Family Visit from FRSecure

What happens in Mexico, stays in Mexico.

NOT because anything bad or controversial happens here, far from it. It’s because this is a safe place to be “real”, to let your guard down without being attacked for being you. I’ll share things, but never in detail, protecting those who share things in confidence.

ELT in Puerto Vallarta, Q4/2022

Last week, the FRSecure Executive Leadership Team (ELT) was here.

GLOAT: Holy crap, these are AMAZING people! Collectively, they do GREAT things everyday. Individually, each ELT member is uniquely INCREDIBLE in their own right. Spending time with the FRSecure ELT is HUGE blessing for a CEO like me. I’ll never take this time for granted.

Information security is not about information or security as much as it is about people.

Me

The ELT comes to Puerto Vallarta (where I live) twice a year to do whatever they want. This has MUCH less to do about business than it does about doing life together. This is a time to just be people. To rest, hang out, fish, scuba dive, eat great food, swim, play games, take in the sights, etc. The ELT can do whatever they want to do, when they want to do it. No rules beyond what’s legal, responsible, and respectful (never a problem with this group).

This slideshow requires JavaScript.

Sure, we talked about more than our share of information security stuff, discussed lots of cool information security ideas, and made plans to serve our customers better, but this was secondary to us being healthier together.

Fix what’s broken with the information security industry.

FRSecure’s mission.

It was a GREAT week and I’m PROUD of this team! We are all focused on our mission, and we won’t achieve the mission without each other. The trust we have built in each other and the love we have for each other will get us through all of the hard times. On the flip side, it’s pretty damn cool to celebrate success with “real” people who have become family.

We made a TON of AMAZING memories. We played games at my dining room table (I didn’t, but I watched the others play, shedding a few “man tears” as I call them). We drank. We sang. We ate. We laughed. We cried (yeah, I cried, but shut up). We talked. We argued. We got mad. We reconciled. We smiled. We laughed. We fought. We sweated (it’s hot in Mexico for some people). We swam. We took in sights. We fished. We dove. We hugged. We talked (about hard stuff sometimes). We rested. We listened. We shouted. We danced. We were offended (to some degree or other). We forgave.

At the end of the week, we had reinforced what we already knew. We are family.

LOVE my FRSecure family, starting with the amazing FRSecure ELT, and I can’t wait until next time (March, 2023)!

UNSECURITY Episode 138 Show Notes

Hope you had a wonderful Independence Day (July 4th)! We’ve gone through a lot together in this country, and I love this place we call home. Lots to do in making the USA better, but this will always be the case. This is the best country in the world, and I’m grateful!

In case you missed it, two big events last week; the Kaseya ransomware attack and Microsoft’s PrintNightmare.

Kaseya Ransomware

So, you might have heard. On Friday (going into July 4th weekend), computers around the world (not all of them, but maybe ~1,000,000 of them) started to lock up. The announcement came around midday that Kaseya’s VSA servers were being used to distribute ransomware, primarily to MSP customers. My first thought was “Oh shit! We might have another SolarWinds.” Thank God, this wasn’t the case.

Facts started to come in, and it became evident that this was an attack directed at VSA servers hosted by MSPs. Some MSPs (about 2,200 of them) installed their VSA servers so that they were accessible from the Internet. I’m not a VSA expert, but this high number implies this as standard practice. A zero day vulnerability (and exploit) was discovered by the REvil ransomware gang (or an affiliate) and was used to infect clients.

Kaseya already knew about the vulnerability thanks to the good work by Wietse Boonstra and his compatriots at NIVD. The vulnerability was reported to Kaseya and the two groups were working on a patch at the time of the ransomware attack. The end result was somewhere between 60-70 MSPs affected and somewhere between 1,200-1,500 companies infected. Kaseya did a good job responding, and so did many MSPs. Lessons learned are TBD after the dust settles.

Links referenced in today’s show are below.

Microsoft PrintNightmare

If it hadn’t been for Kaseya, this would have been top news. In terms of scope, this is much bigger, affecting many millions of servers (and companies). In terms of potential impact, this also exceeds the Kaseya attack. News broke on June 30th about an impressive and potentially very damaging vulnerability in the Microsoft Print Spooler service. On July 1st, Microsoft released additional information about the vulnerability and offered (un)helpful guidance.

There is an exploit in the wild for this vulnerability that allows complete control over a server (and Active Directory).

We’ll talk a little about this too. Links referenced in today’s show are also below.

 

OK. Show notes for episode 138…


SHOW NOTES – Episode 138 – Tuesday July 6th, 2021

Opening

[Evan] Welcome listeners! It’s good to have you join us. Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 138, and the date is July 6th, 2021. Joining me is my good friend, Mr. Brad Nigh. Good Morning Brad!

[Evan] Hope you had a wonderful 4th of July. Many people had the day off yesterday, but some people were fighting the fire caused by ransomware deployed through Kaseya’s VSA servers. This is where we’ll start.

