#S2Roadshow Recap – Week One

Central Pennsylvania

We’re happy to report that the information security community in Central Pennsylvania is alive and well!

Partners

One goal of the SecurityStudio Roadshow is to get out and meet new partners. We want to meet them, understand their businesses, and help them grow their information security consulting practices using simple, fundamental, and compliant solutions (S2Score, S2Org, S2Vendor, and S2Team/S2Me).

We met some amazing people and companies this week. We’re expecting as many as four new partners from Central Pennsylvania coming from this leg of the roadshow! Stay tuned for the announcements coming soon!

Keep up with our progress on Twitter, using the #S2Roadshow hashtag. We’re entertaining dammit!

BSides Harrisburg

In addition to meeting new potential SecurityStudio partners, John (Harmon) and I attended the inaugural BSides Harrisburg Conference on Wednesday (10/2). The event was held at the Harrisburg University of Science and Technology downtown, and the organizers did a great job!

SPECIAL SHOUTOUT to Julie Goolsby. Julie is the Director of Professional Development Programs at Harrisburg University of Science and Technology, and she was instrumental in coordinating everything for the event. She is patient, responsive, and incredibly effective.

I’m sure there were others who helped Julie, but we coordinated with her the most.

There were ~300 – 400 people at the conference (my guess), and maybe a dozen vendors. I didn’t speak until 10am, so John and I took in the Opening Remarks and the Keynote. The Keynote was presented by Ken Bechtel, a very well-respected Malware/Threat Researcher with more than 30 years under his belt. I shuddered when he mentioned boot sector viruses of the 90s. I started my (paid) career cleaning boot sector viruses from Windows 3.1 machines.

Ken has been around for a long time and he’s got a boatload of wisdom to share. Crazy how much he’s seen and how many malware packages he’s reversed. Most people haven’t heard of Ken because he’s one of those behind the scenes kind of guys. Sort of like me. He and I are both most comfortable in a dark room behind a keyboard somewhere. After his talk, we spent 30 minutes or so sharing stories and laughs.

NOTE: Ken informed me that he’s in the market for more/new work. Get in touch with him if you’d like to inquire. Here’s his LinkedIn Profile.

My Talk

This was one of those talks where I didn’t choose the title, but one of our marketing folks did. The title was “WANTED – People Committed to Solving our Information Security Language Problem”. Alright, let’s do it!

Finished my slides in a small coffee shop in Columbia, PA. SHOUTOUT to Café 301 in Columbia, a great little coffee shop in downtown. Good coffee and a great place to finish presentation slides.

My talk was in the event auditorium. There’s this slight fear of giving a talk in a large room (or in this case auditorium) and having a small audience. Thankfully, attendance was good, and it looked like the place was almost full. Phew! The talk was also livestreamed I hear.

SIDE NOTE: The very first talk I gave after starting FRSecure in 2008(ish) was at a conference in Bloomington, MN. This was my first ever talk, so I prepped thoroughly. I was early to the venue. I got to my room early. I got setup early. I was raring to go! One problem. Nobody came. Zero attendance. A good dose of humble pie, but ever since that day, I’ve said to myself, “as long as there’s more than zero, it’s a good day for a talk”.

I think the talk went well. There were awesome questions, and there were a dozen or so people who came up to talk with me afterwards. If you’re interested, a copy of my presentation can be downloaded here. If you want to watch the video, BSides live-streamed it, and you can also see it here.

Back to the Conference

We spent the remainder of the conference roaming the floor, striking up conversations, and attending other people’s talks. There were two talks that I particularly enjoyed, so more SHOUTOUTS:

  • Rae Baker’s Open Source Intelligence 101: Finding Information on Anyone was a great introduction to OSINT. Really enjoyable presentation, and she nailed it!
  • Brandon Keath’s Hacking Yourself First, Penetration Testing for the Blue Teams: Part 2 was great. I had to miss Part 1 because I was in Rae’s talk. Brandon knows what he’s talking about and I really liked his dry humor. Good stuff.

We wrapped up the day with a few more introductions to potential partners, then headed off for BBQ (reviews below) and hotel work.

BSides Harrisburg was a GREAT CONFERENCE.

Cybersecurity Awareness Summit

Thursday’s agenda included attendance at the Cybersecurity Awareness Summit. This summit was also held at Harrisburg University of Science and Technology. The theme for this conference was “Caring and Sharing to Safeguard Our Citizens. Cross-collaboration Among Government & Education Makes Pennsylvania Safer & More Secure.”

I sat through the following:

  • Welcome – Eric Darr, PhD, President, Harrisburg University
  • Opening Remarks – John MacMillan, Deputy Secretary for Information Technology and Chief Information Officer, Commonwealth of PA
  • Security Challenges Confronting Government and Schools and Benefits to Collaboration & NASCIO’s Cybersecurity State of the States Report – Erik Avakian, CISSP, CRISC, CISA, CISM, CGCIO, ITILv3, Chief Information Security Officer, Commonwealth of Pennsylvania, and Srini Subramanian, Risk and Financial Advisory Lead, Deloitte
  • CISA: Cybersecurity Resources for State and Local Governments – Benjamin Gilbert, Cybersecurity Advisor, Cybersecurity and Infrastructure Security Agency

I will be PC in my feedback, although I don’t really want to. Mr. MacMillan is a very sharp dresser. Mr. Avakian has a nearly impossible job and needs more help. If Mr. Subramanian would have said “cyber” one more time, my head would have exploded. Mr. Gilbert was a good guy who used a helluva lot of acronyms.

I have a ton of respect for state CISOs. They do very hard work in a (sometimes) very hostile environment with less support.

RANT: Somehow, we’ve gone from using the words information security to cybersecurity to just “cyber”. Information security is NOT “cyber”. I get it, “cyber” sounds a lot cooler. Maybe using “cyber” helps you sell more $*!%. Certainly, the hipsters are impressed by the word. The truth is, using “cyber” as a reference to information security is NOT helping. Words matter. Use a dictionary.

I’m a stickler for this because I’ve been part of this army, and we’ve fought very hard to make information security a business issue, NOT just an IT issue.

OK, off the soap box now.

