The UNSECURITY Podcast – Episode 32 Show Notes

Heyo! It’s Friday again. Actually, it’s Sunday because I’m late. Oh well.

I/we (speaking for Brad too) hope you had a great week!

It was another crazy, but awesome week around here (@FRSecure and @SecurityStudio). Let’s see if I can give you a quick recap without boring you to death. I kid, you won’t actually die.

Monday – Meeting day. Mondays are always meeting days at the office. The good: we all get to see each other and catch up on life. The bad: meetings. Who likes meetings? In our case, the good FAR outweighs the bad, and I’ll take it!

Tuesday – The highlight of Tuesday was attending the Star Tribune Minnesota 150 Top Workplaces luncheon. CONGRATS FRSecure! Several of us were able to attend the event. Check out the pictures!


I LOVE working with the people at FRSecure and SecurityStudio. It’s a great honor and privilege. Brad wasn’t there, even though he’s a tremendous part of our success. He was back at the office working on another IR.

Wednesday – A focus day. A focus day consists of focus time. Everyone needs focus time on a periodic/regular basis. It’s healthy. In the evening, we celebrated the end of the 2019 CISSP Mentor Program by hosting a free BBQ dinner for all local students. The 2019 CISSP Mentor Program was an amazing success; this new crop of information security pros is going to be great!

One of the students already passed his CISSP exam!

Thursday – Led a client’s first incident response tabletop exercise (ever) with FRSecure’s very own vCISO Team Lead, Megan Larkins. Occasionally I get the opportunity to work on something with one of FRSecure’s analysts, and it’s always a great experience for me. The client seemed to like it too!

Here’s a quote from the client’s email to us late Thursday/early Friday:

“Hello Evan and Megan,

Thank you, the time you spent with us yesterday was exceptional. I felt a lot was accomplished and everyone was appreciative of your ability to teach without judgment. %COMPANY% has a way to go but with great vendors like FRSecure, the path forward isn’t as difficult.”

Megan and I had a great time! Quick side note: for lunch we went to a place called D-Spot. It’s known for its wings, and there are 50 or so different flavors to choose from. Here are some of them:

  • Ben Grimm
  • Kamikaze
  • War Machine
  • Widow Maker
  • Iron Maiden
  • Goat’s Blood
  • Tarantula
  • Incredible Hulk
  • El Loco
  • Rougarou

I went with something named “Brimstone”. I like hot stuff. I really like really hot stuff.

Took a bite. It started out sweet, then wait for it…

HOLY HELL WHAT IS HAPPENING TO MY TONGUE?!

WHY ARE MY EYES SWEATING?!

IS THAT A CRAMP IN MY ESOPHAGUS?! WHAT THE HELL IS A CRAMP IN MY ESOPHAGUS?!

JESUS, IS THAT YOU? ARE YOU MAD AT ME? I’M SORRY.

Poor Megan watched me go from happy to concerned to sad to panicked to blacked out and back. She looked genuinely concerned for my well-being, but I came back to reality after a bit.

Only three more wings to go…


Needless to say, I finished all four of these death morsels from the center of the earth. Paid up front and paid again at about 8pm that night (no details available). My wife tells me, “you’re such a smart guy, so why do you do such obviously dumb things?”

She’s got a point.

Friday – Got the email above on Friday. Friday was another good day. Started with a ride, then a strategy meeting, the weekly FRSecure BBQ, and FRSecure Hawaiian shirt day.

The ride

Hawaiian shirt day


Seriously, what’s not to love about all this? We do security, sure, but what good is security without life? Do life first!

Crap, almost forgot about the show notes…


SHOW NOTES – Episode 32

Date: Monday, June 17th, 2019

Brad’s busy. Like, really busy. He’s been tied up all week working on an incident response (IR), so these are my notes (Evan).

Today’s Topics:

  • Security standards
  • ASCO Ransomware
  • News

[Evan] Happy Monday! This is Evan Francen, and this is episode 32 of the UNSECURITY Podcast. Brad was supposed to lead today’s show, but he’s been tied up with incident response work. Ain’t that right Brad?

[Brad] Cue Brad.

[Evan] We’ve got a good show planned for you today, so let’s get to it.

[Brad] Cue Brad (again).

[Evan] I had some good thinking time this weekend. One of the things that I was thinking about was the use of standards in our industry. There’s a boatload of them. ISO, COBIT, NIST SPs, etc. What do we use standards for?

[Brad] Cue Brad (again).

Open discussion about information security standards.

[Evan] We got an email from one of our listeners this past week that I’d like to talk about.

Hey Evan and Brad,

I have been a listener from the beginning of your podcast and just came across this news item from my home country:

https://www.helpnetsecurity.com/2019/06/13/asco-ransomware-attack/

To me this is weird, the HR manager being the PR person after a big cyber incident? I did a quick look on LinkedIn but could not find anyone in the company with “security” in their title.

Next thing: I look into the profile of the IT director, since security is sometimes put under IT. But on his profile I can not see any “indicators” that this guy might have any security qualifications or experience in the field.

So this company has had to give all 1500 employees “technical unemployment” and keep extending the end date of this unemployment.

They don’t really communicate on what actually happened, they don’t talk about ransomware either.

At this moment I am pretty confident that my incident response plan is way better than theirs, and we are a small non-profit media company with about 100 employees.

Open discussion about what we know about the ASCO ransomware attack.

[Evan] BIG thank you to our listeners, and this one in particular. Good talk. Let’s get to some news.

News

Closing

[Evan] That’s a wrap! Thanks again to our listeners, and thank you Brad! Let’s go have a great week! Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com.

The UNSECURITY Podcast – Episode 31 Show Notes

Another week is in the books. Is it really true that the older you get, the faster time goes? God, it seems like it.

It was another great week, and there are so many things to be grateful for. FRSecure is cranking away at the mission (to fix the broken industry), and SecurityStudio is kicking tail too! I can only begin to tell you how awesome it is to work with the best information security people in the industry. When I say “best”, I mean the best in terms of quality of character. I LOVE these guys! They won’t brag about themselves, but I’ll brag all day about them. Crazy cool.

Some things going on at FRSecure:

  • Just finished the 10th annual CISSP Mentor Program. We had 500+ registered students at the beginning, and ended with a lot fewer than that. Some of it is attributed to normal attrition, and some of it is attributed to the quality of the instructors. 😉 The last event is Wednesday; Brad and I are BBQing for the students who can make it to our office in person. Come out and grab some good BBQ on Wednesday at 6pm!
  • We’re putting together our next Hacks & Hops event, actually our superstar marketing folks are. The next event is titled “BREACHED! WHAT TO DO WHEN YOUR DEFENSES FAIL” and it’s slated for September 19th at US Bank Stadium; not the whole stadium, a big meeting room inside the stadium (that would be nuts). We’re working on putting together an all-star panel for you, and there will be beer (lots for those who like lots). Mark your calendars now, and watch for the sign-up. It will sell out fast.
  • We’re hiring again! We’re sort of always hiring, I think. Anyway, the bar is high in terms of integrity, but we’ll learn all sorts of cool things together. Check out our positions, and apply. We like people and stuff! We have six (6) open positions at present, so if you know someone, send them our way!
  • Personally, I had some great meetings this week! The people in this industry are fascinating. Some highlights include the following… Had coffee with Matt Stellmacher on Monday. If you’re in this market, in Minnesota, you gotta know who Matt is! He’s a partner at White Oak Security, and an all around great guy. Had a great meeting with Jim O’Conner on Wednesday. Jim is Cargill’s CISO, and he’s a great guy with a TON of security wisdom. I spent most of the time listening intently to what he had to share. Had lunch with Red Team Security‘s CEO Ryan Manship on Thursday. Our hearts are aligned on some things in this industry.
  • Gave a talk at an event put on by Top Dog PC Services at Summit Brewery. Had a blast making a few new friends and giving away some more books. They recorded some of my talk and posted it online here. The audio and video quality are a little (or a lot) off, but somehow they made me seem like I made sense.
  • The icing on the cake came on Friday (today). Went to BrrCon. This was the best conference that I’d been to in a very long time. Ran into 10(ish) friends, talked to Dave Kennedy and spent a little time with Chris Roberts. These are two of my favorite influential people in our industry. It was a GREAT day!

Some of the things going on at SecurityStudio:

  • We’re finalizing our Board of Directors! In full transparency, this is the first board that I’ve ever put together, and I have (almost) no idea what I’m doing. Thank God for SecurityStudio’s president (James Williams) who’s put together awesome boards before. Also, thank God for the directors who have agreed to participate! Finishing touches are being worked on now, and an announcement is coming soon!
  • At SecurityStudio, we’re all about inclusion and integration. We met with the fine folks from Quill Security Technology this week, and they’ve got some VERY cool stuff! I’ve never seen a better physical security risk assessment methodology or tool than the one these guys have built. You know what they (or I) say, “nobody cares about your firewall when someone steals your server.” How about, “nobody cares about your firewall when someone is assaulted”? Good people over there and I’m sure we’ll figure out a way to integrate what each of us does well!
  • Lots of very cool development stuff and marketing stuff being done. You’ll hear more about this soon too!

Oh yeah, I met Betty this week. We met on Tuesday and she’s mine now.

Well, it was one helluva week!

Alright, now onto the show notes…


SHOW NOTES – Episode 31

Date: Monday, June 10th, 2019

This is Evan’s turn to lead the show, and these are my notes.

Today’s Topics:

  • Solutions, not sales.
  • Important lessons this week.
  • News

[Evan] Hey, good morning. Today is Monday, June 10th, and this is episode 31 of the Unsecurity Podcast. This voice you hear is Evan Francen and joining me as usual is my co-worker and more importantly good friend Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Brad, it’s good to hang out with you man. 

[Brad] Cue Brad (again).

[Evan] Can you believe that this is episode 31 already? Seems like episode one was only a few weeks ago, and here we are. We’ve learned a lot since the first show, eh?

[Brad] Cue Brad (again).

[Evan] How was your week last week? Tell us about some of the highlights?

[Brad] Cue Brad (again).

[Evan] Mine was awesome and nuts at the same time (read above).

[Brad] Cue Brad (again).

[Evan] I had one experience last week that I wanted to talk with you about. I was with a couple of sales guys from a VAR…

Open discussion about “solutions not sales”

This topic is sure to raise the blood pressure of both Brad and me. It will be a great discussion!

[Evan] You and I have been in this industry a long time. Between the two of us, we have 40-something years under our belt, but one thing I know, and I think you’ll agree with me, is that we NEVER stop learning. So, last week was full of good stuff. Give us one thing that you learned last week Brad, then I’ll go.

[Brad] Cue Brad (again).

Open discussion about “important lessons from last week”

[Evan] Alright man, good things! Let’s wrap up with some newsy stuff. Just four stories to share quick.

News

Closing

[Evan] Nice talk Brad! Let’s see if we have another week like the last. Hope everyone listening has a great week. Stay safe and stay healthy. Thank you Brad. Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com. That’s a wrap!

The UNSECURITY Podcast – Episode 30 Show Notes

Happy Sunday! That’s right, it’s Sunday. I’m late getting our show notes posted (again).

Hope you are having a great weekend. Last week’s show (episode 29) was posted on Memorial Day. I hope you took a moment to remember the men and women who made the ultimate sacrifice for our country and our freedom. That’s what Memorial Day is all about.

Our show last week was a new thing for us. We recorded an intro, listened to L0pht’s Capitol Hill testimony from May 19th, 1998, and recorded a short close. I like to listen to this recording once each year as a reminder of where we came from and to help keep me grounded. It’s good stuff!

Last week was a short one, but it was busy. Spent a couple of days with some awesome people in Montvale, NJ before returning home for a full-day offsite strategy meeting (with the FRSecure executive leadership team). Friday was full of meetings, but much more low-key.

Yesterday (Saturday) was a no-work day. Do you have a day that you’ve set aside for no work? Part of keeping balance in my life is to not work (at all) on Saturdays. I’ve compromised on this rule too many times in the past few months, and I’m actually a little ashamed about it. No more! Saturdays are back to off-limits. Today’s Sunday. 😉

What’s up this week? Brad’s leading the Unsecurity podcast, and he’s got some good things planned for us to talk about. These are his show notes.


SHOW NOTES – Episode 30

Date: Monday, June 3rd, 2019

Evan would have been on time but I got caught up with some IR work that totally threw off my Thursday and Friday, so show notes are coming out on Saturday (turned out to be Sunday).

Today’s Topics:

  • Incident Response
  • News

[Brad] Good morning, today is June 3rd (How is it already June?!?!) and it’s time for another episode of the Unsecurity podcast. I’m Brad Nigh and I will be hosting this week. With me again is Evan Francen, good morning Evan.

[Evan] Talks about something fun he did over the weekend. – (Added by Evan: not really. I cleaned gutters, stained my fence, did some landscaping, and mowed the lawn).

[Brad] Okay so a couple weeks ago you were at the Denver ISSA and did a workshop titled “Incident Management – Panic or Plan”. Let’s talk about that a little bit…

Open discussion around the IR workshop and IR in general

[Brad] There is so much around IR that people still struggle with, hopefully this discussion helped clear things up a bit. Let’s hit some news stories real quick.

News

Closing

[Brad] Alright, another good show. We could talk about incident response every week and never run out of material. Lots of news and lots to do. Thank you Evan. Don’t forget, you can follow me or Evan on Twitter; @BradNigh and @evanfrancen. Email us on the show at unsecurity@protonmail.com. That’s a wrap! Have a great week.

The UNSECURITY Podcast – Episode 29 Show Notes

Hi again! It’s time for the episode 29 show notes, and I’m on time again. That’s three in a row if you’re keeping score.

Hope you all had a good week! Most of my time was spent trying to catch up, but that’s the norm. I only had one trip this week. On Thursday, I made my way out to Denver to give a talk (or workshop) about security incident management. The workshop was hosted by the Denver ISSA Chapter. The Denver ISSA Chapter is the largest ISSA chapter in the world, and you could argue it’s one of the best too. I met some of the best people I have ever spoken to about information security. I’ll write a separate post about the experience. For now, we’ll just say it was awesome!

Last week, Brad and I discussed a crazy week that included five talks, four conferences, two classes, and a panel. Episode 28 was fun, as are most episodes. This week, we’re switching things up.


SHOW NOTES – Episode 29

Date: Monday, May 27th, 2019

Today’s Topic:

A special show and tribute. You’ll need to tune in for the details.

[Evan] Welcome! This is episode 29 of the Unsecurity Podcast! I’m Evan Francen, and joining me as almost always is my good friend Brad Nigh. How you doing Brad?

[Brad] Alive and well

[Evan] Brad, as you know, it’s Memorial Day. An important holiday in the United States. The holiday is specifically set aside to remember and celebrate the honorable men and women who have served our country and have passed on. We’re going to put a little remembrance about information security into today’s episode. What do you say?

[Brad] Yes. Let’s do that.

[Evan] The special treat for today’s episode is something that’s been around for a long time. Some of us who’ve been around for a long time will remember the day fondly, others will want to listen and know what life was like in information security.

[Brad] Sounds good! I know what you’re talking about and I think people will love it.

[Evan] A little more background and intro to the audio, then cut over.

Audio – A classic security discussion.

[Evan] Alright, we’re back. What did you think?

[Brad] Awesome. Such a classic.

Short discussion about the audio.

Less than three minutes.

Closing

[Evan] Alright. Thank you Brad. Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com. That’s a wrap! Have a great week.

The UNSECURITY Podcast – Episode 28 Show Notes

Whaaaaaaat?! Is this two Fridays in a row? I’m on time two weeks in a row? Sort of a miracle.

It’s been a crazy, crazy week. I won’t speak too much for Brad, but I think his was probably crazy too.

We started the week off with episode 27 of the Unsecurity Podcast. Special thanks to our guest Ryan Cloutier. I was in Anaheim, California while Ryan and Brad were in studio. We talked about information security in K-12, and equipping children for today’s (and the future’s) most pressing security and privacy challenges. Ryan’s insights were awesome and well-received.

We record our podcasts every Monday morning at 6:45am CDT. That made it 4:45am for me in California. It was an early start, and we’ve run hard ever since. The quick summary of the week consisted of five talks, four conferences, two CISSP Mentor Program classes and a panel. It was a really good week, but one where we had to hustle from beginning to end.

The five talks (conference, title, speaker):

  1. ISACA North America CACS Conference, Why?, Evan
  2. Loffler 2019 Tech Fest, Speaking Information Security, Evan
  3. 2019 Secure360, Disaster doesn’t have to be debilitating: The best way to build your disaster recovery plan, Brad
  4. 2019 Secure360, Speaking Information Security, Evan
  5. Minnesota State IT Center for Excellence New Directions Faculty Conference, 7 Facts About Unicorns 38 of the 100 Truths About Information Security, Evan

I’ll write something up about each talk and share the presentations later.

Turned out to be ~350 PowerPoint slides this week for the five talks, and two CISSP Mentor Program classes. PowerPoint hell, is what it was.

OK, enough. About the show. Figured we’d share our week and our experiences with you this week. There’s plenty of good nuggets in there.



SHOW NOTES – Episode 28

Date: Monday, May 20th, 2019

Today’s Topics:

  • The Week That Was; 5 Talks, 4 Conferences, 2 Classes, and a Panel
  • News

[Evan] Hey, hey. It’s time for episode 28 of the Unsecurity Podcast! I’m Evan Francen, your host for this week, and sitting right here next to me is Brad Nigh. How ya doin’ Brad?

[Brad] Brad tells us that he’s doing awesome! Because awesome people are awesome, DUH!

[Evan] Well, we survived the week that was. I wrote a little ditty online about my week. How was yours?

[Brad] His week was awesome! See above.

[Evan] I figured we’d take a week off from a guest and talk about our week. I learned a boatload of stuff last week and the talks were really fun. Whatya say Brad? You game?

[Brad] Awesome! Again, see above. You’ll notice a pattern. 🙂

The Week That Was; 5 Talks, 4 Conferences, 2 Classes, and a Panel

[Evan] Last week was a crazy week, but it was a fun week, and it was a really valuable week. I want to take some time to chat about our experiences. I gave four talks last week, and I learned some really good stuff in each of them. Let’s start with your talk at Secure360 though. Tell us about it.

[Brad] Tells the story.

[Evan] Start with the ISACA talk, leading to open discussion.

Open Discussion About Talks, Classes, and the Panel

Blah, blah, blah and such…

[Evan] Cool! It was a great week for both of us. Everything taking us steps closer to our mission. Can’t say how grateful I am to do this stuff with our amazing team, especially you sir. [I’ll probably give Brad some sort of wink or nudge, like friends do] Let’s talk news.

News

Microsoft worm warning: Windows users urged to patch now

Microsoft Warns of a Monster Computer Bug, in a Week of Them

Two Years Later WannaCry Continues to Spread to Vulnerable Devices, Nearly 5M Devices Affected

Hacktivist attacks dropped by 95% since 2015

Why Are Cryptographers Being Denied Entry into the US?

Report Reveals TeamViewer Was Breached By Chinese Hackers In 2016

Closing

[Evan] That’s the meat of the show right there. What’s your week look like Brad?

[Brad] Awesome! (default now)

[Evan] Have anything special planned for next week’s show?

[Brad] We’ll see…

[Evan] Alright. Thank you Brad. Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com. That’s a wrap!

The UNSECURITY Podcast – Episode 27 Show Notes

Yes! It’s Friday, the sun is shining and we’re on time.

Hope you had a good week. Things are crazy busy at FRSecure and SecurityStudio which is good. It’s part of why we play this game.

Brad leads the show this week, and he’s put together the show notes. I’m currently in (or on my way to) Anaheim, California for the North America CACS 2019 Conference. For those who are unaware (and care), it’s one of ISACA’s big annual events. I’ll be speaking at the conference on Monday morning. I’ll post some stuff about the experience in a future post.

Anyway, back to the show. Last week Brad and I discussed the topic of Ego and Arrogance in Information Security. It was a good topic. We could have talked about it much longer than we did, but we spared you. 😉

This week, Brad is joined by a special guest while I call in from Cali. The cool kids call it “Cali”. Our special guest is none other than Mr. Ryan Cloutier, a cool cat with some good security chops and a noble mission. Yeah, I just said that.


SHOW NOTES – Episode 27

Date: Monday, May 13th, 2019

Today’s Topics:

  • Introduction and Discussion with Ryan Cloutier
  • InfoSec in K-12
  • News

[Brad] It’s another Monday morning here at FRSecure/SecurityStudio world headquarters which means it’s time for another episode of the Unsecurity podcast. It’s Monday, May 13, 2019 and this is episode 27. I’m Brad Nigh and I’m your host this week. Evan’s not physically here today but is joining us by phone. Evan, are you awake this early on the West Coast?

[Evan] Hopefully he’s had enough caffeine to be awake.

[Brad] Evan is out in Anaheim to speak at the ISACA CACS conference.  So today I’m joined in studio by a special guest. Joining us today is Ryan Cloutier! Welcome Ryan.

[Ryan] Probably says something here if his coffee has kicked in.

Introduction

We’re excited to have Ryan join us today. He’s very passionate about training and teaching children about Information Security. Things to talk about with Ryan:

  • What got you into information security?
  • What part of information security gets you excited?
  • Do you have a personal mission or purpose in the field?
  • I noticed that you do a lot of volunteer work, tell us about it.
  • In episode 20 we covered the topic of staying healthy in the information security industry. How do you keep a good balance between personal time, work, volunteering, social media (LinkedIn), etc.?
  • What sorts of things are you working on now?

Open Discussion around Information Security in K-12

[Brad] When we met last week it came up that you and I have a similar personal mission, teaching and protecting kids regarding Information Security in the K-12 space. I’m a volunteer for (ISC)² Safe & Secure Online, https://iamcybersafe.org/. Tell us a little bit about what you’ve been doing around this.

[Ryan] Talks about the things he’s doing

[Brad] Do you follow https://k12cybersecure.com/?

[Evan] hopefully chimes in and doesn’t nod off since it will be 4:45am for him when we start

[Brad] OK. Thanks guys. Now some quick news stories from the past week.

News

Scott County Schools victim of $3.7 million scam (update: they recovered it!)

‘Unhackable’ Biometric USB Offers Up Passwords in Plain Text

Americans Overly Confident in Cyber Hygiene

Closing

[Brad] Well that’s all the time we have, although I suspect we could go for another hour without a problem. A special thanks to Ryan for visiting with us today! Thank you. Don’t forget, you can follow me or Evan on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com. Ryan, how do you like people finding you?

[Ryan] Tells us how to find him

[Brad] Awesome. Thanks again! That’s it for episode 27.

Have a great week everyone!

The UNSECURITY Podcast – Episode 26 Show Notes

Happy Friday! Er, I mean Saturday. I’m a day late again, but whatever. I had work to do and stuff.

Spring (finally) seems like it’s in full swing now here in Minnesota. That’s a good thing because the snow was really getting old. Actually, it got old in February and everything else since then was Nordic hell (so to speak).

Always a bunch of really good and cool things happening at FRSecure and SecurityStudio. At least we think they’re cool. Stay tuned for some announcements over the next couple of weeks/months.

Last week (episode 25) was the first time we featured a dial-in guest. A really fascinating guy, Christophe Foulon joined us from DC. It was a great show! Click the link above if you missed it. Some of the ways you can stay current with what Christophe is doing, also in case you missed it:

Christophe is a great asset to the information security community and we were very happy to have him join us last week.

OK, so on with it. What’s to come this week?

We’re switching things up a little this week. Normally, Brad would lead this one, but we’re going to sort of co-lead instead. We’re doing this for two reasons (primarily), 1) I will be dialing in for episode 27 from Los Angeles (more on this later), and 2) Brad may have forgotten to write his notes for this episode. Naughty Brad.

Episode 26

Date: Monday, May 6th, 2019

Today’s Topic: Ego and Arrogance in Information Security

[%name%] Good morning world. It’s time for another episode of the Unsecurity podcast. It’s Monday, May 6th, 2019, I’m %name%, and this is episode 26. Joining me as (almost) always is %othername%. Good morning, %othername%.

[%othername%] Good morning %name%. How’s things?

[%name%] Things are great! Transition into chit-chat.

This is where we chit-chat a bit. Either you like our chit-chat or you don’t. We’ll try to appeal to both sides as best we can…

[Evan] So %name%/%othername% (Oops, sorry. I mean Brad). Last week I wrote an article on my blog where I posed a question. Actually, the title of the article was “Are Information Security People Arrogant?”. Did you happen to read it?

[Brad] No. I don’t read your stuff.

[Evan] Oh. OK. Well, I wrote this blog post. I learned that people don’t like to be called “arrogant”. Imagine that. Let’s talk about it.

Are Information Security People Arrogant?

Discussion about:

  • Comments that were received.
  • Personal stories.
  • General thoughts on the matter.

[Evan] I have another thing I’m working on too that I’d like to get your thoughts on. As you know, I’m in the middle of writing the 2nd book. This one is about information security for “normal” people. You knew that right?

[Brad] Ugh. Yes. I know. *rolling eyes* (I’m kidding! Brad is super encouraging and I love him)

[Evan] So, I’m writing a chapter of the book, and I’m writing a section about how we assume that we know what “normal” people think. I claim that we don’t. Then it dawned on me, have I ever asked “normal” people what they think about information security, privacy, or online safety? No! No, I hadn’t. Have you ever made the mistake of assuming you know what someone else thinks, and been wrong?

[Brad] No. (Just kidding again. I’m in a mood.)

What “normal” people are telling us.

Communication is one of those skills that we’ll always be working to improve (hopefully), and we’re trying to figure it out (better).

  1. Discussion about the research survey responses (so far).
  2. Could always use more data (See: https://evanfrancen.com/must-have-more-data/)

Disclaimer: I use the word “normal” affectionately and not in any way as a disparaging remark.

Open Discussion

(time permitting)

Anything else we might cover, but probably not too much babbling.

[%name%] OK. Good discussion! Now some quick news stories from the past week.

News

Man, there’s a ton of news to cover. These were the three that stuck out to me last week. Another story that’s very intriguing is this story from Motherboard.com; Someone Is Hacking GitHub Repositories and Holding Code Ransom. Check it out. Comment. Send us your thoughts. Whatever.

Closing

[%name%] Another full show and another full week ahead. We have another special guest planned for next week’s show (episode 27), and there’s always bound to be some drama here or there. Be sure to look for next week’s show notes.

If you wanna be cool, you’ll probably wanna follow us on Twitter. Just sayin’. Brad’s at @BradNigh and Evan’s at @evanfrancen.

Email us on the show at unsecurity@protonmail.com.

Until next week…

UNSECURITY Podcast Episode 25 Show Notes

Yes! Made it to another Friday. I didn’t get enough stuff done this week, but whatever. It’s always good to make it to another Friday!

We have a special guest this week! Read on…

If you’re new to this thing, these are our show notes for the Unsecurity Podcast. This is episode 25 already, can you believe it? If you missed episode 24, you can find the shows in a bunch of places:

There are a few other places, but these are the most common ones.

So, I hope you all had a good week! Mine, well it was busy. Work highlights had to be the CISSP Mentor Program class on Wednesday and the great time I spent with the only client I work with on a recurring basis, Flight Centre. 

I attended the Mentor Program remotely from New York, while Brad Nigh led the class in person from Minnesota. I had some fun chiming in with random crap during class. Brad being the pro that he is, took it all in stride.

We held the Spring 2019 Flight Centre Americas Security Summit on Wednesday. They’re a very large global company, and they’re really rocking it. I won’t bore you with the details, but it was really fun. Great people, great conversation, great collaboration, great progress, etc., etc. See the pic.


I’m sure Brad had a week too. He mentioned something to me about three incident response (IR) calls. We’ll find out on the show.

Episode 25

Date: Monday, April 29th, 2019

Today’s Topic(s):

  • Introduction and Discussion with Christophe Foulon
  • More Password Guidance
  • News

[Evan] It’s another Monday morning here at FRSecure/SecurityStudio world headquarters, and you know what that means? It’s time for another episode of the Unsecurity podcast. It’s Monday, April 29th 2019 and this is episode 25. I’m Evan Francen and I’m your host this week. Brad’s here. You know he’s my guy. Say “Hi” Brad.

[Brad] Hi.

[Evan] I’m pumped today Brad! We have a special guest today. Joining us today is Christophe Foulon! Welcome Christophe.

[Christophe] Probably says something here.

Introduction

We’re excited to have Christophe join us today. He’s one of the good guys that I’ve grown to admire.

Christophe’s LinkedIn Profile


Things to talk about with Christophe:

  • What got you into information security?
  • What part of information security gets you excited?
  • Do you have a personal mission or purpose in the field?
  • I noticed that you do a lot of volunteer work. Tell us about it.
  • You’re the co-host of the Breaking into Cybersecurity podcast (https://www.crowdcast.io/e/breaking-into-2/register), let’s talk about that for a bit.
  • In episode 20 we covered the topic of staying healthy in the information security industry. How do you keep a good balance between personal time, work, volunteering, social media (LinkedIn), etc.?
  • What sorts of things are you working on now?
  • You appear to be very active on LinkedIn, posting articles regularly and commenting often. I find you posting good content all the time. How important is LinkedIn to an information security professional’s career?

Segue into More Password Guidance

One of the posts you (Christophe) made this last week in particular caught my eye. You posted a reference to a Microsoft Security Guidance blog article titled “Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903”. In the article, written by Aaron Margosis, he describes Microsoft’s plan for “Dropping the password expiration policies.”

We’re going to discuss this revelation and the recent(ish) NIST guidance in SP 800-63-3. Interesting changes to the NIST guidance included:

  • Focus on Making Passwords Easy to Remember and Hard to Guess
  • The Use of Special Characters Is No Longer a Requirement
  • Character Allowances Increase and a Minimum Number Required
  • No Longer Requiring Password Time Periods or Expirations
  • Copy and Paste Functionality in Password Fields Is Enabled
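To make the shift concrete, here is an added example (not from the show notes, Microsoft or NIST) that puts a legacy composition-rule password policy next to one built on the SP 800-63B changes listed above. The blocklist, the username and the sample passwords are constructed for illustration.

```python
"""Added example, not from the show notes: a legacy composition-rule password policy
next to one built on the SP 800-63B changes listed above (sample data constructed)."""
import re

# Constructed stand-in for a "commonly used / previously breached" password list.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "spring2019!"}
# Repetitive (same char 4+ times) or simple sequential runs, per 800-63B section 5.1.1.2.
SEQUENTIAL = re.compile(r"(.)\1{3,}|0123|1234|2345|3456|4567|5678|6789|abcd|qwer")


def legacy_policy(pw: str, age_days: int) -> list[str]:
    """Pre-NIST rules: 8+ chars, three of four character classes, 90-day rotation."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("fewer than 3 of 4 character classes")
    if age_days > 90:
        problems.append("older than 90 days, rotation required")
    return problems


def nist_policy(pw: str, age_days: int, username: str = "", blocklist=BLOCKLIST) -> list[str]:
    """SP 800-63B style: length is the control, no composition rules, no time-based
    expiration (age_days is accepted and deliberately ignored); instead the
    candidate is screened against known-bad and context-specific choices."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    lowered = pw.lower()
    if lowered in blocklist:
        problems.append("appears on the blocklist")
    if SEQUENTIAL.search(lowered):
        problems.append("repetitive or sequential characters")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def compare(pw: str, age_days: int, username: str = "") -> dict[str, list[str]]:
    """Run both policies on one candidate so the disagreement is visible side by side."""
    return {"legacy": legacy_policy(pw, age_days), "nist": nist_policy(pw, age_days, username)}


if __name__ == "__main__":
    # Constructed cases: a passphrase legacy rules reject but 800-63B accepts, and vice versa.
    for pw, age, user in (("correct horse battery staple", 400, "evan"), ("Spring2019!", 10, "evan")):
        print(repr(pw), compare(pw, age, user))
```

The long passphrase fails the legacy rules on character classes and age yet passes the NIST-style check, while the short “compliant-looking” password passes the legacy rules and is rejected only because it sits on the blocklist.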

Open Discussion

We talk about the new guidance, whether we agree or not, what it means for us, what it means for users, and how it differs so much from what we grew up with.

I’m sure it will be a good discussion. 🙂

[Evan] OK. Thanks guys. Now some quick news stories from the past week.

News

Facebook is facing a big fine, but…

How a Nigerian ISP Accidentally Hijacked the Internet https://www.darkreading.com/cloud/how-a-nigerian-isp-accidentally-hijacked-the-internet/a/d-id/1334482

Cybersecurity Job Openings Boom, Pool of U.S. Job Seekers Shrinks https://spectrum.ieee.org/view-from-the-valley/at-work/tech-careers/cybersecurity-job-openings-boom-pool-of-us-jobseekers-shrinks.amp.html

One last thing. Some drama last week as Brian Krebs doxxed a couple of good security folks, causing quite a stir on Twitter. Here’s a screenshot of the since-deleted tweet.


Closing

[Evan] Man, that was a full show! A special thanks to Christophe for visiting with us today! Thank you.

Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com. Christophe, how do you like people finding you?

[Christophe] Gives some info.

[Evan] Awesome. Thanks again! That’s it for episode 25. Have a great week everyone! Until next week, eh?

UNSECURITY Podcast Episode 24 Show Notes

Happy Friday! It’s Good Friday. 

If you missed episode 23 of the Unsecurity Podcast, you can still check it out here.

Brad’s hosting episode 24. He sent me his notes to post. So, these are his notes, but I might have put a little of my own flavor to ‘em.

We had another great week here at FRSecure and SecurityStudio. Our quarterly meeting was held on Monday. I love the weeks when we have our quarterly meetings because we fly everyone in from all over the country to our headquarters in Minnesota. We all get together, collaborate on cool stuff, hang out after work, play games, etc. The week is full of fun; sort of like a week-long FRSecure/SecurityStudio party.


The only people who aren’t able to attend in person are the great Bulgarians! Shout out to those guys because they’re fricken amazing!

Anyway, like I stated earlier, it’s Brad’s week. Let’s see what he has in store…

Episode 24

Date: Monday, April 22nd, 2019

Today’s Topic(s): Compliant vs Secure

[Brad] Hello listeners! Here we are, today is Monday, April 22nd, 2019 and this is episode 24 of the Unsecurity podcast. I’m Brad Nigh, and I’m your host for today’s show. Joining me is Evan Francen. Hello Evan.

[Evan] Evan says “Hi” and other things

[Brad] We also have a special guest this week. As you may know, FRSecure participates in several mentorship opportunities, including some in our own back yard. As part of one mentorship program in particular, we have to do a real-world experience exercise with the student. So, here we are, we’ve invited one of our students to sit in with us today. He may just sit and listen, but he’s more than welcome to join in and ask questions.

[Evan] Says stuff to the guest, probably…

(may be some open discussion here but maybe not… tune in to find out!)

[Brad] Anything exciting you want to talk about from last week? How’s the survey going?

[Evan] Gives a recap of his week…

[Brad] Alright, we’ve got some good topics for today’s show. I chose today’s topic after responses from a couple of calls this week. It’s something that I think we are both passionate about and honestly gets me fired up. So let’s talk “Compliant vs Secure”. The one comment that triggered this was a potential client who, after seeing our proposed services to address several issues, responded with “what is the absolute minimum I have to do to be compliant with (insert regulation here)?”

[Evan] Goes off on a rant, just as I planned. 😉

[Brad] This isn’t something new either but we are still seeing it.

Krebs wrote an article about it in 2016.

The sad truth is that far too many organizations spend only what they have to on security, which is often to meet some kind of compliance obligation such as HIPAA to protect healthcare records, or PCI certification to be able to handle credit card data, for example. However, real and effective security is about going beyond compliance — by focusing on rapidly detecting and responding to intrusions, and constantly doing that gap analysis to identify and shore up your organization’s weak spots before the bad guys can exploit them. https://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/

Forbes mentioned it in 2014.

But here’s the kicker: being compliant won’t necessarily save you from being hacked.

We know that is rough to hear, but requirements are not the same as best practices. Basic prescriptive requirements are often the bare necessities of information security. To truly defend against all-purpose attacks, full information security programs and best practices must be implemented. https://www.forbes.com/sites/sungardas/2014/05/01/can-your-company-be-pci-compliant-and-still-get-hacked/#1f6fdfb4ea90

Open discussion around the differences and how we, as InfoSec professionals, can help change this mindset.

[Brad] Okay, we should probably talk about a couple of news stories; there are some big ones out there.

News

Easter Attack Affects Half a Billion Apple iOS Users via Chrome Bug (https://threatpost.com/easter-attack-apple-ios/143901/)

Wipro breach

Facebook: we logged 100x more Instagram plaintext passwords than we thought (https://nakedsecurity.sophos.com/2019/04/19/facebook-we-logged-100x-more-instagram-plaintext-passwords-than-we-thought/)

Closing

[Brad] Don’t forget, you can follow me or Evan on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com.

That’s it for episode 24. Have a great week everyone! Thank you and see you next week!