Kaseya Ransomware Attack

Here’s a list of links/articles we’re explore in this episode:

All in all, this attack could have been MUCH worse than it was. Incident responders did a great job and communicated well. More to come in time…

Microsoft PrintNightmare

This one is a doozy. Here are the three links/articles we’ll reference in this episode:

Last week’s show was all about Microsoft security debacles, and now this. A patch is not available yet and many IT teams are scrambling right now. I’m become less and less of a Microsoft fan with each passing day.

That’s it for today’s show. Lots of work to do!

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 137 Show Notes

It’s been a few weeks since I posted show notes, and even then, I’m late!

If you working in the information security industry, you’re probably extremely busy. My busyness is what’s kept me from updating show notes and things.

Episode 137 was a fun one. Brad was back and we talked about all Microsoft’s recent blunders/issues.

John McAfee

Before we get into it, I want to take a moment to remember John McAfee. On June 23, he was found unresponsive in his jail cell at the Brians 2 Penitentiary Center near Barcelona, Spain. Sadly, he passed away at the age of 75 after an apparent suicide by hanging. He had just lost his hearing for extradition to the United States.

John McAfee was a very interesting guy, and some might say he was nuts and a crook. While that might be true (I don’t have evidence to say either way), I remember him before the mid-2000s, when he was an icon in our industry. The guy was smart as hell!

  • 1968 – 1970, programmer for NASA working on the Apollo Program
  • Software designed for Univac
  • Operating system architect for Xerox
  • Software consultant for Computer Sciences Corporation
  • Consultant for Booz Allen Hamilton
  • Software engineer for Lockheed (where he first learned about computer viruses and came up with the idea to remove them programmatically)
  • 1987, founded McAfee Associates Inc which sold the world’s first anti-virus software
  • 1990, sold millions of copies of McAfee anti-virus software leading to John’s $5M/year salary
  • 1992, McAfee’s initial public offering (IPO)
  • August 1993, steps down as CEO.
  • 1994, sold all his remaining stake in McAfee Associates Inc.

In January 2014, after Intel (who’d acquired McAfee in August 2010) announced that McAfee products would be marketed as “Intel Security”:

I am now everlastingly grateful to Intel for freeing me from this terrible association with the worst software on the planet.” – John McAfee

Soon afterwards, the business was de-merged from Intel and re-acquired the McAfee name.

John McAfee was all over the place after divesting from the company with his name. He invested in many ventures, travelled, dabbled in politics (two U.S. presidential candidacies), was a person of interest in a Belize homicide investigation, charged with tax evasion, posted hundreds of public remarks and videos on social media, before it all eventually ended on June 23rd. He was a very interesting person who was influential in our industry.

I will miss him.

OK, now the show notes. Here’s the notes (with relevant links). Episode 137…


SHOW NOTES – Episode 137 – Tuesday June 29th, 2021

Opening

[Evan] Welcome listeners! It’s good to have you join us. Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 137, and the date is June 29th, 2021. Joining me is my good friend, Mr. Brad Nigh. Good Morning Brad!

[Evan] Welcome back sir. Happy that you’re back in the saddle again. Microsoft was front and center in the information security news this week. Let’s dissect some of this.

Microsoft in the (Information Security) News

Here’s a list of articles that we talk about in this episode:

Obviously, Microsoft has its hands full. Don’t we all? One issue with Microsoft is how much control they have over our industry and how much data they hold. Significant information security events at Microsoft have a significant impact for millions of organizations.

Just one other news article of interest this week: One billion dollars lost by over-60s through online fraud in 2020, says FBI – https://hotforsecurity.bitdefender.com/blog/one-billion-dollars-lost-by-over-60s-through-online-fraud-in-2020-says-fbi-26049.html

That’s a lot to unpack! Hopefully you caught all that.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

M is for Money

Fundamentals are critical to the foundation of an information security program (or strategy). Deficiencies in information security fundamentals are analogous to cracks in a fortress foundation. Fortress defenses won’t stand and neither will your information security protection.

The Information Security ABCs are drawn from information security fundamentals. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the fundamentals, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

It’s been too long, but the time has come for the letter “M”.

The magnate’s magnitude of moneymotivated myriad manipulation makes mayhem and mess of society’s macrocosmmasqueraded with mentor-less and maladroit management who’s malfunctioning mandates manifest in the malefactor’s monopoly.

The letter “M” is for “money”. It shouldn’t be, but it is.

Our Tribe

Last year (2020) we spent an estimated $123,000,000,000 (that’s $123 billion) on “cybersecurity” worldwide. That’s a helluva sum of money, and it begs to question:

  1. What did we get for all this money?
  2. Was (all/some/any of) this money well spent?
  3. Is this too much money, not enough money, or about right?

At a macro level, these questions are nearly impossible to answer objectively. There isn’t uniformity in how we apply or measure information security effectiveness (although we’re working hard to change that) and we don’t have quality data. When we consider estimated losses (to “cybercrime”), maybe we get an indication of how we’ll we’re doing.

According to estimates/predictions from Cybersecurity Ventures, cybercrime will cost us $6,000,000,000,000 (that’s $6 trillion) this year (2021), up from $3 trillion in 2015. The trend doesn’t appear to reverse anytime soon, with 2025’s losses expected to approach $10.5 trillion.

Are we doing this right? Our cybersecurity investments are growing, but our losses are growing faster.

