The Burn(out)

If you work in this field (information security) long enough, burnout is something you’re sure to encounter. You will fight against burnout yourself, meet somebody who is on the verge of burnout, or sadly, meet someone who has already burned out.

We work our asses off. The hours are long. The stress is real. Isolation comes with the territory.

If you are on the verge of burning out, please seek help (from me, a colleague, a friend, a counselor, etc.). We need you. We need you to fight beside us. We need your ideas. We need your perspectives. We need your wisdom. We need your support. We need your passion. We need your skill. We have serious information security problems in society. In fact, we’ve created more problems than we’ve solved.

WE NEED YOU FOR THE CREATION AND IMPLEMENTATION OF SOLUTIONS TO SOCIETY’S INFORMATION SECURITY PROBLEMS.

The letter below is hypothetical. It’s not written to anyone in particular or with anyone in mind (except the information security professional). It’s a raw dump of frustrations I’ve heard over the years from my brothers and sisters in arms.


Dear <INSERT NAME OR TITLE>,

I’m tired.

You may not care, but you should. I’m holding shit together while you focus on life. Some of my frustration stems from your view that information security (or “cybersecurity”) isn’t part of life. The truth is, information security IS part of life. It’s a damn life skill!

Before you ask why I’m tired, I’ll tell you. I’m tired because:

  • I work 80+ hours a week to protect you and all that you are responsible for.
  • I’m fighting a fight I cannot win, especially without your help.
  • I’m asking you to help, but you aren’t listening.
  • We’re under relentless attack, but you don’t see it, so you don’t care.
  • You think “it won’t happen to me” and I’m afraid it already has.
  • I’m losing support from my family because they’re sacrificing their time with me while I protect you (and worse, they don’t understand why I’m doing it).
  • You won’t step up and take responsibility for what’s yours.
  • I need you to help me solve problems, but I can’t get you to participate.
  • You think this is my responsibility, but it’s not, it’s yours.
  • I tell you things with honesty and transparency, but I don’t think you trust me.
  • We’re understaffed and underfunded, but you keep telling me to do more with less.
  • I need you to champion this cause, but you do nothing more than tolerate it.
  • I want to teach you about information security, but you are too smart or too busy for education.
  • You don’t see the value in me because I’m nothing more than a cost center to you.
  • You will blame me when things go wrong, but you don’t notice when things seem OK.
  • Your demands for more technology and gadgetry make protecting you harder than it already was.
  • I sit behind a screen all day and my physical health is declining.
  • I deal with the dark shit of this world, mostly alone, and my mental health is at risk too.

Despite all this, believe it or not, I LOVE what I do. I love what I do because I love doing good, fighting against evil, and protecting people like you. It scares me to think of doing anything else for a living. You pay me well, so I’m not complaining about money.

You know this isn’t about money, right?!

My work and passion runs deeper than money. Money provides the means to my cause, but it’s not the cause. I do what I do because I want to make a positive difference in your life and I want you to be healthy. I do this because I care about you, obviously more than I care about myself sometimes. I’m here to serve. I am here to help. I answer the phone when you call. I’m here to respond when things go wrong, even if it means I take the blame.

This is my duty and my promise to you.

Sometimes I ask myself if it’s worth it. Is the frustration worth the reward? Is this all worth it, knowing that I’m destined to fail?

You might be inclined to ask “what do you mean, destined to fail?!”

I’m destined to fail because you ask me (directly or indirectly) to do the impossible, you won’t enable me to succeed even if it were possible, and you have expectations of me that can’t be met.

You ask me to keep you “out of the news,” but I can’t promise you that. No matter what I do, I can’t protect you from all the bad things that can/will happen. I’ve always told you the goal is risk management, and not risk elimination. Risk elimination just isn’t possible.

I don’t want you to take pity on me, and I don’t want any outward acknowledgement. I want you to own what’s yours! I want you to get in this game and play ball. You can delegate all sorts of things to me and others, but you will never be able to absolve yourself of your ultimate responsibility. The wolves in our industry will fool you into thinking they can solve all your problems without your attention or worry, just your money. They can’t. It’s a lie. They prey on your ignorance to mislead you and steal your money, not unlike the attackers we’re trying to fight against in the first place!

All of us need you to step up. We need you to own what’s yours. We need you to lead. Ultimately, the security and safety of all things and people under your control is your responsibility. It’s time to step up before I give up. I’m your best hope, but we’re hopeless without each other.

-Information Security Professional (on the verge of burnout)

K is for Key

In kindergarten (or thereabouts) we learned the ABCs of the English language (assuming we’re from the U.S.). Learning the ABCs provided the foundation necessary to form words. Before long, words became sentences, sentences became paragraphs, and paragraphs became chapters, reports and books.

The ABCs of Information Security are important in much the same way the ABCs for English are. We start with learning and mastering basic concepts. Basic concepts begin to combine with other basic concepts to form the foundation of an information security program. In time, advanced techniques are applied on top of the solid foundation, and a world class information security program is born.

The Information Security ABCs are written as education for people who don’t speak information securitynese yet, and they’re good reminders for people who already speak information securitynese fluently.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

And here we are, ready for “K”. “K” doesn’t get much respect in the English language, appearing with a frequency of only 1.1% (compared to “E” and its 11.16%). All letters deserve respect, and “K” can brag that it isn’t as lonely as poor “Q” (.196%).

Some alliteration…

Our kindhearted kin are kayoed, watching their kingdom go kaput while losing the kitty to knave knuckleheads, all because they didn’t know key concepts, built knotty networks, and failed to kindle interest from kleptocratic leaders.

For the purposes of the Information Security ABCs, “K” is for “Key”.

The word “key” has many applications in information security. It’s one of a few words that fit across the spectrum of what information security is:

Information security is managing the risk of unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

There are physical keys, logical (or technical) keys, and all the “other” keys.

Physical Keys

Physical keys are used to open physical locks. Physical locks are used to secure physical things. Physical “things” might be a locker, a door, a window, a safe, or any number of other “things”. Don’t confuse physical key locks with other physical locks. Combination locks and keypad locks aren’t physical key locks, but they have keys too. The key in these locks is the combination.

Confused? Don’t be. Here are the most common types of physical key locks.

