The UNSECURITY Podcast – Episode 39 Show Notes

HAPPY FRIDAY! You made it through another week. Did you survive or did you thrive? Hmm. Something to think about, I suppose.

Good week here for me, the folks at FRSecure and the folks at SecurityStudio. Most weeks are good weeks really.

I was in town all week, but not in the office too much. Came in for meetings, then excused myself for more writing. Most of my days are consumed by writing lately. Writing a few blog posts, a few articles, and working on the upcoming book.

I’ll leave it at that for now. Many exciting things to share, but we’ll be patient and let them take a little more shape before sharing.

Did you catch episode 38 of the UNSECURITY Podcast? John Harmon, the president of SecurityStudio was in studio and we had a great chat. John and I are working well and working closely together. It’s a blast!

This week’s show, episode 39, is a real treat. “Ben” comes back in studio to give us the lowdown on what he’s been up to. I’m excited for you to hear what he’s got to say. This show is released on Monday (8/5), so be sure to look for it!

On to the show notes…


SHOW NOTES – Episode 39

Date: Monday, August 5th, 2019

Today’s Topics:

Our topics for the week include:

  • Conversation with “Ben”
    • Research
    • Responsible Disclosure
    • Social Engineering (SE) Things
    • Team Ambush
    • DEF CON
  • Industry News

[Evan] – Hello listeners, and welcome to episode 39 of the UNSECURITY Podcast. My name, for those of you who don’t know, if Evan Francen. I’m your host for today’s show, again. Scheduling stuff for security people is always a pain in the ass, and this week is no different. We’re recording this show on Friday because I’m out of the office next week. This is still Brad’s vacation, so he’s out of hand for hosting. All this means that I get to host again! That’s cool, right?!

Brad will be back next week, and he’ll have a great show planned I’m sure.

Now, you don’t want to sit there and listen to this voice for an entire show, so I invited someone last minute to join me. I found “Ben”! Want to say hi to the listeners Ben?

[Ben] Ben does Ben.

[Evan] Ben, thank you for agreeing to join me, especially last minute like this.

[Ben] Ben does Ben.

[Evan] Ben’s not your real name, right? So why do we call you “Ben”?

[Ben] Ben does Ben.

[Evan] You were here back in episode 14 (February 11). It was a great talk then, and this one will certainly be as good or better. Ben, you live a damn cool life, at least as it goes for security people. You cool if we talk about some of the things going on with you?

[Ben] Ben does Ben.

Conversation with “Ben”

Topics to discuss with Ben include:

  • Research
  • Responsible Disclosure
  • Social Engineering (SE) Things
  • Team Ambush
  • DEF CON

[Evan] See, I told you. Ben does cool stuff, and a lot of it! We could have talked for hours, but we can’t do that here. Let’s close with some news.

Industry News

Plenty of news this week, but arguably the most talked about is the Capital One breach. Instead of what’s in your wallet, now the joke is “who’s” in your wallet. Seriously though, this was big news this week.

Here’s our news to discuss in this week’s show.

Closing

[Evan] – So, there you go. That’s how it is. Ben, a huge thank you for joining me this week. Best of luck to you and all of Team Ambush this week at DEF CON. You’re going to have a great time and I can’t wait to hear how things went. Also, as always, thank you to our listeners. The podcast continues to grow and we’re grateful. Keep the awesome feedback coming, send it to unsecurity@protonmail.com. If you give us something real cool, we’ll mention it. Without your approval of course. Wait. That’s not right. I mean WITH your approval.

If you’d like to be a guest on the show or if you want to nominate someone to be a guest, send us that information too.

Ben, how can people reach out to you? Or do you even want people to reach out to you?

[Ben] People can reach me through Twitter. My Twitter handle is @M1ndFl4y. I don’t post much, but you can reach me through a DM there.

[Evan] OK. Thanks again. Find us on Twitter for daily chatter. I’m @evanfrancen and Brad’s @BradNigh. Have another great week everybody!