Who’s getting paid?

Simple. The $123 billion goes into our pockets. The $6 trillion goes into the criminals’ pockets.

The Good.

There are many, many good people making a good living in our industry. They’re “good” people because they do their work for the right reasons, to protect others, and to protect information that’s been entrusted to them.

We all get paid in this industry. I get paid, you get paid, our co-workers get paid, our bosses get paid, the companies we work for get paid, etc., etc. Some of us get paid a lot, some of us get paid less. There’s nothing wrong with getting paid. We have bills and people to support (whether it’s just us, our family, etc.).

According to CyberSeek, there are 956,341 people employed in the U.S. “cybersecurity workforce” and nearly a half million job openings. The supply of talent is “very low” and the demand is high. If you believe the numbers, our job prospects should be good for a long time. According to ZipRecruiter, “the Average Cyber Security Salary”  is $112,974 per year, ranging from $125,664 in New York to $82,936 in North Carolina.

Again, if we agree with these numbers, the average worker in our industry makes good money. We make twice as much as the average U.S. worker. This is good!

The Bad.

The criminals are expected to steal nearly $6 trillion worldwide in 2021. This is a HUGE number, so let’s try to put this into perspective.

  • The worldwide economy (GDP – nominal) is roughly $94 trillion, so cybercrime is costing about 6.38% of the world’s economy.
  • The global pharmaceutical market is roughly $1.27 trillion. Cybercrime has this number beat by a factor of four.
  • Some estimates put the global drug trade at roughly $450 billion. Not even in the same league as cybercrime.
  • Only the United States ($22 T), European Union ($19.2 T), China ($16.6 T), and Japan ($6.2 T) have economies larger than the cybercrime economy.

Cybercrime is expected to grow by as much as 15% annually. There are (at least) three primary reasons why global cybercrime has gotten (and continues to get) out of hand:

  • Lack of accountability. The lack of accountability when it comes to information security is astounding.
    • There’s very little (if any) accountability for the criminals.
    • There’s no accountability for software companies writing crappy code (as long as we keep buying it, they’ll keep selling it).
    • There’s very little accountability for the CEO who ignores his/her responsibility to protect their company’s assets and customers’ data. Compliance is a joke because we stop once the box is checked. As long as nobody really pays the price, there isn’t much motivation to change. Instead of individuals paying the price, the costs are spread across a wide population through higher fees, higher prices, etc.
  • We like our ignorance. Nobody will admit it, but we must not really care. We have the illusion of care, but we don’t really care. If we did, we would nail the basics. We don’t like the basics because the basics are work. The criminals like that we don’t like the basics because they have less work too. We do less work, they do less work. Maybe that’s the twisted win-win here.
  • We adopt technology much faster that our ability to secure it. We live in an easy button, instant gratification, entitlement world where we lust for new features, blinking lights, and hot gadgets. Every day, we add more and more complexity to our lives, pushing good information security further and further out of reach. Complexity is the worst enemy of security.

The cost of cybercrime seems like a cost we’re willing to accept and it’s definitely a cost we’re going to pay. This doesn’t magically go away, and the endgame is actually pretty scary to think about.

The Ugly.

There are the wolves (the criminals) and there are the wolves in sheep’s clothing (those in our industry who take advantage of others in our industry). There’s a population within our industry who doesn’t give two sh*ts about protecting the innocent, but instead prey on their fear and ignorance. These are the vendors and marketers who will keep selling you crap you don’t need, can’t use, or doesn’t work. Some of these players are very big, and I won’t name names, but you know who they are.

The illogical acceptance of vendor BS:

Vendor: “Buy my thing, you need it.”

Ignorant Victim: “OK, if you say so. It looks cool.”

 

Ignorant Victim: “Hey, I think your thing is making me vulnerable.”

Vendor: “Well you have to patch my thing.”

Ignorant Victim: “But it’s your thing, why do I have to patch it?”

Vendor: “Because when you bought it, the liability became your thing.”

Ignorant Victim: “OK. How often do I need to patch your thing.”

Vendor: “We don’t know, maybe monthly.”

 

Ignorant Victim: “Hey, I don’t think your thing works.”

Vendor: “Oh, that’s because you didn’t configure it right.”

Ignorant Victim: “How do I configure it right?”

Vendor: “You can try reading the manual or you can attend our training. Attending our training is recommended, and it’s only $5,000.”

Ignorant Victim: “OK, so I should pay $5,000 to learn how to use your thing that I paid you for?”

Vendor: “Yep, that’s how it works.”

 

Ignorant Victim: “Hey, a criminal hacked your thing and stole a ton of stuff from us.”

Vendor: “That sucks. Oooh. Looks like you didn’t have our other thing that would protect the first thing from criminals.”

Ignorant Victim: “So I need to buy another thing from you to protect your first thing that was supposed to protect me?”

Vendor: “Yep. Times change and we gotta keep up.”

 

Ignorant Victim: “Hey, me again. Looks like somebody compromised the first thing again, even though we had the second thing.”

Vendor: “Yeah, that’s because we don’t support the first thing anymore. You should have gotten the nextgen first thing.”

