
UNSECURITY Episode 126 Show Notes

Here we are, time for another episode of the UNSECURITY Podcast.

I came across another interesting article this week, “15 Cybersecurity Pitfalls and Fixes for SMBs”. I have a heart for underserved markets, and small to mid-sized businesses (SMBs) are certainly an underserved (or poorly served) market.

NOTE: The other underserved markets I’m especially interested in are state/local government, education (higher education & K12), and individual consumers.

This is a perfect time to talk about SMB information security. As we come out of COVID (Lord, I hope we are!), more and more SMBs are getting back on their feet. As they start on this next (or first) chapter of their SMB journey, it’s imperative they take information security seriously and do things right. The last thing anyone (except for attackers) wants is to start building/rebuilding a business with limited resources only to lose everything from an attack.

Looking forward to dissecting this with Brad on this episode!

Let’s get right to it, show notes for episode 126 of the UNSECURITY Podcast…


SHOW NOTES – Episode 126 – Wednesday April 7th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 126, and the date is April 7th, 2021. Joining me is my good friend, great guy, and infosec expert Brad Nigh. Welcome Brad!

Another good show today. We’re gonna talk about this article I came across the other day. The title of the article is “15 Cybersecurity Pitfalls and Fixes for SMBs”.

15 Cybersecurity Pitfalls and Fixes for SMBs

This article features a roundtable discussion between Timur Kovalev, CTO of Untangle, Erich Kron from KnowBe4 and Greg Murphy, CEO of Order. They give their take on what SMBs think about information security, the common mistakes they make, and how to do things better.

As you know, we have no shortage of information security “experts” in our industry. Let’s see if we agree, disagree, and/or have something to add to this discussion.

  1. Think they’re too small to be a target.
  2. Haven’t made a thorough asset inventory assessment.
  3. No network segmentation.
  4. Ignore fundamentals.
  5. Haven’t done a business risk evaluation.
  6. Insecure digital assets.
  7. Don’t know what “normal” activity looks like.
  8. No 2FA.
  9. Misconfigured cloud servers/confusion about move to the cloud.
  10. User security training.
  11. Haven’t evaluated their threat to the supply chain.
  12. Lack of business continuity plan.
  13. Aren’t thinking strategically about asset allocation and budgeting.
  14. Failing to backup.
  15. Lax patching.

NOTE: This is not our list, this is the list from the article.

If you had to pick your 15 most common information security mistakes made by SMBs, what would you pick? This will be a good discussion!

News

As of 9:15AM on 4/5/2021, the number of registered students in the FRSecure CISSP Mentor Program is 5,618!

Three interesting news articles this week:

Wrapping Up – Shout Outs

Good talk. Thank you Brad, and thank you listeners!

Who’s getting shout outs this week?

Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 125 Show Notes

A news article caught my eye this morning while getting ready for this episode of the UNSECURITY Podcast.

US Strategic Command Twitter account accessed by child: report

Link: https://www.foxnews.com/us/us-strategic-command-twitter-account-accessed-by-small-child-report

My first thought was “oh, that’s funny and sorta cute.” Then I thought some more. It seems innocent(ish) to walk away from your computer while you’re at home. What could happen? Well, this could happen, but it could have been much worse!

This is the Twitter account of the U.S. Strategic Command (“USSTRATCOM”). For those of you who don’t know what USSTRATCOM is, or what they do, here’s information from their “About” page:

“USSTRATCOM integrates and coordinates the necessary command and control capability to provide support with the most accurate and timely information for the President, the Secretary of Defense, other national leadership and combatant commanders.

The mission of USSTRATCOM is to deter strategic attack and employ forces, as directed, to guarantee the security of our Nation and our Allies. The command’s assigned responsibilities include strategic deterrence; nuclear operations; space operations; joint electronic spectrum operations; global strike; missile defense; and analysis and targeting. USSTRATCOM’s forces and capabilities underpin and enable all other Joint Force operations.

USSTRATCOM combines the synergy of the U.S. legacy nuclear command and control mission with responsibility for space operations, global strike, and global missile defense. This dynamic command gives national leadership a unified resource for greater understanding of specific threats around the world and the means to respond to those threats rapidly.”

Sounds pretty damn important! Social media is used by organizations (public and private) to disseminate information to the public and their customers. What if the information disseminated is harmful to others? In this particular case, a child typed “;l;gmlxzssaw”. The message was broadcast all over the world and caused a stir. Caused a stir, but not panic.

What if this wasn’t a child and/or the message was more nefarious? What if someone typed:

“The United States of America is under current attack. The President has raised our alert condition to DEFCON 1. THIS IS NOT A DRILL. DO NOT panic, but please be aware. Additional details forthcoming, including further instruction for protection of U.S. citizens and our assets.”

Now, you may know that USSTRATCOM would never issue such a warning on Twitter, but do others? Even if others do know this, you’ve seen how some people throw logic and reason out the window when something panicky happens, right? What if the alert was more thought out, with direct instructions to do certain things that could be destructive? Would this cause a panic? On the surface, this particular instance may seem funny. In reality, it’s sad. It’s sad that people often use computers without thinking of consequences and that we are STILL trying to get people to lock their computers when they step away.

Anyway, we’ve got a show to do. Let’s get right to it, show notes for episode 125 of the UNSECURITY Podcast…


SHOW NOTES – Episode 125 – Tuesday March 30th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 125, and the date is March 30th, 2021. Back again is my good friend and security ninja Brad Nigh. Welcome Brad!

Another good show today. We’re gonna talk about this FRSecure CISSP Mentor Program thing you might have heard about.

FRSecure CISSP Mentor Program

  • What is it?
  • Who’s it for?
  • The history of the FRSecure CISSP Mentor Program
    • 1st class in 2010 – six students
    • 11th class in 2020 – ~2,400 students
    • 12th class this year (2021) – 5,300+ students
  • Why did we start this thing?
  • Why do we keep doing this thing?
  • Next class starts on April 12th (2021)
    • What are we expecting?
    • Who’s teaching?
    • Is there time to sign up still?
  • Is it really FREE?!
    • What strings are attached?
    • Will I be marketed to?
    • Will I be sold something?
    • Will you sell my information?
  • What’s the future of the FRSecure CISSP Mentor Program?
  • Where can I sign up?
  • Can I refer others?
  • What if I’m not planning to take the test?

And whatever other question we can think of. We’ll be transparent as we talk about the program and our experiences with it.

Want to know more? GO HERE: https://frsecure.com/cissp-mentor-program/

News

Three interesting news articles this week:

Wrapping Up – Shout Outs

Good talk. Thank you Brad, and thank you listeners!

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 124 Show Notes

Spring has sprung!

The first day of Spring was Saturday, March 20th. If you’re from Minnesota like Brad and I are, you’re happy about this. Speaking of Brad, he’s back this week!

Let’s get right to it, show notes for episode 124 of the UNSECURITY Podcast…


SHOW NOTES – Episode 124 – Tuesday March 23rd, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 124, and the date is March 23rd, 2021. Back from taking a couple weeks off from the show is my good friend and co-host Brad Nigh. Welcome back Brad!

We’ve got a good show planned for you today. Let’s talk passwords! Yay, right?!

Let’s try to tackle as many common questions about passwords as we can in one show!

Passwords

  • Why do we need passwords?
    • The basics of identity and authentication.
    • A password is proof.
  • What happens when a password is compromised?
  • How are passwords compromised?
    • Caused by you.
      • Disclosed.
      • Weak.
    • Caused by them (someone you shared it with).
  • What’s the risk if a password is compromised?
    • How do we protect against password disclosure?
    • How do we protect against weak passwords?
    • How do we protect against someone else disclosing a password?
  • @SecurityStudio, we just finished a new password strength/score algorithm.
    • Eighteen rules with weights applied according to risk.
    • Length, numbers(only), lowercase(only), uppercase(only), letters(only), letters & numbers(only), known compromise(s), dictionary, dictionary w/simple obfuscation, 80%+ dictionary, 80%+ dictionary w/simple obfuscation, 60%+ dictionary, 60%+ dictionary w/simple obfuscation, doubleword, common numeric sequences, words & numbers appended, and personally common/known things.
  • The average person has how many passwords?
    • How many passwords do you have?
    • How many passwords do Brad and I have?
  • Are passwords secure?
  • Are we stuck with passwords forever?
  • What do we do to protect our passwords?
  • Does anyone like passwords?
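The “rules with weights applied according to risk” idea from the list above, worked through as an added example. This is not SecurityStudio’s algorithm and not code from the podcast: the rule checks, the tiny dictionary, the “known compromised” set, the personal-context list, the length threshold and every weight are constructed assumptions chosen only to show how weighted rule penalties combine into a single score.

```python
import re

# Constructed sample data (NOT SecurityStudio's lists): a tiny dictionary,
# a tiny "known compromised" set, and a user's personal context
# (pet name, birth year, city) as the "personally common/known things" rule.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "football"}
COMPROMISED = {"password1", "123456", "qwerty", "letmein"}
PERSONAL = {"fluffy", "1987", "minneapolis"}

# Reverse common leet-speak substitutions so "p@ssw0rd" is seen as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed weights (assumptions): higher = bigger penalty, subtracted
# from a starting score of 100. Rule names follow the show notes' categories.
WEIGHTS = {
    "short": 30, "numbers_only": 40, "lowercase_only": 15, "uppercase_only": 15,
    "letters_only": 10, "letters_and_numbers_only": 5, "known_compromise": 60,
    "dictionary": 35, "dictionary_obfuscated": 30, "doubleword": 25,
    "numeric_sequence": 25, "word_plus_number": 20, "personal": 40,
}
MIN_LENGTH = 12  # assumed threshold for the "length" rule


def strip_leet(s):
    """Undo simple obfuscation: 'p@ssw0rd' -> 'password'."""
    return s.translate(LEET)


def is_numeric_sequence(s):
    """True for runs like 1234, 6543 or 1111 among the password's digits."""
    digits = re.sub(r"\D", "", s)
    if len(digits) < 4:
        return False
    asc = "0123456789" * 2
    return digits in asc or digits in asc[::-1] or len(set(digits)) == 1


def failed_rules(password, personal=PERSONAL):
    """Return the names of every constructed rule the password trips."""
    p, low, fails = password, password.lower(), []
    if len(p) < MIN_LENGTH:
        fails.append("short")
    # Character-class rules: only one of these can apply.
    if p.isdigit():
        fails.append("numbers_only")
    elif p.isalpha():
        fails.append("letters_only")
        if p.islower():
            fails.append("lowercase_only")
        if p.isupper():
            fails.append("uppercase_only")
    elif p.isalnum():
        fails.append("letters_and_numbers_only")
    if low in COMPROMISED:
        fails.append("known_compromise")
    if low in DICTIONARY:
        fails.append("dictionary")
    elif strip_leet(low) in DICTIONARY:
        fails.append("dictionary_obfuscated")
    half = len(low) // 2
    if len(low) >= 4 and len(low) % 2 == 0 and low[:half] == low[half:]:
        fails.append("doubleword")  # e.g. "dragondragon"
    if is_numeric_sequence(p):
        fails.append("numeric_sequence")
    m = re.fullmatch(r"([a-z]+)(\d+)", low)  # word with digits appended
    if m and (m.group(1) in DICTIONARY or strip_leet(m.group(1)) in DICTIONARY):
        fails.append("word_plus_number")
    if any(item in low for item in personal):
        fails.append("personal")
    return fails


def score(password, personal=PERSONAL):
    """Weighted score in 0..100; every failed rule subtracts its weight."""
    penalty = sum(WEIGHTS[r] for r in failed_rules(password, personal))
    return max(0, 100 - penalty)


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd", "Summer2021", "fluffy1987",
               "dragondragon", "Correct-Horse-Battery-Staple"]:
        print(f"{pw:30} {score(pw):3}  {failed_rules(pw)}")
```

The design point worth noticing is that the rules overlap on purpose: “Summer2021” is penalised for being short, for being letters-and-numbers only, and for being a dictionary word with a number appended, so the combined score reflects several independent reasons a guesser would find it quickly. Weighting by risk (a known-compromised password costs more than a lowercase-only one) is what makes this a score rather than a pass/fail checklist.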

Other Things

  • The latest registration count for the FRSecure CISSP Mentor Program was 4,701 as of yesterday (3/22) morning!
    • The 2021 program kicks off in 20 days.
    • Will we top 5,000 registrations?!
    • What do we like best about the program?
  • New features for S2
    • Nested entities within S2Org.
    • S2Me Instant Score (coming soon).
    • S2PCI (coming next month).
  • What else?

News

Three interesting news articles this week:

(PSST… Want a good list of APT groups and their operations?! – https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#)

Wrapping Up – Shout Outs

Good talk. Thank you Brad, and thank you listeners!

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 123 Show Notes

Happy St. Patrick’s Day! For those of you who aren’t into this holiday (for whatever reason), Happy (everyday) Day!

This has been a week full of great experiences and awesome conversations with wonderful people. It’s the people we serve who inspire us to work as hard as we do. Here’s a small sampling:

  • Daytona Bike Week (last week) – if you’ve never been to a bike rally before, I recommend you try it out someday (even if you don’t ride). There are interesting people from all walks of life and the diversity (backgrounds, race, preferences, thought, etc.) would probably surprise you.
  • Co-workers – discussions about everything from mental health (many of us did the Mental Health First Aid certification course together last week), to life challenges (relationships, family, health, etc.), to work challenges, and everything in between. It’s a blessing (to them and to me) when I stop, listen, and invest in others.
  • Customers/peers – had some check-ins this week with a few enterprise CISOs I call friends. Life as a CISO can be extremely DIFFICULT. It’s encouraging to know people care about me, and I them. CISOs are human beings who need love just like all of us do!
  • Everyday people – we’re all beautifully unique. We are similar in some respects, but there are wonderful things that make me me and you you. We’re a hodge podge of emotions, biases, beliefs, perspectives, and experiences. Rather than fight because you think differently than I do, why don’t I embrace the uniqueness and differences? Why not try to understand them and you better?

We’re not doing this enough in society and we’re not doing this enough in our industry either.

    • Why?
    • Have we lost our respect for other human beings?
    • Have we lost our ability to reason?
    • Are we afraid to share who we really are out of fear? Fear of being marginalized, silenced, and attacked (physically and online)?

I believe people are AMAZING! I believe people are worthy of respect (even if it’s only a little). I believe people should be heard and understood. I believe information security isn’t about information or security as much as it is about people. I believe people are who we serve. I believe we must invest in people more. I believe in understanding people (better). I believe loving people gives us our best chance at doing our (information security) jobs effectively, and I believe loving people gives us our only chance of saving society.

Now on to show notes for episode 123…


SHOW NOTES – Episode 123 – Wednesday March 17th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 123, and the date is March 17th, 2021. Filling in for Brad again this week is my good friend and co-worker Ryan Cloutier. Welcome Ryan, glad to have you back!

  • We’ve got a great show planned today. We’ll start with the importance of reason and logic in information security, our jobs, and in life. There are many parallels between information security (or “cybersecurity” as some people call it) and life.
  • Then, if we have time, we’ll talk about passwords. Everybody hates passwords.
  • We’ll close the show with a few mentions; about the FRSecure CISSP Mentor Program and SecurityStudio’s free S2Me (very quickly growing in popularity).
  • Oh yeah, we’ve got a couple news stories too, but whatever.

Reason

  • Have we lost our ability to reason?
  • What is reason anyway?
  • Why is reason (and logic) critical to information security?
  • Why is reason (and logic) critical to risk (all risk)?
  • Why is reason (and logic) critical to life?
  • There are parallels here, like:
    • Information security is risk management.
    • There’s no such thing as risk elimination or infinite risk; they are two different ends of the spectrum.
    • There’s no such thing as 100% reason/logic without emotion or vice versa; two different ends of the spectrum.
    • The goal is management.
  • If we’ve lost our ability to reason, how can we get it back? Or, if we never had the ability to reason, how do we learn it?
    • Ask “Why?” often, almost incessantly, like a three year-old.
    • Ask yourself “Why”.
      • Not in a way that beats yourself up, but in a way that you understand why you’re doing what you’re doing and/or why you believe what you believe.
      • Notice the difference between emotional response and logical response.
      • Learn to use logic and emotion where they are and how they are appropriate. Seems mechanical and awkward at first, but it should become natural/habitual over time.
    • Ask others “Why”.
      • Respectfully out of a desire to understand, and not in a confrontational manner.
      • Learn how to ask without offense. If the person you’re asking takes offense despite your best efforts, that’s on them.
      • Maybe they need help understanding logic versus emotion? Interesting tells about people who are unable or unwilling to use reason or logic to defend a position (or make a point):
        • They change the subject. You asked a question about one thing, and quickly find yourself in a discussion about something different.
        • They attack your character. This is a classic emotional response where the person you’re questioning probably isn’t sure why he/she believes what they do. Don’t take offense, but recognize this tactic for what it is.
    • Encourage others (especially people you trust) to question you.
      • Be prepared to defend why you believe what you believe. If you can’t (with reason), then maybe you should question what you believe.
      • When other people ask you “why”, view it as an opportunity to state your case.
      • When other people ask you “why”, it’s a great opportunity for you to learn (about perspective and reason).

NOTE: We could talk for a long time about Reason, so we might not get to the topic of “Passwords”. If we don’t get to Passwords in this episode, we’ll get to it in episode 124.

Passwords

  • Why do we need them?
  • What makes a password good versus bad?
  • What do we (Ryan and I) do to practice good password behavior? BTW, neither of us is perfect!

NOTE: Regardless of timing, we will discuss “Mentions” in this episode.

Mentions

  • FRSecure CISSP Mentor Program – We’re less than one month away from the start! I think there are more than 4,000 students signed up, so this is going to be AWESOME!
  • S2Me – the FREE SecurityStudio personal risk management tool has been growing very fast (in terms of popularity). Big news happening here, and we’re making a difference!

News

Wrapping Up – Shout Outs

Good talk. Thank you Ryan, and thank you listeners!

…and we’re done.

FRSecure CISSP Mentor Program Welcome Message

Only 46 more days. It’s almost time to start the FRSecure CISSP Mentor Program!

As of yesterday (2/23/21), we have more than 3,500 registered students for the 2021 class. That’s awesome! (and a little nuts) For context, we started the program in 2010 with six students. At the time, FRSecure was a teeny startup (3 employees), but our size didn’t matter. We started with a simple goal:

Provide quality information security training for free.

No strings. No ulterior motive. No marketing gimmicks. Nothing but helping people on their journey.

Why this goal?

We love people. By proxy, we love people in our industry, and by (another) proxy, we love the people served by our industry. Our mission (“to fix the broken industry”) is born from and rooted in love, and we will always do right by our mission. Makes sense, yeah? We’re all #MissionBeforeMoney around here!

Fast forward, this will be our 12th consecutive year. We’ve been a positive influence (to one degree or another) in the lives of more than 6,000 people through the CISSP Mentor Program in the past two years alone (3,500+ students this year so far, 2,400+ students last year). Everyone is welcome here, regardless of background, experience or education. If you don’t want to take the CISSP exam, or don’t feel ready, join us anyway. You’ll learn more about information security, and maybe you’ll pick up some life skills along the way!

Welcome Message

Posted in the 2021 CISSP Mentor Program Study Group on 2/19/21:

Hello 2021 FRSecure CISSP Mentor Program Class,

I’m Evan Francen, the founder and CEO of FRSecure (and SecurityStudio) and one of the instructors here. We’ll get to know each other once class gets going, but I wanted to introduce myself now and welcome you.

Welcome to the 2021 FRSecure CISSP Mentor Program!

I’m excited that you’re here and honored to be part of your journey.

A little history…

In 2008, we started FRSecure with this mission:

To fix the broken information security industry.

Our mission came from a deep passion to do things right and serve others. You see, information security isn’t about information or security as much as it is about people. People cause the havoc (intentionally or accidentally) and people suffer the consequences. If nobody suffered, nobody would care.

The information security industry is still young. There’s no shortage of work to do, and the sooner we get to work on the right things, the better off everyone will be. Two things are at (or near) the core of our information security industry problems:

  • People take advantage of other people. If there was a single motivator for me, this would be it.
    • Attackers – people who don’t hide their intent to do others harm. Most people think we’re only concerned about the attackers, but there’s much more.
    • Frenemies – people in our industry who sell products and services that are not in the best interests of the buyer and/or do not do what they claim.
    • “Experts” – yes, in quotes. There are people in our industry who are in it for the wrong reasons. They are motivated by selfishness and not to serve others. This wouldn’t seem so bad, but most of these people are charged with securing information that does not belong to them. Inflated egos intimidate and discourage others, ignorance leads to poor decisions, comfort leads to inactivity, etc., etc.
  • Information security fundamentals are not universally understood or applied. This is true in the public sector and private industry. It’s also true at home. If we (as an industry) mastered the application of fundamental information security concepts, we’d reduce the number of breaches by as much as ~80-90% (my conservative estimate) and significantly reduce the impact to society.

Fixing these problems is certainly easier said than done, but the pursuit continues…

So, where does the FRSecure CISSP Mentor Program fit in this equation, and what does it mean for you?

Simple. Our industry needs more good information security people. We need you!

The FRSecure CISSP Mentor Program was born out of our mission. In our first year (2010), there were six students. All six students went on to pass their exams and became CISSPs. Today, they are all working in our industry and making a positive difference in the lives of others. Last year was the 11th consecutive year for the program, and we had more than 2,400 registrations. It’s been an incredible experience for us, and for me personally. We do this because we love people, and we do it for no other reason. No strings, just #MissionBeforeMoney!

The 2021 CISSP Mentor Program

We’re sticking with the formula that works. Due to COVID still being COVID, we will once again teach all classes remotely. We’ve already surpassed last year’s record number of student registrations, and we’re on track for more than 5,000! This will be the best class yet, and I’m VERY excited to get to know some of you along the way! You’ll see me and some of the other FRSecure folks drop in here (the study group) from time to time. We’re here to help you as much as we are able (given day job and family stuff).

Once again, welcome! Thank you for letting us be part of your success. I know I speak for the other instructors (Brad Nigh and Ryan Cloutier) and the entire FRSecure team when I say that.

Let’s do this!

If you’ve thought about signing up, but haven’t yet, go do it. If you know somebody who could use some of this, tell them about it. See, more simple!

UNSECURITY Podcast – Ep 105 Show Notes – Honest IR

Alright, the U.S. election season is over. Now we can all focus again, right?

Maybe, maybe not.

Before we get too far, I want to call your attention to an article I wrote last week titled “Good People Didn’t Vote For Your Guy”. Healing and unity are long overdue in our country. I’m hoping we will find our way back to being countrymen/women working together for our common good. I’m also hoping that our elected officials don’t steal this opportunity for their own selfish gain.

OK, now back to work…

Last week on the UNSECURITY Podcast, episode 104, we talked with a good friend Richie Breathe about the security industry’s perceived stigma against healthy stuff. It was a great episode and a real pleasure spending time with such a cool guy. If you missed the episode, go give it a listen.

Also last week, Ryan Cloutier, Chris Roberts, and myself had a GREAT time chatting on the Security Shit Show. Our topic was “Seven Ways Security Can Improve Your Sex Life”. Chris found a “Fitbit for your man bits” online, and the conversation went on from there. Lots of fun!

Plenty of businessy stuff went on last week as well, including a half dozen (or so) partnership discussions with some great organizations. Things continue to hum along, so watch for announcements from FRSecure and SecurityStudio in the coming weeks.

On to the show!

Episode 105 Topic and Special Guest

FRSecure’s Director of Technical Solutions and Services, Oscar Minks is joining us on the show again this week. For those who don’t know Oscar, he’s the awesome leader of FRSecure’s Team Ambush and an all around incredible guy. We’ll ask him to tell us who Team Ambush is on the show, but these are essentially the people who do all (or at least most) things technical at FRSecure, including penetration testing, red/blue/purple teaming, incident response, CTF competitions, exploit development and training, etc. Seriously an INCREDIBLE team!

We’ve got Oscar on this week to talk primarily about what TO DO, and what NOT TO DO during an incident response. In the last few months, we’ve seen a significant increase in the number of reported incidents, and we’ve seen too many people make mistakes. Don’t get us wrong, there are people who do things right, but sadly this is too rare.

Should be a great talk!

Let’s get on to the notes…

Brad’s leading the discussion today, and these are his notes.


SHOW NOTES – Episode 105

Date: Tuesday November 10th, 2020

Episode 105 Topics

  • Opening
  • Catching Up
    • What’s new?
    • How 4th quarter got you going? 😉
  • Special Guest Oscar Minks – What TO DO, and what NOT TO DO during an incident response
    • First, tell us about “Team Ambush”
    • Recent Incidents/Stories
    • Top things to do
    • Top things NOT to do (examples)
    • What’s next for Team Ambush?
  • News
  • Wrapping Up – Shout outs

Opening

[Brad] Welcome back! This is episode 105 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is November 10th, and joining me this morning as usual is Evan Francen.

[Evan] Talks about mindfulness after the last three shows…

[Brad] We have Oscar Minks with us today. Good morning Oscar.

[Oscar] Says a few things in his sweet southern drawl…

[Brad] As is tradition, let’s catch up with what happened over the last week.

[Evan] The weather was really nice this weekend, so I think Evan got in a good ride (or two).

Quick Catchup

Brad, Evan, and Oscar do a little friendly catching up…

NOTE: We know this isn’t specifically security-related, but security folks gotta have a life too, right?

Transition

Special Guest Oscar Minks – What TO DO, and what NOT TO DO during an incident response

[Brad] Okay so it’s no surprise that IR work is keeping us busy, the report from DHS and Secret Service around healthcare is proof of that. I thought it would be a good discussion today to talk about what are some do’s and don’ts when working with an IR firm, which is why Oscar is joining us this morning.

Open discussion points:

  • Tell us about “Team Ambush”
  • Recent Incidents/Stories
  • Top things to do
  • Top things NOT to do (examples)
  • What’s next for Team Ambush?

Begin Discussion

[Brad] Great discussion. Here are some news stories.

News

[Brad] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Brad] That’s it for episode 105. Thank you Evan and Oscar, do you have any shout outs this week?

[Evan] We’ll see…

[Oscar] We’ll see…

[Brad] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 104 Show Notes – Stigma Against Healthy

Last week was nuts. Is “nuts” the norm? God, I hope not.

The week started off with what seemed like a run of the mill ransomware attack against a healthcare client. The investigation led us to threat hunting with another client. During the threat hunting exercise, Brian Krebs called. He claimed to have information about 427 healthcare organizations who could be attacked by Wednesday (10/28). This led us down all sorts of paths with a few renowned researchers, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Secret Service (don’t ask), and others.

Eventually, CISA issued a joint cybersecurity advisory with the FBI and Department of Health and Human Services (HHS). See: Ransomware Activity Targeting the Healthcare and Public Health Sector.

On Friday, FRSecure issued their own statement and hosted a very well-attended webinar. See: Situation Update: RYUK Ransomware in Healthcare.

One thing we learned is that incident response in the United States, in terms of our readiness across the public/private sector is in bad shape. It shouldn’t take 3+ days to legitimize a threat and coordinate a response. Thank God we didn’t witness a coordinated attack against 427 hospitals at once. Had this been a real attack against 427 hospitals, we would have been in a world of hurt!

Other things that happened last week include:

  • Episode 103 of the UNSECURITY Podcast, Part Two with Neal O’Farrell of the PsyberResilience Project was awesome! If you missed it, you should go check it out.
  • FRSecure is rocking it! We’re running on all cylinders and making a positive difference in our industry. I’m very proud and humbled at the same time.
  • SecurityStudio finished another incredible month! People are buying into the concept of focusing on the fundamentals and simplification. In case you didn’t know, complexity is the worst enemy of information security.
  • The Security Shit Show was awesome on Thursday night! Personally, I needed the time to talk shit with my peers, Ryan Cloutier and Chris Roberts. It’s like therapy. The title for our discussion was “Kiss and Make Up?” and we talked about what life might look like after the election.

There was probably other important stuff sprinkled in last week too, but the brain can only handle so much!

On to the show!

Episode 104 Topic and Special Guest

A few important things about this episode:

  • This is episode 104, the two-year anniversary of the UNSECURITY Podcast! Holy crap, where did the time go?! It’s been an incredible ride so far, and we’ve met 100s of amazing people along the way.
  • Our topic (or, I guess title) is “The security industry’s stigma against healthy stuff”. Is there a stigma against healthy stuff in our industry? Maybe. We’ll look into it in this episode.
  • We have another special guest, and he’s a good one! We call him Richie Breathe, and he’s a great guy with interesting perspectives on wellness. He’s the perfect guest to wrap up what turned into another semi-series about us and our health.
  • Next week, we’re going to dive back into incident response. We’ve seen some very interesting (and alarming) trends, and it’ll be good to share with you.

Let’s get on to the notes…

Oh yeah, one more thing before we forget.

GO VOTE!


SHOW NOTES – Episode 104

Date: Tuesday November 3rd, 2020

Episode 104 Topics

  • Opening
  • Happy Anniversary (to us)
    • What’s been your favorite thing about the UNSECURITY Podcast?
    • What’s been your favorite moment or episode?
  • Special Guest Richie Breathe and the security industry’s stigma against healthy stuff
    • Who’s Richie Breathe?
    • Is there a stigma? If so, how bad do we think it is?
    • Ideas for improving wellness in our industry.
    • Where to go next.
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hi again everyone. Welcome to another episode of the UNSECURITY Podcast! This is episode 104, the date is November 3rd, 2020, and I’m Evan Francen, your host. Joining me is my good friend and co-worker, Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Also joining us, is a good friend Richie Breathe. Good morning Richie.

[Richie] Cue Richie.

[Evan] First things first. Today is election day. Did you guys vote?

[Brad & Richie] Well, did they?

Happy Anniversary (to us)

[Evan] This is our 104th episode in a row, meaning 104 weeks in a row, meaning two years! I can hardly believe it. Seems like yesterday we did our first episode together Brad. Happy anniversary!

[Brad] Cue Brad

[Evan] I gotta tell you man. I’ve loved every minute of this with you. Sincere gratitude for being my pal in this journey.

[Brad] Cue Brad

[Evan] Now, Richie. You’ve been listening for a while, and we actually met through the podcast, didn’t we?

[Richie] Cue Richie

[Evan] I’ve met 100s of amazing people over the past two years from this show. So many incredible memories. Brad, what’s your favorite thing about the UNSECURITY Podcast?

[Brad] Cue Brad

[Evan] How about you Richie?

[Richie] Cue Richie

[Evan] My favorite thing.

I couldn’t have imagined so much and I’m VERY grateful. How about a favorite moment or episode? Brad?

[Brad] Cue Brad

[Evan] Richie?

[Richie] Cue Richie

[Evan] My favorite moment/episode.

Like I said, it’s been an amazing ride. Here’s to many more episodes and lots more memories!

Transition

Special Guest – Richie Breathe and the security industry’s stigma against healthy stuff

[Evan] Richie, thanks for being here man. I know we talked about this a while back, and the time has finally come. You first learned about me and Brad through the UNSECURITY Podcast, then started coming to the Daily inSANITY Checkin, right?

[Richie] Cue Richie.

[Evan] The Daily inSANITY Checkin is another HUGE blessing for me. I’ve met some incredible people there and I love sharing life with them. Shout out to you guys!

For people who want to know more, the Daily inSANITY Checkin is just what it says. It’s a daily informal meeting with people who care about each other. It’s a safe place to come, share thoughts, share ideas, or share whatever else comes to mind. The only real rules are to show respect and be yourself. Simple.

We started the Daily inSANITY Checkin immediately after the COVID-19 lockdowns started in March and we’ve been going strong ever since. It’s been incredible. So, Richie. You’re there almost every day, and I’m grateful to have gotten to know you. I know you, but tell the listeners a little about yourself.

[Richie] Cue Richie.

Begin Discussion

The security industry’s stigma against healthy stuff

  • Who’s Richie Breathe?
  • Is there a stigma? If so, how bad do we think it is?
  • Ideas for improving wellness in our industry.
  • Where to go next.

[Evan] Awesome! Great discussion. Thanks again Richie!

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Richie, please feel free to comment anytime too!

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] Great! Episode 104 is just about complete. Thanks guys! Next week we’re going to tackle some incident response stuff. Things like what’s going on, what people are doing wrong, and how to do things better. Episode 105 will be great, and maybe we’ll invite a guest to boot!

Richie, loved having you join us this week. Thank you!

Any shout outs for either of you?

[Brad and/or Richie] We’ll see.

[Evan] Always grateful for our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Richie, how can listeners find you?

[Richie] Cue Richie.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 103 Show Notes – PsyberResilience Project Pt. 2

Happy Tuesday (again)!

There are always 100s of things to talk about each week, and if you’re ADHD like me, you know how hard it can be to stay focused on one thing for too long!

Here are a few things that are top of mind right now:

  • Security ABCs:
  • Election is next week. Please vote. Regardless of who you vote for, you have a voice. The voice might seem insignificant, but when millions of voices speak together, you have something special. This election season has been crazy, just like 2020 has been crazy. I’m looking forward to it being over, so we can return our focus to serious issues facing all of us.
  • Last week on the Security Shit Show, we talked about election security. The title of the show was “Is My Vote Secure?”. This week it’s Chris Roberts‘ topic, and he hasn’t announced it yet. Stay tuned!
  • Business is good – FRSecure is running at or near full capacity and SecurityStudio is serving people well with simple, fundamental, and effective information security risk tools. Good things! FRSecure is hiring BTW.
  • Incidents and calls for our incident response team continue to roll in. There was an incident that occurred this past weekend. Sadly, the way the incident was handled by the client provided good examples of what NOT to do. I’ll write a separate blog post on this story later, but here are two things you need to do RIGHT NOW. Drop what you’re doing and make sure you’re squared away on:
    1. Check your incident response plan and be sure you know who to call.
      • Double-check the contact information.
      • Is there 24×7 response? Incidents will inevitably happen at the worst time.
      • Who do you call, and who do you call first? Your incident responders, your insurance provider, your legal team, executive management, law enforcement, or…?
    2. Make sure your preferred 3rd-party incident handler/provider is on your insurance provider’s approved list for reimbursement.
      • You waste precious time, energy, and money when you don’t know.
      • Engaging with a 3rd-party incident responder who isn’t on the list will force you into declined reimbursements and/or changed providers (losing more time).
  • Not a sales push at all, but here’s what FRSecure provides. At a minimum, it makes sense to register with your incident responder (See: IR Registration Services).

  • Not digging the cold weather, but I do live in Minnesota, so…
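The two incident response checks in the list above (know who to call, and make sure your preferred IR provider is on your insurer's approved list) are the kind of thing that should be verified on a schedule, not discovered mid-incident. The script below is an added example for these notes, not FRSecure's or SecurityStudio's tooling. It assumes a simple roster format (the field names, the required roles, the 180-day re-verification interval and the sample contacts are all constructed for the example) and reports findings such as a missing role, a blank phone number, stale contact details, an ambiguous call order, a first call that is not staffed 24x7, or an IR provider that your insurer will not reimburse.

```python
"""Pre-incident readiness check for an IR contact roster.

Added example for these show notes, not FRSecure's or SecurityStudio's
own tooling. The roster layout, required roles and re-verification
interval are assumptions made for the example; adapt them to your plan.
"""
from datetime import date

# Constructed sample roster (not real contacts). 'order' is the position
# in the escalation sequence, 'verified' is when the details were last
# confirmed with the contact. Deliberately contains several defects.
SAMPLE_ROSTER = {
    "insurer_approved_ir_providers": ["Example IR Co", "Other DFIR LLC"],
    "preferred_ir_provider": "Example IR Co",
    "contacts": [
        {"role": "incident_responder", "order": 1, "name": "Example IR Co hotline",
         "phone": "+1-555-0100", "coverage_24x7": True, "verified": "2020-09-30"},
        {"role": "executive", "order": 2, "name": "CEO",
         "phone": "+1-555-0101", "coverage_24x7": False, "verified": "2020-01-15"},
        {"role": "insurance", "order": 3, "name": "Cyber policy claims line",
         "phone": "", "coverage_24x7": True, "verified": "2020-10-01"},
        {"role": "legal", "order": 3, "name": "Outside counsel",
         "phone": "+1-555-0103", "coverage_24x7": False, "verified": "2020-10-01"},
    ],
}

# Assumed call tree for the example: the roles the notes say you may need.
REQUIRED_ROLES = {"incident_responder", "executive", "insurance", "legal", "law_enforcement"}
MAX_AGE_DAYS = 180  # assumed re-verification interval


def check_roster(roster, today=None):
    """Return a list of findings; an empty list means the roster passed."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    contacts = roster.get("contacts", [])

    # 1. Every role in the call tree is present.
    present = {c["role"] for c in contacts}
    for role in sorted(REQUIRED_ROLES - present):
        findings.append(f"missing role: {role}")

    # 2. Contact details are filled in and were confirmed recently.
    for c in contacts:
        if not c.get("phone"):
            findings.append(f"{c['role']}: no phone number")
        age = (today - date.fromisoformat(c["verified"])).days
        if age > MAX_AGE_DAYS:
            findings.append(f"{c['role']}: contact details last verified {age} days ago")

    # 3. The first call goes to someone who answers at 3 a.m., and the
    #    order of calls is unambiguous.
    ordered = sorted(contacts, key=lambda c: c["order"])
    if ordered and not ordered[0]["coverage_24x7"]:
        findings.append(f"first call ({ordered[0]['role']}) has no 24x7 coverage")
    orders = [c["order"] for c in contacts]
    if len(orders) != len(set(orders)):
        findings.append("escalation order is ambiguous (duplicate positions)")

    # 4. The IR provider you intend to call is one your insurer reimburses.
    approved = roster.get("insurer_approved_ir_providers", [])
    if roster.get("preferred_ir_provider") not in approved:
        findings.append("preferred IR provider is not on the insurer's approved list")

    return findings


if __name__ == "__main__":
    for finding in check_roster(SAMPLE_ROSTER, "2020-10-27"):
        print("FAIL:", finding)
```

Run it from a cron job or a monthly tabletop and treat any finding as a ticket; the point is that the call tree and the insurer's approved list get re-checked before the phone rings, not after.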

Episode 102 Quick Recap

Originally, we weren’t planning on making the discussion with Neal O’Farrell into a series, but the talk in episode 102 was too AWESOME! Brad was out sick for the show, but Neal and I had a great talk about his 40(ish) years in our industry, his background growing up in Ireland, his organization (the PsyberResilience Project), our personal mental health issues (stress, burnout, etc.), and mental health in our industry. This is a serious issue in our industry, and we’re not doing a good enough job in tackling our problems.

I’m VERY excited to welcome Neal back again! We’ll talk about resources people can use to improve their lives. Sure to be another great discussion!

These are my (Evan) notes.


SHOW NOTES – Episode 103

Date: Tuesday October 27th, 2020

Episode 103 Topics

  • Opening
  • Special Guest – Neal O’Farrell from the PsyberResilience Project
    • Recap episode 102 – Where we left off.
    • Mental Health Discussion.
    • Specific self-help approaches, what we’ve learned from trying them.
    • Other resources and what you can do to help.
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hi everybody. Welcome to another episode of the UNSECURITY Podcast! This is episode 103, the date is October 27th, 2020, and I’m Evan Francen, your host. Joining me is my good friend and co-worker, Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Also joining us, for the second week in a row is our good friend and founder of the PsyberResilience Project, Neal O’Farrell. Good morning Neal.

[Neal] Cue Neal.

[Evan] How are you guys today? What’s new?

Quick Catch-up

Discussion about any current events, life or otherwise…

Transition


Special Guest – Neal O’Farrell from the PsyberResilience Project

[Evan] Neal, thanks for joining us for the podcast again this week. Last week we had a great talk. So great, in fact, we didn’t leave any time for news stuff. No matter though, people can always read news things for themselves.

Anyway, we talked about your background, both of us shared our personal struggles with mental health, and we talked about your organization (the PsyberResilience Project). This week Brad’s joining us, and we’re going to focus on specific self-help approaches that we’ve tried. Before we jump in, Brad, did you get a chance to listen to last week’s podcast?

[Brad] Cue Brad.

[Evan] What did you think about it?

[Brad] Cue Brad.

[Evan] Great! Let’s dig in.

Begin Discussion

Topics to discuss (or ideas):

  • Recap episode 102 – Where we left off.
  • Mental Health Discussion.
  • Specific self-help approaches, what we’ve learned from trying them.
  • Other resources and what you can do to help.

Discuss whatever else comes to mind.

[Evan] Excellent discussion, and I’m sure our listeners found value in it!

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Neal, please feel free to comment anytime too!

News

[Evan] Some interesting nation-state stuff caught my attention this week. God knows, there’s always plenty of nation-state stuff going on!

Wrapping Up – Shout outs

[Evan] Great! Episode 103 is just about complete. Thanks guys! Neal, it was great having you on the show again this week. I’m looking forward to working together to make our industry better. Brad, always happy when you’re here. Glad you’re feeling better this week!

Any shout outs for either of you?

[Brad and/or Neal] We’ll see.

[Evan] Always grateful for our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Neal, remind our listeners again how they can get in touch with you.

[Neal] Cue Neal.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 102 Show Notes – PsyberResilience Project

Happy Tuesday (again)!

There are always 100s of things to talk about each week, and if you’re ADHD* like me, you know how hard it can be to stay focused on one thing for too long!

Here are a few things that are top of mind right now:

  • Security ABCs – I’ve been writing the information security ABCs the last week or two. This is a journey through the basics and fundamentals of information security. The “experts” can use the reminders and the inexperienced can use the direction (I think). The reception has been great so far, and I love the comments I’ve been getting, in my LinkedIn feed and on Twitter! So far, I’m through “D”. Stay tuned for “E” and “F” which are both scheduled for this week.
  • Election is only two weeks away – Have you already voted or are you planning to? If not, shame. Every U.S. citizen should voice their support for who they want leading this country. If you’re like me, I’m not wild about either of the two leading candidates, but it won’t stop me from casting a vote for who I think is best (out of my limited options). Last week, we talked about election security in episode 101. The notes for that episode have some good resources in them.
  • Disinformation is rampant – Last Thursday, Ryan Cloutier, Chris Roberts, and I opened our three-part series about election disinformation on the Security Shit Show. This first episode was titled “Disunited States of America (Election Disinformation)” and despite our share of technical difficulties, it was a great talk!
  • Business is good – FRSecure is running at near full capacity and SecurityStudio is serving people well with simple, fundamental, and effective information security risk tools. Good things! FRSecure is hiring BTW.
  • Cold/Winter

Lots of blessings, despite the crazy society we’re living in.

*Speaking of ADHD, mental health is a serious issue in our society and our industry. Helping people with mental health disorders is important for all of us, and it’s a cause that I’m deeply committed to. This is the topic for today’s show.

I’m VERY excited to welcome a special guest this week. He’s the Founder of the PsyberResilience Project, and a long time information security advisor and expert; Neal O’Farrell!

On to the show! Brad is out with a sinus infection (or something), so it’s just me and our guest. These are my notes.


SHOW NOTES – Episode 102

Date: Tuesday October 20th, 2020

Episode 102 Topics

  • Opening
  • Special Guest – Neal O’Farrell from the PsyberResilience Project
    • Introduction to Neal
    • About the PsyberResilience Project
    • Mental Health Discussion
    • What can we do to help?
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hi everybody. Welcome to another episode of the UNSECURITY Podcast! This is episode 102, the date is October 20th, 2020, and I’m Evan Francen, your host.

Unfortunately, Brad Nigh, my good friend and regular co-host, is out with a sinus infection (I think) today. So, it’s me flying solo, but not really.

I’m REALLY excited to introduce you to a great guy and tremendous asset to the information security community; Neal O’Farrell.

Hi Neal.

[Neal] Cue Neal.

Special Guest – Neal O’Farrell from the PsyberResilience Project

[Evan] Neal, thanks for joining us for the podcast. Tell us about you and your journey through the information security industry.

Begin Discussion

Topics to discuss (or ideas):

  • Neal’s background.
  • The PsyberResilience Project
    • Its purpose.
    • Why Neal started it.
    • What makes it different?
    • Current initiatives and goals.
    • How can people find you?
  • Mental Health
    • What’s wrong with our industry, in terms of mental health?
    • Have problems gotten worse, especially with today’s current events?
    • Have we fixed/solved anything?
    • Personal mental health issues.
    • What do we need to do?
  • What we’re doing together (SecurityStudio and the PsyberResilience Project)

Discuss whatever else comes to mind.

[Evan] Thank you Neal! Great discussion and I’m thrilled to be doing good things with you.

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Neal, please feel free to comment anytime too!

News

[Evan] Just one large news reference for this week. From the Register:

First, Patch Tuesday. Now, Oh Hell, Monday: Microsoft emits bonus fixes for Visual Studio, Windows 10 security bugs
https://www.theregister.com/2020/10/19/security_in_brief/

[Evan] For the most part, I like reading the Register for news. Neal, do you have a favorite news source in our industry?

[Neal] Cue Neal.

Wrapping Up – Shout outs

[Evan] Great! Episode 102 is just about complete. Thanks Neal! It was great having you join us this week and I’m very happy to have you fighting on the good side. Once again, how can we help?

[Neal] Cue Neal.

[Evan] Always grateful for our listeners! We’re behind on email still, but we’ll get there! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Neal, do you have a way you prefer people get in touch with you?

[Neal] Cue Neal.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!