a night person?

[Brad] I don’t know what he’ll say here…

[Evan] We’ve got a great show planned for you today. Lots to talk about, for sure! We’re going to talk about this industry’s money grab and we’ll cover some tips for speaking to the board of directors. Before we dig in, Brad, how you doing?

Quick Catch-up Talk

[Evan] Alright. Well, let’s get to it. Let’s talk about the money grab in this industry. In case you didn’t know, I’m referring to the information security industry. You have something that everybody wants. The bad guys, the good guys, and everyone in between. They all want your money. Collectively, I call this the “money grab” and we’re going to discuss this. I want to discuss this because I don’t want you losing your hard earned money to some crook and I don’t want you to piss it away on something that doesn’t do what you thought.

Discussion about the Money Grab

The money grab is alive and well. Everybody wants your $$$. Everybody.

  • The Bad Guys Of Course
    • The 2018 cybercrime industry was worth at least $1.5 trillion
    • There is no low that’s too low.


  • The “Good Guys” Too?
    • Gartner estimated that 2019 industry spending was $124 billion, and by some estimates it’s expected to grow to more than $170 billion by 2022. NOTE: this is for context only and not to imply that this is wasted spending.
    • FUD (scare the sh*t out of you) and Sex Sell (buzzwords, new blinky lights, etc.)
    • Seems like everybody is fighting for your money.
      • Conferences (RSA, Black Hat, etc.)
      • Companies (borderline extortion, crappy advice, etc.)
    • We’re (FRSecure and SecurityStudio) human too. Mission over money, does it keep us honest?

[Evan] It’s a dangerous world and people (non-information security people) are confused. I wonder how much of this is on purpose. The enterprise organizations can afford to make mistakes, but the smaller players are left in the cold, and they’re suffering because they often miss the basics, the fundamentals. I feel bad for the under-served markets, especially SMBs. This is our primary focus. OK, on that note…

Discussion about talking to boards of directors and executive management

[Evan] Brad, you and I have had the privilege on many occasions to talk to boards and executives. What tips do we have?

Some good back and forth discussion I’m sure…

After a while, let’s do some news.

News

[Evan] I’ve only got two stories to discuss today, but I think they’re interesting ones:

Closing

[Evan] OK, that’s it. Episode 65 is in the bag. Brad, you’ve got any ideas for next week’s show yet?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Thank you to our listeners, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet sometimes. I’m @evanfrancen and Brad’s @BradNigh. If you like company stuff, we work for SecurityStudio (@studiosecurity) and FRSecure (@FRSecure). The company people post good things from time to time too!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 60 Show Notes – 2019 Year End Review

Goodbye 2019. It’s been real.

Where did the time go?

A common question we ask ourselves. This year I decided to take a stab at answering it.

Here’s where my time went, for what it’s worth (roughly):

  • 38.58% (or 3,380 hours) working
  • 27.09% (or 2,373 hours) sleeping
  • 23.90% (or 2,094 hours) personal (family, friends, etc.) quality time
  • 10.42% (or 913 hours) other

I spent ~15% more time working than I did making memories with my family in 2019. Some priority adjustments are overdue for me in 2020.

Thank God for the gift of reflection.

The end of the year is a good time to reflect. Reflection is healthy. As I reflect on 2019, I can think of many good things about us like improved industry diversity, great personal growth, business accomplishments, and amazing people working round the clock for our collective benefit.

Unfortunately, there are also bad things. Since we’ve got plenty to cover, both good and bad, we’ll use this episode (#60) to discuss the bad. We won’t want to leave a sour taste in your mouth for too long, so we’ll cover the good things, and the things to look forward to in 2020, in next week’s episode (#61).

Now, the bad.

I already mentioned one of the bad things I discovered from 2019, that my priorities are out of whack, but I also learned things about the sad state of our industry. I learned that we’re (still) losing the war, and we’re losing it on multiple fronts.

Are you wondering what war?

The war where the bad people take advantage of the good people. The war where the immoral ones take advantage of the decent ones. Where the informed and corrupt beat the ignorant and noble every single time.

Let me preface the rest of this by saying I’m not a doomsayer. I’m a realist. I’m a realist with a deep desire to share the truth. If you’ve been paying attention, and can be objective, you’ll find it easier to predict our future. Predicting where a path leads is easier when there’s no (or little) change of course.