Types of Keyed Locks

IMPORTANT: Every physical key lock is susceptible to compromise (picking, bumping, impressioning, etc.), but some are much harder than others to bypass.

  • Pin cylinder (or pin tumbler) locks – a lock with spring-loaded pins that must be aligned with a shear line before the cylinder can turn (opening the lock). The key is cut to lift each pin exactly to the shear line. The number of pins in these locks varies, but 5- and 6-pin locks are the most common.

  • Lever (or lever tumbler) locks – the key lifts each of the levers to the exact height required to move the locking bolt. The most common lever lock has three levers, but in the UK, for instance, you’ll often need a five-lever lock (or better) to satisfy home insurance requirements.

  • Wafer (or wafer tumbler) locks – like the pin tumbler lock but uses flat wafers instead of pins.

  • Warded locks – obstructions (wards) inside the lock prevent anything but the correctly shaped key from turning. One of the oldest lock designs, and only used in low-security applications today.

  • Disc detainer (or disc tumbler) locks – use slotted rotating discs that must all be aligned before the lock will release. Harder to pick than pin tumblers and sometimes sold as “high security” locks.

Keys open locks. Simple, right?

Again, don’t forget that ALL physical locks are susceptible to picking or bypass. Here’s a look at a couple of pick sets.

Logical Keys

Logical keys are very commonly used to protect assets too. The three most widely used references to logical keys in information security are:

  • Secret Key – this often refers to a type of cryptography (“secret-key” encryption, or algorithm) and to the key itself. Secret-key encryption is also referred to as symmetric encryption (not to confuse anyone). In this type of encryption, the same key (the secret key) is used to encrypt and decrypt data. The key itself is just a string of bits (128 or 256 bits for AES). A password or passphrase can be the starting point, but it should be run through a key-derivation function (PBKDF2, scrypt, Argon2, etc.) to produce the actual key, because a human-chosen password has far less randomness than its length suggests. Popular symmetric-key algorithms include AES (Rijndael), Twofish, and historically DES, 3DES and RC4, among others. DES, 3DES and RC4 are broken or deprecated and should not be used in new designs.
  • Public Key – this term refers to a type of encryption and to the key itself too. Public-key cryptography is also referred to as asymmetric cryptography because one key is used to encrypt the data and a separate (but mathematically related) key is used to decrypt it. Data encrypted with the public key can only be decrypted with the matching private key. Applying the private key to data is how digital signatures work: anyone holding the public key can verify that the private-key holder produced the signature. The public key is often freely distributed while the private key is kept, you guessed it, private. Common asymmetric-key algorithms include RSA, Diffie-Hellman (key exchange), Elliptic Curve Cryptography, and others.
  • Private Key – private keys are paired with public keys in asymmetric algorithms. These are sometimes referred to as secret keys, but they are not the same secret keys as those used in symmetric encryption (because we like to reuse words and confuse people, I guess). A private key is never shared; if it leaks, everything encrypted to the matching public key, and every signature made with it, is compromised.

It’s common to use asymmetric encryption to establish communications and exchange a secret key, then use symmetric encryption to exchange the bulk data. This pattern is called hybrid encryption, and it is how TLS (the protocol behind HTTPS) works. The reason is that symmetric encryption is stronger per bit of key length and much faster; NIST rates a 128-bit symmetric key as roughly equivalent in strength to a 3072-bit RSA key.

Other Uses of “Key”

The word key and security (and information security) are like second cousins. They’re different but related to each other. The image of a key (or padlock with keyhole) is often used symbolically to reference information security, like the graphic below.

Then there are information security “key” concepts, like:

  • Information security is risk management.
  • Information security protects the confidentiality, integrity, and availability of information.
  • Information security is a business issue, not an IT issue.
  • You can’t prevent all bad things from happening (eliminate risk), so you must have something in place to detect the bad things and something in place to respond appropriately too.
  • And many, many more…

More use of the word “key”:

  • Key Chain
  • Key Distribution Center (KDC)
  • Key Escrow
  • Key Fob
  • Key Generator (Keygen)
  • Key Length
  • Key Performance Indicators (KPI)
  • Key Risk Indicators (KRI)
  • Key Value Store
  • Key-Value Pair (KVP)
  • Keyboard
  • Keyboard Buffer
  • Keyboard Macro
  • Keyboard Shortcut
  • Keycap
  • Keygen
  • Keylogger
  • Keypad
  • Keystroke
  • Keystroke Logger
  • Keyword
  • Keyword Stuffing

So, there you go. The letter “K” is for “Key”. The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics).

On to “L”!

J is for Jaded

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

And now for “J”.

One is justified in their joy and jubilation from the judicious and just protection of information.

The jibes, jeers, judgement, and jitteriness of losing to jackanapes along our journey through the jargon, jabberwocky, jactitation, jostling and jackassery of our juvenile industry makes us justifiably jaded.

There you have it.

“J” is for Jaded

We’re not all jaded all the time, but too many of us are jaded too often.

Feeling jaded seems to come with the territory. As someone who works in this industry, sometimes it feels like we’re fighting a fight that can’t be won, we’re losing ground, and that life has given us the short end of the stick. Given enough time in this industry, you’ll either become jaded or you’ve fought hard against becoming so.

If you’ve done something so much that it doesn’t excite you anymore but just leaves you tired, consider yourself jaded. If someone says you look a little jaded, it just means that you look tired.

https://www.vocabulary.com/dictionary/jaded

The formal definition of “jaded”, courtesy of George Merriam and Noah Webster (not really, these two are long gone and Merriam Webster, Inc. was acquired by Encyclopedia Britannica, Inc. in 1964):

  1. Fatigued by overwork : EXHAUSTED
  2. Made dull, apathetic, or cynical by experience or by having or seeing too much of something.

Being fatigued, exhausted, overworked, dull, apathetic, and cynical are not things we should aspire to.

Jaded is Bad

There is nothing good about being jaded. People who are jaded live a sad life, or at the very least, a life with less joy than there should be.