Ignorant Victim: “But it seems like the first thing should have done the things that the nextgen thing does now.”

Vendor: “Well, not really. The nextgen thing uses this new proprietary technology that nobody knows about or can explain.”

 

Ignorant Victim: “I don’t think the nextgen thing is serving our needs anymore. It’s really hard to use and I can’t afford the manpower to run it.”

Vendor: “Lucky you! We’ve got a new cloud nextgen managed service thing! You’ll love it.”

Ignorant Victim: “Cool! Do I still need the nextgen first thing and the second thing?”

Vendor: “We can get rid of the the nextgen first thing because we moved that to the cloud, but you should keep the second thing. One more thing, we need to add a third thing so we can talk to the cloud through it.”

 

Vendor: “So how you liking this cloud thing? We just released the hypergen version, and I’d like to show it to you. Oh, and by the way you’re still patching the first thing and third thing, right?”

Ignorant Victim: “Patching? Um, yeah, we’re doing that. Tell me more about this hypergen thing.”

 

Vendor: “Oh crap! Our nextgen cloud thing got it. You suffered because you weren’t in our hypergen thing yet. We’ve added a new feature to the hypergen thing that you’ll need too. It’s super cool, it’s a feature that can think for itself! We call it “artificial intelligence”. It’s finally the easy button we’ve all been looking for!

…and the insanity never ends.

 

Some marketers and vendors in our industry are top notch, but there are far too many who will sell you anything to get your money. They don’t care if it’s the thing you should buy or if it’s a thing you can even use. Just buy it.

Somehow, someday, we need to hold information security product and service vendors accountable for:

  • Making sure their products and/or services do what they say they do. False advertising needs to go.
  • Making sure they don’t sell things that aren’t the right fit. Stop selling customers (or victims) things they can’t use, aren’t ready to use, or shouldn’t use.
  • Making sure they’re held liable for damages caused in full or in part because of their faulty products and/or services.

The truth is, any organization who doesn’t understand and practice information security fundamentals is the PERFECT victim for the criminal AND the wolf in sheep’s clothing. What are the fundamentals? Good you asked.

Information Security Fundamentals

I won’t spend a ton of time on this because we could write a book on this. Wait a second. I did, and so have others.

Briefly…

  1. Roles and responsibilities. Who’s responsible for what and what’s expected of them? Once defined, motivate and hold people accountable.
  2. Asset management. You can’t possibly protect the things you don’t know you have. If asset management seems too complex, it’s probably because your environment is too complex, and something’s out of whack. Assets come in three flavors; hardware, software, and data. You could add “people” as an asset too, but you know, people are hard.
  3. Control. Only now can you determine what controls are adequate. You can’t secure what you can’t control, and there’s lots to do here. Configuration control, access control, change control, etc.
  4. Wrap all this is risk management. Information security IS risk management.

Don’t know what risk management is, or not certain? Make it simple:

  • Assess, Decide, Implement/Do, Assess, Decide, Implement/Do, etc.
    • Risk Assessment – good assessments are objective, measurable, comprehensive, and actionable.
    • Decide – only four choices here: accept the risk, mitigate the risk, transfer the risk, or avoid the risk.
    • Implement/Do – do the work it takes to make the decision a reality.
  • Risk is likelihood something bad will happen and the impact if it did. Likelihood and impact are driven by threats and vulnerabilities. (note: you won’t know your vulnerabilities without asset management).
  • If we’re talking “information security”, we’re talking about operational/administrative controls, physical controls, and technical controls. This is NOT an IT issue.

In Conclusion

M is for money. Lots of money.

Some people say this is a dog eat dog world. I like dogs. They’re wonderful creatures. Often the difference between what makes a good dog and a bad dog is how they were raised. I believe all dogs were good at the start, but some got stuck with sh!tty owners.

The good dog – The good dog serves others. They’re loyal, selfless, dependable, loving, etc. Most people in our industry are “good dogs”, myself included. We’re in this for the right reasons, and we make money as a reward for the good honest work we do.

The bad dog – The bad dogs serve themselves. They steal, fight, hurt others, etc. The criminals are “bad dogs”, but sadly so are some people in our industry. They make money by taking advantage of others. Most bad dogs know they’re bad, but some lack the self-awareness to know any better.

Be a good dog. Make lots of honest money AND make a positive difference in the lives of the people we serve!

UNSECURITY Episode 134 Show Notes

Alright, welcome back! We had a great run of guests over the past 7 or 8 weeks, and now it’s back to Brad and I for a bit.

If you missed any of the guest episode, here’s a recap:

Memorial Day

Monday, May 31st was Memorial Day. It’s a day of remembrance and gratitude. Here’s the text from one of my Twitter posts:

  • A small table set for one, symbolizing the isolation of our absent service member.
  • The table is round to represent the everlasting concern the survivors have for the missing.
  • The white tablecloth symbolizes the pure motives of our lost service members who responded to our country’s call to arms.
  • A single rose in the vase represents the blood our service members have shed in sacrifice to ensure the freedom of the United States of America.
  • The rose also represents family and friends who keep the faith while awaiting the return of the missing service members.
  • The red ribbon represents our service members’ love of country that inspired them to serve our country.
  • A slice of lemon on the bread plate represents the bitter fate of the missing.
  • Salt sprinkled on the bread plate represents the tears shed by waiting families.
  • The inverted glass represents the fact that the missing and fallen cannot partake.
  • A Bible represents the spiritual strength and faith to sustain the lost.
  • A lit candle symbolizes a light of hope that lives in hearts to illuminate the missing’s way home.
  • An empty chair represents the absence of our beloved missing and fallen. service members.

