The UNSECURITY Podcast – Episode 80 Show Notes – Zero Trust

We write our show notes either at the end of the week (Friday) or at the very beginning of the next (Sunday). It’s easier to remember the things that happened during the week on Friday than Sunday, that’s for sure! Only one day away (Saturday), and it’s easy to forget all that we did.

Most weeks are crazy, for us at FRSecure and SecurityStudio, and for people in general.

Normal(ish)

Are you feeling like things are slowly returning to normal? I am, and it’s great news! Personally, I don’t like the term “new normal”. I think I don’t like it because I feel like people have twisted it to serve their own desires and/or opinions without any factual basis. Normal is normal, and the greatest abnormality (in my opinion) has been our lack of in-person contact. We’ve been built, or wired, for analog personal interaction. Digital, online interaction will never substitute for it, and the longer we go without it, the more mentally unhealthy we become.

Four Things

Last week was a great week! Four cool things stand out in particular:

  1. Last week’s podcast was awesome! I love every opportunity to chat with Brad, and it’s a blessing to hang out every Monday morning. Recording episode 79 was a great way to kick things off last week. If you missed it, we talked about information security in K12, and you should go catch it.
  2. We made great progress in helping state governments last week! Had a great conversation with Minnesota’s CISO, Rohit Tandon, on Wednesday as we discussed third-party information security risk management. This was followed by the scheduling of a similar meeting with the State of New Mexico and joining the National Association of State CIOs (NASCIO) Cybersecurity Committee on Thursday.
  3. Chris Roberts, Ryan Cloutier, and I did Episode #1 of The Security Shit Show on Thursday night. It was a ton of fun hanging out with these guys! We’re planning to do our episodes/shows live every Thursday night at 10pm CDT, record them for future playback, and use the audio for our podcast. It’s definitely entertaining for our viewers/listeners and therapeutic for us. Be sure to tune in if you can!
  4. The Daily inSANITY Check-ins are still going strong, and this past week was great! People supporting each other and helping where we can is what it’s all about. Come join us when you can.

There were many great things about last week, but these were the four that came to mind when I sat down to write these show notes.

Speaking of show notes, let’s get to it! Today we’re going to talk about Zero Trust; what it is, why it’s a hot topic today, and what you should be doing about it.


SHOW NOTES – Episode 80

Date: Monday, May 18th, 2020

Episode 80 Topics

  • Opening
  • Catching Up (as per usual)
  • Zero Trust
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey everyone! Welcome to the UNSECURITY Podcast. This is episode 80, the date is May 18th, 2020, and I’m Evan Francen. With me today is my co-host, Brad Nigh. Good morning Brad!

[Brad] We’ll see what sort of mood Brad is in this morning…

[Evan] We’ve got a good show planned today! There’s this thing called “zero trust” that people are talking about, and I thought it’d be good for you and I to discuss it. Personally, I’ve received a lot of questions about it, and I’m sure you have too Brad. Like always, before we dig in, let’s catch up. What were some highlights for you from last week and how was your weekend?

Catching Up

Quick discussion about last week, last weekend, COVID-19, life, and other stuff.

Zero Trust

[Evan] A simple Google search of Zero Trust turns up “About 691,000,000 results”. A Google search of “Zero Trust” (with quotes) turns up “About 1,940,000 results”. So, clearly there are a lot of people who know what it means, right? Here’s some returns from the first page of search results:

The fact that there are so many “what is zero trust?” search returns might be a hint that people are confused. Let’s tackle this!

Zero Trust Discussion

Let’s try to clear some of the confusion:

  • What is Zero Trust?
  • Is it really new?
  • Is Zero Trust possible?
  • If I want Zero Trust, what do I need to do?
  • What common mistakes should I look out for?

[Evan] Alright. Good talk Brad. Thanks for sharing your insight! I think our listeners have a clearer picture of Zero Trust and what it means to them. If they have additional questions or comments, they can always contact us for more!

News

[Evan] News stuff! What the heck happened in the world last week? Let’s see…

I found four articles that caught my attention. Let’s talk about them!

Wrapping Up – Shout outs

[Evan] Never a shortage of things to talk about in this industry is there? Well, episode 80 of the UNSECURITY Podcast is just about a wrap. Brad, you have any shoutouts?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Here’s mine…

[Evan] Can’t say enough thanks to our listeners! Crazy how we run into you in all sorts of places. Stay safe and let us know how we can help you. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Thinking about coming to hang out at the Daily inSANITY Check-in? You can follow this on Twitter too at @InSanityIn.

There you go, have a great week!

Daily inSANITY Check-in

If you want to join us in our Daily inSANITY Check-ins, you are welcome to! Join us by going here.

Compassion Wins

As you know too well, the COVID-19 pandemic seems to have changed everything. Nothing is the same. We don’t work the same, we don’t shop the same, we don’t entertain the same, and some of us don’t even defecate the same (without toilet paper). No doubt, we’ve endured massive changes to our lives. Compounding the resulting chaos is the uncertainty about our future.

One thing hasn’t changed, and that’s our human compassion.

Through human compassion we will endure together. By our endurance we will prevail together too.

The Start of the Daily inSANITY Check-in

We knew early on, from the beginning of the COVID-19 pandemic, that we’d struggle with mental health. The truth is, some of us have always struggled with mental health. Sanity is precious and we need to do all we can to protect it. Rather than sit idly by, and let ourselves blow in the wind, we decided to do something. On March 23rd, six days after FRSecure and SecurityStudio closed our physical offices, we started this thing called the Daily inSANITY Check-In.

Here’s what the Daily inSANITY Check-In is all about:

If you need a break from the chaos, or just want to talk about things, we’re hosting the Daily inSANITY Check-in for these reasons (among others).

Never has the world changed so significantly and affected so many in such a short period. These times are historic, and the effects of the Coronavirus (COVID-19) are not fully known. What we do know is we’ll never be the same. The prominent changes to our lives can force many of us to lose focus and even affect our mental health. Noise generated by the unrelenting media coverage, marketing, and scams only exacerbates our problems.