Here’s what Dr. Stephen Diamond (a clinical and forensic psychologist) has to say about jaded people:

bitter, jaded people tend to project a self-righteous attitude suggesting they’re justified in feeling resentment. They’re often bored and cynical. They observe and criticize more often than they participate. Because they believe they’ve been burned, they no longer have the trust necessary to build solid, positive relationships. They believe the world is unfair and freely express their impatience and anger. They no longer expect success, but don’t accept responsibility for their failures; instead, they blame others. They’re almost always irritable and frequently express annoyance in most situations.

The highlighted words represent traits that are too common with people in our industry, some of these people we know personally, and maybe one of those people is you.

Jaded people often lash out at others. Bitter sarcasm and criticism are hallmarks. They often feel like they’re victims of what they perceive as injustice. The injustice leads to resentment, anger, and general unhappiness. Jaded people are more likely to suffer from burnout, mental health issues (depression, anxiety, et al.), broken relationships, and chemical dependency (self-medication).

Again, think about people we know in our industry; the people we fight alongside every day. There are people we know personally who have a self-righteous attitude, criticize more than they should, and have lost patience with “dumb users” and/or “incompetent management”. Dialogs such as these are examples:

US: “We need to educate our users and constantly make them aware of information security dangers.”

JADED US: “Why waste our time or money? They don’t get it and they never will. They just keep clicking on links and choosing sh*tty passwords.”

OR:

US: “Let’s figure out a better way to communicate with executive management and the board. If they understood better, we’d be able to secure the budget we need.”

JADED US: “What’s the use? Management doesn’t give two sh*ts about information security!”

Someone who’s jaded has given up, lost hope, and just exists to exist. They’re debilitated and they’re debilitating to the people around them. Someone who isn’t jaded is still fighting the good fight. They’re relaxed, rested, energetic, and active. Jaded people have a negative impact. People who aren’t jaded make a positive difference, creatively solving problems and hoping for better outcomes. The truth is, jaded people hurt themselves and others. People who aren’t jaded help themselves and others.

Jaded people hurt themselves and others.

Jaded people are NOT bad people. Please don’t make this mistake. Often, they are good people who care(d) deeply about something. They care(d) so much, they took it personal and suffer(ed) for it.

Too simple? Maybe, but the point is this: we need to do everything we can to avoid becoming jaded.

But how?

Start with a simple and honest self-evaluation; are you jaded? If you’re not sure, ask someone close to you. Then decide:

  • If you’re jaded, choose to come back or not.
  • If you’re not jaded, learn how to keep yourself from becoming jaded or not.

The mindset and skills are the same either way.

People who work in our industry often (or always) find our work stressful. When we become jaded, we negatively impact our quality of life and become much less effective in our work. Back to our definition of the word; jaded people are fatigued by being overworked and/or made dull, apathetic, or cynical by experience. Being jaded is not acceptable to me, and it shouldn’t be acceptable to you either. So, let’s do something about it.

Fatigued, Overworked, and Exhausted

People who work in our industry are some of the most passionate, motivated, and intelligent people anywhere in the world. We’re unique and we’re amazing! The passion pushes us to work our tails off, mostly without appreciation beyond our paycheck (we do get paid well though). Some of us work 50, 60, 70+ hour weeks, forgo vacations, and sleep much less than we should. Our passion will work against us when/if we’re not in balance. The constant hard-driving workload can lead to fatigue and exhaustion. Eventually, something has to give.

To make matters worse, it doesn’t matter how many hours we put in, security incidents are inevitable. No matter what we do, we cannot prevent all bad things from happening. When the bad thing happens, then “they” notice; the appreciation we longed for becomes condemnation. Nobody cares about the 1,000s of hours we put in, often while others weren’t watching. They want to know why the bad thing happened and who’s to blame.

Feeling any injustice? Oh, how we need tools to fight against becoming jaded! So, what to do?

Priorities

Somewhere along the line, we might get our priorities messed up. Our job is a job. We do it as well as we can, but we must recognize that work is not life. Work is part of life, but it is NOT life. Good priorities might look something like this:

  1. Faith
  2. Spouse (if you’ve got one)
  3. Family
  4. Work
  5. Friends

Notice how “self” isn’t listed? Self supersedes all priorities. Self-preservation is primal.

You could switch #4 (Work) on the list with #5 (Friends) and still be OK. Regardless, work is NOT in the top three. Bad priorities look like this:

  1. Work
  2. Fame
  3. Money
  4. Spouse
  5. Work
  6. Family
  7. Work
  8. Friends

The first list lends itself to health, the second list lends itself to becoming fatigued, overworked, and exhausted. Couple messed up priorities with the nature of our work; guaranteed failure (if failure is defined as preventing all bad things), and you have a recipe for becoming jaded.

Health (Spiritual, Mental, and Physical)

All health requires maintenance. If we’re not maintaining our health, we can expect it to fail (eventually) and we can expect it to suck.

This isn’t the place or time to preach Jesus to you, but we all need a spiritual “higher power”. This is the place we go when the world doesn’t make sense, and we all know the world doesn’t make any damn sense, right?! If you need help finding a spiritual advisor, reach out to a close personal friend for guidance. If you don’t have a close personal friend to trust for this guidance, you get my advice; seek Jesus! That’s all the preaching you’ll get (for now).

According to the National Institute of Mental Health, nearly one in five U.S. adults live with a mental illness (51.5 million people in 2019), and less than half (44.8%, or 23.0 million people in 2019) received mental health services. Think about these numbers for a second. Due to the nature of what we do and the stress related to it, the percentages for us are probably worse than for the U.S. population as a whole. Most of us rely VERY heavily on our minds, and if our minds are broken, then what? If you need help, or think you might need help, here are some great resources to check out (DO NOT IGNORE THIS):

It’s easy to overlook our physical health, but we can’t. Most of us sit for hours on end at a computer keyboard. This is not healthy. We must get up, get out, exercise more, and eat healthier. There’s nothing glamorous about dying of a heart attack while reverse engineering a piece of code.

Our health has a direct impact upon being jaded. The more unhealthy we are, the more likely we are to become jaded. The inverse is also true.

Dull, Apathetic, and Cynical

The second part to our definition of “jaded” is being dull, apathetic, and cynical by experience or by having or seeing too much of something.

