Beware of People Who Do Everything

Part one in a three-part series about the information security industry money grab.

Introduction

NOTE: I covered some of these issues in my book; Unsecurity: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?

In this series, I’ll focus on three types of money grabbers:

  1. Those who will do anything and everything for your money,
  2. Those who sell snake oil, and
  3. Those who will sell you something regardless of its effects on your security.

Sometimes the money grabbers grab your money intentionally, but rarely do they do it with malicious intent.

There’s no doubt that the money grab is alive and well in the information security industry. We’re in the midst of the Cybersecurity gold rush, and there are thousands of companies fighting for their piece of your pie.

Cybersecurity gold rush

First, a quick comparison between the famous California gold rush and our cybersecurity gold rush.

The California gold rush looked like this: $10 million in 1849, $41 million in 1850, $75 million in 1851, and $81 million in 1852 (peak). After 1852, the rush gradually declined until 1857, then leveled to about $45 million per year.

The cybersecurity gold rush looks like this: $3.5 billion in 2004, $114 billion in 2018, $124 billion in 2019, and $170 billion by 2022. We haven’t exactly leveled off yet, but that day will come.

The truth about the cybersecurity gold rush; if you’re not one who’s making money, you’re probably one who’s spending it.

Spending well or not

Ask yourself these questions:

  • How confident am I that I’m spending my information security dollars wisely?
  • Am I getting the most value out of every dollar I spend?
  • Where do I get answers?

If you seek answers from a money grabber, you’re in for a rude awakening. Maybe not immediately, but soon. Money grabbers are biased, they’ll give you answers with a bias to sell you something.

So, how can you tell a money grabber from a trusted source of good information? It starts with understanding who the players are in our industry.

The Players

There are four players (or roles) in our industry; manufacturers, vendors, partners, and practitioners. Each of the players serve a very important role in making our industry function, and one player cannot effectively exist without the others. Don’t fall into the trap of thinking that one player is any better than another, they’re all critical.

Let’s break them down.

Security Manufacturers

Security manufacturers provide innovative hardware and/or software designed to solve real-world information security problems. They are critical to the information security industry because they make the tools we all use to secure ourselves.

Security manufacturers have three responsibilities to our industry:

  1. Understand the problem they’re trying to solve enough to make an effective hardware and/or software solution.
  2. Make an effective hardware and/or software solution that solves a problem.
  3. Sell the hardware and/or software solution to people in order to make money.

The manufacturer obviously needs to make money in order to satisfy investors and stakeholders. They’ll also need the capital to make more products. Stop the cycle and the manufacturer dies.

All fine and dandy.

Problems arise when a manufacturer attempts to play other roles, like giving you non-product related advice. It only seems logical that the advice you’d receive would be biased by one of their primary motivations which is to sell you their products. A manufacturer wants to sell you things because they want your money. What they sell you might solve a problem, but if it doesn’t, that’s ultimately your problem. The worst practice is convincing you that you have a problem that in reality doesn’t exist.

Even if a manufacturer solves a problem for you, you need to ask yourself if it was the right problem to solve. Was the risk significant enough to warrant a reallocation of resources (personnel, time, money, etc.)?

A manufacturer is probably not the best place to ask your questions about where you should spend your next information security dollar. They’ll certainly have an answer, but it won’t be unbiased, and it may not be in your best interest.

Security Vendors

Security vendors are an interesting bunch. They don’t make products, they sell them. We need vendors though. We need them because they’re closer to our problems than most manufacturers, and they know products better than partners (up next). They give manufacturers a distribution and support channel, so the manufacturer can go back to what they do best, making things.

Vendors represent products made by the manufacturers, and probably provide support for the products too. Vendors are usually specialists in the products they represent and are the “go to” people for making sure your products operate the way their intended to operate.

Advice from a vendor might be closer to the truth, but it will still be significantly biased. Vendors get paid for selling products, and they only represent their suite of products. Vendors, like manufacturers, want to sell you something. Ultimately, they want your money. Solving problems will be limited to the products they carry and advice probably won’t take other creative possibilities into account. Security vendors usually don’t innovate much and are more likely to go with whatever the herd is doing.

Security vendors are the best place to go for advice about a specific suite of products, but are not the best place to go for unbiased expertise.

Security Partners

A true security partner is a consultant without bias, but someone without bias is a pipe dream.  The truth is, nobody is without bias, but good partners do their best to be a trusted advisor to clients with as little bias as possible. Good security partners who understand the importance of their role (in the industry and to their clients) are product agnostic. They strive to make recommendations based on what’s best for the client.

Partners also want your money, but they won’t make money if they betray your trust. Trust is what keeps them honest.

Advice from a security partner must be as unbiased and as objective as possible. Security partners are good at creating or finding innovative solutions to problems because they’re not tied to any specific product or suite of products. One problem with a security partner is they may not have the deep knowledge about any one particular product like a vendor or manufacturer may have. Partners try to compensate for this by establishing working (not selling) relationships with vendors and manufacturers.

Security partners are the best place to go for advice about solving your information security problems with as little bias as possible. A security partner would be the best place to start for answers to most information security questions.