Benjamin Gilbert did a great job showing us all that CISA has to offer. They are trying to do everything for everyone though. This will get very expensive (to taxpayers) and will be less than optimal (wait lists, skill shortages, etc.). CISA provides a lot of value, but it would be nicer to see them do one or two things really well versus doing a whole bunch of things sort of half-assed.

This conference was very well attended and overall it was great. Seriously, it was.

BBQ Reviews

A roadshow isn’t a roadshow without a healthy dose of BBQ, or lots of doses of BBQ. John and I promise to eat at all the best BBQ places we can find during our travels and provide you with the lowdown. It’s the toughest part of our job, but you can count on us. We’re in it to win it!

We rate each BBQ joint we try on four characteristics, each on a scale of 1 (sucks) – 10 (best): Atmosphere, Service, Portions/Value, and Taste. The overall rating is the average of the four.

Sweet Lucy’s Smokehouse – Overall: 6.75

  • Atmosphere – 9
  • Service – 6
  • Portion/Value – 6
  • Taste – 6

Our first stop after landing in Philadelphia was Sweet Lucy’s Smokehouse. The BBQ was good, but not great. The best thing about the place was the really cool atmosphere.

Mission BBQ – Overall: 8

  • Atmosphere – 7
  • Service – 10
  • Portion/Value – 7
  • Taste – 8

We ate at Mission BBQ in Harrisburg in the evening of the first day. I wasn’t that excited for it because I knew it was part of a chain, but it was the closest BBQ joint to where we were staying. The staff was AMAZING. I can’t remember ever getting better service than we did at this place.

The cashier asked us if this was our first time at Mission BBQ. We said it was, then she proceeded to tell us all about the menu and how they make their BBQ.

Once our order was ready, the lady behind the counter asked us if it was our first time at Mission BBQ. We said it was, then she proceeded to tell us all about the sauces and how to help ourselves.

After we sat down to eat, another lady came by our table three or four times to make sure we had everything we needed. She cleared our table for us too (even though this was a self-service joint).

The service was exceptional, so I rate it a 10. The food was good too, the best being the jalapeno cheddar sausage.

Redd’s BBQ – Overall: 7.25

  • Atmosphere – 8
  • Service – 5
  • Portion/Value – 9
  • Taste – 7

After almost 24 hours without BBQ, we made the drive from Harrisburg to Carlisle on Wednesday night. We enjoyed some good (again, not great) BBQ at Redd’s BBQ. The atmosphere was pretty good and the portions were large. Service was so-so; the waitresses spent more time chatting with each other than they did helping their customers. Overall, this was good BBQ and it was worth the drive.

Shakedown BBQ – Overall: N/A

  • Atmosphere – N/A
  • Service – N/A
  • Portion/Value – N/A
  • Taste – N/A

The disappointment of our BBQ adventure came when we made the drive out to Grantville only to find the Shakedown BBQ was closed. This was one place that came most recommended from the people we talked to at BSides. Before making the drive, we confirmed that the place would be open, both online and through a friend of the owner. They were supposed to open at 11am on Thursday, and we got there at 11:15. A paper plate was hung on the front door saying they were closed. Ugh.

Divine Swine – Overall: 8.5 – #S2Roadshow Week 1 Champ

  • Atmosphere – 7
  • Service – 8
  • Portion/Value – 10
  • Taste – 9

After the Shakedown BBQ disappointment, we swung over to Manheim, where we found Divine Swine. This place takes the crown as the #S2Roadshow Week 1 BBQ Champ. The best tasting BBQ we had on the trip and huge portions. If you’re in the area, you have to visit this place!

Maybe we’re BBQ snobs, maybe not. One thing is certain, we enjoyed all of the BBQ we ate, and we’re pumped for next week’s adventures.

Next Week’s #S2Roadshow

I’ll be heading to Orange County, California. I’m speaking to the fine folks at the Orange County Chapter of ISACA on Tuesday. I’ve got a bunch of great meetings on Wednesday and Thursday with some potential partners and other security folks. If you’re in the area, let’s hook up. We can talk security and grab some BBQ. If you’ve got some BBQ recommendations, let me have ‘em!

John will be in Madison, Wisconsin speaking at an event hosted by Applied Tech. He’s going to be joined by Steve Krause, SecurityStudio’s Partner Manager. If you’re in that area, go hang out with John. I think he’s funner than I am.

Stay tuned for next week’s #S2Roadshow update! You can follow us on Twitter (@evanfrancen, @HarmonJohn, @StudioSecurity, and the #S2Roadshow hashtag) and on LinkedIn.

The SecurityStudio Roadshow

Introduction

OK, we’re doing this roadshow. Publicly, we call it the SecurityStudio Roadshow. Internally, we call it “Project Bacon”. Who doesn’t like bacon?

This is a short article to tell you about the SecurityStudio Roadshow and what we’re trying to accomplish with it. The first phase of the #S2Roadshow kicks off at the BSides Harrisburg (PA) Conference on October 2nd and ends with the RSA Conference in February, 2020.

Purpose

We’re on a mission. Our mission is to fix the broken information security industry. Say what?! Yeah, we know. It’s a big mission. Two things come to mind right away:

  1. Where do we start?
  2. How do we start?

We need to start where we’ll have the greatest positive impact on our industry and we need to start with people who are closest to the problem.

Where do we start

We start with information security fundamentals. If you hired me as your CISO, the very first thing I would do is an information security risk assessment. The fact that maybe ~90% of organizations in the United States fail to do this fundamental exercise reinforces the notion that this is where we’ll start.

SecurityStudio developed the S2Org information security risk assessment, and it’s already been used by more than 1,500 companies. We’ll start with the S2Org assessment and we’ll offer it for free.

The S2Org is SIMPLE, FUNDAMENTAL, and COMPLIANT. More about this later.

How do we start

We start by making friends. We’ll get on the road and we’ll meet them where they are. The #S2Roadshow! We’ll travel the country recruiting people for our cause. We’re recruiting partners and end users. Partners use our tools to attract new customers and help their existing ones. End users can use our tools for free to address their fundamental information security needs.

