Hope you had a fantastic Labor Day weekend! Personally, it was nice to get away with family and disconnect for a while!
Did you know the history of Labor Day?
It’s always the first Monday in September, ad it’s dedicated to the social and economic achievements of American workers. The first state to recognize the holiday was Oregon in 1887, and it became a federal holiday in 1894. So, this year we celebrate more than 125 years of American work!
Read more about the history of Labor Day on the U.S. Department of Labor website.
Brad’s out today.
Like most weeks, I’m writing the show notes last minute. On the way into work this morning (2:30am), Brad sent me a text message informing me that he is not feeling well. We think it might be a bout of food poisoning, so he should be OK with some rest. Please keep him in your thoughts and prayers.
No Brad today, so this means I’m left to my own devices. This will be the first episode I’ve done by myself. We’ll see how this shakes out.
Let’s get on with it! These are my (Evan) notes.
SHOW NOTES – Episode 96
Date: Tuesday, September 8st, 2020
Episode 96 Topics
- Catching Up
- Context Means
- Wrapping Up – Shout outs
[Evan] Good morning everyone. Thanks for tuning in. The date is September 8th, 2020 and this is episode 96 of the UNSECURITY Podcast! I’m your host, Evan Francen, and my buddy is out sick today. Normally Brad Nigh joins me as co-host, but he informed me early this morning that he might have a case of some food poisoning.
Wishing Brad a fast and full recovery!
Be warned. Without Brad, I might end up rambling a bit!
[Evan] Regular listeners to our show know that Brad and I normally start off with catching up with each other. No Brad today, so I’ll bore you with some of the stuff I’ve been up to:
- Great weekend camping with my wife, my daughter, my good friend Ryan Cloutier, and his wife Aimee
- Bunch of meetings last week, including 11 last Tuesday; Chubb, the Cybercrime Support Network, Schneider Downs (makers of Red Lure), etc.
- Lots of great work going on at both companies; FRSecure and SecurityStudio.
- New service offerings at both companies.
- S2Org – working on a global S2Score, integrating S2Team, S2Vendor, and new deeper-dive risk assessments.
- S2Vendor – working on customized workflows, custom due dates, integration of something called the “Cowbell Factor”, vendor breach data/news, etc.
- S2Me – Redesign based on user feedback, definition of four new “normal” language dialects, and the introduction of “Sam”.
- The Security Shit Show last Thursday night; topic was “Negativity is Bullsh*t”.
- Some other miscellaneous things…
Crazy week, but it appears as though business is really picking up and market sentiment is positive(r).
[Evan] Alright, again, no Brad to catch up with. Hoping he had a great week and weekend, minus the food poisoning thing. Now on to the topic for today’s show.
Everything A Lot
[Evan] If you know me, you know I use many sayings/themes to try to get my point across. One saying I’ve muttered many times:
One of the easiest tells for determining a good information security advice from bad is using context.
Context is critical. Think about it. You make decisions all day, from the seemingly insignificant ones to the critical ones, and everything in between. How does the lack of context effect your decision-making? Without context, the quality of your decisions will suffer.
Without context people make crappy decisions
Recent conversation with “James”:
- [James] We get the importance of a risk assessment, but we’re just not focusing on that right now. We’re focusing on partnering with firms with forensics capabilities and setting up a security operations center (or “SOC”).
- [Mike] Are these our most significant risks to focus on right now?
- [James] We think so. We don’t have any forensics capabilities and we don’t feel like we’re able to identify events happening in our environment.
- [Mike] What’s the environment look like? How many servers, how many systems, how many applications, etc.?
- [James] We’ve probably got 100(ish) servers and a couple hundred applications I’d guess.
- [Mike] You guess?
A recent article “Most cyber-security reports only focus on the cool threats”
A recent conversation with “Bill”. Bill is the CEO:
- [Bill] Hey Mike. We need to stop everything we’re working on and take care of this exploit I heard about from a friend.
- [Mike] I’ve never heard of this exploit. Why do we need to stop everything and focus on it?
- [Bill] My buddy over at XYZ company was just telling me about how his company got hit.
- [Mike] OK, we’ll get right on it.
Regulators and auditors are notorious for missing context and often take us down the road of compliance management versus risk management.
Penetration testers, especially those who are newer to our industry are notorious for getting things out of context. Context is critical.
Same concept applies to the world Around Us
The information security industry is unique, but it’s not unique in the fact that human beings are the ones making decisions. Context works the same way.