Our discussion points for episode 60’s year-end review:

  • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
  • Front #2 – Our local governments and schools are losing their battles.
  • Front #3 – Our homes are part of the battleground and we’re not prepared.

All is not lost, and there’s hope. There’s good news too. We’ll cover good news next week. 2020 is the year for you, me, and our industry to get real. It’s time for us to tackle our most significant issues head-on, together!

I am (Evan) leading the show this week, and these are my notes.


SHOW NOTES – Episode 60

Date: Monday, December 30th, 2019

Show Topics:

Our topics this week:

  • Opening
  • The year (2019) in review.
    • Priorities and life adjustments
    • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
    • Front #2 – Our local governments and schools are losing their battles.
    • Front #3 – Our homes are part of the battleground and we’re not prepared.
  • Closing

Opening

[Evan] Welcome to the last UNSECURITY Podcast episode of 2019! We’ve got a great show planned for you. The date is December 30th, and this is episode number 60. Joining me as (almost) always is my guy Brad Nigh. Hi Brad.

[Brad] Early morning version of Brad…

[Evan] No guest today. It’s just me and you. How you doing?

[Brad] More early morning version Brad things…

[Evan] When I put together today’s show notes, I felt like I was a little harsh, maybe even depressing. It’s not like I was depressed when I wrote the notes, but when I take an objective look at what took place this year, it’s sort of depressing to me. 2019 brought with it a record number of breaches, a record number of records disclosed/stolen, ransomware everywhere, etc. Crap man. Do I seem depressed to you?

[Brad] He’s got something to say.

[Evan] Maybe I take this too personal, but I HATE seeing people get taken advantage of. There were too many times this year that we read about people being taken advantage of, and it sucks. Ugh. Maybe I am depressed.

[Brad] More things…

[Evan] Alright, let’s get to it. The 2019 year-end review…

The year (2019) in review discussion
  • Priorities and life adjustments
  • Front #1 – Breaches are more common than ever, and we seem to care less than ever.
    • Another record year for breaches, do we care?
    • Sources; https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/ and https://lifehacker.com/the-worst-data-breaches-of-2019-1840616463
    • “total number of breaches was up 33% over last year”
    • “medical services, retailers and public entities most affected”
    • “5,183 data breaches for a total of 7.9 billion exposed records”
    • Risk Based Security stated that 2019 is/was the “worst year on record” for breaches
      • January – Marriott breach (383 million)
      • February – 617 million accounts, from 16 websites and for sale on the dark web
      • March – 100s of millions of Facebook and Instagram accounts
      • April – 540 million Facebook records
      • May – 885 million First American Financial records
      • June – 20 million patients, bill collector American Medical Collection Association
      • July – Capital One and 100 million credit card applications
      • August – MoviePass and 160 million unencrypted/unauthenticated records
      • September – 218 million Words with Friends accounts
      • October – 4 billion social media profile records (???)
      • November – Facebook again…
      • December – we’re still waiting…
    • Breach fatigue.
    • Are we getting better at finding/reporting breaches? Are breaches happening more often? Are we getting worse?
  • Front #2 – Our local governments and schools are losing their battles.
    • Ransomware nails our local governments and schools.
    • A great article by Michael Mayes at CPO Magazine; the Top 10 Ransomware Stories of 2019.
      • “As the year ends, it’s time to declare 2019 the Year of Ransomware Escalation.”
      • Baltimore was “just one of 82 cities and municipalities to publicly report being struck by ransomware” in 2019.
      • “By December 1, a total of 72 US school districts have fallen victim to ransomware, impacting 867 individual schools and over 10,000 students.”
      • Nine “school districts representing 98 individual schools have been attacked by ransomware just in November. They include:
        • Wood County Schools, Parkersburg, West VA
        • Port-Neches Grove Independent School District, Port Neches, TX
        • Penn-Harris-Madison School Corporation, Mishawaka, IN
        • Livingston New Jersey School District, Livingston, NJ
        • Chicopee Public Schools, Chicopee, MA
        • Claremont Unified School District, Claremont, CA
        • Sycamore School District 427, DeKalb, IL
        • Sunapee Middle High School, Sunapee, NH
  • Maine School Administrative District #6, Buxton, ME”
      • Louisiana declared a state of emergency twice in 2019
    • Do we just accept it?
    • We started a civic duty push in 2019, calling for citizens to inquire about ransomware protections from their local government officials. We’ll need to pick this up again this year, and include schools too.
  • Front #3 – Our homes are part of the battleground and we seem ignorant about it.
    • Security, privacy, and safety at home.
    • We still don’t emphasize information security, privacy, and safety enough at home.
    • Did this problem get worse in 2019?
    • Will this get worse before it gets better?