Keep Up

We invite you to join us on the road, either in person or online. If you’ll be at one of the various events we’ll be at, come say “hi”! Tell us how we can help you and/or join us. For those of you who can’t be where we are, follow us on my personal blog, on Twitter, and/or LinkedIn.

It’s going to be one helluva ride, and we’re excited to share it with you! We’ll meet a bunch of cool people, establish some great new relationships, and make a lot of progress on the mission!

I’ll post daily updates here. This will sort of be my #S2Roadshow journal.

Want to know more about SecurityStudio? Check us out online: https://securitystudio.com. Get your S2Score, become a partner, or help us with our mission!

Oh yeah, one more thing. We’ll be hunting down the best BBQ joints while we’re on the road. We’ll eat and we’ll review. It’s hard to be a security guy on the road.

The UNSECURITY Podcast – Episode 47 Show Notes

Here we go. The show notes for episode 47 of the UNSECURITY Podcast.

I’m writing these during the Vikings/Bears game on Sunday. Skol Vikings! Yeah, whatever, I’m late, but I’ve got excuses. I’m late because things are sort of crazy at home right now. I’ll try to explain:

  • I was in Bulgaria for a week (several weeks ago). My sleep was thrown off a little because Bulgaria is 8 hours ahead of us.
  • My wife was in China for 10 days. This means that I was left to my own devices (not usually a good idea), and I had no backup for my 14 year-old daughter’s manipulation. Seemed like there were more kids at my house than normal. I don’t know. The house is still standing, so that’s a win.
  • In the middle of this, I decided to quit smoking on Wednesday. After 30 years of 1-1/2 packs a day, I’m done. This is day four, and the withdrawals are a challenge (my PC word for it).
  • My wife got back last night, and now her sleep is all wonky. She was 13 hours ahead.

So, let’s give this thing a go, shall we?

Last week was a blur, but I think we did some really good things! Brad spent the latter part of the week offsite with FRSecure’s Senior Management Team (SMT), doing some strategic planning. I spent most of my time working on some timely SecurityStudio stuff:

  • Next week’s launch of S2Org.
  • SecurityStudio Partner Jumpstart
  • Roadshow preparation, hard to believe that we (me and John Harmon) hit the road next week already.

Do you know what we’re doing on the #S2Roadshow? Did you know that we’re using the “#S2Roadshow” hashtag? Do you know what S2Org is? Don’t worry if you don’t, we know we’ve got a lot of preaching to do!

Friday was highlighted by a great meeting with Minnetonka School District representatives (Mike Dronen, Executive Director of Technology and Dave Eisenmann, Director of Instructional Technology), Ryan Cloutier (repeat podcast guest and Chairperson of the Consortium of School Networking Cyber Security Advisory Panel), and Ivan Peev (SecurityStudio’s VP of Product Development). We discussed how we can work together to create a free S2Teen product for students and parents. There will be some great things coming out of this (eventually).

If you missed episode 46 of the UNSECURITY Podcast, here it is.

OK. Show notes…


SHOW NOTES – Episode 47

Date: Monday, September 30th, 2019

Show Topics:

Our topics this week:

  • Fundamentals
  • Roadshow
  • Parents and Kids

[Evan] – Let’s do this. I’m Evan Francen, it’s Monday, September 30th, and this is episode 47 of the UNSECURITY Podcast. My guy Brad Nigh is here with me. Hey Brad!

[Brad] You know Brad. He’ll say something because he’s nice like that.

[Evan] I know you were offsite with the FRSecure Senior Management Team (or SMT) the last half of the week. I love how you guys set an example by working hard and playing hard. How was it?

[Brad] Cool things.

[Evan] So, late last week, I had this meeting. It was the first time I’d met this guy who runs the information security program for a VERY important organization. I can’t share the name because I don’t like to out people like that. Anyway, he has many years of information security experience and seemed like he had all the right things to say. As the discussion progressed, I could sort of sense that he and I didn’t see security the same way exactly.

He knew all the acronyms and threw them around like candy at a parade. He’s also very well connected and dropped a lot of names. We knew some of the same people, but this was the first time he and I had met each other. He went on to say how they’ve built a good foundation for their security program, and now they want to take things to the next level.

One thing that became obvious is we don’t think about the foundation or fundamentals the same way. Let’s talk about this.

[Brad] He’ll agree because he likes to talk about these things.

Fundamentals Discussion

Things to discuss:

  1. What is information security?
  2. What is risk?
  3. If I hire you to “do” information security for me, what is the first thing you would do?
  4. What percentage of SMBs…?
  5. Discuss last week’s discussion

[Evan] The basics man. How many breaches do we see where it’s just the missing basics? 

[Brad] Something…

[Evan] Complexity is the enemy. We’ve all heard it before. Really, this is what the SecurityStudio Roadshow is about.

Roadshow Discussion

  • Was called “Project Bacon”.
  • Mike Dronen brought me some bacon!
  • This week is Harrisburg, PA BSides
  • Hashtag #S2Roadshow

[Evan] Quickly, let’s talk parents, kids, security, privacy, and safety. Maybe we can devote a whole show to this in the future. Maybe we can get a guest to join us.

Parents and Kids Discussion

[Evan] Alright. That’s a lot to take in. Good discussion Brad. We could take any one of these topics and make it an entire show.

News

Here’s our news for this week:

Closing

[Evan] There you have it. I’ll be checking in regularly from the road. We have a mission dammit! Stay tuned. Hope you’ll follow along.

Thank you to our loyal listeners! Shout out to Kevin! Thank you for your tips and feedback. We’re working on it. For the rest of you, send us your feedback by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 46 Show Notes

Here we go, we’re on week 46 (already)!

Hard to believe how far we’ve come over the past 45 weeks. Our first podcast was recorded over a Zoom Web conference on a Sunday afternoon. Brad was at home and so was I. We kept up the Sunday routine for a while, at least until our wives requested their Sunday afternoons back. Thank God, because the quality of those early podcasts sucked, and we needed to up our game.

Anyway, there’s a story here. Maybe a story for another day.

This has been another incredible week.

The week started with a Sunday evening trip to Washington D.C. for a Monday afternoon meeting.