Seriously, how many times have we:

  • Seen someone click a link they shouldn’t have?
  • Witnessed someone fall for a phishing attack after we’ve taught them a kajillion times not to?
  • Read about a breach that should have been prevented?
  • Told people to master the basics, only to see them NOT compile/maintain an asset inventory?
  • Shaken our heads at dumb mistakes people (including “we”) make?
  • Beat our heads against the wall trying to get management to give a sh*t?

After a while, shouldn’t we just give up? What’s the use? People keep doing dumb things and making crappy decisions. Aren’t we tired of it yet?!

Spoken like someone who’s jaded.

Maybe it’s not them. Maybe it’s us.

Expectations

Maybe we’re jaded because we have too many or the wrong expectations. We’re less likely to become jaded when things go well, when we experience things that are good (or exceed our expectations). It’s not like we’d say:

  • “Dammit, Jane in accounting picked a great password again!”, or
  • “Life would be so much better if Joe would just click links without thinking more often.”, or
  • “It just sucks when management always gives us the budget we need for information security.”

Absolutely not. Some (or a lot) of our jadedness comes from being disappointed. We’re setting the wrong or unrealistic expectations, leading to disappointment, leading to frustration, leading to becoming jaded. We think expectations are good, but they’re often not.

What did we expect in the first place? Did we actually expect humans to NOT be human? Did we expect management to treat information security like it was THE issue versus AN issue? Did we expect people to listen to us when we don’t speak their language? Did we expect to not have breaches? Did we expect such a thing as risk elimination, or did we realize this is actually about risk management?

If we set expectations, we should expect to be disappointed. Expect disappointment, and if it happens often and long enough, it WILL lead to frustration. Frustration is the last step in the path to becoming jaded. This is the “jade cycle” (simplified), see diagram.

The math: (-e + e2) = -d + -j, where e is expectations, e2 is better expectations, d is disappointment and j is jadedness. Essentially, fewer expectations and better expectations = less disappointment and less jadedness. Living life without expectations is NOT the goal, living a life with fewer and more realistic expectations is the goal.

NOTE: The exception is computers and other logical, binary things. We can always expect computers to do what we tell them to do. Care must be taken with emotional and non-binary (analog) things like human beings.

Summary

Beware and be aware of jadedness in yourself and others in our industry. It makes us less effective and it steals our joy. If you need help, ask for it. Being jaded is more common than many of us realize, and it does nothing to help our cause. The cause being better information security, and through it, better lives.

There is no honorable mention for “J” because it’s a letter we don’t use enough. 😉

Next up, “K”. What are some good relevant words for this letter?

I is for If

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

Now for “I”…

“I” is for “if”.*

What if we were less ignorant, imperious, incoherent, irksome and impetuous, but a little more integrous, inoffensive, instrumental, interpersonal, and ingenious? Would we be less inundated with incessant information security incidents?

What if we were less inept and imprudent with the technology that’s so intertwined with every aspect of our daily lives? Would it even be possible to become impenetrable, impregnable and impervious to interminable attacks?

What if?

If we do more of the right things right, and less of the wrong things wrong, just think how much better off we’d be. The people we serve would be safer, we would be saner, and the world would be a better place!

The keys to making “if” closer to reality are less ignorance and more integrity.

What if we were less ignorant?

Ignorance is the lack of knowledge, understanding, or information about something.

Ignorance runs rampant within our industry and amongst the people we serve. People don’t know what information security is or what their personal responsibilities are.

If we were less ignorant, we’d know what information security is, and we’d know that it cannot be separated from privacy or physical safety. We’d know the importance of information security basics, and we’d practice them religiously. If we were less ignorant, we’d know how vulnerable we are and we’d demand better of ourselves. We’d know what we’re responsible for and what we should hold others accountable for. If we were less ignorant, we’d think twice before plugging that new sexy gadget into our home network. We’d demand more protection in the products and technologies marketed and sold to us incessantly.

By definition, we’re all ignorant. Nobody knows everything, but this isn’t the issue. The issue is being ignorant of something we shouldn’t be ignorant of.

Is it OK to be ignorant of:

  • computer security best practices if you use a computer?
  • Internet security best practices if you use the Internet?
  • what things are running on your home network if you have a home network?
  • online safety best practices if you have loved ones (kids, spouse, et al.) who are online?
  • the most significant organizational security risks if you’re the leader of the organization?
  • information security basics if you’re in charge of information security?

The answer in all these circumstances is “NO”. It’s NOT OK to be ignorant of things you are responsible for.

In today’s world, we can no longer separate information security from privacy or safety; even personal, physical safety. Everything is integrated. A single information security incident has the potential to expose private information, but even worse, it has the potential to kill someone. The truth is, information security is a life skill that all people must learn. Everyone has responsibilities, so what are yours?

Accepting ignorance is a default response when people are confronted with something that seems too complex, too confusing, too technical, or too anything. The key to fighting ignorance is simplification and mastering the basics. The basics are boring, the basics aren’t sexy, but despite these things, the basics are absolutely necessary.

So, what are the unsexy basics?

The first basic principle is to define rules for the game.

At Home
  • If you’re the head of your household, you’re the boss and you make the rules. It’s NOT OK to accept ignorance in this role. Learn what good information security behaviors are, lead by example, and expect others to follow. Ultimately, every bit of data that traverses your home network, every website visited by you and your family members, every device you plug in, everything is your responsibility.
  • If you’re not the head of your household, your job is to follow the rules and provide respectful feedback. No rules? Go see the head of your household and help them define the rules.

Go check out S2Me, it’s a FREE and SIMPLE personal information security risk management tool.

At Work
  • If you’re the CEO (or whatever title sits at the top of the org chart), you’re like the head of the household (above) for your organization.
  • If you’re not the CEO, your job is to follow the rules and provide respectful feedback. No rules? Go see the CEO (or his/her assistant) and help them define the rules.

Quick sidenote: This isn’t the article about writing rules for you, but maybe “R” will stand for rules (later).

No rules = chaos, anarchy, confusion, and disorder. There must be rules. You either define the rules and follow them, or you follow them and provide feedback. Now that you’ve read this, you cannot claim ignorance. You have knowledge, and now you must act.

Knowledge without action is negligence.

I’m not a lawyer, so I won’t give legal advice. The generic definition of negligence is “failure to take proper care in doing something”.  Are you negligent if someone suffers because:

  • you don’t know the right thing to do, but you should?
  • you know the right thing to do, but fail to do it?