The purpose of the Daily inSANITY Check-in is to provide a safe place for people to discuss current events, information security things, challenges we’re facing, or whatever else comes to mind. The check-ins are short (30- to 60-minute) daily meetings with discussion. People are always free to come and go as they please.

This is a joint effort from FRSecure and SecurityStudio, and the host is FRSecure and SecurityStudio CEO, Evan Francen. Joining Evan as co-hosts are Ryan Cloutier, SecurityStudio Principal Security Consultant, and Brad Nigh, FRSecure Director of Professional Services & Innovation.

We hope you’ll come join the conversation aimed at restoring and/or maintaining our sanity!

Rules for the Daily inSANITY Check-in are:

  • Be yourself.
  • Respect everyone.
  • Respect opinions.
  • Be kind.

Anyone not playing by the rules is not welcome. Sorry.

Still Going Strong

Today is May 11th, 2020 and we still meet every day. Altogether, we’ve had seventy-nine (79) people visit, and there are many of us who’ve been here since the start. The relationships we’ve built here are real and they’re strong. These solid friendships around our “virtual water cooler” (as it’s been called by some) are incredible, and you’re invited too!

Everyone is welcome to join us. If you need some support or you’ve got some to give, come say “hi”! If you want to share your audio or video, you can. If you don’t, don’t. We’ll welcome you when you come and we’ll be here when you need us!

Sign up here.

The UNSECURITY Podcast – Episode 79 Show Notes – K12 Cybersecurity

56 days.

That’s how many days have passed since we officially closed our (physical) offices at FRSecure and SecurityStudio. The date was March 16th, 2020, and it’s a common closure date for many organizations. It’s crazy, but I hardly remember the month of April or the first week and a half of May! I’ve either lost context, or I’m losing it in a big way. These are times like no other.

This thought about context got me thinking about how it applies to our work as information security professionals. I believe one of the biggest tells about good or bad information security leadership is the ability or inability to put risk into context. I think there’s a whole series of podcasts we could do on this topic focusing on how we can help people understand context better. The better we understand context, the better our information security decisions will be. Maybe we’ll start tackling this in a series of podcasts, starting with episode 80 next week.

This week, we’ve got a slightly different topic.

Today, in episode 79, we’re going to focus our attention on a recent report from the Consortium for School Networking (CoSN) titled “The State of Edtech Leadership in 2020”. There’s some really good information in this report, and kudos to CoSN for pulling it together!

Let’s just get to it, episode 79 show notes below…


SHOW NOTES – Episode 79

Date: Monday, May 11th, 2020

Episode 79 Topics

  • Opening
  • Catching Up (as per usual)
  • The State of Edtech Leadership in 2020
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey everyone! Welcome to the UNSECURITY Podcast. This is episode 79, the date is May 11th, 2020, and I’m Evan Francen. With me today is my co-host, Brad Nigh. Good morning Brad!

[Brad] Brad’ll say good morning I bet. He’s a super nice guy like that! 

[Evan] We’ve got a good show planned today! You and I both love helping people, and I think we’re covering some things in this episode that should help all our listeners. Before we get too deep though, let’s catch up. It’s what we do! How you doing and what’s new Brad?

Catching Up

Quick discussion about COVID-19, life, and other stuff.

The State of Edtech Leadership in 2020

[Evan] Like you Brad, I get asked a lot for my opinion about this or that in information security. If the question I get is focused, it’s easier to provide a quick answer, but when a question is vague or open-ended, it takes much longer. This hit home for me this weekend when I was asked to chime in on this article; K-12 Tech Leaders Prioritize Cybersecurity, But Many Underestimate Risks, Survey Says. There’s a lot to unpack here, and a good opinion takes more time.

[Brad] He probably hasn’t read the article yet, but we’ll see…

[Evan] One thought that came to mind when I was asked for my opinion was the concept of context. Anything taken out of context can be made to look any way we want, good, bad, and/or anything in between. When I read the article, one statement stood out right away:

fewer than 20 percent marked any items on a list of cybersecurity threats as “high-risk” from their perspective

[Evan] What caught my attention were the words “from their perspective”. Questions popped into my head. How do Edtech leaders define “cybersecurity”? What’s on their list of “cybersecurity threats”? What’s “high-risk”? This is a can of worms.

The following are key quotes directly from the CoSN report.

Cybersecurity remains the number one technology priority for IT Leaders, yet the threat is generally underestimated.

For the third straight year, cybersecurity has ranked as the top priority. When it comes to maintaining network security, 69% of districts say they are proactive or very proactive – up significantly over last year’s 52%. Districts employ a variety of strategies to minimize risk, including the vast majority in which IT staff training is a top practice and a majority requiring teachers and principals to receive training as well. Despite concerns, the survey also found that less than a fifth of respondents (18%) have a dedicated full-time employee (FTE) whose sole job is cybersecurity. IT Leaders feel phishing scams pose the greatest risk to network security, with almost half (49%) rating them medium/high risk to high risk. Despite this, results also showed an overall trend to underestimate risk—less than a fifth of respondents considered any specific threat as high risk. This runs counter to the reality that school systems are being specifically targeted by cybercriminals with reported cyber incidents tripling in one year.

Artificial Intelligence (AI) holds both promise and peril for IT Leaders.

The majority (55%) of IT Leaders anticipate that of the emerging technologies, AI will play a significant or transformational role in teaching and learning over the next five years. However, AI also poses concerns, with privacy being the biggest. Before AI becomes adopted at scale and can deliver on its promise, privacy issues will need to be addressed.

The top three challenges persist: budget, professional development, and department silos.

These three areas have been vexing IT Leaders since 2017. While budget is often beyond district control and directly affects professional development, it is within districts’ abilities to address the existence of silos. As outlined in CoSN’s “Digital Leap Success Matrix,” cross-functional executive team leadership is integral to the development of a successful digital learning environment. Until the executive leadership breaks down the silos, IT Leaders will continue to face difficulty in achieving their district’s own technology goals.