The highlight on Tuesday was participation in the 2019 Minnesota IT Symposium at the Mall of America. I had the privilege to participate on a panel with two really awesome information security leaders; Judy Hatchett (VP, Information Security & CISO at Fairview Health Services) and David Young (CISO at Medica). The panel was moderated by my good friend (and SecurityStudio board member) Nick Hernandez. It was an amazing discussion, and it was an honor to share the stage with these guys.

Wednesday was an office day, trying to catch up. It doesn’t seem healthy to process so many emails in such a short period of time.

Thursday was arguably the highlight of the week. FRSecure held their 4th Hacks & Hops event. More than 200 friends and partners gathered at U.S. Bank Stadium to talk about security incident response. After the keynote, I was joined by some incredible information security peers; Jadee Hanson (CISO and VP of Information Systems at Code 42), Bill Boeck (Senior VP, Insurance and Claims Counsel at Lockton Companies), and our very own Oscar Minks (FRSecure’s Director of Technical Solutions and Services).

We discussed the importance of incident response planning, cyber insurance, shared some personal stories, and fielded some great questions from the audience.

One of our attendees summed it up well in his LinkedIn post after the event.

There is an incredible amount of work that goes into arranging an event like this. FRSecure’s Jess Kooiman led the charge, with a significant amount of help from Brandon Matis, Andy Forsberg, Christy Kleve, Renay Rutter, and McKenzie Adams.

Friday wrapped with some good SecurityStudio meetings, including one with Tyler Olson (Founder and CEO of SHYLD Academy). He’s got a good thing going there!

Great week and tons going on. I hope you had a great week too. If you’d like to share your week, get in touch with me or Brad. You can find us at unsecurity@protonmail.com. We’d love to hear your successes and/or help if we can.

If you missed episode 44 of the UNSECURITY Podcast, here it is.

OK. Show notes…


Just a quick note. Brad’s super busy, so these are his show notes written by me (Evan).

SHOW NOTES – Episode 46

Date: Monday, September 23rd, 2019

Show Topics:

Our topics this week:

  • Hacks & Hops Recap
  • Upcoming Speaking Engagements
    • Our upcoming talks
    • The SecurityStudio Roadshow
  • Mental Health
  • Industry News

[Brad] – Hi there, welcome to episode 46 of UNSECURITY Podcast. I’m Brad Nigh and joining me in studio is Evan. This is two weeks in a row where we’ve been together in studio. Want to say “hi” Evan?

[Evan] We record the show at 6:45am on Mondays. Who knows what sort of mood I’ll be in.

[Brad] Sheesh, we have another jam-packed show this week. I need to stop Evan from writing the show notes!

[Evan] Yeah, probably.

[Brad] Another crazy, but great week around here. One of the highlights from this past week was our Hacks and Hops event. Let’s talk about it and share some thoughts, especially for the listeners who couldn’t make their way to U.S. Bank Stadium on Thursday.

Hacks & Hops Recap and Discussion

[Brad] It was a great event! I didn’t mind helping you out with the joke you couldn’t remember either. You’re welcome.

[Evan] I was stuck. Why are jokes so hard for me to remember?

[Brad] You and I have a bunch of talks coming up, and you’ve got the Project Bacon roadshow too. We’re going to be all over the place.

[Evan] We do. It’s exciting to spread the word, and we hope that we’re helping people along the way.

Upcoming Speaking Engagements Discussion

[Brad] This will be good. One of the things that you mentioned at the beginning of your Hacks & Hops keynote was the mental health. This is a topic that isn’t discussed as much as it should be.

[Evan] Yeah, we need to shine a brighter light on this.

[Brad] You wore a Mental Health Hackers t-shirt and gave some statistics. Let’s talk about Mental Health Hackers, the statistics you shared, and how this hits home for us here at FRSecure.

Mental Health Discussion

We could spend an entire series talking about the importance of mental health in our information security industry, but for now we’ll keep it fairly short.

[Brad] Talking about mental health openly is important. We are all in this together, and we all need to take a more active role in supporting each other.

[Brad] OK, as is the custom, we close this thing out with some news. Here’s the industry newsy things to discuss briefly this week.

News

Here’s our news for this week:

Closing

[Brad] There you have it. We talked about a lot!

Always grateful for our loyal listeners. We love your feedback and appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 45 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes. Hope you all had a great week!

For last week’s show, Brad was in studio while I was calling in from Sofia, Bulgaria. Brad was joined by Ryan Cloutier, an awesome return guest. As far as I could tell, it was another great show. I had some connectivity issues, but who doesn’t have connectivity issues in Bulgaria? Brad did a great job holding things together while we chatted about issues such as liability and speaking information security with “humans”.

Catch episode 44 here.

I was in Bulgaria to visit members of our SecurityStudio development team, check out the new office, and spend some time planning future releases of the software. Bulgaria is eight hours ahead, so timing with U.S. resources was interesting.

The trip was very successful and we made significant progress on a number of fronts. While I was halfway around the world, Brad held down the fort. He’s a really good leader and I’m sure he has a bunch of things going on. I didn’t get to check in with him last week, so we’ll ask how he’s doing on the podcast.

Lots of other really cool stuff to share, but I’ll do that in another post or on the show.

Let’s do some show notes now.


SHOW NOTES – Episode 45

Date: Monday, September 16th, 2019

Show Topics:

Our topics this week:

  • Catching Up
    • More Mentor Program success
    • Civic duty example
  • vCISO Revisited
  • Book Announcement

[Evan] – Hi folks, welcome to the UNSECURITY Podcast. This is episode 45 and I’m your host, Evan Francen. Brad’s joining me as usual. Hi Brad!

[Brad] Brad politely says hello to me and by proxy all of our listeners. Good Brad.

[Evan] Man, this is two shows in a row where I’m out of studio. Today I’m stuck in Washington, D.C. for a meeting. Only one day, so that’s good. What’s up with you?

[Brad] Stuff and things.

[Evan] We haven’t recorded together in person the last couple of weeks, and I haven’t even been able to catch up with you. You cool if we catchup quick?

[Brad] Brad will probably say “yes”.

[Evan] Alright, let’s start with your week. Tell us what you’ve been up to.