We are grateful for all our men and women who serve in uniform and we hold those who sacrificed all in the highest esteem.

The Show Must Go On

Visiting with our guests the past couple months has been a lot of fun and we hope it’s been educational and entertaining for our listeners. We hope listeners enjoyed listening as much as we enjoyed hosting!

This week (episode 134), Brad and I are going to take a look at some of the recent news. Lord knows, there’s plenty to cover!

Let’s get to the episode 134 show notes, shall we?


SHOW NOTES – Episode 134 – Wednesday June 2nd, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 134, and the date is June 2nd, 2021. Joining me is my good friend, Mr. Brad Nigh. Good Morning Brad!

[Evan] Welcome back from Memorial Day weekend. It was a beautiful weekend to pay our respects.

What’s going on in the world of “cybersecurity”?

Today, we’re going to change things up a little. There’s so much going on in the world around us, I thought it would be good for us to focus on six news articles and discuss them. Here they are:

That’s a lot to unpack! Hopefully you caught all that.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 133 Show Notes

We’re back with another amazing guest this week! It’s our treat to welcome Gabriel Friedlander from Wizer to the show!

The guests from the last month (or so) have been incredible. There are so many great people in our industry who are in this for the right reasons, primarily to serve other people!

If you missed any of these shows, you can find them here:

This week, episode 133, we’re joined by a really cool guy with a huge heart for serving the underserved, Gabriel Friedlander from Wizer!

A quick introduction to Gabriel and Wizer is in the show notes (below).

This will be a GREAT episode for sure!

NOTE: We’re looking for people from other walks of life to share their perspectives too, especially men and women of color. Let us know at unsecurity@protonmail.com if you have suggestions.

Let’s get to the episode 133 show notes, shall we?


SHOW NOTES – Episode 133 – Tuesday May 25th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 133, and the date is May 25th, 2021. My buddy Brad is here, as usual. Good morning Brad!

[Evan] I’m excited to welcome our guest this week. He’s someone I greatly admire, and a true asset to our community, Gabriel Friedlander from Wizer. Welcome Gabe!

Getting to know Gabriel Friedlander

An open and honest dialog with Gabriel about his background, ObserveIT, Wizer, and whatever else comes up in our conversation.

About Gabe – From His LinkedIn Profile

I founded wizer-training.com in early 2019 with a mission to make basic security awareness training free for everyone. Since then Wizer has been rapidly growing with over 6000 organization who signed up for our free training. And in 2020 we partnered with several local counties to offer free Citizen Training. We believe that in this day an age, security awareness should be a basic human skill.

Prior to founding Wizer I was the co-founder of ObserveIT (acquired by ProofPoint) , a company specializing in the detection and prevention of insider threats. I am also the co-author of the book, “Insider Threat Program: Your 90-Day Plan”. For more than a decade I have researched insider threat and trained numerous organizations on how to avoid and mitigate the risk it poses.

About Wizer

Did you know the average human attention Span is 8 Seconds – that’s just 1 Second Less Than A Goldfish! So we created training videos to be around 1 min long, entertaining, and to the point.  Our goal is to train employees on how to avoid today’s most common cyber attacks and to help create a “Human Firewall”.  Since there are officially more mobile devices than people in the world, we made Wizer mobile-friendly so you can access it from anywhere, anytime, with or without sound. Happy learning!  

Gabriel didn’t need another job (or necessarily the income) when he started Wizer. He started Wizer because he saw a need, wanted to help, and was looking for something fun to do. At first, everything Wizer did was free, and Gabriel didn’t have a plan for making money. Since then, things have taken off and he’s had a tremendous positive impact on our community.

News

Guessing we’ll use up the entire hour talking to Gabriel. Maybe we’ll cover some news next week.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Gabriel, how do you want people to find you?

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 132 Show Notes

Hey Listeners!

Spring is in full bloom (finally) in Minnesota, and life is good. The weather is great, and last week, our Governor (Tim Walz) lifted the mask mandate for people who are vaccinated and maintain some semblance of social distancing. It’s good to see people’s faces again, especially when they’re smiling. 🙂

We’re grateful for the guests who have joined our show the past four weeks! We’ve learned a ton from these conversations.

If you missed any of these shows, you can find them here:

NOTE: We’re looking for people from other walks of life to share their perspectives too, especially men and women of color. Let us know at unsecurity@protonmail.com if you have suggestions.

This week, we’re not planning to have a guest, so you’ll have to put up with Brad and I.

Next week (episode 133) we’re hoping to have Gabriel Friedlander from Wizer on the show!

Let’s get to the episode 132 show notes, shall we?