Other items from the report

Page 14:

Districts without a dedicated person on staff use a variety of methods to monitor network security. The most common approach is sharing the responsibility across several jobs (46%) followed by incorporating network security monitoring as part of another job (30%). Outsourcing is used by 11% of respondents. A concerning 10% of respondents have an ad hoc approach and do not have anyone assigned to monitoring their district’s network security. A makeshift approach to addressing cybersecurity is one reason why “school districts are proving to be particularly enticing to hackers.”

Page 15:

When it comes to maintaining network security, 69% of districts say they are proactive or very proactive. This represents a significant increase over the prior year’s 52%. Only 13% describe their activity as reactive or very reactive, a decrease from 23% the prior year. These year-over-year results indicate that districts are highly aware of increased network attacks in K-12 environments and are increasing efforts to thwart them. It is likely that lack of resources, not lack of awareness, is responsible for the 13% described as reactive/very reactive. As one respondent lamented: How is our small district able to fend off a multitude of possible cyber threats with the staff we have?

When asked to rate their perception of various risks to network security, respondents did not make significant distinctions between threat types. The largest segment fell into the Medium risk range—low/medium, medium, high/medium. With 49% rating it medium/high risk or high risk, phishing was deemed the greatest risk. It is surprising more did not consider it a greater risk. Phishing attacks have reached the “highest level in three years” with more than two-thirds of all phishing sites using SSL protection. With SSL decreasing as a reliable indicator of security, risks increase for users unable to spot phishing sites. Less than a third (31%) of respondents perceive ransomware attacks as medium/high risk or high risk. This risk level assessment is also likely lower than it should be as the FBI is reporting ransomware schemes are being specifically designed to target public schools. With less than a fifth of respondents rating any threat as high risk (phishing received the most with 16%), threats overall appear underrated. Only 5% assessed student data to be at high risk, yet, according to the most recent data on reported K-12 cybersecurity incidents, “the most frequently experienced type of school-related cyber incident…..were data breaches, primarily involving the unauthorized disclosure of student data.” With the number of reported K-12 cybersecurity incidents rising—nearly triple from 2018 to 2019—perceptions in perceived risks should start to realign more closely with reality.

[Evan] No doubt, we have a lot of work to do in K-12. It’s our obligation to do everything we can to help. Check out SecurityStudio’s free resources and do a holistic information security risk assessment like the S2School we developed earlier this year. Put information security risk into perspective and make much better choices.

News

[Evan] Alright. Good talk. Thanks Brad! Let’s cover a couple of interesting news stories before we wrap this up. Here are a couple stories that caught my attention:

Wrapping Up – Shout outs

[Evan] Sheesh! Lots of stuff. Well, that’s it for episode 79. Brad, you have any shoutouts?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Here’s mine…

[Evan] Seriously, a huge thank you to our listeners! We love your encouragement and we don’t take your advice lightly. You’re all great! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Have a great week!

The UNSECURITY Podcast – Episode 78 Show Notes – Working From Home

Keeping the show notes short again this week. It was another crazy week at FRSecure and SecurityStudio. We make progress towards our mission each and every day, regardless of COVID-19. Our mission is to fix the broken information security industry, which can be summed up by this statement:

Information security isn’t about information or security as much as it is about people.

When we help people, we help our industry. After all, would anyone care about information security if nobody suffered when things go wrong?

We’ll keep on trucking! We’re grateful for the people who put their trust in us and our credibility.

Let’s just get to it, episode 78 show notes below…


SHOW NOTES – Episode 78

Date: Monday, May 1st, 2020

Episode 78 Topics

  • Opening
  • Catching Up (as per usual)
  • Working from home
  • S2Me/S2Team
  • Listener Mail
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey guys and gals. Welcome to the UNSECURITY Podcast. This is episode 78, the date is May 4th, 2020, and I’m Evan Francen. With me today is my co-host, Brad Nigh. Good morning Brad!

[Brad] It is a good morning and Brad’ll be in a good mood for sure. Let’s see how he responds.

[Evan] Another good show planned for today, but before we jump in, let’s catch up. It’s sort of our usual thing to do about this time.

Catching Up

Quick discussion about some of the cool things we’re doing.

[Evan] We’ve been talking a lot lately about working remote or working from home. This has been a hot topic for some time, but since the COVID-19 outbreak, this is one of the top trending topics in the information security world. Let’s discuss another take on this, more of a future looking strategic perspective.

Working from home

Discussion about:

  1. What work from home looked like before COVID-19.
  2. What happened because of COVID-19.
  3. What the future looks like after COVID-19.

There are plenty of news articles about these topics and there’s no shortage of “expert” advice. Here’s just a few:

  • Is Working From Home The Future Of Work? – https://www.forbes.com/sites/nextavenue/2020/04/10/is-working-from-home-the-future-of-work/#4260c2c846b1
    • “An early-April 2020 MIT survey of 25,000 American workers found that 34% of those who’d been employed four weeks earlier said they’re currently working from home. Combined with the roughly 15% who said they’d been working from home pre-COVID-19, that means nearly half the U.S. workforce might now be remote workers.”
    • “The Brookings Institution’s Katherine Guyot and Isabel V. Sawhill just wrote their take on remote work and COVID-19, calling the pandemic ‘among other things, a massive experiment in telecommuting.’”
    • ‘In a March survey of HR execs by the Gartner IT research firm, 76% said the top employee complaint during the pandemic has been “concerns from managers about the productivity or engagement of their teams when remote.”’
    • “In Buffer.com’s9 State of Remote Report, 19% of remote workers called loneliness their biggest struggle with working from home and 17% cited collaborating and/or communication.”
  • Some May Work From Home Permanently After COVID-19: Gartner – https://www.crn.com/news/running-your-business/some-may-work-from-home-permanently-after-covid-19-gartner
    • “Gartner last week released results from a March 30 survey of 317 CFOs and business finance leaders that found 74 percent of those surveyed expect at least 5 percent of their workforce who previously worked in company offices will become permanent work-from-home employees after the pandemic ends.”
    • “According to Gartner, about 25 percent of those surveyed expect 10 percent of their employees will remain remote, 17 percent expect 20 percent will remain remote, 4 percent expect 50 percent will remain remote, and 2 percent expect over 50 percent of employees now working from home to permanently work from home after the pandemic subsides.”
  • Working from home has a troubled history. Coronavirus is exposing its flaws again – https://www.theguardian.com/commentisfree/2020/apr/12/working-from-home-history-coronavirus-uk-lockdown
    • “According to the Office for National Statistics, only 5% of the UK labour force worked mainly from home in 2019, but well over a quarter had some experience of home-working.”
    • “With all but key workers confined to their homes, the virtual office is now the new norm – a development that could prove to have far-reaching consequences.”
  • As working from home becomes more widespread, many say they don’t want to go back – https://www.cnbc.com/2020/04/24/as-working-from-home-becomes-more-widespread-many-say-they-dont-want-to-go-back.html
    • “States of Play, a joint CNBC/Change Research survey of swing states, finds 42% of respondents nationwide saying they are working from home.”
    • “Once the economy reopens, 24% say they’d like to work either entirely or more from home compared to how they worked before, while 55% plan to head back to the office.”
    • “Some 60% report being either as productive or even more productive than they were working from the office.”