Catching up

  • What Brad’s up to.
  • What I’m up to.
  • We have more Mentor Program success to talk about
  • One of our listeners is setting a great example for all of us in holding his local government accountable for security.

[Evan] Alright, lots of good things. We’re all in this together and there’s a job and place for everyone.

[Brad] Brad’s words of wisdom.

[Evan] We’re always grateful for feedback that we get from listeners. If you’ve got some, email us at unsecurity@protonmail.com. One of the more popular topics in the past few months has been that of the virtual Chief Information Security Officer (or vCISO). We’ve received some great questions about how to become a vCISO. A couple of episodes ago, we talked about what a good vCISO is, but we didn’t really talk about how to become one. Let’s do that.

How to become a vCISO discussion

  • If you’re new (less experience).
  • If you’re experienced (even existing CISOs)
  • What are the benefits to being a vCISO versus being a FTE CISO?

[Evan] Alright. Good perspective and good discussion. Thank you Brad.

[Brad] Brad’s gotta say something or we’ll have an uncomfortable silence here.

[Evan] OK, last topic before we get into some news. I want to announce something that I’m VERY excited about. You and I are going to write a book, right?

[Brad] Brad confirms. See if you can notice any change in the tone of his voice when he responds.

New book announcement and discussion

There’s a tie in here with vCISO too.

[Evan] I’m pumped about writing with you Brad. What better time than 4th quarter to get started?

[Brad] He’s lived through multiple 4th quarters, so he’ll laugh/cry.

[Evan] Let’s close this thing out with some news, eh?

News

Here’s our news for this week:

Closing

[Evan] There you have it. Thank you for another great show Brad!

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 44 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes!

Last week, Brad and I were back in studio together to record episode 43. It was a good show, where we covered some relevant topics such as (more fricken) incident response, vCISO questions, and how we (the good guys) can’t possibly do all the things that they (the bad guys) do.

Quick words about vCISO

  • It’s the future of information security leadership.
  • There are good vCISOs and less good (maybe bad) vCISOs, you need to learn the differences.
  • We got some great feedback this week from people who aspire to be a vCISO, which was really cool!

Quick words about good guys and bad guys

  • There’s a gap between what we can do and what they can do.
  • We have rules, they don’t.
  • We have ideas about how to close some of the obvious gaps (didn’t cover in the episode 43, but we’ll cover this somewhere in the future).

If you missed episode 43, you can always go back and nab it here.

Hoping you all had a great week. It was a short week, but if you’re like me, it only meant that we crammed more stuff into less time.

Most of my time this week was spent working with SecurityStudio partners find success in serving their clients. This is a blast because we create situations where everyone wins, and we do it together.

This week I started exploring the possibility of helping an incredible organization combat sex trafficking in the United States. The organization is SHAREtogether, and they’re doing amazing work. The organization is run by Jaco Booyens, the director of the movie 8 Days. If you get a chance, check them out and watch the movie (it’s been watched more than 2,000,000 times). If you feel more inclined, do more to help. Right now, my involvement is more exploratory, but I’m sure there will be more to this story before it’s all said and done.

Anyway, on to the show! Brad is leading the show this week, and he’ll have another returning


SHOW NOTES – Episode 44

Date: Monday, September 9th, 2019

Show Topics:

Our topics this week:

  • The security expert’s take on liability.
  • Speaking information security for “humans”.
    • What’s the problem?
    • Ideas for solving the problem(s).
    • Consequences of the failure to solve the problem.
  • Industry News

[Brad] – Brad can choose any opening he’d like. This is his show to lead. The standard one sort of goes like this…

Welcome to the UNSECURITY Podcast, episode 44. Joining me is my co-host, Evan Francen. Say hi Evan.

[Evan] I’ll say something here. Probably. Maybe I’ll stay silent to throw Brad off, but now that it’s in the show notes, I think I let the cat out of the bag. Whatever.

[Brad] Also joining us today is a repeat guest. Ryan Cloutier is here in person. Ryan is an amazing information security expert with a noble mission. He was also on with us back in episode 27, back in May. Welcome Ryan.

[Ryan] Ryan’s a guy with something to say, so he’ll say something here.

[Brad] This week, Evan’s in Bulgaria. What’s going on over there, Evan?

[Evan] Stuff.

[Brad] It’s sort of funny. We’re beginning to think you don’t like Ryan all that much because last time he was on, you were in California. You got something against Ryan or what?

[Evan] Maybe.

[Brad] We brought Ryan on the show again because we love his perspectives on helping “normal” people, or as he likes to call them, “humans”, secure themselves better. Great mission, but before we cover that, let’s talk about some common questions we get about liability. Now, we’re not lawyers, so don’t think this is official legal advice, but we do work with lawyers pretty often when we investigate breaches.

Discussion about liability, from a security person’s perspective

[Brad] So, the key is to do the things that a “reasonable” person would do in your same circumstance. This leads to a whole bunch of questions that you should be asking yourself.

Now let’s switch gears a little bit. Ryan, you’ve got this deep desire to help “humans” secure themselves better, and this passion is shared with us here at FRSecure. You recently posted an open letter to the security community on Evan’s blog and you regularly speak to crowds all over the United States. Let’s talk about all this for a bit.

Discussion about Ryan’s mission and speaking “human”

  • What are some of the problems we’re facing when speaking “human”?
  • What ideas do we have for solving the problem(s)?
  • What are some of the consequences of the failure to solve the problem?

[Brad] There’s so much we can do together, as a community, to do this better. Great discussion. What’s our one call to action?

[Brad] OK, on to this week’s security news.

News

Here’s our news for this week:

Closing

[Brad] Alright. Another great show. Thank you for joining me Ryan.

Evan, have a good time in Bulgaria. Bring me home a gift or something.

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 43 Show Notes

Crap. I had a good streak going for a bit. I was getting show notes published on Friday, but now I’m back to being consistently late with this. Oh well, it is what it is.

Did you catch last week’s show? It was a really good one, where Christophe Foulon joined the show again. He gave us an update on what he’s been up to and reinforced his mission of helping people get into the information security field. Great guy, great mission, and a great talk. Listen to it here.