Security Practitioners

The hard-working security people who bust their asses everyday to make their workplace and the world a better place. Security practitioners make (or influence) buying decisions and they’re the ones who live with the fruits (or consequences) of their decisions. Most security practitioners don’t have time to research everything and need others to assist them in fulfilling their own personal mission.

Security practitioners deserve, and should demand respect at all times.

OK, now you know the roles/players. Where’s the money grab?

Beware of People Who Do Everything

I’m speaking to the security practitioners now.

Wouldn’t it be great if you could go one place for everything? A one-stop shop. Seems like a great idea and a real benefit, but it’s ignorant to think that there wouldn’t be an undercurrent of bias that could hurt you and your organization.

  • A manufacturer is biased to sell you their products.
  • A vendor is biased to sell you something out of their suite of products.
  • A partner couldn’t even sell you products if they wanted to. A partner cannot be a one-stop shop even if they want to be.

If you’re comfortable with the bias and you’re comfortable with the inevitable waste of resources, you’ll be comfortable with the one-stop shop approach. It’s lazy and wasteful, but it’s your security program.

If you’re not comfortable with the bias and wasted resources, you might have a little more work cut out for you. The right thing is to use each player for what they were designed for. A manufacturer for buying their products, a vendor for buying from their suite of products and product support, and a partner for the best advice.

Problems come when a player doesn’t understand their own role. When a vendor tries to be a partner too or when a partner tries to be a vendor too. Worse yet is the player who tries to be manufacturer, vendor, and partner. If you didn’t know any better, the “we do everything” player has you by the neck.

In my experience, the most common offender of their role, almost like an identity problem, is a vendor. Many vendors grew their business through other means, maybe selling printers and copiers, maybe doing information technology (IT) work, or maybe reselling networking equipment. The vendor resells things, but as a matter of survival and as margins decrease, they look for new streams of revenue. One common stream of revenue is security consulting services where the market is relatively immature and where a vendor can realize more significant margins.

Two problems with the vendor who plays partner:

  1. The bias problem. I’ve already covered this, but it’s a significant problem. I’ve witnessed many occasions where a vendor has sold things to a client that were clearly biased by the fact that the vendor sells those products. It’s only natural that a vendor would sell products, but it’s the practitioner who pays the price.
  2. Good at some things, but an expert in no things. Nobody can be the best at everything, you can only be the best at one thing or maybe a few things. A vendor who sells copiers, installs Cisco networks, builds data centers, and recycles old equipment, is not likely to be an expert in information security. Information security requires a specialized skill set, and you will get what you pay for. Unfortunately, it’s the practitioner again who pays the price.

Vendors aren’t bad. Partners aren’t bad. Manufacturers aren’t bad. Things can get bad when one player tries to play multiple roles. These multi-role players do it because it’s in their best interest, not necessarily because it’s in your best interest.

Things can get bad for you when you play into a multi-role player’s hand. You wouldn’t know the difference unless you were paying attention. Spend every information security dollar like it’s precious, because it is. One wasted dollar is one less dollar to spend on other more productive and enjoyable things.

Before I close, and one last time, there is nothing wrong with manufacturers, vendors, or partners. They’re all critical. It just helps if you know who they are, and better yet, if they know who they are.

The UNSECURITY Podcast – Episode 39 Show Notes

HAPPY FRIDAY! You made it through another week. Did you survive or did you thrive? Hmm. Something to think about, I suppose.

Good week here for me, the folks at FRSecure and the folks at SecurityStudio. Most weeks are good weeks really.

I was in town all week, but not in the office too much. Came in for meetings, then excused myself for more writing. Most of my days are consumed by writing lately. Writing a few blog posts, a few articles, and working on the upcoming book.

I’ll leave it at that for now. Many exciting things to share, but we’ll be patient and let them take a little more shape before sharing.

Did you catch episode 38 of the UNSECURITY Podcast? John Harmon, the president of SecurityStudio was in studio and we had a great chat. John and I are working well and working closely together. It’s a blast!

This week’s show, episode 39, is a real treat. “Ben” comes back in studio to give us the lowdown on what he’s been up to. I’m excited for you to hear what he’s got to say. This show is released on Monday (8/5), so be sure to look for it!

On to the show notes…


SHOW NOTES – Episode 39

Date: Monday, August 5th, 2019

Today’s Topics:

Our topics for the week include:

  • Conversation with “Ben”
    • Research
    • Responsible Disclosure
    • Social Engineering (SE) Things
    • Team Ambush
    • DEF CON
  • Industry News

[Evan] – Hello listeners, and welcome to episode 39 of the UNSECURITY Podcast. My name, for those of you who don’t know, if Evan Francen. I’m your host for today’s show, again. Scheduling stuff for security people is always a pain in the ass, and this week is no different. We’re recording this show on Friday because I’m out of the office next week. This is still Brad’s vacation, so he’s out of hand for hosting. All this means that I get to host again! That’s cool, right?!

Brad will be back next week, and he’ll have a great show planned I’m sure.

Now, you don’t want to sit there and listen to this voice for an entire show, so I invited someone last minute to join me. I found “Ben”! Want to say hi to the listeners Ben?

[Ben] Ben does Ben.

[Evan] Ben, thank you for agreeing to join me, especially last minute like this.