SHOW NOTES – Episode 132 – Tuesday May 18th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 132, and the date is May 18th, 2021. Joining me is my good friend, highly-skilled information security expert, and all around great guy, Brad Nigh.

Good morning Brad!

There are so many things happening in our world, it’s hard to keep track. One interesting event from the last week (other than the Colonial Pipeline attack) was the announcement of President Biden’s Executive Order (EO) 14028 titled “Improving the Nation’s Cybersecurity”. In today’s episode, Brad and I are going to break this down.

Improving the Nation’s Cybersecurity

  • The EO was announced by the Administration on 5/12/21.
  • There’s a lot of information to unpack here, including:
  • Section 1. Policy, containing:
    • Policy statement.
    • Scope.
  • Section 2. Removing Barriers to Sharing Threat Information, containing:
    • Review existing reporting requirements and procedures.
    • Recommend updates to the Federal Acquisition Regulation (FAR).
    • Update the FAR.
    • Enforce IT/OT provider compliance.
    • Centralize reporting.
    • Provide budget for this section.
  • Section 3. Modernizing Federal Government Cybersecurity
    • Adopt security best practices.
    • Advance toward Zero Trust Architecture.
    • Accelerate movement to secure cloud services.
    • Adopt multi-factor authentication.
    • Encrypt data at rest and in transit.
    • Centralize and streamline access to cybersecurity data.
    • Invest in both technology and personnel to match the modernization goals.
  • Section 4. Enhancing Software Supply Chain Security
    • Develop standards, tools, and best practices for secure software development.
    • Enforce secure software development practices.
    • Define and enforce a “Software Bill of Materials (SBOM)”.
    • Define “critical software” and its protection requirements.
    • Consumer labeling programs for IoT and software.
  • Section 5. Establishing a Cyber Safety Review Board
    • Requirements for a new “Cyber Safety Review Board”.
    • All requirements are for the Secretary of Homeland Security and the (yet to be established) Cyber Safety Review Board (“board”).
  • Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents; the playbook:
    • Will Incorporate all appropriate NIST standards.
    • Be used by all Federal Civilian Executive Branch (FCEB) Agencies.
    • Will articulate progress and completion through all phases of an incident response.
    • Will allow flexibility so it may be used in support of various response activities.
    • Establishes a requirement that the Director of CISA reviews and validates FCEB Agencies’ incident response and remediation results upon an agency’s completion of its incident response.
    • Defines key terms and use such terms consistently with any statutory definitions.
  • Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
    • The adoption of a Federal Government-wide Endpoint Detection and Response (EDR) initiative.
    • CISA threat hunting on FCEB networks and systems without agency authorization.
    • Information sharing between the Department of Defense and the Department of Homeland Security
  • Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities
    • Types of logs to be maintained.
    • Time periods to retain the logs and other relevant data.
    • Time periods for agencies to enable recommended logging and security requirements.
    • How to protect logs (logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention)
    • Data shall be retained in a manner consistent with all applicable privacy laws and regulations.
    • Ensure that, upon request, agencies provide logs to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.
    • Permit agencies to share log information, as needed and appropriate, with other Federal agencies for cyber risks or incidents.
  • Section 9. National Security Systems
  • Section 10. Definitions
  • Section 11. General Provisions

This will be a great conversation as Brad and I share our summary, thoughts and opinions on all this!

News

Just time for one news story this week. This one is from Brian Krebs, “Try This One Weird Trick Russian Hackers Hate“.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 131 Show Notes

Apologies for not posting something about last week’s show, episode 130. We were honored and pleased to welcome John Strand from Black Hills Information Security as our guest. John, Brad and talked openly about John’s path through information security, what Black Hills is working on, the different pockets of security people, why it’s important to work together as information security vendors to improve the community, and John’s latest Pay What You Can (PWYC) Series.

It was a GREAT talk and we’re VERY grateful that John stopped by. Check out episode 130 here; https://podcasts.apple.com/us/podcast/unsecurity-episode-130-john-strand-black-hills-information/id1442520920?i=1000520139261

Episode 131

Pumped about this week’s show!

My good friend, Security Shit Show co-host, hacker extraordinaire, and all around great guy Chris Roberts is stopping in for a chat.

Special Guest – Chris Roberts

Chris and I (Evan) were introduced to each other by our mutual friend Tony Cole maybe three years ago, but we didn’t get to know each other well until the last 13, 14 months. We’re both REALLY busy guys, so our circles just didn’t cross much. In the past year, we’ve gotten to know each other quite well which is no surprise seeing that we spend more than two hours together each week on the Security Shit Show with Ryan Cloutier (another great guy).

Things about Chris:

From his LinkedIn Profile:

  • Currently the Chief Security Strategist for Cynet Security (among many other things)
  • Currently an Executive Committee Member at the CyberEdBoard Community
  • Currently an Advisor, Researcher, Hacker, Etc. at HillBilly Hit Squad
  • Currently co-host of The Security Shit Show
  • Former Chief Security Strategist at Attivo Networks, Inc.
  • Former Chief of Adversarial Research and Engineering at LARES Consulting
  • Former Chief Security Architect at Acalvio Technologies
  • Former Senior Consultant at Sentinel Global LLC
  • Founder of One World Labs
  • Former Managing Director Electronic Intelligence/Principal Investigator at Cyopsis, LLC
  • Former President/CEO at CCi5, Inc.
  • Former Director of Coalfire Labs at Coalfire Systems, Inc.
  • and on and on…

Chris has been all over the world and all over the United States doing crazy cool hacker stuff at every stop.