This week was tough, filled with tough decisions, but the outcome was incredible. I won’t go too much into the details, but I’ll give you a quick recap.

  • My good friend Ryan Cloutier published his first article as a guest on my blog. Ryan’s a great advocate for helping “normal” people learn information security basics, and it’s an honor to have him write something for me/us to share.
  • I was off to New Jersey this week, spending time with a global company’s information security team, building some great information security processes. The two days were filled with some amazing working sessions. We left things much better off than where we found them.
  • Friday was filled with meetings, back to back to back to back. Each meeting was unique, and they all produced positive results. It’s sometimes crazy coming back to the office after a few days away. I love my team and I love being with them, even if it is in a meeting. 😉

OK, show notes. Here they are…


SHOW NOTES – Episode 43

Date: Monday, September 2nd, 2019

NOTE: We recorded this podcast on Friday, August 30th ahead of the Labor Day holiday.

Show Topics:

Our topics this week:

  • Incident Response (why not?)
  • What’s a vCISO?
  • Gaps between us and them
  • Industry News

[Evan] – Some sort of non-standard opening… The standard one is:
“Welcome to the UNSECURITY Podcast, this is episode 43 and the date is sometime in late August. I’m Evan Francen and joining me is my partner in crime, Brad Nigh. Hello Brad.”

[Brad] Brad does Brad.

[Evan] We have a packed show in store again today. We’re recording this episode on Friday because Monday is Labor Day. Summer is over. What the ?!?! Got plans?

[Brad] Brad still does Brad because Brad is Brad.

[Evan] Hopefully our listeners all had an enjoyable Labor Day and an enjoyable summer. Back to school and back to the grind. Speaking of “back to the grind”, let’s talk about a topic that we always seem to be talking about, Incident Response. I’ll be damned if we don’t have more lessons to share with our listeners. Let’s keep it short though, if we can.

Incident response discussion

  • Keep it sort of short.
  • Mention some recent lessons.
  • Mention the upcoming Hacks & Hops

[Evan] A topic came up this week when I was talking with an investor. He asked, “what is a vCISO?” The conversation got me thinking, do we just assume that people know what a vCISO is?

[Brad] Still doing the Brad thing.

[Evan] Let’s discuss this and be clear in our definition of a vCISO and what they do. I’d also like to discuss what makes a good vCISO and what makes a bad vCISO.

[Brad] Yep, still doing Brad. Life is good. 😊

vCISO discussion

  • Define vCISO
  • Why do we need vCISOs?
  • What makes a good vCISO?
  • If you’re looking for a vCISO, what should you demand from them?
  • Whatever else seems pertinent to the conversation.

[Evan] Alright, last topic for the show is something that came up in a recent vCISO engagement with a customer. It demonstrates the gaps between what good guys can do when they test something and what the bad guys can do. There’s always a gap. There’s a line that we can’t or won’t cross. Here’s a recent example:

From: Marty Wikle <mwikle@sygnosinc.com>

Sent: Sunday, August 25, 2019 9:46:59 PM

To: REDACTEDNAME <redacted@redacted.com>

Subject: Respond ASAP

Someone ask me to kill you. For your information I am not sending this message with my email address and internet service provider just in case you want to proof smart and stubborn..any ways I like someone like that!because I will be so happy to put a bullet on your skull..My boys have been watching your steps for few days.

I am giving you a chance to live simply because my oracle show me that you dont have a hand in what you were accused of

You are to pay me $10,000 and I shall terminate the operation,after that I will give you the info of the person that wants you dead

You can call the authority and have them do patrol in your area 24/7 that didn’t stop me from hunting you and your love ones down.We are invisible!!

Reply to this email addresse:

trinitybharath048@gmail.com

[Evan] This email demonstrates a gap between what we can test as the good guys and what the bad guys do. This gap will always exist because we play by rules and the bad guys don’t care.

[Brad] Still doing Brad…

Short discussion

[Evan] Alright, let’s wrap this thing up with some news.

News

Here’s our news for this week:

Closing

More great episodes to come.

If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Talk to you all again next week!

Snake Oil Won’t Cure Your Security Illness

Part two in a three-part series about the information security industry money grab.

Introduction

NOTE: I covered some of these issues in my book, Unsecurity: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?

In this series, I’ll focus on three types of money grabbers:

  1. Those who will do anything and everything for your money,
  2. Those who sell snake oil, and
  3. Those who will sell you something regardless of its effects on your security.

There’s no doubt that the money grab is alive and well in the information security industry. Some companies and people in our industry will do everything they can to get their hands on your money. Some of them should get your money, while others should be put out of business because of their deceptive practices.

Clark Stanley’s Snake Oil

This stuff was amazing. A concoction, or “liniment” as Clark Stanley called it, that will cure just about anything: rheumatism, neuralgia, sciatica, “lame back”, lumbago, “contracted cords”, toothaches, sprains, swelling, etc. I don’t even know what half these ailments are, but I don’t know if I’d care either. This stuff will cure me of ailments I don’t even know I have, and it will protect me from future ailments. If I were alive in the 1890s, I might have bought some of this wonder juice.

When Clark Stanley started peddling his snake oil to the ignorant masses, there was nothing to stop him. There was no regulation to govern the safety and effectiveness of drugs until 1906. Nobody even knew what Mr. Stanley’s wonder-drug was made of until 1916, the year that the Bureau of Chemistry (later the Food and Drug Administration, or FDA) tested Snake Oil and determined it was made from mineral oil, 1% fatty oil (assumed to be tallow), capsaicin from chili peppers, turpentine, and camphor.

People caught on, the jig was up, and Stanley eventually pled no contest to federal civil charges that were leveled against him.

Information security industry snake oil

There’s snake oil for sale in our industry. Don’t buy it. It doesn’t work (for you).

Thanks in large part to Clark Stanley, the term “snake oil” has become synonymous with products and services that provide little (if any) value, but are promoted as solutions to problems. The term is also used to refer to exaggerated claims made by salespeople.

You’d be naïve to think there aren’t products and services sold in our industry that fit our definition of “snake oil”. There are two types of snake oil being peddled today: the kind that is overtly deceptive and the kind that is covertly deceptive. Both are bad, and you need to watch out.