[Ben] Ben does Ben.

[Evan] Ben’s not your real name, right? So why do we call you “Ben”?

[Ben] Ben does Ben.

[Evan] You were here back in episode 14 (February 11). It was a great talk then, and this one will certainly be as good or better. Ben, you live a damn cool life, at least as it goes for security people. You cool if we talk about some of the things going on with you?

[Ben] Ben does Ben.

Conversation with “Ben”

Topics to discuss with Ben include:

  • Research
  • Responsible Disclosure
  • Social Engineering (SE) Things
  • Team Ambush
  • DEF CON

[Evan] See, I told you. Ben does cool stuff, and a lot of it! We could have talked for hours, but we can’t do that here. Let’s close with some news.

Industry News

Plenty of news this week, but arguably the most talked about is the Capital One breach. Instead of what’s in your wallet, now the joke is “who’s” in your wallet. Seriously though, this was big news this week.

Here’s our news to discuss in this week’s show.

Closing

[Evan] – So, there you go. That’s how it is. Ben, a huge thank you for joining me this week. Best of luck to you and all of Team Ambush this week at DEF CON. You’re going to have a great time and I can’t wait to hear how things went. Also, as always, thank you to our listeners. The podcast continues to grow and we’re grateful. Keep the awesome feedback coming, send it to unsecurity@protonmail.com. If you give us something real cool, we’ll mention it. Without your approval of course. Wait. That’s not right. I mean WITH your approval.

If you’d like to be a guest on the show or if you want to nominate someone to be a guest, send us that information too.

Ben, how can people reach out to you? Or do you even want people to reach out to you?

[Ben] People can reach me through Twitter. My Twitter handle is @M1ndFl4y. I don’t post much, but you can reach me through a DM there.

[Evan] OK. Thanks again. Find us on Twitter for daily chatter. I’m @evanfrancen and Brad’s @BradNigh. Have another great week everybody!

The UNSECURITY Podcast – Episode 38 Show Notes

YES! I’m on time again. If I get good at this, I won’t need to make this comment anymore. Odds of that?

As usual, I’ll give a quick review of the week, then we’ll jump right into the show notes.

It was another good and productive week. Gooder and more productiver than I probably deserve, but this is what you get when you are surrounded by awesome people all the time. 

  • Monday started with UNSECURITY Podcast (episode 37). Our guest was the one and only MN State Representative Jim Nash. If you missed it, you should give it a listen. We call BS on some things, then chat about some other things. All in all it was a great show. After that, it was coffee with a friend and a lot of writing.
  • Tuesday started with coffee with SecurityStudio’s VP of Software Development, Ivan Peev. After coffee it was an executive leadership meeting (all executives rated it a 10, which is always good), more writing, and a global information security strategy meeting with an awesome vCISO client.
  • Wednesday was great. An FRSecure Customer Advisory Board (CAB) meeting, coffee with Peter Vinge (Director of Operations – FRSecure), more writing, a few more meetings, more writing, and a meeting with legal counsel.
  • Thursday started with a SecurityStudio User Advisory Group meeting, then the rest of the day was spent writing.
  • Friday (today) started with a coffee meeting with my good friend and SecurityStudio’s president, John Harmon. We had a cool discussion about family, health, and some security strategy stuff. After coffee came a SecurityStudio product strategy meeting, and now I’m writing again.

What’s with all the writing?

It’s been a while since I’ve updated people on the status of this second book. The first book (Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?) was published this year, and it’s been really well-received. This first book was written to information security professionals. This second book is an information security book written to information security amateurs, or common everyday people. The book’s parts are (for now):

  • Introduction
  • Part 1 – Current State of Affairs (nation-state, cyberwarfare, businesses, attackers, security, privacy, and safety)
  • Part 2 – Motivation (find your motivation to act, family, friends, community, country, and business)
  • Part 3 –  Application (applying the basics and building habits)
  • Part 4 – Introducing and Using S2Me (the assessment, recommendations, and conclusions)
  • Closing

If you read my first book, you might remember where I said that writing a book is a bitch. It still is. The amazingness of the experience is more than worth it though. More to come in the coming weeks and months.

Let’s get to the show…


SHOW NOTES – Episode 38

Date: Monday, July 29th, 2019

Today’s Topics:

We’re going to touch on the following topics this week:

  • Civic Ransomware Awareness Project update
  • The #100DaysofTruth follow-up
  • Project Bacon
  • Industry News

[Evan] – Hi everybody! Holy buckets, we’ve got a good show planned today. Good morning, and in case you don’t know the voice yet, this is Evan and this is episode 38 of the UNSECURITY Podcast. No Brad joining me today. He’s got a “vacation”. Who does that?! Anyway, in his place is my good friend and SecurityStudio’s president John Harmon. This is where you say “hi” John.

[John] He’s a quick thinker with a sharp tongue, so I’ll need to be on my toes with his response (probably).

[Evan] So, Brad’s on vacation. I joked a little about that, but I can hardly think of someone who deserves it as much as he does. Kudos to him for taking some time off to be with his family. Before we get into talking more about our guest and some cool things, I just want to give our listeners a quick update on our Civic Ransomware Awareness Project and an idea for a follow-up to the #100DaysOfTruth thing.