He is truly on of my favorite people on the planet to talk to! Always a good time.

Other Guests – Past, Present, and Future

Lots of GREAT conversations with lots of GREAT information security folks!


SHOW NOTES – Episode 131 – Tuesday May 11th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 131, and the date is May 11th, 2021. Joining me is my good friend, infosec buddy and partner in crime.

Also joining the UNSECURITY Podcast is our special guest, Mr. Chris Roberts! Welcome my friend. It’s an honor to have you on our show!

Introducing Chris Roberts

  • Let’s start with trying to figure out how Chris first got into the information security industry.
  • Next, we’ll see how far we can get down his career path before 1) we start chasing squirrels (we’re both ADD) or 2) we run out of time (because there’s A LOT there).
  • The Colonial Pipeline Attack and global security tensions/consequences.
  • Current projects.
  • Current events.

We’ll see if we get to his plane hacking antics too, but I’m not sure we’ll have the time.

News

We’ll probably skip news in this show. Guessing that Brad, Ron, and myself will have no problem filling the entire show with good discussion.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! HUGE thank you to Chris for joining us. If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Chris is easy to find, but can be reached on LinkedIn and Twitter (@Sidragon1).

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

Operationally Cumbersome?

The leading cause of death in the workplace is falls. 36.5% of all fatalities are due to falls, followed by 10.1% caused by being struck with an object. Recognizing the problem, OSHA created requirements to protect workers from falls, including:

  • guardrail systems
  • safety net systems
  • personal fall arrest systems
  • covers
  • positioning device systems
  • fences
  • barricades
  • controlled access zones

All these controls, when used properly, save lives.

Hypothetical Scenario

A successful construction company is working on a 30-story office building. Timelines were already tight, but a series of material delivery delays has put them way behind schedule. In a rush to complete the project, it’s easy overlook certain things. In this case, a properly configured personal fall arrest system was overlooked. They bought the system, the system was onsite, but the system wasn’t installed correctly. Nobody noticed until one day a worker, twenty stories up, slipped and fell to his death.

As you can imagine, there was a serious investigation. In the end, the company admitted their oversight, received a fine, settled a lawsuit with the worker’s family, and continued operations.

A few weeks later, same thing happens. Another investigation, another slap on the wrist, another settled lawsuit, and back to business as usual.

A few months go by, and there’s another incident! The investigation cited the same cause as the others, a poorly configured/installed personal fall arrest system. This time, OSHA wants a public hearing and invites company representatives to answer questions before their panel. At the hearing, company representatives were asked the following question:

If a properly deployed personal fall arrest system had been used, would these lives have been saved?

A company representative responds:

It depends. In theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.

Seems reasonable, right?. We certainly don’t want to get in the way of company production!

Or, wait a second. This doesn’t seem right. Poor safety because good safety is “operationally cumbersome” doesn’t sit well with you. Good, it shouldn’t!

Sadly, a similar analogy plays out all over the information security industry every day.

Hearing on the Hack of U.S. Networks by a Foreign Adversary

The construction analogy hit home while watching recent testimony in front of the U.S. Select Committee on Intelligence.

On February 23rd, 2021, Kevin Mandia (FireEye CEO), Sudhakar Ramakrishna (SolarWinds CEO), Brad Smith (Microsoft President), and George Kurtz (CrowdStrike President and CEO) were invited to give their testimony about the attacks on SolarWinds Orion last year (and ongoing). These are four very powerful men in our industry, and I appreciate what they’ve accomplished. In general, I have a great amount of respect for these men, but I’m not comfortable in their representation of our industry without also considering (many) others. Some of the reasons I’m not comfortable, include these facts:

  • They run billion and multi-billion dollar companies that sell products and services to protect things.
    • If people were already protected, they’d have nothing to sell. There is incentive to keep people insecure.
    • Companies must continue to produce new products (See: product life cycle diagram below). Without new products, sales decline. As long as people keep buying (regardless of need), they’ll keep making.

  • They have significant personal financial interests in the performance (sales, profit, etc.) of their companies.
  • They represent shareholders who have significant financial interests in the performance of their companies.
  • They may lack clear perspective of what most Americans and American companies are struggling with due to where they sit.

A hearing such as this is a fantastic opportunity for people to tout their accomplishments (which they do), tout their companies accomplishments (which they do),  and sell more stuff as a result. I DO NOT fault the witnesses for doing these things. It’s their job!

Let’s just hope our Senators take the hearing and witnesses in proper context and seek many more perspectives before attempting to draft new policy.