But what about information security?

There is no shortage of information security tips for people working from home. Just a small sampling:

A different approach – S2Me and S2Team

[Evan] In early 2019, SecurityStudio released its first version of S2Me. The S2Me was released (well ahead of COVID-19) to gauge people’s information security habits at home and S2Team was a way to share the results with an employer without violating privacy at home. Last week, SecurityStudio released version two of S2Me and I’d like to talk about all this.

  • What is S2Me?
  • What is S2Team?
  • How do S2Me and S2Team work together?
    • S2Me is a simple, personal information security risk analysis tool for use at home. S2Me helps people understand their risk related to security, privacy, and safety. Once these risks are understood, S2Me attempts to motivate people to build better information security habits at home.
    • S2Team is a collection of S2Me aggregated results to help organizations understand their employees’ information security habits. Organizations use S2Team to develop better, more personal information security training programs.
    • A couple of quotes from the “Introduction to S2Team and S2Me Topic Descriptions” draft document:
      • “The problem isn’t people. The problem is managing risk related to people.”
      • “People are creatures of habit. People will occasionally deviate from their habits, but habits are their default. Habits create peoples’ baseline and become nearly (or in some cases completely) involuntary.”
      • “People choose to form new habits because they desire the positive outcome or because they fear a negative one.”
  • A quick peek into S2Me.
  • A quick peek into S2Team

[Evan] I think we’re on the right track, trying to help people build better information security habits at home where everyone ultimately benefits.

Listener Mail

[Evan] A loyal listener, one who got a shout out from me last week, Jason Dance, sent us this article that I thought was interesting and worthy of a brief discussion; It’s Not Just Zoom. Google Meet, Microsoft Teams, and Webex Have Privacy Issues, Too. – https://www.consumerreports.org/video-conferencing-services/videoconferencing-privacy-issues-google-microsoft-webex/

Brief discussion

[Evan] Alright, now some newsy things quick.

News

[Evan] It’s easy to find interesting things to talk about in our industry! Here’s a few that caught my attention:

Wrapping Up – Shout outs

[Evan] Wow. Lots of things. Well, episode 78 is almost in the can. Brad, got a shout out or two?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Here’s mine…

[Evan] Seriously, a huge thank you to our listeners! We love your encouragement and we don’t take your advice lightly. You’re all great! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Have a great week!

The UNSECURITY Podcast – Episode 77 Show Notes – Lots Going On

Keeping the show notes short again this week. We’ve been swamped here at FRSecure and SecurityStudio, so not a lot of time to recap what we’ve been up to.

Let’s just get to it, episode 77 show notes below…


SHOW NOTES – Episode 77

Date: Tuesday, April 28th, 2020

Episode 77 Topics

  • Opening
  • Catching Up (as per usual)
  • Remote Working and COVID-19 Stuff
  • Quick Zoom Update
  • Other Things
  • News
  • Wrapping Up – Shout outs

Opening

[Brad] Welcome back! This is episode 77 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is April 28th, and joining me this morning as usual is Evan Francen. Good morning.

[Evan] Evan says his “blah, blah, blah”.

[Brad] We have a jam packed show this week for sure, but before we jump in, let’s catch up quick. Lots going on.

[Evan] Yep. LOTS going on! Good things, but a helluva lot of good things!

Catching Up

Quick discussion about some of the cool things we’re doing.

[Brad] Good! Let’s shift gears now quick and talk about securing remote workers. We’ve briefly touched on it over the last few weeks but as this appears to be becoming the “new norm”, I would like to spend some time dedicated to the topic.

[Evan] Yeah man! Sounds good.

Remote Working and COVID-19 Stuff

Discussion about many news articles, topics, announcements and such…

[Brad] First up, a news article titled “Malware Risks Triple on WFH Networks: Experts Offer Advice”

[Brad] Obviously this is BitSight, so we know the limitations; however, I think in this use case the data is valuable. We’ve got some other good resources and guidance to share, including:

[Evan] Yeah, these are all great resources that are worth looking at. I think our listeners will appreciate them all. Quick announcement, S2Me version two is releasing this week! It’s a limited release, but it’s a VERY good one! We’ll get into S2Me and how it works with S2Team to offer a unique (and what we think is a better) approach to securing the remote workforce.

[Brad] Cool. Should be a good show next week then!

Quick Zoom Update

[Brad] Zoom has been all over the news since the COVID-19 outbreak, and the stories have been all over the place. Thought we’d mention some of the latest developments. As a quick aside, we’ve touched on Zoom the last few weeks and it’s interesting that some of the other options have flown under the radar despite attacks that seem to be more severe.

And Zoom has released quite a few new security features; there’s this good write-up on Tech Republic titled “Zoom 5.0 Includes Security and Privacy Improvements” – https://www.techrepublic.com/article/zoom-5-0-is-coming-with-improved-security-features-heres-whats-new/

Other Things

[Brad] Like we said, there’s always a lot going on around here at FRSecure and SecurityStudio. Quick list of things:

  • FRSecure CISSP Mentor Program (we started this 11+ years before the COVID-19 pandemic)
  • Safety and Cybersecurity at Home 101 Webinar Series (Videos here).
  • SecurityStudio Partner Community (Join here).
  • The Daily inSANITY Check-in (Join here).