Quick Civic Ransomware Awareness Project Update and New Idea Discussion

John can talk here too, I just don’t have anything specific for him yet.

[Evan] This is our 38th episode of the podcast, and we finally have you on the show. Sorry it took so long. Now, I know you pretty well because we’ve been working together for quite some time now, but the listeners may not know who you are. Tell us about yourself.

[John] Tells us a story about himself

Talking About John

[Evan] I gotta tell you man, I love working with you every day. You’re a guy that truly gets what we’re trying to do and you’re absolutely sold out on our mission. Later this year, like October, you and I are embarking on a new journey. We affectionately call it Project Bacon. Where did the name come from?

[John] The name was John’s idea, but let’s hear him out.

[Evan] The name is awesome. Besides, who doesn’t like Bacon? So, we have this Project Bacon thing. What is it?

[John] Tells us what Project Bacon is.

[Evan] OK, I think I get it (of course I do, but I need to act like I don’t so the show is more interesting or something). Why are we doing this?

[John] Oh yeah! The “why” is the best part.

More Project Bacon Discussion

[Evan] I’m pumped about Project Bacon. It’s going to be a blast and we’re doing good things all along the way. John, you’ve listened to our podcast before. We always close this thing out with a few news stories. You game?

[John] John is always game.

Industry News

Here’s our news to discuss in this week’s show. The depth of the discussion will depend on our time.

Closing

[Evan] – OK. That’s how it is. So many cool things going on and too many things to talk about. Thank you John for filling in for Brad this week. Project Bacon is going to be great! Also, a special thank you to our listeners. Each week, the number of listeners to our podcast continues to grow, and each week we received great feedback from you. Please keep it coming. If we haven’t had a chance to respond, it isn’t because we don’t care, we just haven’t gotten around to it yet.

If you want to keep up with the haps, be sure to follow me, Brad, and/or John on Twitter. I’m @evanfrancen, Brad’s @BradNigh, and John is @HarmonJohn. Email the show at unsecurity@protonmail.com. Have a great week everybody!

The UNSECURITY Podcast – Episode 37 Show Notes

On time this week? Absolutely! We take these things seriously around here, you know that!

Happy Friday UNSECURITY Podcast listeners! It was a great week for us, hope yours was good (or better).

Weeks like this one at FRSecure and SecurityStudio are always special. We held our end of quarter meeting at our Minnetonka, MN headquarters. Our people fly in from all over the country to celebrate, collaborate, and have fun. It’s AWESOME to see everyone and spend time catching up.

This slideshow requires JavaScript.

We are all family here, and it’s an amazing experience when everyone gets to come home. We have people fly in for the week from Florida, Nevada, Kentucky, and soon to be Missouri. It’s magical when everyone gets together. One of our core values is “work hard, play hard”, and it’s fun to see everyone collaborating then going out and having fun afterwards. Seriously amazing people doing incredible things.

I love these people!

Like almost every quarter, the team killed it again. It was another record quarter revenue and profit-wise, but this is secondary to the impact this team is making in our industry.

The mood was awesome. Blessings everywhere.

On to the show notes, eh? (What am I Canadian now?)

Originally, we were planning to cover a new SecurityStudio initiative we affectionately call “Project Bacon”. We’re going to put that off until next week because we have a special guest joining us for this show. Our special guest is Jim Nash, who represents District 47A in the Minnesota State House of Representatives.


SHOW NOTES – Episode 37

Date: Monday, July 22nd, 2019

Today’s Topics:

We’re going to touch on the following topics this week:

  • Civic Ransomware Awareness Project update
  • The #100DaysofTruth update
  • Calling BS on BS
  • Industry News

[Evan] – Hey oh. Good morning everyone. My name is Evan Francen. My show to host this week, so if you don’t like it, blame Brad. Speaking of Brad, he’s here. Hi Brad.

[Brad] Hi (or something similar)

[Evan] Also joining us this morning is Mr. Jim Nash. Now, I’ve got a special affinity for Jim. He’s a good friend, and he also represents my home district in the Minnesota State House of Representatives. Hi Jim.

[Jim] He also says “hi” or something of the like.

[Evan] Jim, I’m grateful for the work you do for the people of our district and I’m also very thankful for advocating like you do for information security. You’re a tremendous advocate for FRSecure, for the State, and for the US as a whole. Thank you.

[Jim] Graciously accepts my gratitude and says something wisdomy that will awe his constituents. I’ll probably have to cut him short because politicians sometimes like to talk.

[Evan] Let’s jump right in, shall we? We have a lot to cover in this week’s show. Real quick, like real real quick, what did you think about last week?

[ALL] Stuff.

[Evan] Yeah, it was a great week for sure. Quick update on the civic ransomware call to action stuff. I actually gave this thing a real name now, “Civic Ransomware Awareness Project”. We received a few more updates; a couple from our backyard here in Minnesota and one as far away as Idaho.

Civic Ransomware Awareness Project discussion

[Evan] I hope we’ll continue the efforts to work together, people from all walks and backgrounds, including the private and public sector, to make information security better for everybody.

[ALL] Maybe they say something maybe they don’t. It’s early Monday morning for crying out loud.