Denver ISSA Incident Management Workshop Recap

Finally. I’m finally getting around to posting about this event. The fine folks of the Denver ISSA chapter invited me to speak at their chapter event on May 23rd. The event was a three-hour incident management workshop (titled Incident Management – Panic or Plan).

‘Wait! What?! Three hours?!

Yes. These poor folks endured three hours of my preaching. Read on…

About Denver ISSA

The Denver ISSA Chapter is the largest chapter in the world with more than 800 members. I’ve attended numerous ISSA chapter events over the years, and the Denver ISSA Chapter is one of the best! Read about the Denver ISSA Chapter here.

I spent some time with James Johnson, the Chapter President, and Shannon Welton, the Chapter Training Coordinator while I was there, and they are both top notch! Seriously. They’re good, and it was great conversation (for me anyway).

Can’t say enough good things about Denver ISSA. Loved every minute I spent there.

About the Workshop

Shannon Welton was my primary contact for the workshop. She’s a pleasure to work with. I was given liberty to create and present whatever content I wanted to, and she made sure I had everything I needed at every step of the way.

Flight in the morning from Minneapolis to Denver. Grabbed a Lyft. Made the trip from the airport to Maggiano’s Little Italy (16th St Mall). Lunch started at noon, and I got there at 12:05. Not bad. 😉

From the moment I arrived, I felt welcomed. There seemed to be ~100 people there, and they were all engaging. They showed genuine interested in each other and it felt good to be there. Lunch ran from noon til 12:45, at which time Shannon kicked off the workshop with an introduction. When she introduced me, she asked if anyone had heard of me. Funny! Only one person raised their hand.

After three hours together, they’ll all have heard of me now!

I’m the sort of guy that could talk for three days about information security (and incident management), so three hours wasn’t going to be a problem for me. The challenge is/was keeping people engaged for three hours.

Here’s the learning objectives.

Here’s the agenda.

I used two things to keep people awake; a 15-minute break at 2:15 and Dad jokes. We made it through to 4:00pm, and the group was very engaged. More than I expected. There were great questions, good eye contact, and I felt as though we all got something from the experience together.

Workshop Content

Get it here.

  • ISSA-Denver_PanicOrPlan-052319.pdf, the slide deck.
  • CSIR-Maturity-assessment-tool_Info1.pdf, the CREST Cyber Security Incident Response Maturity Assessment Tool introduction document.
  • Maturity-Assessment-Tool.xlsm, CREST Cyber Security Incident Response Maturity Assessment Tool (Summary).
  • Maturity-Assessment-Tool_Detailed.xlsm, CREST Cyber Security Incident Response Maturity Assessment Tool (Detailed)
  • ISSA-SAMPLE_Incident_Log&Categorization_Tool.xlsx, the FRSecure basic information security incident logging and categorization workbook.
  • ISSA-SAMPLE_Security_Incident_Response_Plan-052319.docx, the FRSecure basic incident management/response plan template.

Summary

The Denver ISSA is awesome! If I lived in Denver, I’d be at every event. If you live in Denver, you should go to every event. Seriously, get there.

A dozen of so people came up to speak with me after the workshop. More great questions and some great connections. I felt bad that I had to run shortly after the workshop in order to catch my plane back to Minneapolis. Next time (if/when there is one), I will stay longer.

Presenting this workshop was a real privilege, and I’d go back anytime.

P.S. Another example of their awesomeness; I received a beautiful “thank you” gift basket at my office from these guys. Too cool!

2019 New Directions in IT Education Conference

This was a wonderful opportunity to talk to some fascinating people; people tasked with helping us create the future talent of our industry.

It was also the fourth talk at the fourth conference of the week, so things were getting a little weird. Regardless, I always enjoy this and I’m having fun!

About the 2019 New Directions in IT Education Conference

This is an annual conference attended by “educators and industry experts”, sponsored by the Minnesota State IT Center of Excellence.