[Evan] That wasn’t too depressing, was it?

[Brad] Gives his honest opinion.

[Evan] We’ve got a lot of work to do, and there are no easy answers. No easy buttons. I think the answer is found in learning and applying information security fundamentals. We spent 2019 working hard at SecurityStudio and FRSecure to reach people with simple, but practical information security solutions like our vCISO, S2Org (information security risk assessment for all organizations), S2Vendor, S2Me (information security risk assessment for all people) and others. We even made some of our tools free! We’ll continue our quest to reach people and help wherever we can!

Got anything to add Mr. Nigh?

[Brad] Adds if he wants to add.

Closing

[Evan] That’s a wrap for another show. Heck, not just another show, but another year!

Thank you and Happy New Year to our listeners! Be sure to tune in next week, when we’ll cover some positive developments from 2019 and maybe a prediction or two. We love recording these shows for you, and we hope you enjoy them. Send us your questions and feedback at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and this other guy is @BradNigh.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 59 Show Notes

If you’re an information security consultant, you know how crazy the end of the year is. It’s crazy!

We’re trying to wrap up all the projects that needed to be completed before the end of the year, and it’s always a challenge. Thank God for Project Managers and a top-notch operations group!

If you missed last week’s episode, we talked about information security in schools with Mike Dronen, the Executive Director of Technology for Minnetonka Public Schools (District 276). Mike shared some great insight and advice for addressing the unique information security challenges facing K-12 schools. Give it a listen here!

It was no coincidence that last week I also gave the keynote at the East Central Minnesota Education Cable Cooperative (ECMECC) School Security Summit. The Summit was held at the Braham Event Center on December 19th, and was attended by a few hundred K-12 school administrators, technology coordinators, facilities staff, and law enforcement. I met a ton of cool people, and my keynote was well-received.

If you’d like a copy of the ECMECC presentation, you can go grab it here.

This is Christmas week! For those of us working this week, please take some time off to spend with your loved ones. Merry Christmas to all of you!

Brad is leading the show this week, and these are his notes.


SHOW NOTES – Episode 59

Date: Monday, December 23rd, 2019

Show Topics:

Our topics this week:

  • The SecurityStudio Roadshow Recap (not all the questions, but I have some surprises)
    • Let’s talk about who we met on the Roadshow; different roles, titles, experience levels, etc.
    • Anyone stand out in particular?
    • Was there a specific event that really stood out to you, and why?
    • What was something you learned that surprised you?
  • News
Opening

[Brad] Welcome back! This is episode 59 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is December 23rd, and joining me is my co-host, Evan Francen. Good morning Evan.

[Evan] Lots of words of wisdom I’m sure.

[Brad] We have an in-studio guest today. FRSecure and Security Studio President, John Harmon. Good morning John.

[John] John says something I hope.

[Brad] Before we dive in, we like to check-in. John, how you doing? How was your week and what do you expect this week?

[John] John wonders why he agreed to do a podcast again this early in the morning but is a good sport and says something.

[Brad] And Evan. How are you and what’s up?

[Evan] Probably isn’t sure what to do with himself since he isn’t traveling all the time.

[Brad] Sounds like everyone is ready for the holidays to recharge and prepare for the next year.  We thought it would be fun to answer some questions and hear from Evan and John their thoughts on the recently completed roadshow, so without further ado let’s dive in.

SecurityStudio Roadshow Recap
  • Some surprise questions will be asked…
  • Let’s talk about who you met on the roadshow, roles, titles, experience levels, etc.
  • Anyone particular stand out?
  • Was there a specific event that really stood out to you, why?
  • What was something you learned doing this that surprised you?