[Evan] Another thing from last week. Don’t know if you guys noticed, but I finished my #100DaysofTruth series. What did you think?

#100DaysofTruth discussion

[Evan] It was a fun exercise. People have been asking me “now what”? Here’s the plan, and you heard it here first. The FRSecure Marketing Team is summarizing all one hundred days into a single blog post, we’re going to produce an ebook out of the content, we’re going to create an audiobook, and I’m thinking about doing #100DaysofLies.

[ALL] Maybe some more comments, maybe I need to kick them under the table to wake them up.

[Evan] Alright, next thing I wanted to talk about was something that you, Jim, brought to my attention last week. This should be a good discussion. Jim came to me an told me that there’s this guy (he didn’t recall his name at the time) who is out there preaching that there are companies in the United States that are unhackable. As you can probably imagine, I’m not buying it. So I wrote a blog post here at evanfrancen.comblog post here at evanfrancen.com, and I’d like to talk about it. Whatya say guys? Game?

[ALL] Of course they’re game!

Calling BS on BS discussion

NOTE: Go into the background some more, then talk about the BS.

[Evan] Alright. Good spirited discussion. Let’s wrap this thing up with some news, then get on with what is sure to be another great week!

Industry News

Here’s the news to discuss, just two this week because we covered so much other stuff and we’re running out of time:

Closing

[Evan] – Well, damn. That’s how it is. We do a ton of things around here and we talk about a lot of stuff. Special thanks to Jim Nash for joining us this week. Jim, you’re a good man. Also, a special thanks to our listeners. You guys give us awesome feedback every week and tips about what you’d like us to talk about. Be sure to follow me, Brad, and/or Jim on Twitter. I’m @evanfrancen, Brad’s @BradNigh, and Jim’s  @JimNashMN. Email the show at unsecurity@protonmail.com. Have a great week everybody!

The UNSECURITY Podcast – Episode 36 Show Notes

Happy Monday! What?! Yeah Monday. Friday came and went, then Saturday and Sunday did too. These show notes that are supposed to be put here on Friday, didn’t get here till now. Enjoy!

Last week was a great week until Thursday, that’s when the travel adventures began. I’ll write about being stuck in Newark, NJ in a another post. Regardless, it’s good to be back home and ready to go.

Here’s the show notes that my buddy Brad put together for this week’s rant.


SHOW NOTES – Episode 36

Date: Monday, July 15th, 2019

Today’s Topic: The Money Grab

[Brad] – Good morning this is Brad Nigh, your host for episode 36 of the UNSECURITY Podcast. Today is Monday July 15th and joining me as always is Evan Francen

[Evan]  – Says Evan-y things

[Brad] – I won’t lie, writing this episode was much harder than I expected.  I know a lot of what we wanted to cover but writing it and researching… I just struggled.

[Evan]  – Consoles and sympathizes with writers block (I hope)

[Brad] – I hit my breakthrough when I had my ‘DUH’ moment and opened your book to chapter 9.  Why in the world was I trying to reinvent the wheel when you’ve already done an amazing job spelling it out.

[Evan]  – Evan is probably to humble here but he will say something gracious.

[Brad] –  So with that let’s talk about the money grab – the money we steal from each other, or maybe “spend” is more politically correct.  In your book you cover 3 problems you have identified.

  1. There’s plenty of snake oil for sale.
  2. Fear and sex sells lots of stuff.
  3. Money spent poorly is bad money.

ISC2 just released a study that I think hammers home the issues we see.

Small Businesses Need New Security Solutions but Aren’t Always Sure Which Ones

Open Discussion with some articles

[Brad] That was a good discussion. As you can tell, both Evan and I can get pretty heated up about these things. Let’s get to a couple of news items before wrapping this episode up.

News

Closing

[Brad] That’s a wrap! Thanks again to our listeners, and thank you Evan! Let’s go have a great week! Don’t forget, you can follow me or Evan on Twitter; @BradNigh is me, and Evan’s at @evanfrancen. Email us on the show at unsecurity@protonmail.com.

The UNSECURITY Podcast – Episode 35 Show Notes

Happy (belated) Birthday America!

Hope you all had a great 4th of July holiday! Both Brad and I (sort of) took the week off last week. We got some much needed rest for the 2nd half 2019 push. Brad spent time with his family, catching some huge fish with his kids. I made a road trip on my bike from Minnesota to Ohio. My wife and 14-year-old daughter joined me and we spent the week celebrating our great country.

This slideshow requires JavaScript.

The first half of 2019 has been wildly successful on multiple fronts, and both Brad and I are grateful.

I left Brad alone this week. I didn’t even reach out to him for our podcast show notes, so I’m not sure if he was planning to write some. Out of respect for his time away from the office, I’m writing this week’s notes.

Haven’t run this past Brad yet, but I think we’ve got the next three shows planned. We’ll see if he’s game. Here’s my plan:

  1. This week (episode 35) – Transfer of Wealth
  2. Episode 36 – The Money Grab
  3. Episode 37 – Project Bacon

Are you intrigued? Yeah, maybe.