[Brad] Good conversation. Thank you Evan. Let’s do some news quick.

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye:

Wrapping Up – Shout outs

[Brad] That’s it. Episode 77 is a wrap. Thank you listeners! We hope you’ve enjoyed the show. Any quick shout outs for you Evan?

[Evan] Yes, I have two…

[Brad] Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 76 Show Notes – Tough Times

Keeping the show notes short this week. We have a special guest, a great friend of mine, Serge Suponitskiy!

There are many, many things going on around here (@FRSecure and @SecurityStudio). I can’t recap everything for you, to do so would be very time consuming. There was one highlight from last week that stood out from the rest though…

2020 FRSecure CISSP Mentor Program

The 2020 FRSecure CISSP Mentor Program kicked off last week with Class #1 on Monday (4/13) and Class #2 on Wednesday (4/15)! It’s crazy, this is the 11th consecutive year of our free training program. With 1,444 students registered in 2020, we have now helped more than 2,825 students over the years!

We’ve had many people try to convince us to charge for this, even if only a small sum, but the answer is always “NO”. This is one of the ways we try to give back to our community, and we’ll continue to do this well into the future. We have done this since 2010, well before COVID-19 showed up at our front door.

Since COVID-19, we moved class to 100% online, with live streaming to YouTube. We archive the videos so anyone can watch any time (even those who never registered). The archives are here:

We’ve also set up an online study group. The study group, as of this morning, has 470 active members.

Here’s to a great 2020 program, and here’s to much success for the students!

On to the episode 76 show notes now.


SHOW NOTES – Episode 76

Date: Monday, April 20th, 2020

Episode 76 Topics

Opening

[Evan] Good morning everyone! This is the 76th episode of the UNSECURITY Podcast. The date is April 20th, 2020 and I’m Evan Francen. Joining me is my co-host Brad Nigh.

Good morning Brad.

[Brad] Brad says “hi”.

[Evan] We have a special guest! Let me give you a little background about this guy.

He’s a global business and technology leader with more than 20 years’ experience building enterprise innovative solutions. He’s guided many organizations through successful transformations, but arguably none more difficult than the one he’s currently facing with COVID-19. He’s currently working at Flight Centre, a global travel company, and as you know, the travel industry has been decimated by the pandemic.

His name is Serge Suponitskiy, and he’s the CTO, CISO, and now interim CIO at Flight Centre, Americas Region.

Welcome Serge!

[Serge] Serge does Serge.

Catching Up

[Evan] As is customary for us, before we jump in to the meat of the show, let’s catch up. If you’re a new listener, you might not know the first motivator for starting the UNSECURITY Podcast. It was to spend an hour shootin’ the breeze with Brad. So what’s up guys? How’s things?

Catching up. Recent events. Coping with *&#!

Introducing our Special Guest

[Evan] I invited Serge to our show for a couple of reasons, the first is, I really like the guy. He’s somebody I respect. The second reason I invited him was to get his perspective on dealing with COVID-19. Serge works in the travel industry, and everything in the travel industry has been turned upside down. He works for Flight Centre, a really great company, and it’s crazy what’s happening…

Topics for discussion:

  • Welcome Serge!
  • Our history and past together.
  • What’s happened to the travel industry since COVID-19?
  • What’s changed for you and your company?
  • What’s the focus for the next 3-6 months?
  • What do you think Flight Centre looks like on the other side?

[Evan] Thank you Serge. You’re a helluva guy and I’m sure everything will work out OK, even if it doesn’t seem like it sometimes.

Middle School Fight

[Evan] Interesting happenings last week between two industry middleweights: Rapid7 and Qualys. I’d like to get your take, guys. On Thursday, I get this email…

It goes on…

[Evan] This sort of thing gets under my skin. In our industry, which is about serving and protecting people, we’re supposed to be better than this. So I wrote a short post on LinkedIn and reached out to my friend Chris Roberts for a sanity check.

Here’s the skinny:

[Evan] What do you guys (Brad and Serge) think about this?

Discussing the middle school playground fight between Rapid7 and Qualys.

News

[Evan] Just one news story this week; IT Services Giant Cognizant Hit by Maze Ransomware Cyber Attack.

Wrapping Up – Shout outs

[Evan] Alright, good show. Thank you for joining us Serge.

[Serge] May or may not say something.

[Evan] Lots going on this week. We continue our Daily inSANITY Checkins, everyone is welcome to join us. Just register online and you’ll get the invites. We also continue the CISSP Mentor Program with classes on Monday and Wednesday. Brad’s teaching tonight and Ryan (“cola”) Cloutier is teaching on Wednesday. I get the week off!

OK, shout out time. Brad, who you want to give a shout out to?

[Brad] We’ll see if he’s got someone.

[Evan] Serge, how about you? You have someone you want to give a shout out to?

[Serge] Maybe he does, maybe he doesn’t.

[Evan] I’d like to give a shout out to __________!

Well, that’s a wrap.

Huge thank you to our listeners. Episode 76 is about to go in the can. We love hearing from you, so if you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, feel free to follow us on Twitter. You can find me @evanfrancen, you can find Brad @BradNigh, and you can find Serge too @SergeSup.

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 75 Show Notes – Hope

Keeping the show notes short this week. Last week’s show notes post should have been broken into two or three posts!

I’m writing this on Easter Sunday, and I’m wishing everyone a Happy Easter! The meaning behind today is promise and hope. Hope is the key talking point for this episode of the UNSECURITY Podcast.

If you missed last week, we had Jim Nash on the show. Jim is our Minnesota State Representative. He shared his perspectives on things like COVID-19, information security in state government, etc. It was a good talk!

Give episode 74 a listen.

Let’s get right to it! Here are the episode 75 show notes…


NOTE: These are my show notes (Evan), but Brad is leading the show.