[Brad] Great discussion.  Always fun talking with Evan and John.

Let’s do some news…

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Closing

[Brad] That’s it. Episode 59 is a wrap. Thank you to John for joining us again, although this is the first time I’ve been here for it.

Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen. John, is there a way you prefer for people to interact with you?

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 58 Show Notes

We welcome Mike Dronen to be our guest in episode 58 of the UNSECURITY Podcast! Mike is the Executive Director of Technology for Minnetonka Public Schools (District 276), and he’s joining us to talk about information security challenges facing K-12.

In case you missed the past couple of weeks, we talked a ton about legal and privacy stuff with our favorite data privacy and “cybersecurity” attorney, Justin Webb. Justin works for Godfrey & Kahn, S.C. in Milwaukee, and here’s what we covered:

Lots of good content and advice in these past couple of episodes. This week with Mike Dronen is sure to be great too!

I’m leading the show this week, and here are my notes.


SHOW NOTES – Episode 58

Date: Monday, December 16th, 2019

Show Topics:

Our topics this week:

  • Information Security Challenges in K-12
    • Article: The Cybersecurity Threats That Keep K–12 CIOs Up at Night
    • How does information security work in K-12?
    • What makes K-12 different than everywhere else?
    • What are the differences between large school districts and smaller ones?
    • What tips do we have for administrators?
    • What tips do we have for educators?
    • What tips do we have for parents?
  • News
Opening

[Evan] Welcome back! This is episode 58 of the UNSECURITY Podcast, and I’m your host this week, Evan Francen. Today is December 16th, and joining me is my co-host, Brad Nigh. Good morning Brad.

[Brad] We’ll see how awake he is this fine Monday morning.

[Evan] We’ve had a couple of great shows the past couple of weeks. We learned a lot from our guest, Justin Webb. We talked a ton about privacy things and legal things. This week we’re going to shift gears a bit, and talk about information security in K-12. To help us navigate these waters, I’ve invited the Executive Director of Technology from Minnetonka Public Schools to our show. Minnetonka is my alma mater, and Mike Dronen is a good friend. Welcome Mike!

[Mike] Mike’s a good guy. He’ll surely say “hi” or something.

[Evan] Mike, we’re excited to have you on the show for a number of reasons. You’re a good guy, I’m a Skipper, and Brad’s got some kids in your district too. Thank you for joining, especially on short notice.

Before we dive in, I like to check-in. Mike, how you doing? How was your week and what do you expect this week?

[Mike] Mike shares what he’d like to share.

[Evan] And Brad. How are you and what’s up?

[Brad] Sharing is caring.

[Evan] We’re all busy. Hopefully, healthy busy. My quick recap…

Alright, let’s talk about information security in K-12, shall we?

Discussion about information security challenges in K-12
  • Article: The Cybersecurity Threats That Keep K–12 CIOs Up at Night
  • How does information security work in K-12?
  • What makes K-12 different than everywhere else?
  • What are the differences between large school districts and smaller ones?
  • What tips do we have for administrators?
  • What tips do we have for educators?
  • What tips do we have for parents?

[Evan] Another great discussion. There are some real challenges for K-12, and I think we’ve all got some skin in this game to do the best we can. Thanks Mike!

Let’s do some news…

News

[Evan] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Closing

[Evan] That’s it. Episode 58 is a wrap. Thank you to Mike for joining us and for sharing your perspectives on K-12 information security!

Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Mike, is there a way you prefer for people to interact with you?

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 40 Show Notes

Another week in the books (almost). Speaking of books, I’m working on one with two more in the works. So much writing to do, and not enough time! I’m sure that lack of time is not a problem that’s unique to me. Time is precious, and nobody’s got enough of it.

In case you missed it, this week was “Hacker Summer Camp” in Las Vegas. Thousands of information security people descended upon Sin City this week for Black Hat, BSides Las Vegas, and DEF CON. These are three of the best known and well-attended conferences in our industry. David (aka “System Overlord”) wrote a good summary; you can read it here.

Instead of going to Hacker Summer Camp, I took this week to get away. A few people were surprised that I wasn’t going, but to be honest, it’s not really my jam. It’s too much noise, too much BS, too much drinking, and too flashy for me. Maybe it’s just a different stage of life for me now. Some people thrive on being where the action is; I’m just not one of them. To each his/her own.