OK, let’s get to it…


SHOW NOTES – Episode 35

Date: Monday, July 8th, 2019

Today’s Topics:

  • Civic Duty? – An update
  • Transfer of Wealth
  • News

[Evan] Hi everyone, this is Evan Francen, your host for episode 35 of the UNSECURITY Podcast. Welcome back from last week’s 4th of July holiday. My security bestie, Brad Nigh is joining me. He’s my co-host and stuff.

Welcome Brad.

[Brad] Brad probably greets me/us here. Assuming that he’s polite and engaged.

[Evan] How was your week off?

[Brad] Brad shares stuff about his time off.

[Evan] I’ll share some brief things about last week.

The meat of the show starts here.

[Evan] Over the past couple of weeks, we’ve been talking about ransomware. We haven’t been talking about the technical details related to how ransomware works because the attack vector essentially hasn’t changed drastically over the past, I don’t know, 20 years!

What we’ve been focused on is the destruction that ransomware is causing organizations, specifically local government organizations. We talked about cities that are suffering millions in losses and those that have chosen to pay ransoms to attackers. These things really strike a nerve in us, and we’ve encouraged people to do something about it.

For reference, see other related posts in chronological order:

Let’s catch up quick on this Brad.

Open Discussion – Civic Duty? – An update

[Evan] So, before we get too heated and deep into the ransomware discussion again, let’s talk a little about the money. The money in terms of how much attackers steal from us and in terms of how much money we steal from each other. We call the latter the “money grab”.

[Brad] Let’s do it! (and other stuff probably.)

[Evan] I was revisiting some of the research about our industry this week, and I wanted to talk about two things.

  1. The transfer of wealth – the money the attackers steal from us.
  2. The money grab – the money we steal from each other, or maybe “spend” is more politically correct.

We won’t have enough time to discuss these two topics with any depth in one show, so we we’ll need to split this up across multiple shows. Whatever, let’s discuss what we can now.

[Brad] Sounds good (hopefully).

[Evan] According to a study/predictions conducted/made by Cybersecurity Ventures, “Cybercriminal activity is one of the biggest challenges that humanity will face in the next two decades.” You’ve seen this study, right?

[Brad] Oh yes, of course!

[Evan] We know the source of the study, so we need to take it with a grain of salt, but listen to some of the claims:

  • Cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind. The impact on society is reflected in the numbers.
  • In August of 2016, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.
  • Cyberattacks are the fastest growing crime in the U.S., and they are increasing in size, sophistication and cost.

Let that sink in a little. Are these numbers and claims accurate in your opinion. Do these numbers and claims just feed our scare tactics? Let’s discuss.

Open Discussion – Money – Transfer of Wealth

[Evan] Good talk Brad! We certainly have our share of opinions on this. Let’s hold off on the “money grab” discussion until next week, then we’ll contrast these issues. Sound good?

[Brad] He’ll agree because he’s a very agreeable man.

[Evan] Just two newsy things this week. We’ll cover them quick.

News

Just two quick stories today.

Closing

[Evan] That’s how it is. Thanks again to our listeners and thank you Brad! Have a great week friends. Don’t forget, you can follow me or Brad on Twitter; @evanfrancen is me, and Brad’s at @BradNigh. Email us on the show at unsecurity@protonmail.com if you want to be one of the cool kids.

The UNSECURITY Podcast – Episode 34 Show Notes

Happy Friday!

2019 is almost half-gone. The midpoint is coming next Monday/Tuesday, and that’s crazy to me. Hard to believe that half the year is already gone, but holy cow it’s been a good first half!

Hope yours was too!

Lots of things happening as usual, but I’ll spare you the details and get right into this week’s show. My (Evan) show this week, so my notes. 😊


SHOW NOTES – Episode 34

Date: Monday, July 1st, 2019

Today’s Topics:

  • “Let’s get real”
  • News

[Evan] Hi everyone, this is Evan Francen, your host for episode 34 of the UNSECURITY Podcast. Joining me is my right-hand man, Brad Nigh. Good afternoon Brad!

[Brad] Spews wisdom, the kind you can’t find anywhere else…

[Evan] If you were paying attention to the opening, you might have heard me say “afternoon”. That’s because we’re recording on Friday afternoon for Monday’s release. Both Brad and I will be out of the office next week doing some vactiony things. Right Brad?

[Brad] Spews more wisdom. He’s a wisdom spewer.

[Evan] Should we share our vacation plans or should we keep ‘em confidential? We tell others to keep vacation stuff non-public for privacy and safety reasons, so maybe we should follow suit. Whatya think?

[Brad] Brad confirms because of he’s like a wisdom volcano. Hot wisdom.

[Evan] So the last few weeks, we’ve talked about ransomware attacks.

A couple of weeks ago we talked about ASCO, the Belgian aircraft parts maker that was hit with ransomware and lost production for some undisclosed amount of time (globally, so likely lacking proper network segmentation/isolation as well as proper response processes). That news has sort of died out.

Last week we discussed the City of Riviera Beach and how their city council voted unanimously to pay the $600,000+ ransom. This one ticked me off. So, I wrote a blog post about it; DON’T SUCK – STOP PAYING RANSOMS.