Ignorance isn’t bliss, it’s breach.

More than once, I’ve heard the comment “ignorance is bliss”. Ignorance of something you shouldn’t be ignorant of is nothing more than an excuse for laziness and genuinely not giving a sh*t.

What if we were more integrous?

Integrous is the adjective form of integrity.

Integrity is an oft-used word in our industry, and here’s the definition:

  • the quality of being honest and having strong moral principles that you refuse to change
  • someone’s high artistic standards or standards of doing their job, and that person’s determination not to lower those standards
  • the quality of being whole and complete

Integrity applies to our industry in (at least) two ways; the integrity of data and the integrity of personnel responsible for protecting data.

Integrity of Data

If you’ve been in our industry for any amount of time, you’ve surely heard of the CIA triad. It’s an acronym for a fundamental concept; we protect the Confidentiality, Integrity, and Availability of data. Our “I” in CIA refers to the wholeness, completeness, and accuracy of the data we try to protect.

Simple. It’s important to remember that our job goes beyond making sure data is kept secret; we also need to make sure it’s accurate and available (to those who are authorized to access it).

Integrity of Personnel

On this point, it’s hard not to rant. To keep us honest, we’ll over-simplify.

In our industry, there are the practitioners who work their tails off to protect people, and there are suppliers who make things practitioners use to protect people. Practitioners and suppliers; integrity is paramount to both. A lack of integrity in either is terrible and sad.

Practitioners

The person behind the keyboard is an integral part of any information protection strategy. Their integrity must be rock solid and continually verified. Background checks, character references, solid OSINT, etc., are all encouraged before hiring anyone. Address the questionable things before hiring, and not after you’ve given them the keys to the kingdom. Depending upon your comfort level, sensitivity of the job, etc., questionable things should be questioned, but they don’t always need to be a disqualifier. Giving people the opportunity to address the questionable things from their past might be good, given that people change (hopefully for the better).

Verify integrity constantly. At work, a practitioner shouldn’t mind having his/her activities monitored continually. They should see the value in it.

Suppliers

What’s worse, an attacker stealing $100,000 from your organization’s bank account or someone selling you security software that doesn’t work, or you can’t use, or you don’t need, or…? They’re both bad and either way you’re out a hundred grand. Stolen (or wasted) money is money your organization can’t use for better things; market expansion, employee benefits, innovation, etc. Suppliers who sell something to a practitioner when they know it’s not the right thing are like wolves in sheep’s clothing; almost worse than an attacker because at least you know the attacker is bad.

There are many suppliers who operate with integrity in our industry, but we must do a better job weeding out the ones who aren’t.

Summary

There you have it. “I” is for “if”. What if we were less ignorant and more integrous? Things would be much better around here.

*NOTE: “If” was inspired by my good friend Chris Roberts. Thanks!

Episode 110 Show Notes – All Hell Broke Loose

Welcome! These are the show notes for episode 110 of the UNSECURITY Podcast.

We’re putting the Information Security @ Home series on hold again this week. In case you didn’t know, it seems we have a big problem on our hands. Over the course of this last week (or so), we’ve witnessed events in our industry that we’ve not seen before, in terms of magnitude and impact. It all started (publicly) with FireEye’s announcement of an intrusion and exfiltration of data. FireEye is one of the largest and most respected firms in our industry, so this was big news!

Unfortunately, this was only the tip of the iceberg.

Over the weekend, we learned of two more really significant breaches; one at the U.S. Treasury Department and the other at the U.S. Commerce Department. On Monday (12/14), all hell sort of broke loose when we learned that these breaches are all related, and the source is SolarWinds. Attackers compromised SolarWinds’ defenses and inserted malware into their premier product, the Orion platform. Orion is a network management system (NMS) used by thousands of organizations to manage and monitor their IT infrastructure. SolarWinds has become a single source of possible intrusions into ~18,000 other organizations. These intrusions into the other organizations aren’t run of the mill either; these are intrusions using “trusted” software (often) configured with elevated/privileged access. This is bad, and it will continue to get worse before it gets better.

Seems 2020 isn’t done 2020ing yet. The end of 2020 countdown at the time of this writing:

Other things? Yes, of course!

There are always many, many things going on around here (SecurityStudio and FRSecure). One very newsworthy event included the announcement from the State of North Dakota. North Dakota has made our S2Me (personal information security risk assessment) available for all state residents and will use it to help their citizens be more secure at home! One down, and 49 left to go!

Alright, on to it. Brad’s leading the discussion this week, and these are his notes. GOOD NEWS, we’ve invited our good friend Oscar Minks to join us as we delve into the whole SolarWinds debacle.


SHOW NOTES – Episode 110

Date: Tuesday December 15th, 2020

Episode 110 Topics

Opening

[Brad] Hey there! Thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 110, the date is December 15th, 2020, and I’m your host, Brad Nigh. Joining me as usual is my good friend and co-worker, Evan Francen. Good morning Evan.

[Evan] Cue Evan.

[Brad] Also joining us this morning is another good friend and co-worker, Oscar Minks. Good morning Oscar.

[Oscar] Cue Oscar.

Quick Catchup

[Brad] As if 4th quarter wasn’t crazy enough, we had the SolarWinds news break this week. Before we dig into that, let’s catch up and see how we are all doing with just over 2 weeks left in the year. What’s new?

Transition

Information Security @ Home
All Hell Broke Loose

[Brad] Well, we planned to do more security at home stuff, but as I said a couple weeks ago, 2020 won’t stop 2020’ing.

Topics

  • SolarWinds breach (only the beginning)
  • The timeline (FireEye announcement)
  • FireEye, U.S. Government, (possibly) 425 of the Fortune 500, and (probably) 18,000 organizations.
  • What happened?
  • What are the ramifications of all this?
  • What do you need to do?
  • What do we need to do?

Discussion between Brad, Evan, and Oscar

[Brad] 2020 is not going quietly into the night, is it? Alright, moving on for now.

News

[Brad] Amazingly, SolarWinds wasn’t the only news in the last week. We probably won’t have time to get to all of these, but they are good reads and good to stay on top of.

Wrapping Up – Shout outs

[Brad] That’s it for episode 110. Thank you Evan and Oscar! Who you got a shoutout for today?