We sent 10 people from FRSecure, people with more self-control.

While Black Hat was kicking off, I took off to Duluth, MN and the North Shore for a few days. Did some catch-up work and some writing. It was good soul time.


Alright back to the grind. In the office this morning, putting together episode 40’s show notes, and getting face time with some of my favorite people. Hopefully, you enjoyed last week’s show, with the return of “Ben”. As I write this, Ben is neck deep with FRSecure’s Team Ambush competing (and winning?) in their DEF CON CTF.

This week, Brad’s back!

On to the show notes…


SHOW NOTES – Episode 40

Date: Monday, August 12th, 2019

Today’s Topics:

Our topics this week:

  • Catching up; Brad’s Back
  • More Incident Response(s)
  • Hacks & Hops
  • warl0ck gam3z
  • Industry News

[Brad] – Welcome to episode 40 of the UNSECURITY Podcast! My name is Brad Nigh, and I’m your host this week. I’ve had a couple of weeks off from the podcast, but it’s good to be back! Joining me as co-host this week is Evan Francen. Hi Evan.

[Evan] Hi Brad. Welcome back!

Catching up (a little)

[Brad] So, jumping right back into things this week. We received a couple of interesting incident response calls. I’d like to talk about them, how we handle them, and then we’ll segue into Hacks & Hops and a great tip/question we received from one of our listeners this week.

[Evan] Sounds good. Let’s do it.

Incident response discussion

Discuss real security incidents that we’re working on/investigating.

[Brad] Incident response is the theme for our next Hacks & Hops event coming up next month at US Bank Stadium.

[Evan] Yep. We’ve got an amazing event planned with an all-star panel.

[Brad] Who’s on the panel? Tell me about them.

[Evan] We have three panelists joining us, and I’ll be moderating. All three panelists are people that I have deep respect for; Jadee Hanson, Mark Lanterman, and Chris Roberts.

  • Jadee is the CISO at Code42, and she’s done an amazing job building a world-class security team. She’ll bring the perspective of an expert security leader. Jadee’s bio is here.
  • Mark is the CTO at Computer Forensic Services. He’s one of the best incident investigators I know, and he’s got some amazing stories to share. He’ll bring the perspective of an expert security investigator. Mark’s bio is here.
  • Chris is Chris. The two things I like most about Chris are his truth and his style. He scares most people by telling them the truth, he’s got some incredible stories, and he’s blunt. Chris will bring the perspective of a hacker. Chris’ bio is here.

All in all, this is an incredible panel. I’m pumped!

Hacks & Hops discussion

[Brad] Since we’re on the topic of incident response, let’s address a question that came in from one of our listeners this week. This is from Jeff. Jeff asks:

Incident Response – what is minutia and what is a real incident?  It seems contradictory to say that some companies may not use their IR plan in a year – and to also say that every suspected attack, malware, scan, etc. is an incident.

Let’s tackle this quick.

[Brad] Alright, moving on. Last week was “Hacker Summer Camp” in Vegas. Neither you nor I went this year, mainly because of workloads and other priorities. We did send ten (10) people from FRSecure though, and eight of them belong to a group that calls themselves “Team Ambush”. These guys competed in the warl0ck gam3z CTF at DEF CON. Two years ago, they took 3rd place. Last year, they took 2nd place. This year they claimed that they were all in!

How’d they do?

Discuss warl0ck gam3z and Team Ambush

[Brad] OK. I’ve only got one news item to discuss this week. I think one is enough because of its significance. Let’s talk about the security incident(s) at AT&T that were announced recently.

Sources:

Closing

[Brad] – There you go, that’s how it is. It’s great to be back. Thank you Evan, and a special thank you to our listeners. We’re sort of blown away by the number of people who listen to our podcast each week, and we love getting your feedback. Please keep it coming. You can reach us on the show by email at unsecurity@protonmail.com.

If you’d like to be a guest on the show or if you want to nominate someone to be a guest, send us that information too.

As always, you can find me and Evan on Twitter. I’m @BradNigh and Evan’s at @evanfrancen. Talk to you all again next week!