We also talked about the fact that we’re not powerless to stop these things, so that prompted another blog post; ASK QUESTIONS – GET ANSWERS (HOPEFULLY). We discussed in reaching out to our local government officials in episode 33, so I gave instructions on how to do so (including an email template). Some people reached out to their local governments and shared their responses! To those who did this, kudos and thank you for making a difference.

Next, we read about another Florida city (Lake City) that voted to pay the ransom. Sunnuva!

So, what did I do? I wrote yet another blog post; CALL TO ACTION – DO SOMETHING ABOUT CIVIC RANSOMWARE. I also reached out to one of our local news stations. The declined the story. No skin off my back, but when are we going to get serious?!

My reply:

“OK. I’d expect the next one to hit within a week. Cities are under siege right now. Have a great weekend and 4th of July!”

All of this leads us to now. The good: there are good people who want to help. The bad: most don’t seem to give a rat.

My question for our discussion is:

Do people even want to be secure?

Open discussion.

[Evan] Good talk. Jason Dance, one of our loyal listeners had some good advice to share:

  1. The same things apply at schools. Reach out to schools and ask questions too.
  2. If you don’t get answers:
    • Ask during a town/city meeting.
    • File a FOIL for the specific information.
    • Ask by Facebook/Twitter/Other social media.

Awesome advice! Thank you, Jason.

We must get our sh_t together, or the pain will only get worse. Now for some news.

News

Just two quick stories today.

Closing

[Evan] That’s how it is! Thanks again to our listeners and thank you Brad (the wise)! Hope you have a wonderful week and a safe 4th of July. God bless America for crying out loud! Don’t forget, you can follow me or Brad on Twitter; @evanfrancen is me, and Brad’s at @BradNigh. Email us on the show at unsecurity@protonmail.com if you want to be one of the cool kids.

The UNSECURITY Podcast – Episode 33 Show Notes

Brad is leading this week’s show, but it’s NOT his fault that I didn’t get the show notes posted until now (Sunday).

As always, I hope everyone/anyone reading this had a great week last week. I believe that every week holds something special if you look for it with the right frame of mind.

I got back to writing the 2nd book last week, finally. I’m behind on getting this thing done. In case you didn’t know, I’m in the middle of writing a 2nd book right now. This book is “information security for normal people” for lack of a better title. I’m excited and happy to be back working on it again.

Lots of other cool things last week too. I’ll just pick two for now:

  1. Managers were in town last week for their quarterly strategy meetings. I don’t really participate in the meetings, but I do get to see the people who come in from out of town! Seeing Oscar Minks (Director of Technical Services from Kentucky) and Tyler Briggs (Project Management Team Lead from Florida) is always awesome!
  2. We secured two panelists for the upcoming Hacks & Hops event on September 19th. The event is titled “BREACHED! What to Do When Your Defenses Fail“. Seriously, check this out! Mark Lanterman (Chief Technology Officer of Computer Forensic Services) and Chris Roberts (Chief Security Strategist for Attivo, Advisor for Cympire, OverWatchID, HHS and others…) will both be on the panel! So friggin’ pumped about this. These guys are the real deal and it’s an honor to be on the same stage with them.

If you don’t have tickets already for Hacks & Hops, you better get them soon. This thing is definitely going to sell out! Watch for more announcements soon.

OK, that’s enough. I need to get to it. Here are Brad’s show notes!


SHOW NOTES – Episode 33

Date: Monday, June 24th, 2019

Today’s Topics:

  • More Ransomware – City Riviera Beach
  • News

[Brad] Good morning! This is Brad Nigh, and this is episode 33 of the UNSECURITY Podcast. I actually did my part and got show notes prepped and ready this week.  With me as usual is Evan Francen, good morning Evan.

[Evan] Says Evan things

[Brad] I had our offsite VTO last week which is also so amazing.  It is recharging despite being a lot of work, if that makes sense.  I’m also wrapping up the IR I had, but we had yet another one come in last week, this one was a web app that a client found a vulnerability in (the exposed the DB to the internet, not just the app, among other things).  So with that lead in,  How was your week last week Evan?

[Evan] Starts getting riled up

[Brad] This week we are jumping right in to the discussion because this is a topic we are both very passionate about and want to spend some time discussing.  We are going to talk about the Riviera Beach City Ransomware incident today.

Open discussion about the Riviera Beach City Ransomware

Reference Riviera Beach City ransomware articles:

[Brad] I didn’t do a lot of extra news stories this week but I wanted to include these two because of their relevance to our topic today.

News

Closing

[Brad] That’s a wrap! Thanks again to our listeners, and thank you Evan! Let’s go have a great week! Don’t forget, you can follow me or Evan on Twitter; @BradNigh is me, and Evan’s at @evanfrancen. Email us on the show at unsecurity@protonmail.com.

The UNSECURITY Podcast – Episode 32 Show Notes

Heyo! It’s Friday again. Actually, it’s Sunday because I’m late. Oh well.

I/we (speaking for Brad too) hope you had a great week!

It was another crazy, but awesome week around here (@FRSecure and @SecurityStudio). Let’s see if I can give you a quick recap without boring you to death. I kid, you won’t actually die.

Monday – Meeting day. Monday’s are always meeting days at the office. The good; we all get to see each other and catchup with life. The bad; meetings. Who likes meetings? In our case, the good FAR outweighs the bad, and I’ll take it!