[Evan & Oscar] We’ll see.

[Brad] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan can be found @evanfrancen.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

Episode 109 Show Notes – Information Security @ Home

This is Episode 109, and we’re continuing our Information Security @ Home series.

We’re smack dab in the middle of the holiday season. Lots of people are going to receive neat, new electronic gadgets as Christmas gifts. Who doesn’t like cool new gadgets?! Your refrigerator can order milk before you’re out of milk, your dishwasher can send you messages when the dishes are done, your television can remind you it’s time to veg out on the couch for the latest episode of The Undoing, and your doorbell can show you who’s at the door while you’re away. We LOVE gadgets! (even if they end up killing us)

But wait! What about information security? What about privacy? What about safety?

Herein lie some problems. Problems that we (infosec folks) want to help you avoid.

Information security is an afterthought, if it’s ever a thought at all! We continue to connect more devices, install more apps, and stream more things. Home networks become more complex, and most people don’t even know what they’re trying to protect. This is your home network, and it’s your responsibility to use it responsibly. Nobody cares about the protection of you and your family more than you. It’s time to step up and learn some basics before this gets any more out of hand. (it’s already out of hand, but it’s not too late)

So…

In case you didn’t know, we’re less than 16 days from Christmas!

…and less than 23 days left in 2020!

I’m not sure what I’m more excited for at this point, Christmas or 2021. 2020 can suck it. Well, I guess it already has. Here’s to an awesome end to an ______ year!

I’ll (Evan) be leading the discussion this week, and these are my notes.


SHOW NOTES – Episode 109

Date: Wednesday December 9th, 2020

Episode 109 Topics

  • Opening
  • Catching Up
  • Information Security @ Home
    • Picking up where we left off in episode 108
    • Demonstration – The router/firewall
      • Finding your router.
      • Logging into your router.
      • Changing the default password.
      • Poking around a little bit.
    • What’s on your network anyway? You can’t possibly protect the things you don’t know you have.
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey oh! Welcome to episode 109 of the UNSECURITY Podcast. We’re glad you’ve joined us. The date is December 9th, 2020 and I’m your host Evan Francen. Joining me is my pal and co-worker, Brad Nigh. Good morning Brad!

[Brad] Cue Brad.

[Evan] It’s nice to come up for air this morning, and it’s nice to hang out with you man. How you doing?

Quick Catchup

It’s 4th quarter, I’m now a week and a half behind and it’s only getting busier. Hopefully Evan is in a better mood than episode 106.

We’ll discuss a thing or two…

Topics:

Transition

Information Security @ Home

[Evan] Last week, we got into some of the important things we should be doing at home. When I say “we” I mean everybody, security people and non-security people alike. We mentioned that step #1 should be to change the default password on your home router. We talked about it, gave some advice, and pointed people in the right direction. Today, I’d like for you and me to demonstrate how to change a router password and talk about it while we’re doing it. After this, we’ll poke around a little inside the router’s configuration. Once we’re done with that, we can move on to the next task; finding out what’s on your network.

Sound good?

[Brad] Cue Brad.

Begin discussion

Information Security @ Home Discussion

  • Picking up where we left off in episode 108
  • Demonstration – The router/firewall
    • Finding your router.
    • Logging into your router.
    • Changing the default password.
    • Poking around a little bit.
  • What’s on your network anyway?
    • Why is this important?
    • What you should do next…

Transition

[Evan] Alright. Good stuff. Hopefully our listeners learned a thing or two. For those who already knew this stuff, hopefully they’ll share with others.

That’s that. On to some news…

News

[Evan] Crazy stuff going on in this industry. What’s new? Well, here are a few things that caught our eye this week:

[Evan] That’s a lot of news for one day, and that’s only the tip of the iceberg.

Wrapping Up – Shout outs

[Evan] That’s it for episode 109. Thank you to all our listeners. We dig you. Also, thank you Brad! Who you got a shoutout for today?

[Brad] We’ll see.

[Evan] Next week, we’ll continue the Information Security @ Home discussion. We’ll dig in a little more on identifying systems on your home network and talk about patching. In the meantime, send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and this other guy is on Twitter at @BradNigh. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

Episode 108 Show Notes – Information Security @ Home

NOTE: We’ll be a day late this week, recording on Wednesday. Work stuff and personal stuff, you probably know what it’s like.

It’s time for episode 108 of the UNSECURITY Podcast!

Brad and I (Evan) hope you had a wonderful Thanksgiving (assuming you’re in the U.S.). 2020 is a funky year to say the least. So many things that were “normal” before, aren’t so normal anymore. Despite the craziness of this year, we still found MANY things to be thankful for:

  • Our faith, and knowing that everything is going to be OK (eventually).
  • Our family.
  • Our friends.
  • Our co-workers.
  • Our community (the infosec community and our home community).
  • The people we serve.

While acknowledging that some of us have suffered significant losses this year, there’s always something to be thankful for. If you ever need support in dealing with loss or you’re just struggling, reach out to people around you. Here are some resources you might find helpful:

Love truly heals.

Some of us had a couple days off work last week. Monday we jumped right back in. The emails were still there (and maybe more of them), the projects are still in full swing, reports are still due, etc., etc. Assuming you recovered from the Monday onslaught, here we are! It’s Wednesday, and it’s time for episode 108!

Brad’s back, he’s leading the discussion today, and these are his notes. Welcome back Brad!


SHOW NOTES – Episode 108

Date: Wednesday December 2nd, 2020

Episode 108 Topics

  • Opening
  • Catching Up
    • What’s new?
    • Thanksgiving hangover?
  • Information Security @ Home
    • Picking up where we left off in episode 106
    • Why is this a big deal (personally and for employers)
    • What can we do about it?
    • Intro to what Brad and Evan do.
  • News
  • Wrapping Up – Shout outs

Opening

[Brad] Hey there! Thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 108, the date is December 2nd, 2020, and I’m your host, Brad Nigh. Joining me as usual is my good friend and co-worker, Evan Francen. Good morning Evan.

[Evan] Cue Evan.

[Brad] This will be the first time I actually get to talk to you about why yesterday was my first day back since 11/17. I have no idea what you’ve been up to because I was basically totally offline.