IMPORTANT NOTE: It may appear in this article that I’m critical of the people in this Senate hearing, but this is NOT the point. The people participating in the hearing have done tremendous things for our industry and our country. For all we know, if we were in one of their seats, we would respond in much the same way they did. If anything, I’m critical of us, our industry. We have tools sitting right under our noses that we don’t use correctly. Instead of learning to use our tools correctly, and actually using our tools correctly, we go looking for more tools. This is ILLOGICAL, and might should be negligent.

The point.

At one point during the hearing (1:22:08, if you’re watching the video), Senator Wyden (D-OR) begins a logical and enlightening line of questioning.

Senator Wyden:

The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?”

To which Mr. Ramakrishna (SolarWinds) responds:

Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring, system monitoring, application monitoring on premises of our customers.”

Key points:

  1. SolarWinds Orion did not require Internet connectivity to function.
  2. The IRS had Orion.
  3. The IRS did not permit Orion to communicate with the Internet.
  4. Attackers were not able to control the IRS Orion server (because it couldn’t communicate home).
  5. The attack against the IRS was mitigated.

Senator Wyden continues:

Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.”

Points made by Senator Wyden:

  1. Network security 101 includes blocking high-risk applications from connecting to the Internet when it’s not specifically required for functionality.
  2. Firewalls are designed to block unwanted and unnecessary network traffic.
  3. There is good authoritative guidance for using firewalls properly, including from the NSA and NIST.
  4. None of this is new.
  5. Organizations that don’t follow “network security 101” are irresponsible.

Kevin Mandia responds first:

And I’m gonna give you the “it depends”. The bottom line is this, we do over 6oo red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.

OK, here the logic falls apart. The answer “it depends”, followed by “firewalls never stopped” a FireEye red team exercise, did NOT answer Senator Wyden’s question. Logically, this (non) answer would only be valid if (at a minimum):

  • The FireEye red team exercises were run against a “network security 101” firewall configuration.
  • The FireEye red team exercises were a variant or emulation of the SolarWinds attack.

The question was whether a “network security 101” (or a properly configured) firewall would have mitigated the SolarWinds attack (meaning a firewall configured to only permit necessary traffic, as per NSA and NIST guidance). The non-answer justification continues by mentioning “in theory, it’s a sound thing, but it’s academic”. Since it’s been brought up, this IS NOT theoretical, it’s factual. If an attacker cannot communicate with a system (either directly or by proxy), the attacker cannot attack or control the system.

The last part of this statement brings us (finally) to our original point. Using a firewall, the way it’s supposed to be used (“network security 101”) is “operationally cumbersome”.

Responses from the others:

  • Mr. RamakrishnaSo my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules. (THE BEST ANSWER)
  • Mr. SmithI’m squarely in the “it depends” camp. (Um, OK. So, a non-answer.)
  • Mr. KurtzYes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not be all end goal, and generally they’re a speed bump on the information super highway for the bad guys. (Basically the same statement as the first. DID NOT answer the question.).

So the score is 3 to 1, “it depends” (without answering the question) versus “yes” (the correct answer).

Operationally Cumbersome

If a firewall (or any tool) is effective in preventing harm when it’s used correctly, why aren’t we using it correctly? The reason “because it’s operationally cumbersome” is NOT a valid argument.

It’s like saying “I don’t do things correctly because it’s hard” or “I don’t have time to do things right, so I don’t” or (as in our construction example) “We don’t have time to use a personal fall arrest system correctly, so people die”? Truth is, our infrastructures are so interconnected today, a failure to configure a firewall properly could/will eventually result in someone’s death.

So what do we do today? We do the illogical:

  • Since we don’t have time (or skill or operational bandwidth or whatever) to use an effective tool effectively, we purchase another tool.
  • We won’t have the time (or skill or operational bandwidth or whatever) to use this new tool effectively either, so we purchase another tool.
  • We won’t have time (or skill or operational bandwidth or whatever) to use the new tool and this newer tool effectively, so we purchase yet another tool.
  • The insanity continues…

What we must do (sooner or later):

  • inventory the tools we already have
  • learn how to use the tools we already have properly (knowledge/skill)
  • use the tools we already have properly (in practice)
  • then (and ONLY then) seek additional (or different) tools to address the remaining gaps

As an industry, we must (sooner or later):

  • make this “network security 101” (it’s not new, so we can’t call it the “new network security 101”)
  • hold organizations responsible for “network security 101” (the opposite being, the “new irresponsible” or negligent)

Other facts

Firewalls are NOT the end all, but they are an important part of security strategy. Here we are, many years down the road and we’re still fighting the same fight: the basics.

  • Firewalls have been around for more than 35 years.
  • Firewalls block unwanted and unnecessary network traffic (inbound/ingress and outbound/egress).
  • A properly configured, “network security 101”, “responsible”, “best practice” implementation of a firewall would have mitigated the SolarWinds (or similar) attack.
  • Many (maybe most) U.S. organizations have a firewall that is capable to mitigating the SolarWinds (or similar) attack.
  • There are still ways to bypass a firewall, but if you don’t have your firewall configured properly, what are the chances you’d stop a bypass anyway?
    • application vulnerabilities
    • SQL injection
    • social engineering
    • physical access
    • man-in-the-middle

Operationally cumbersome is not a valid excuse for our failures to understand and follow the basics.