Tuesday – The highlight of Tuesday was attending the Star Tribune Minnesota 150 Top Workplaces luncheon. CONGRATS FRSecure! Several of us were able to attend the event. Check out the pictures!

This slideshow requires JavaScript.

I LOVE working with the people at FRSecure and SecurityStudio. It’s a great honor and privilege. Brad wasn’t there, even though he’s a tremendous part of our success. He was back at the office working on another IR.

Wednesday – A focus day. A focus day consists of focus time. Everyone needs focus time on a periodic/regular basis. It’s healthy. In the evening, we celebrated the end of the 2019 CISSP Mentor Program by hosting a free BBQ dinner for all local students. The 2019 CISSP Mentor Program was an amazing success; this new crop of information security pros is going to be great!

One of the students already passed his CISSP exam!

Thursday – Led a client’s first incident response tabletop exercise (ever) with FRSecure’s very own vCISO Team Lead, Megan Larkins. Occasionally I get the opportunity to work on something with one of FRSecure’s analysts, and it’s always a great experience for me. The client seemed to like it too!

Here’s a quote from the client’s email to us late Thursday/early Friday:

Hello Evan and Megan,

Thank you, the time you spent with us yesterday was exceptional. I felt a lot was accomplished and everyone was appreciative of your ability to teach without judgment. %COMPANY%  has a way to go but with great vendors like FRSecure, the path forward isn’t as difficult.”

Megan and I had a great time! Quick side note, for lunch we went to the place called D-Spot. It’s a place that’s known for their wings, and there are 50 or so different flavors to choose from. Here’s some of their flavors:

  • Ben Grimm
  • Kamikaze
  • War Machine
  • Widow Maker
  • Iron Maiden
  • Goat’s Blood
  • Tarantula
  • Incredible Hulk
  • El Loco
  • Rougarou

I went with something named “Brimstone”. I like hot stuff. I really like really hot stuff.

Took a bite. It started out sweet, then wait for it…

HOLY HELL WHAT IS HAPPENING TO MY TONGUE?!

WHY ARE MY EYES SWEATING?!

IS THAT A CRAMP IN MY ESOPHAGUS?! WHAT THE HELL IS A CRAMP IN MY ESOPHAGUS?!

JESUS, IS THAT YOU? ARE YOU MAD AT ME? I’M SORRY.

Poor Megan watched me progress from happy to concerned to sadness to panic to blackout and back. She looked genuinely concerned for my well being, but I came back to reality after a bit.

Only three more wings to go…

 

Needless to say, I finished all four of these death morsels from the center of the earth. Paid up front and paid again at about 8pm that night (no details available). My wife tells me, “you’re such a smart guy, so why do you do such obviously dumb things?”

She’s got a point.

Friday – Got the email above on Friday. Friday was another good day. Started with a ride, then a strategy meeting, the weekly FRSecure BBQ, and FRSecure Hawaiian shirt day.

The ride

Hawaiian shirt day

This slideshow requires JavaScript.

Seriously, what’s not to love about all this. We do security, sure, but what good is security without life? Do life first!

Crap, almost forgot about the show notes…


SHOW NOTES – Episode 32

Date: Monday, June 17th, 2019

Brad’s busy. Like, really busy. He’s been tied up all week working on an incident response (IR), so my notes (Evan).

Today’s Topics:

  • Security standards
  • ASCO Ransomware
  • News

[Evan] Happy Monday! This is Evan Francen, and this is episode 32 of the UNSECURITY Podcast. Brad was supposed to lead today’s show, but he’s been tied up with incident response work. Ain’t that right Brad?

[Brad] Queue Brad.

[Evan] We’ve got a good show planned for you today, so let’s get to it.

[Brad] Queue Brad (again).

[Evan] I had some good thinking time this weekend. One of the things that I was thinking about was the use of standards in our industry. There’s a boatload of them. ISO, COBIT, NIST SPs, etc. What do we use standards for?

[Brad] Queue Brad (again).

Open discussion about information security standards.

[Evan] We got an email from one of our listeners this past week that I’d like to talk about.

Hey Evan and Brad,

I have been a listener from the beginning of your podcast and just came across this news item from my home country:

https://www.helpnetsecurity.com/2019/06/13/asco-ransomware-attack/

To me this is weird, the HR manager being the PR person after a big cyber incident? I did a quick look on linkedin but could not find anyone in the company with “security” in their title.

Next thing: I look into the profile of the IT director, since security is sometimes put under IT. But on his profile I can not see any “indicators” that this guy might have any security qualifications or experience in the field.

So this company has have to give all 1500 employees “technical unemployment” and keep extending the end date of this unemployment.

They don’t really communicate on what actually happened, they don’t talk about ransomware either.

At this moment I am pretty confident that my incident response plan is way better than theirs, and we are a small non-profit media company with about 100 employees.

Open discussion about the what we know about the ASCO ransomware attack.

[Evan] BIG thank you to our listeners, and this one in particular. Good talk. Let’s get to some news.

News

Closing

[Evan] That’s a wrap! Thanks again to our listeners, and thank you Brad! Let’s go have a great week! Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com.