Quick Catchup

It’s 4th quarter, I’m now a week and a half behind and it’s only getting busier. Hopefully Evan is in a better mood than episode 106.

We’ll discuss a thing or two…

Topics:

  • 4th quarter is notoriously busy, like VERY busy, for us. Everyone is running at 100% capacity right now, which is good, but also stressful.
  • What’s going on at work? Any cool developments or announcements? Heck yeah there are!
  • Security Sh*t Show – no show last week. It was Thanksgiving!
  • Back to book writing…

Transition

Information Security @ Home

[Brad] Well, we had planned to do this last week, but 2020 won’t stop 2020’ing.

[Brad] We are going to go into more details about some of the things we do, hopefully without giving away too much, to try and help others. I feel like this could end up just about anywhere, so it should be fun!

Begin discussion

Topic Ideas:

  • Picking up where we left off in episode 106
  • Why is this a big deal (personally and for employers)
  • What can we do about it?
  • Intro to what Brad and Evan do.
  • Maybe we’ll show some examples and stuff while we’re here.

Transition

[Brad] Alright. That’s that. On to some news…

News

[Brad] Always plenty of interesting things going on in our industry. Here are a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Brad] That’s it for episode 108. Thank you Evan! Who you got a shoutout for today?

[Evan] We’ll see.

[Brad] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan can be found at @evanfrancen. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

H is for Holistic

Despite all the words that could have been chosen for the letter “H”, here it stands for:

Holistic

We use the word “holistic” semi-frequently in our industry, and there are several definitions. The two definitions I like best are both from the Cambridge Dictionary:

dealing with or treating the whole of something or someone and not just a part

and the second, similar definition:

relating to the whole of something or to the total system instead of just to its parts

So then, a couple questions with respect to “holistic” and “information security”:

  1. What is the “whole” of information security?
  2. Why is the “whole” of information security important?

Let’s figure it out.

What is the “whole” of information security?

Ask an “expert”. Heck, ask ten! See what response(s) you get.

A simple definition of information security would help; however, a significant and often overlooked problem in our industry is that we still haven’t agreed on one. If you don’t believe me, and don’t want to ask an expert, Google “What is information security?”:

  • the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.
  • Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or…
  • Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
  • Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk…
  • The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

These are only the top five results. There are certain similarities; however, there are significant differences too. Only one of the definitions mentions risk, and even then it references “mitigating risks” versus managing them. I won’t dissect all the definitions here, but the point is, we don’t all agree. Just last week, I read an article from one of our industry experts who claimed that information security and cybersecurity are one and the same.

Ugh! This is us.

If we’re not confused enough ourselves, how do you think we’re viewed by people who don’t work in our field? You know, the ones who are ultimately responsible for information security in the organizations they lead?

Many of them, and some of us, believe information security is complex, overwhelming, and confusing. The default reaction for such things?

Ignorance.

Let’s simplify, explain, and fit information security into organized boxes. Maybe this will help. In order to understand the “whole” of information security, we must first know what “information security” is. The definition:

Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

We can slice and dice this thing into millions of parts, but this will get us into the weeds quickly and back to that overwhelming feeling. A trick that’s worked for me and my clients is to dissect the “whole” of information security, from the top. Start with the goal or purpose of information security and work our way down through to the minutiae.

The purpose of information security is risk management.

Period.

The purpose of information security is NOT compliance and it’s certainly NOT risk elimination (which is impossible). So, start there.

The three high-level functional areas of information security: Administrative, Physical, and Technical means (or controls). Add those next.

Notice the overlap?

Everything is in the context of risk management. Administrative controls govern how we do things, including our handling of physical and technical controls. There has to be overlap between physical and technical controls because it doesn’t matter how well a server is configured when someone steals it.

From here, plug in all the other stuff. Again, fight the urge to dig in the weeds at this point. We can debate details for days (they vary from organization to organization anyway), but this is a good structure for holistic information security.

The most important points for holistic information security are understanding:

  • This is about risk management. (NOTE: Risk mitigation, referenced in one of the cited definitions earlier, is a risk decision as part of risk management. Some risks are completely acceptable as-is, and don’t require mitigation.)
  • Administrative controls rule the others. Computers only do what we tell them to do. Tell them to do bad stuff, and they will. Tell them to be configured poorly, and they will.
  • Information security isn’t an IT issue, clearly.

So, who cares?

Why is the “whole” of information security important?

We can’t fully realize the benefits of information security without understanding and treating the “whole” of information security. We sell ourselves, and the organizations we serve, short. Two important things come to mind almost immediately; we don’t realize the benefits and we don’t live in reality.

Reality

Treating the “whole” of information security better protects us from being blindsided by something we didn’t account for. You’ve probably heard the saying, “your security is only as good as your weakest link”? It’s been said thousands of times by people a lot smarter than me; here are just a few:

So, then. What is your weakest link?

Treating any one part of information security while neglecting others is poor information security. If you’re fooled into thinking that you’re sufficiently protecting yourself (or your organization) without taking a holistic approach, you’re living with a false sense of security. It’s not reality.

Benefits

Information security has been treated as a cost center since before I started my career in the early 1990s. Sad. Why can’t we use information security to be more efficient, drive more business, and ultimately make more money (assuming this is the purpose of the business)? We can, but it takes an intimate understanding of holistic information security and the organizations we serve.

The short of it: mission (or purpose) alignment is key. Think about it for now, and perhaps we’ll elaborate more when we get to “M”.

Treating the “whole” of information security makes us better consultants to the organizations and leaders we serve. The most common “tell” for an information security leader (CISO or vCISO) who doesn’t understand (or treat) the holistic view of information security is his/her inability or unwillingness to put risk into context. The best CISOs are 1) great leaders and 2) understand risk in context.