Take COVID-19 for instance:
- The headline reads “South Dakota dismisses ‘elite class of so-called experts,’ carries on with state fair after Sturgis rally fueled COVID-19 surge” – The words “Sturgis rally fueled COVID-19 surge” is troubling. If we made a decision based on these words it might be different than a decision with some context. The article goes on to say (buried in 6th paragraph) “Nationally, about 300 cases have been linked to the rally.” For context, there were an estimated 460,000 attendees. 300 cases out of 460,000 attendees works out to about .065%. Granted, there will likely be more, but the rally was a month ago now.
- Another headline reads “New challenges in US battle against Covid-19 come with the approaching fall season” – This article goes on to say “The holiday crowds mark the unofficial end to a devastating summer across the country, with Covid-19 infections surging to more than 6.3 million and deaths topping 189,000.” The word “devastating” is not only subjective, but it lacks context. A single infection and a single death is bad, but in context it seems a little less devastating. 6.3 million people is about 1.91% of the U.S. population. More than 640,000 people die each year from heart disease and almost 600,000 die from cancer.
IMPORTANT: COVID-19 is a pandemic and it is VERY serious. I don’t mean to minimize the coronavirus in any way, but I do want to put it into context. Be courteous to others. Wear a mask and follow the CDC’s guidance. Speaking of the CDC, this is a great source for context!
Racism and police violence is another hot button issue. Judging from some of the news and reactions from some of the public, you’d certainly think this was worth burning down the “establishment”. I’m someone who wants to fix broken things, so if I’m interested in fixing broken things, I need to make good decisions in context. Here’s some context.
Spend some time reviewing the statistics and graph above. Don’t jump to any conclusions yet! There is a significant issue here, but I’d prefer to use logic versus emotion to drive my reaction.
Now, here’s a couple more things to think about:
- Risk of being killed by police use of force in the United States by age, race–ethnicity, and sex – from the Proceedings of the National Academy of Sciences of the United States of America. There’s some great analysis and data here. According to the analysis, “about 1 in every 1,000 black men can expect to be killed by police” over the course of their lifetime.
- Deaths, Percent of Total Deaths and Rank Order for 113 Selected Causes of Death and Enterocolitis Due to Clostridium Difficile, by Race and Hispanic Origin, and Sex: United States, 2015-2017 – Mortality tables from the CDC.
Interesting information for sure, and I’m NOT going to draw any conclusions for you. Racism is a thing and it’s a very bad thing. Decisions about what we’re going to do about the problem will be more effective with context.
IMPORTANT: Racism is real and I’m praying for constructive solutions to end it versus destructive solutions that will probably make it worse.
Context is VERY important for decision-making and problem-solving.
Here’s another saying I use often:
Empty spaces get filled.
Without context, what do we rely on to make our decisions? Usually it’s assumptions, bias, and/or emotions. Where we lack information to make a good decisions, some of us have a tendency to make up our own information to fill the gap. You know what they say about assumptions, right? Bias is prejudice in favor of or against one thing, person, or group compared with another, usually in a way considered to be unfair, and this doesn’t sound like a good base for decision-making. Emotions are variable and always play a role in decision-making, but it can become a problem when it’s the dominant role. Emotions like fear, anger, and frustration can easily be played against you and drive you to make a decision you’ll come to regret.
So, what to do?
First, understand that information security is about risk management. Risk is the likelihood of something bad happening and the impact if it did. This requires context!
Slow down. Think about the data your consuming and ask yourself if there’s more to the story. Is the new exploit your boss read about the most critical thing you should be attending to? If someone asks you what your most significant risk is, would you have an answer? Could you defend your answer if challenged?
About the world stuff, in short:
- Will COVID-19 be the end of the world? – No, it’s highly unlikely. COVID-19 is a pandemic and all pandemics come to an end.
- Is COVID-19 serious? – Absolutely! People get sick and people die. It’s 100% serious and we should all do what we can to help ourselves and each other be safe.
- If you’re a black man in America, are you going to die at the hands of police? – Even by the most credible research I could find, there’s a 99.9% chance that this will NOT happen. Even .1% is way too high! We need to do everything we can to drive this number much lower. In context, the problem goes beyond the police though.
Well, I hope this helped. Remember to put things into context as much as you are able.
[Evan] Let’s move on to some news topics.
[Evan] Here’s some news I thought was interesting:
- Hackers use overlay screens on legitimate sites to steal Outlook credentials – https://securityaffairs.co/wordpress/107932/cyber-crime/phishing-outlook-credentials-overlay.html
- CEOs Could Be Held Personally Liable for Cyberattacks that Kill – https://threatpost.com/ceos-personally-liable-cyberattacks-kill/158990/
- Hackers delete Bykea database, company avoids data loss due to backups – https://www.hackread.com/hackers-delete-bykea-database-evades-data-loss-backups/