According to the conference website:

Minnesota State IT Center of Excellence, invites industry professionals, employers, and Minnesota State faculty members to convene at our annual free IT conference that takes place in May.  Explore emerging employer needs, identify specific implications for student learning outcomes, and map out actions that individual faculty and departments can implement, and identify comprehensive innovations to be developed collaboratively.

A really cool opportunity to speak and collaborate! I was here for two reasons:

  1. Deliver a keynote talk
  2. Participate on a panel of experts

I was with some experts, but I’ll apply that word loosely to myself. The full conference schedule is here.

Keynote Plan A

If you know me, you know that I wing it a lot. This makes me very hard to manage, and it can get frustrating for people who work with me. It’s just how I roll.

I prepared my talk for this conference four (maybe five) days ahead of time. That’s crazy good for me! My talk was/is titled “Seven Facts About Unicorns”. I put a lot of work into the presentation and I was excited to give the talk (at the time I wrote it).

Keynote Plan B

There wouldn’t be a need for Plan B if I had just stuck with Plan A, but what fun would that be? Driving on the way to the venue, I changed my mind. I didn’t want to talk about unicorns anymore. I even said to myself in the truck, “Seriously Evan?! Don’t do it.” Thankfully, I was 45 minutes ahead of schedule, so I pulled off at a local coffee shop to create a new presentation.

Some people (I/me) never learn.

I grabbed a cup of coffee, tore my laptop out of my bag, and begin pounding away on the keyboard. What would I talk about though? Hmm. Got it! I will cover the first 38 of 100 truths about information security. I started the #100DaysofTruth series 38 days ago, at the time of the talk (at the time of this writing, I’m on day 50). I felt like hitting some hard truth with the educators in the audience. So, that’s what I did. The title of Plan B was “38 of the 100 Truths About Information Security”.

Whipped the slides together, and away we went!

The talk went extremely well. The audience was engaged, and there were some great questions afterwards. We’ll save the unicorn talk for another day. 😉

Here’s a copy of the presentation if you want to look at it or use it.

Want to see the Seven Facts About Unicorns talk? What’s it worth to you? Just kidding, here it is. I still might deliver this talk someday.

Panel of Experts

This was cool! I just got to sit there and answer questions. Not all the questions, but only the ones where the other two panelists didn’t answer. I suppose I also added a few things here and there to their answers, but the other panelists were dead on I think. You know how you have to add something once in a while to make people think 1) you’re still paying attention and 2) you’re smart and stuff? I did some of that.

It was an honor to sit on the panel with Ryan Manship from RedTeam Security and Sahar Ismail from Legacy Armour

Overall, it was an awesome conference and a great way to end a crazy week.

2019 Secure360

Almost caught up with my conference and talk summaries from a couple weeks ago!

Secure360 is arguably “the” security conference in the Twin Cities each year. 2019 was the 14thyear for the event and it was very well-attended.

About Secure360

In the words of the Upper Midwest Security Alliance (“UMSA”):

This marked the first year that the event was held at the Mystic Lake Center in Prior Lake, and it was a perfect venue. Secure360 is a two-day conference, and I showed up in the afternoon of day two for my talk. I wish I had been able to be there for more, but business kept me away until then.

My impressions were very positive. The event was well organized, and there were people everywhere. I ran into a bunch of people that I know, which made the event comfortable too. I didn’t spend any time in the vendor area because I hate being sold stuff. Walking through the vendor areas at conferences sometimes feels like trying to survive a lions den with a T-bone hanging from my neck.

Judging from the published program, the quality of speakers and the content of talks was very good.

2020’s Secure360 conference will be held at the same place on May 5thand 6th. It will mark the 15thyear, one heck of an accomplishment!

What was I doing there?

Just two things this time.

First, just like the Loffler event, this was a great opportunity to say “hi” to a bunch of people that I don’t get to see very often. I ran into some people that I haven’t seen in a very long time! Fun to catch-up.