Overtly deceptive

Overtly deceptive snake oil is the kind that comes with claims that are so outrageous, you start to question everything you know about yourself. The claims seem so real, with seemingly genuine evidence and fancy words, that you ask yourself questions like “Could this possibly be true?” “Has everything I’ve known about these things been wrong?” “How could I be so wrong?” “Is my existence a joke?”

No, you’re not wrong. Your existence is not a joke. The claims are crazy.

Here are two recent examples.

World’s First Patented Unhackable Computer Ever

What?! Unhackable? This can’t possibly be true. Can it? Well, if we were to believe Pritam Nath, the CEO of MicrosafeX Company, then yes it is true. If you use your noggin and think about this for a minute, the answer is absolutely NOT! There is no “unhackable” computer. There is no “unhackable” anything. Mr. Nath is selling snake oil, and thankfully the jig was up before people fell for it.

You should read his claims on his Kickstarter fundraising page. The claims would be laughable if they weren’t so sad and patently false. There were 36 reported “backers” of Mr. Nath’s snake oil before the campaign was cancelled. I’m guessing most of these people were in it for the fun, not because they took this thing seriously.

Time AI

Sounds cool. What is it?

AI is sexy, but if AI doesn’t get your juices flowing, how about “quasi-prime numbers”, “infinite wave conjugations,” and “non-factor based dynamic encryption and innovative new developments in AI”?

SOLD! Lots of big words solving cool problems that I don’t understand. Must be cutting edge stuff.

The company peddling this Time AI thingy is Crown Sterling out of Newport Beach, California. I’d never even heard of these guys before last week.

Last week, at Black Hat, Robert Edward Grant, the company’s Founder, Chairman, and CEO, gave a talk titled “The 2019 Discovery of Quasi-Prime Numbers: What Does This Mean For Encryption?”. The talk was so overtly snake oilish that it prompted very strong reactions (outrage) from some people who were there.

Dan Guido, the CEO of Trail of Bits stood up during Mr. Grant’s snake oil pitch and shouted “Get off the stage, you shouldn’t be here!” “You should be ashamed of yourself!” Ballsy.

Here’s a video clip of the exchange.

Jean-Philippe Aumasson is a serious crypto guy, and the author of the book Serious Cryptography.

There was enough of an uproar to force changes at Black Hat, including removal of references to the talk from the conference website and a promise of better vetting of sponsored talks in the future.

More coverage:

These are two examples of obvious and overtly deceptive snake oil. There’s also the less obvious, covertly deceptive variety.

Covertly deceptive

Covertly deceptive snake oil is hard for the inexperienced and/or lazy security professional to identify. It’s the sort of snake oil where a salesperson or company claims that their product does something that it doesn’t or that it will solve a problem, but it won’t. This snake oil is hard to identify because you won’t know unless you know.

One tell for covertly deceptive snake oil is the prominent use of sexy buzzwords. Common sexy buzzwords/phrases include:

  • Artificial intelligence or “AI”
  • Blockchain
  • Digital transformation
  • Big data
  • Machine learning or “ML”
  • Nextgen
  • Data-driven

If someone uses a buzzword or phrase that you don’t understand, go find out what it means. Don’t just sit there and nod your head like you know. Discounting buzzwords and phrases won’t always work though. There are legitimate companies and products in the market that use sexy buzzwords and still work as promised.

The key to protecting against covertly deceptive snake oil is to follow the advice in the closing (below): research, educate, and/or ask. Don’t ever rely solely on the opinions and research provided by the company or salesperson who’s selling; it’s biased.

Buyer beware

It’s you who makes buying decisions for you. No pressure, but every dollar you spend on security is one less dollar your organization can spend on fulfilling its mission, so you should get it right.

Don’t ever buy anything without doing one (or all three) of the following:

  1. Conduct in-depth research into the product and how it works.
  2. Educate yourself on the technology the product claims to use.
  3. Ask an unbiased expert for his/her opinion.

If we all made good purchasing decisions, the snake oil would dry up. You will need to do more work, but in the end it will save you.

Beware of People Who Do Everything

Part one in a three-part series about the information security industry money grab.

Introduction

NOTE: I covered some of these issues in my book, Unsecurity: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?

In this series, I’ll focus on three types of money grabbers:

  1. Those who will do anything and everything for your money,
  2. Those who sell snake oil, and
  3. Those who will sell you something regardless of its effects on your security.

Sometimes the money grabbers grab your money intentionally, but rarely do they do it with malicious intent.

There’s no doubt that the money grab is alive and well in the information security industry. We’re in the midst of the Cybersecurity gold rush, and there are thousands of companies fighting for their piece of your pie.

Cybersecurity gold rush

First, a quick comparison between the famous California gold rush and our cybersecurity gold rush.

The California gold rush looked like this: $10 million in 1849, $41 million in 1850, $75 million in 1851, and $81 million in 1852 (peak). After 1852, the rush gradually declined until 1857, then leveled to about $45 million per year.

The cybersecurity gold rush looks like this: $3.5 billion in 2004, $114 billion in 2018, $124 billion in 2019, and $170 billion by 2022. We haven’t exactly leveled off yet, but that day will come.

The truth about the cybersecurity gold rush: if you’re not one who’s making money, you’re probably one who’s spending it.

Spending well or not

Ask yourself these questions:

  • How confident am I that I’m spending my information security dollars wisely?
  • Am I getting the most value out of every dollar I spend?
  • Where do I get answers?

If you seek answers from a money grabber, you’re in for a rude awakening. Maybe not immediately, but soon. Money grabbers are biased; they’ll give you answers with a bias to sell you something.

So, how can you tell a money grabber from a trusted source of good information? It starts with understanding who the players are in our industry.

The Players

There are four players (or roles) in our industry: manufacturers, vendors, partners, and practitioners. Each of the players serves a very important role in making our industry function, and one player cannot effectively exist without the others. Don’t fall into the trap of thinking that one player is any better than another; they’re all critical.

Let’s break them down.

Security Manufacturers

Security manufacturers provide innovative hardware and/or software designed to solve real-world information security problems. They are critical to the information security industry because they make the tools we all use to secure ourselves.