SHOW NOTES – Episode 75

Date: Monday, April 13th, 2020

Episode 75 Topics

  • Opening
  • Catching Up 
    • Easter Sunday
    • Another week at home.
    • What’s new?
  • Hope
    • Hope in our (information security) industry.
      • Signs we’ve seen during the pandemic.
      • Signs we hope to see post-pandemic.
    • How information security fits into the hope of economic recovery.
    • What’s FRSecure doing to instill hope?
    • What’s SecurityStudio doing to instill hope?
  • More About Zoom
    • What happened (without the BS)?
    • Is it safe to use Zoom or not?
  • Other Things
    • FRSecure CISSP Mentor Program (we started this 11+ years before the COVID-19 pandemic)
    • Safety and Cybersecurity at Home 101 Webinar Series (Videos here).
    • SecurityStudio Partner Community (Join here).
    • The Daily inSANITY Check-in (Join here).
  • Other News – Just one: Coronavirus-themed attacks April 05 – April 11, 2020
  • Wrapping Up – Shout outs

Opening

[Brad] Good morning everyone! This is the 75th episode of the UNSECURITY Podcast. The date is April 13th, 2020 and I’m Brad Nigh. Joining me is my co-host Evan Francen.

Good morning Evan.

[Evan] I’ll say good morning too, but the enthusiasm behind my words will depend on how early I got up today.

[Brad] We’re remote still, recording the show on Zoom. Yes, you heard that right. We’re on Zoom right now. We’ll talk more about this later on in the show.

First, as is customary for us. Let’s catch up a little.

Catching Up

[Brad] Yesterday was Easter Sunday. Did you have a good Easter, Evan?

[Evan] Maybe I did. Maybe I didn’t. Ooooh, the suspense!

Discussion between Evan and Brad

Hope

[Brad] Hope is a beautiful thing. Sometimes it’s all we have to hold on to. Let’s talk about the role that hope is playing these days, in our industry and in our companies.

Discussion about the following:

  • Hope in our (information security) industry.
    • Signs we’ve seen during the pandemic.
    • Signs we hope to see post-pandemic.
  • How information security fits into the hope of economic recovery.
  • What’s FRSecure doing to instill hope?
  • What’s SecurityStudio doing to instill hope?

More About Zoom

[Brad] The news and noise about Zoom and their information security issues didn’t slow much last week. Some of the issues are nothing more than FUD, but there are some legitimate concerns too. I think our listeners could really benefit from a continued discussion about this.

Discussion about Zoom issues.

[Brad] There are always two sides to the story. I can’t remember seeing a company go through such a roller coaster of ups and downs in such a short period of time.

Other Things

[Brad] Lots of other things happening around here, that’s for sure! The pandemic, the lockdown, working remotely, and everything else that comes along with those things has not stopped us for a second! We’re just as busy as always.

Discussion about other things.

  • FRSecure CISSP Mentor Program (we started this 11+ years before the COVID-19 pandemic)
  • Safety and Cybersecurity at Home 101 Webinar Series (Videos here).
  • SecurityStudio Partner Community (Join here).
  • The Daily inSANITY Check-in (Join here).

[Brad] Alright. Lots going on. We’ll see what this week brings!

News

[Brad] Just one news story this week. Let’s look at a recap of Coronavirus-themed attacks from this past week posted on Security Affairs.

Wrapping Up – Shout outs

[Brad] Alright, good show. Give someone hope and encouragement today and every day this week! Evan, who do you have a shout out for this week?

[Evan] Some people for sure…

[Brad] I’d like to give a shout out to ________.

Thank you for listening to episode 75. We love hearing from you, so if you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @BradNigh, and Evan’s @evanfrancen.

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 74 Show Notes – COVID-19 MN Response

If you’re reading this, I hope you and your loved ones are well! From what I read, we have another few tough weeks ahead of us in the U.S. before (maybe) we turn the corner a little. Keep up the good work by staying at home and/or maintaining your distance from others. Now is NOT the time to let up.

If you missed last week’s show notes or episode 73 of the UNSECURITY Podcast, we had a great time talking with our special guest, Oscar Minks. Oscar leads FRSecure’s Technical Services Team, and he shared some great insight into their current incident response activities.

Episode 74 Topics

Topics for this episode of the UNSECURITY Podcast include:

  • Opening
  • Special Guest – Jim Nash
  • Catching Up 
    • Another week at home.
    • What’s new?
  • COVID-19 Talk With Jim Nash
    • What’s going on in MN state government
    • What’s he hearing from other states
    • How he’s helping our community and tips for listeners
    • Opinion about impact on information security
  • Web Conferencing Craziness (mostly Zoom)
    • The Rise
    • The Bug
    • Zoombombing
    • Other Stuff
    • Overreaction
    • Benefactors
    • Logic and Reason
  • Work From Home – S2Me
    • NASCIO – COVID-19 Response Resources for State IT
    • Safety and Cybersecurity at Home 101 Webinar Series
    • Version Two
  • Other News
    • The Daily inSANITY Check-in
    • FRSecure CISSP Mentor Program
  • Wrapping Up – Shout outs

You can find the full show notes later in this post.

Thoughts

It’s good to get things off your chest from time to time, and it doesn’t matter if anyone else reads what you write. If you are reading this, I hope you get some value from it.

Good News

It’s been hard the last few weeks to find good news. Seems like everywhere I look, there’s bad news. Most of the time it’s related to Covid-19, but not always. The bad news can come from another breach, vulnerabilities in some application (this week it was Zoom), or any number of things.

If you want to find good news, you have to be intentional about it.

Here’s some good news sources/stories:

See? There are lots of good things happening around the world. Look for them and be encouraged.

Struggling

In the middle of all that’s going on, there are many people struggling. I may be OK and you might be OK too, but the number of people who aren’t OK has grown fast and continues to increase every day. People are losing their businesses, losing their jobs, and losing their minds.

For people who have lost their business, it may feel like you’ve lost your dream. You haven’t! The dream is still alive, it’s just deferred. It’s paused. You may have to start over, or maybe not. The point is to NOT give up. Starting over gives you a chance to do it better this time, using all that you’ve learned from the last time.