Second, I gave another talk.

The Talk

The title was Speaking Information Security. A copy of this talk can be downloaded here (link) and it’s also available on Secure360s site.

Like the other talk earlier in the day, this one was also well-attended. This room was mostly full, which sort of surprised me. I was surprised because my session was in the last group of sessions on the 2ndday (last day) of the conference. I didn’t think people would still want to hang out. They did. Here’s what I said to them (in jest, of course).

“Ever throw a party? You know when the party is winding down, and there are those folks that just won’t leave? They keep milling around, you’re tired, and you’re trying to shoo them out the door… That’s you. You’re though folks.”

The Secure360 party was coming to an end, but these infosec party animals wanted to keep going. They were committed!

This was essentially the same talk I gave earlier in the day at Tech Fest, but I was bolder with this crowd. I might have been a little ornery because I was getting tired (3rdtalk of the week), or maybe it was because I was talking to members of my own tribe (information security people). The point of the talk was to drive home the fact that we don’t speak the same language in our industry, and to make matters worse, we don’t have any good translations either. Take slide 7 for instance (pictured below).

Information security is… What? Just about everyone in my talk was a security person, but nobody wanted to give me an answer. Why? As I continued, through the presentation, there was head nodding everywhere. Slide 20 made sense to everyone it seemed. People were taking notes anyway, and nobody spoke up in disagreement.

By the time we got to slide 31, you could see skepticism growing on some people’s faces. FISASCORE® for free?! FRSecure has sold millions of dollars worth of FISASCORE® assessments over the years. Why would we make it free?! The simple answer comes from our mission; to fix our broken industry. Our mission is this, not to make millions of dollars on something that everyone should have. Let’s spend more time and money on fixing things.

I asked the audience, “How many of you are skeptical?” Only a few raised their hands. To the rest, I said (in jest again), “I thought you were all security people. I’m disappointed that more of you aren’t skeptical!”Laughs (maybe just obligatory ones). To the skeptics:

Help us. Join us to make a singular information security language that ALL can speak, and ALL can speak freely.

To the obstructionists; buzz off and get out of the way.

The talk was well received. People genuinely seemed interested, and a dozen or so stayed to talk with me afterwards. Met some new people and I’m looking forward to working with some of them toward some common goals. Oh yeah, I gave away some more books too. I like giving stuff away.

Overall, Secure360 is a great conference. I highly recommend it for the quality of the content and the wonderful people everywhere, which makes for great networking opportunities. Way to go UMSA!

Loffler Tech Fest 2019

Where does the time go? Loffler Tech Fest 2019 was held at the St. Paul (MN) RiverCentre on May 15th, and I couldn’t get around to writing this short summary until now.

Ugh.

This was the 2nd talk I gave (of five) that week, and the first of two I gave that day. This is my short summary.

About Loffler Tech Fest

It’s rare to find a quality event that’s free these days. Heck, it’s becoming rare to find a quality event period. Loffler pulls it off each year, and it’s fun to be a part of it. I don’t know how many people were there exactly, but I’d guess there were 1,500, or so. Highlighting the event was the keynote given by PJ Fleck, Head Football Coach, University of Minnesota and the IT Panel Discussion Featuring Twin Cities Business Leaders. Seated on the panel were:

  • Ben Davis – Executive Vice President & Chief Digital Officer at Cambria
  • Cindy Trousdale – Chief Financial Officer at Shaw-Lundquist Associates
  • Steve Molander – Chief Information Officer at Frandsen Financial Corporation
  • Barry Doerscher – Chief Information Officer at Midwest Dental

I know Ben and Steve, and they are amazing IT leaders. If the event only had the keynote and panel, it would be a success. There was more though. There were four technology sessions, prizes/vendor showcase(s), and a networking happy hour.

What was I doing there?

Three things, I think.

First, I stole PJ Fleck’s badge and showed it to my friends. The chances of me passing myself off as PJ Feck were very low, so I gave it back. This was more about having fun than anything else.