Security manufacturers have three responsibilities to our industry:

  1. Understand the problem they’re trying to solve enough to make an effective hardware and/or software solution.
  2. Make an effective hardware and/or software solution that solves a problem.
  3. Sell the hardware and/or software solution to people in order to make money.

The manufacturer obviously needs to make money in order to satisfy investors and stakeholders. They’ll also need the capital to make more products. Stop the cycle and the manufacturer dies.

All fine and dandy.

Problems arise when a manufacturer attempts to play other roles, like giving you non-product related advice. It only seems logical that the advice you’d receive would be biased by one of their primary motivations which is to sell you their products. A manufacturer wants to sell you things because they want your money. What they sell you might solve a problem, but if it doesn’t, that’s ultimately your problem. The worst practice is convincing you that you have a problem that in reality doesn’t exist.

Even if a manufacturer solves a problem for you, you need to ask yourself if it was the right problem to solve. Was the risk significant enough to warrant a reallocation of resources (personnel, time, money, etc.)?

A manufacturer is probably not the best place to ask your questions about where you should spend your next information security dollar. They’ll certainly have an answer, but it won’t be unbiased, and it may not be in your best interest.

Security Vendors

Security vendors are an interesting bunch. They don’t make products, they sell them. We need vendors though. We need them because they’re closer to our problems than most manufacturers, and they know products better than partners (up next). They give manufacturers a distribution and support channel, so the manufacturer can go back to what they do best, making things.

Vendors represent products made by the manufacturers, and probably provide support for the products too. Vendors are usually specialists in the products they represent and are the “go to” people for making sure your products operate the way they’re intended to operate.

Advice from a vendor might be closer to the truth, but it will still be significantly biased. Vendors get paid for selling products, and they only represent their suite of products. Vendors, like manufacturers, want to sell you something. Ultimately, they want your money. Solving problems will be limited to the products they carry and advice probably won’t take other creative possibilities into account. Security vendors usually don’t innovate much and are more likely to go with whatever the herd is doing.

Security vendors are the best place to go for advice about a specific suite of products, but are not the best place to go for unbiased expertise.

Security Partners

A true security partner is a consultant without bias, but someone without bias is a pipe dream. The truth is, nobody is without bias, but good partners do their best to be a trusted advisor to clients with as little bias as possible. Good security partners who understand the importance of their role (in the industry and to their clients) are product agnostic. They strive to make recommendations based on what’s best for the client.

Partners also want your money, but they won’t make money if they betray your trust. Trust is what keeps them honest.

Advice from a security partner must be as unbiased and as objective as possible. Security partners are good at creating or finding innovative solutions to problems because they’re not tied to any specific product or suite of products. One problem with a security partner is they may not have the deep knowledge about any one particular product like a vendor or manufacturer may have. Partners try to compensate for this by establishing working (not selling) relationships with vendors and manufacturers.

Security partners are the best place to go for advice about solving your information security problems with as little bias as possible. A security partner would be the best place to start for answers to most information security questions.

Security Practitioners

The hard-working security people who bust their asses every day to make their workplace and the world a better place. Security practitioners make (or influence) buying decisions and they’re the ones who live with the fruits (or consequences) of their decisions. Most security practitioners don’t have time to research everything and need others to assist them in fulfilling their own personal mission.

Security practitioners deserve, and should demand, respect at all times.

OK, now you know the roles/players. Where’s the money grab?

Beware of People Who Do Everything

I’m speaking to the security practitioners now.

Wouldn’t it be great if you could go one place for everything? A one-stop shop. Seems like a great idea and a real benefit, but it’s ignorant to think that there wouldn’t be an undercurrent of bias that could hurt you and your organization.

  • A manufacturer is biased to sell you their products.
  • A vendor is biased to sell you something out of their suite of products.
  • A partner couldn’t even sell you products if they wanted to. A partner cannot be a one-stop shop even if they want to be.

If you’re comfortable with the bias and you’re comfortable with the inevitable waste of resources, you’ll be comfortable with the one-stop shop approach. It’s lazy and wasteful, but it’s your security program.

If you’re not comfortable with the bias and wasted resources, you might have a little more work cut out for you. The right thing is to use each player for what they were designed for. A manufacturer for buying their products, a vendor for buying from their suite of products and product support, and a partner for the best advice.

Problems come when a player doesn’t understand their own role. When a vendor tries to be a partner too or when a partner tries to be a vendor too. Worse yet is the player who tries to be manufacturer, vendor, and partner. If you didn’t know any better, the “we do everything” player has you by the neck.

In my experience, the most common offender of their role, almost like an identity problem, is a vendor. Many vendors grew their business through other means, maybe selling printers and copiers, maybe doing information technology (IT) work, or maybe reselling networking equipment. The vendor resells things, but as a matter of survival and as margins decrease, they look for new streams of revenue. One common stream of revenue is security consulting services where the market is relatively immature and where a vendor can realize more significant margins.

Two problems with the vendor who plays partner:

  1. The bias problem. I’ve already covered this, but it’s a significant problem. I’ve witnessed many occasions where a vendor has sold things to a client that were clearly biased by the fact that the vendor sells those products. It’s only natural that a vendor would sell products, but it’s the practitioner who pays the price.
  2. Good at some things, but an expert in no things. Nobody can be the best at everything, you can only be the best at one thing or maybe a few things. A vendor who sells copiers, installs Cisco networks, builds data centers, and recycles old equipment, is not likely to be an expert in information security. Information security requires a specialized skill set, and you will get what you pay for. Unfortunately, it’s the practitioner again who pays the price.

Vendors aren’t bad. Partners aren’t bad. Manufacturers aren’t bad. Things can get bad when one player tries to play multiple roles. These multi-role players do it because it’s in their best interest, not necessarily because it’s in your best interest.

Things can get bad for you when you play into a multi-role player’s hand. You wouldn’t know the difference unless you were paying attention. Spend every information security dollar like it’s precious, because it is. One wasted dollar is one less dollar to spend on other more productive and enjoyable things.

Before I close, and one last time, there is nothing wrong with manufacturers, vendors, or partners. They’re all critical. It just helps if you know who they are, and better yet, if they know who they are.