For people who have lost their jobs, you might be worried about bills or even where your next meal comes from. When you’re in the middle of the crap, it’s hard to see the other side. Missing payments can be stressful, but it’s not the end of the world. Do what you can to survive this (and you WILL survive this) and try to focus on what you will do or be on the other side. Plan now for what’s to come.

Personal Story

When we started FRSecure in 2008, the U.S. was in the middle of a recession. I thought we could power through it, and succeed despite the odds. I was wrong. We couldn’t find customers, and within a year, it became evident that we wouldn’t be able to pay our bills, including our house payment. I could have given up on the dream of my business and entered the job market again, or I could believe that things would get better. 11-12 years later and FRSecure is a very healthy company, employing more than 70 people and serving more than 1,000 customers. Foreclosure with a wife and five kids was very hard, but we didn’t give up.

Mental Health

For people who have or feel like they’ve lost their minds, please get help. Maintaining mental health during times of crisis can be extremely difficult. It’s OK to not be OK, but it’s not OK to let it rule you. There are many people who care about you and want you to let them help. This is the truth! The most common lie (I think) is believing that you’re not worthy and nobody cares. That’s the lie. Believe and follow the truth, here are some people who care (100%):

Remember, there is hope and there is help! This is the truth, and you have to believe it.

Social Media Stuff

It dawned on me that we have a lot going on, and we share a lot of it on social media. Here’s the list of social media accounts for us:

Those are some thoughts right now. Let’s get to the show notes!


SHOW NOTES – Episode 74

Date: Monday, April 6th, 2020

Show Topics:

  • Opening
  • Special Guest – Jim Nash
  • Catching Up 
    • Another week at home.
    • What’s new?
  • COVID-19 Talk With Jim Nash
    • What’s going on in MN state government
    • What’s he hearing from other states
    • How he’s helping our community and tips for listeners
    • Opinion about impact on information security
  • Web Conferencing Craziness (mostly Zoom)
    • The Rise
    • The Bug
    • Zoombombing
    • Other Stuff
    • Overreaction
    • Benefactors
    • Logic and Reason
  • Work From Home – S2Me
    • NASCIO – COVID-19 Response Resources for State IT
    • Safety and Cybersecurity at Home 101 Webinar Series
    • Version Two
  • Other News
    • The Daily inSANITY Check-in
    • FRSecure CISSP Mentor Program
  • Wrapping Up – Shout outs

Opening

[Evan] Good morning everyone! This is the 74th episode of the UNSECURITY Podcast. The date is April 6th, 2020 and I’m Evan Francen. Joining me is my co-host Brad Nigh along with our special guest Jim Nash.

Good morning Brad.

[Brad] He’ll say what he wants.

[Evan] Welcome to the show again Jim and good morning!

[Jim] He’ll also say what he wants.

[Evan] Jim, do you remember the last time you were on the show? How long ago was that?

[Jim] Still saying what he wants.

[Evan] It’s customary now that we start the show by catching up a bit with each other.

Catching Up

Discussion between Evan, Brad, and Jim.

[Evan] Alright! We invited Jim to be on the show again for a couple reasons. #1 – We like him and #2 – We want to get his perspectives on COVID-19. He’s certainly got some unique things to share.

COVID-19 Talk With Jim Nash

  • What’s going on in MN state government?
  • What’s he hearing from other states?
  • How he’s helping our community and tips for listeners?
    • Supporting the community and small business.
    • Where can we find his videos, pictures, and updates?
  • Opinion about impact on information security

[Evan] For those who don’t know, Jim is my state representative. He represents the district in which I live and I couldn’t be prouder of the way he represents me!

OK, last week, news about Zoom was all the rage it seemed. There’s plenty of fear, misinformation and confusion about the web conferencing solution. I think our listeners could benefit from some straight talk about the issues.

I put together a series of stories and organized them into subtopics. It’ll be cool to get you guys’ perspective.

Web Conferencing Craziness (mostly Zoom) Discussion

[Evan] Crazy. The plot is thick surrounding Zoom, isn’t it? The noise is loud and it’s hard to find the truth in all of it.

Let’s switch gears now and talk about something else that’s related. There is no shortage of articles and guidance for working from home. We built a simple assessment in the beginning of 2019, before all the hype surrounding the pandemic. The simple assessment is known as S2Me, and its importance is higher than it’s ever been.

Work From Home – S2Me

Discussion about S2Me, including:

[Evan] There you go. S2Me is free and always will be free. Either of you guys feel comfortable sharing your personal S2Score?

Other News

[Evan] We had so many things to talk about this week. We’re going to skip other news stories again. Two quick things to tell you about though, before we go.

  • The Daily inSANITY Check-in
    • Still going strong.
    • Everyone is invited all the time!
  • FRSecure CISSP Mentor Program

Wrapping Up – Shout outs

[Evan] Well, that’s it for this week. Plenty going on and lots to do. Either of you guys have any shout outs?

Thank you for listening. We’re a couple of guys who really care about you. We’re hoping you all stay healthy and sane! We love hearing from you, so if you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @evanfrancen, and this other guy is @BradNigh. Jim, you’re all over the place. Want to share some places where people can interact with you online?

Jim, thank you for coming on and sharing with us today!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 73 Show Notes – COVID-19 IR

Hope you and your loved ones are well! We can’t understate the importance of physical, mental, and spiritual health, especially in times like these.

If you missed last week’s show notes or episode 72 of the UNSECURITY Podcast, there’s some pretty good stuff there.

Episode 73 Topics

Topics for episode 73 of the UNSECURITY Podcast include:

  • Opening
  • Catching Up 
    • The first full week with a closed office.
    • Staying sane and healthy at home.
  • COVID-19 Effects on Information Security (some of them)
    • Introducing our special guest, FRSecure’s Director of Technical Solutions and Services
    • Incident Response During COVID-19
      • Current Events/Incidents
      • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
    • COVID-19 Scams and Attacks
      • What have we seen?
      • What are we planning for?
    • Physical Security Considerations
  • The Daily inSANITY Check-in
  • FRSecure CISSP Mentor Program Update
  • Wrapping Up – Shout outs

You can find the full show notes near the bottom of this post. Before getting there, I need to get some thoughts out.