Second, this was a great opportunity to say “hi” to a bunch pf people that I don’t get to see very often. I love people and I love seeing them when I can.

Third, I gave a talk.

The Talk

The title was Speaking Information Security. It was well-attended. Maybe 80 people. I didn’t count, but the room was full. (I gave a talk once ~8 years ago where nobody showed up! Another story for another day).

This was a new talk, and I planned to deliver it twice that day; once here at Tech Fest, and again in the afternoon at Secure360. Not only does this save some time and frustration with PowerPoint, but I wanted to judge the audience reactions in both venues for a couple of reasons.

  1. The Tech Fest audience was mostly IT folks, not necessarily security folks. The audience in the afternoon would mostly be security folks, not IT folks.
  2. I’m the CEO of two companies; FRSecure and SecurityStudio. The Tech Fest talk was delivered as the CEO of SecurityStudio, while the afternoon talk would be delivered as the CEO of FRSecure.

A copy of this talk can be downloaded here. Arguably the biggest deal in the talk was the announcement that we’re going to be making the FISASCORE (self-assessment) free! I hadn’t even officially told my team yet. More to come on this later…

The talk was fun, as most are. The talk went over well, I gave away a few free books, had a few laughs, and answered a bunch of good questions. Stayed another 30 minutes(ish) to talk with people before I needed to leave for the next conference.

Overall, I loved the conference. Kudos to Loffler and all the cool people there for pulling off a great event!

2019 North America CACS Conference Recap

Each year, the Information Systems Audit and Control Association (ISACA) puts on a really good event in North America; the CACS Conference. This year’s conference (2019) was held at the Anaheim Convention Center from May 13 – 15. Read the conference brochure here.

This was my first time attending this conference. ISACA put on a great event in my opinion. Kudos to them and the 1,500 or so who were in attendance.

I was there for two primary reasons; to give my talk and to sign copies of my book at the SecurityStudio booth. Turned out there was a third reason that might have been more important than my original two; to meet a bunch of really cool people! The coolest of which were my wife, Kevin Orth, and Skylar Wickland (representing SecurityStudio).

The Talk

So, my talk was the first talk of the entire conference, in the Innovation Exchange.

Some Evan Drama

My talk was slated to start at 7:20am, but I thought it was supposed to start at 7:00am. I looked at the stage, looked around, and there wasn’t anyone there! Hell no. I’m not going to stand on a stage in an open space in the middle of all the vendor booths and talk to no one. I went over to the SecurityStudio booth, where my people were hanging out, and told them I was going to skip my talk. They were OK with that.

This slideshow requires JavaScript.

At 7:10am, one of the event organizers stopped by looking for me. She asked if I was ready to talk, and I told her that I was thinking about skipping my talk because there wasn’t anyone there. She said “What are you talking about? The place is packed, and we’re ready for you!” Turned out she was right, and the place was busy. ~100 people were there to hear my spiel (I mean “talk”).

What’s the most exciting thing to talk about on Monday morning, first thing? How about third-party information security risk management?! Maybe not, but there were plenty of people there and most were nodding their heads.

My talk was titled “Why?”. You can download a PDF copy – ISASC_CACS-WHY050719-FINAL-v2.

Book Signing

After giving my talk, people stood in line to get a free signed copy of my book. That was pretty cool.

This slideshow requires JavaScript.

Just when I thought I was done signing, the event organizers announced the book signing on the conference PA system. This brought a bunch more people. We only brought 150 copies of the Unsecurity book, and they all found new homes.

Cool People

My favorite part of the conference, by far, was meeting really cool people. This is usually my favorite part of conferences. When people came to get a book, I’d ask them two questions. 1) Where are you from, and 2) What do you do? I met some amazing people from Nigeria, Colombia, Belgium, Netherlands, Portugal, Spain, and all over the United States.

Overall, it was a very good conference. It was also a great way to start a new week.