Honorable Mention for “H”

Several words could have been chosen for the letter “H”, including:

  • Hacker – a person who can think outside of the box, exploring ways to use things beyond their intended purpose. Some hackers are motivated by curiosity, others by notoriety or money. What motivates a hacker is often deeply personal. Just like most things in life, hacking can be used for good or evil, depending upon the motivation.
  • HAL – an acronym for hardware abstraction layer, but every time I think “HAL”, I think of HAL 9000. HAL 9000 is the fictional artificial intelligence system from 2001: A Space Odyssey. If you haven’t seen this movie, stop reading now. It’s a classic, and you need to watch it.
  • Hardening – making systems (infrastructure, computers, etc.) less penetrable (or less vulnerable), often through configuration. Classic hardening techniques are removing applications that aren’t necessary, removing services that aren’t necessary, strengthening authentication (with MFA or other), etc. Well-known resources for system hardening include CIS Benchmarks and the Security Technical Implementation Guides (or STIGs).
  • Hardware – the stuff you can touch. Assets come in two forms; tangible and intangible. Hardware assets are tangible and are often used to manage intangible assets such as software and data.
  • HITECH – acronym for Health Information Technology for Economic and Clinical Health Act. This regulation was enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). HITECH prescribes certain information security requirements and clarifies others (related to HIPAA) for healthcare and related entities.
  • HIPAA – acronym for the Health Insurance Portability and Accountability Act, enacted in 1996. Prescribes certain information security and privacy requirements for healthcare entities.
  • Heuristic – in simple terms, methods of deriving solutions to problems through learning and experience.
  • Home Area Network (HAN) – the network, and everything connected to it, in your (and my) home.
  • Honeypot – a purposely vulnerable computer system deployed to attract attackers. Honeypots are often deployed as a deception technique and/or to learn about the tactics attackers are using in the wild.
  • Human – You and me. I’ve often said that information security isn’t about information or security as much as it is about people (humans). Humans are the ones who suffer when things go wrong (if we didn’t, then nobody would care), and we are the most significant risk (not the computer).

That does it for “H”, now on to “I”.

Episode 107 Show Notes – Happy Thanksgiving

Hey there, it’s time for episode 107 of the UNSECURITY Podcast!

Just when you think you can’t get any busier…

You get busier.

Maybe if I learned to say “no” a little more often. My dilemma is 1) mostly brought on by myself and 2) is a blessing. It’s better to be busy than to have nothing to do, especially when you’re helping people. I’m grateful.

Short introduction today. Too much going on to elaborate much (for now).

On to the show notes…

This is Evan, I’ll lead the discussion today, and these are my notes…


SHOW NOTES – Episode 107

Date: Tuesday November 24th, 2020

Episode 107 Topics

  • Opening
  • Catching Up
    • What’s new?
    • “Information Security @ Home”
  • Happy Thanksgiving
    • What are you grateful for?
    • What’s different this year?
    • What’s the same?
    • Holiday shopping tips for EVERYONE
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey there! Thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 107, the date is November 24th, 2020, and I’m your host, Evan Francen. Sadly, Brad won’t be joining me today. He’s out of commission fighting a bout of labyrinthitis. The prognosis is good, so we expect him to be back soon!

So, this means you’re all stuck with me. I’ll do my best to provide some value for your ears and brain.

Quick Catchup

[Evan] The catchup time is a little different without Brad, so I’ll just give you a quick recap of what I’ve been up to.

Topics:

  • 4th quarter is notoriously busy, like VERY busy, for us. Everyone is running at 100% capacity right now, which is good, but also stressful.
  • Security Sh*t Show – this is live on YouTube every week; Thursday nights at 10pm CST.
    • Last week Chris Roberts and I did the Paqui One Chip Challenge online with a couple fans.
    • We also unveiled a new sticker (see below). If you’d like one, just subscribe to the Sh*t Show YouTube channel and let us know.
  • Information security hobbies – I’ve been working on a Raspberry Pi home network security device, including Kismet, pfsense, and Pi-hole. More to come on this next week.
  • Maybe another thing or two.

Transition

Happy Thanksgiving!

[Evan] Originally, Brad and I were going to continue our discussion about information security at home, then I realized that this is Thanksgiving week! Instead of talking about our original topic, I’m going to talk about protecting yourself (and your family) from holiday shopping scams. For many Americans, Friday marks the beginning of the holiday shopping season, and it’s important for all of us to be careful! Lots of things have changed this year, it is 2020, but some things haven’t. The scammers are still scamming, and most of the scams are the same this year as they’ve been in years past.

Some interesting stats/information:

  • 61% of Americans have already started holiday shopping (before Thanksgiving)
  • 22% of Americans start their holiday shopping on (or after) Thanksgiving
  • 15% of Americans start their holiday shopping in December
  • 2% of Americans start their holiday shopping in January (hopefully for next year)
  • Last year:
    • $730 billion was spent on holiday shopping
    • $135.5 billion was spent holiday shopping online
    • $71.3 billion was spent holiday shopping using a mobile device
  • Online holiday shopping (in terms of dollars spent) is expected to increase by 35.8%

More online shopping, coupled with the fact that most of us are more distracted (than ever), means attackers could have a heyday.

Opportunity + Distraction = Success (for scammers)

Tips to protect yourself and your loved ones (we will make this into a checklist soon):

Most important – situational awareness. It’s the umbrella for all other protection activities/behaviors.

  1. Ship to a secure location – avoid shipping to places where merchandise could sit unattended and insecure for long periods.
  2. If you decide to use a mobile app for shopping, use official retailer apps only.
  3. Don’t save payment card (debit or credit) information in any shopping accounts.
  4. Use Apple Pay or Google Pay for payments wherever it’s available.
  5. If you’re unfamiliar with a retailer, do your research before buying. Make sure the site and retailer are legitimate.
  6. Don’t rush to purchase at the lowest price. Slow down and think about security risks first.
  7. Never make purchases on public Wi-Fi – Never.
  8. Use a VPN when shopping (or doing anything sensitive) online.
  9. Always use strong passwords and a password manager.
  10. Check security and/or privacy policies, especially for retailers you’re unfamiliar with.
  11. Legitimate retailers will NEVER ask for your Social Security number, so don’t give it out.
  12. Make purchases with credit cards over debit cards.
  13. Make purchases with prepaid debit cards over credit cards or regular debit cards.
  14. Review all your accounts and bank statements regularly. You should be doing this all year.

Please be careful this holiday season. DO NOT let scammers steal ANY of your joy or hope!

Transition

[Evan] Alright. That’s that. On to some news…

News

[Evan] Always plenty of interesting things going on in our industry. Here are a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] That’s it for episode 107. Gonna give my shout outs…

[Evan] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!