Thoughts

It’s been 13 days since FRSecure and SecurityStudio closed their offices. All of us are still around and working, but it’s crazy how much life has changed. Personally, I’m still struggling to make sense of things and I’m mulling over COVID-19 data almost obsessively. The COVID-19 scoreboards plastered everywhere don’t help. On one hand, I like being informed. On the other, I’m tired of tracking the number of infections and deaths.

As I write this, there are 140,164 infections in the United States and 2,476 deaths. What does this mean in the context of everything else? How do I make sense of these numbers? Here’s one attempt:

What does a “normal” 30 days look like in the U.S. for deaths/mortality? According to the CDC, there were nearly 3,000,000 deaths in the U.S. in 2018 (the latest data available). Using this data, here are the number of people who died within an average 30 day window:

  • 53,867 from heart disease (the top killer in the U.S. with 655,381 deaths)
  • 49,255 from cancer (#2 – 599,274 deaths)
  • 13,736 from accidents/unintentional injuries (#3 – 167,127 deaths)
  • 10,029 from Alzheimer’s Disease (#6 – 122,019 deaths)
  • 3,973 from suicide (#10 – 48,344 deaths)

Compare these numbers to where we’re at now with COVID-19. I’m NOT at all minimizing the impact of COVID-19. I’m trying to make sense. I know the number of infected people and deaths will rise significantly over the coming weeks/months, and sadly, we’re in for more terrible news. I’m trying to understand what the numbers mean in the context of other things that aren’t as foreign to me.

A single sick person and/or a single death is sad enough, let alone thousands.

OK. Got that off my chest. Lots and lots of great things going on at FRSecure and SecurityStudio. The best place to keep up with them right now is probably on social media:

Let’s get to the show notes now!


SHOW NOTES – Episode 73

Date: Monday, March 30th, 2020

Show Topics:

  • Opening
  • Catching Up 
    • The first full week with a closed office.
    • Staying sane and healthy at home.
  • COVID-19 Effects on Information Security (some of them)
    • Introducing our special guest, FRSecure’s Director of Technical Solutions and Services
    • Incident Response During COVID-19
      • Current Events/Incidents
      • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
    • COVID-19 Scams and Attacks
      • What have we seen?
      • What are we planning for?
    • Physical Security Considerations
  • The Daily inSANITY Check-in
  • FRSecure CISSP Mentor Program Update
  • Wrapping Up – Shout outs

Opening

NOTE: The show notes were written by me (Evan), but Brad’s leading this episode.

[Brad] Hello listeners, this is another episode of the UNSECURITY Podcast. My name is Brad Nigh, this is episode 73, and the date is March 30th, 2020. Joining me is my co-host Evan Francen. Good morning Evan.

[Evan] Good morning Brad!

[Brad] Also joining us for the show is our special guest and FRSecure’s Director of Technical Solutions and Services, Oscar Minks. Good morning Oscar!

[Oscar] Says good morning or something with his cool southern accent.

[Brad] We’ve got lots to talk about! As is our custom, let’s get started by catching up quick.

Catching Up

Topics here include how we’re coping with COVID-19, the first full week with a closed office, and staying sane (and healthy) at home. Brad found a really good video online; Covid-19 Protecting Your Family, Dr. Dave Price

[Brad] Here’s a can of worms (maybe). Let’s talk about some of the effects that COVID-19 has on what we do. Some of the effects on information security, starting with incident response and physical security. We already mentioned that we’ve got our special guest Oscar Minks here. He’s got some good insights to share, and this should be a good discussion.

Discussion – COVID-19 Effects on Information Security (some of them)

  • Introducing our special guest (again), FRSecure’s Director of Technical Solutions and Services
  • Incident Response During COVID-19
    • Current Events/Incidents
    • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
  • COVID-19 Scams and Attacks
    • What have we seen?
    • What are we planning for?
  • Physical Security Considerations

[Brad] Sadly, the frequency of scams and attacks only increases during times of distress. It’s important that we keep our eye on the ball and not compound our problems with an information security lapse.

OK, switching gears now. Some people are struggling right now. Struggling with making sense of things, struggling with employment, struggling with anxiety, or struggling with any number of things. We started this thing called the Daily inSANITY Check-in last week. Evan, tell the listeners about this thing.

Daily inSANITY Check-in Discussion

The purpose of the Daily inSANITY Check-in is to provide a safe place for people to discuss current events, information security things, challenges we’re facing, or whatever else comes to mind. The check-ins are short (30- to 60-minute) daily meetings with discussion. People are always free to come and go as they please.

[Brad] The Daily inSANITY Check-in is just one place to get support out of many within our community. The point is to find help when you need it and to help people where you can. It’s cool to see so many people rally and help.

FRSecure CISSP Mentor Program Update

[Brad] Real quick, we made an announcement last week about the FRSecure CISSP Mentor Program. We’re happy to say that we are still going through with this year’s class! The only change is that we have cancelled the in-person portion of the program. As of last Monday, the 23rd, we have 1,007 registered students! That’s crazy! Oh, and I should mention, if you haven’t registered yet, registration is still open.

Wrapping Up

[Brad] No news this week because we had so many other things to talk about. Two last things to mention:

  • Our pal Ryan Cloutier, aka “Cola” just wrapped up the second episode of his K12 Cybersecurity Podcast. It’s a great podcast and you should give it a listen!
  • A shout out to one of our regular listeners, Olga Hoogendoorn – Startseva. Evan promised to give her a shout out because she’s pretty awesome!

Well, that’s it for this week. Plenty going on and lots to do.

Thank you for listening. We’re a couple of guys who really care about you. We’re hoping you all stay healthy and sane! We love hearing from you, so if you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @BradNigh, and this other guy is @evanfrancen. Also, don’t forget to check out @studiosecurity and @FRSecure. They post some good things! Let us know how we can help you!

That’s it. Talk to you all again next week!