Posts

#S2Roadshow Recap – Week Seven

Rochester (NY), Kansas City (MO), and Sacramento (CA)

A good week that started with serving a great FRSecure customer in Rochester before heading off to preach in Kansas City and Sacramento. This was the first week that we ran into a person (or group of people) who epitomized something that’s wrong with our industry. Read on.

SecurityStudio Roadshow Summary

If you’re new, or you’re confused about this #S2Roadshow thing, start here (maybe). It’s hard to believe that each week gets better, but it’s true, it does! Week #6 (this one) was the best yet.

Previous Week’s Recaps:

The purpose of the SecurityStudio Roadshow (#S2Roadhow) is to meet people and make partners. We want to meet people, understand their businesses, and help them grow using simple, fundamental, and compliant solutions (S2Score, S2Org, S2Vendor, and S2Team/S2Me).

Our mission is to fix the broken information security industry. Success requires collaboration, partnership, and transparency.

This is the first time we’ve done three cities in one week! It was tough, but very rewarding. The week started of in Rochester to work with a long-time FRSecure customer, then west to Kansas City (Greater Kansas City ISACA Chapter), then further west to Sacramento (Sacramento Valley ISSA Chapter).

Ryan Abraham from FRSecure joined me in Rochester. John Harmon was with me in Kansas City and Sacramento.

BBQ Reviews

In full transparency, we have a secondary mission on the #S2Roadshow. We eat as much BBQ as we can. After stuffing ourselves, I summarize our BBQ reviews at the end of each recap article (see below).

Rochester, New York

Flew to Rochester on Sunday evening. The week started off with some customer project work. I don’t get to work on many customer projects anymore, and I miss it sometimes. This project is a big one, and it requires the development of a new methodology (or two). Sort of cool. Here’s what I can tell you…

  • There are numerous projects.
  • Two of the projects include SecurityStudio products; S2Org and S2Team.
  • We’re putting together a board presentation for S2Org and their S2Score.
  • The customer wants to take the S2Org, S2Score, S2Team, and one of the new methodologies we developed to their group of other like companies. This could become a really big deal!

Honestly, these are some of my favorite people in the security business! We got a ton of work done and collaborated on some very cool things.

Ryan Abraham has worked at FRSecure for a couple of years now, and this is the first time we’ve had the opportunity to work on anything together. It was awesome! Ryan’s an incredible asset to FRSecure, our customers, and this industry. Had a great time getting a bunch of work done and preaching the good (security) news.

This slideshow requires JavaScript.

We nabbed some good BBQ at Dinosaur BBQ in Rochester (twice, review below).

This slideshow requires JavaScript.

It snowed 8(ish) inches while we were in Rochester. First snow storm of the year for me.

Got back to the Twin Cities late on Tuesday night. On to Kansas City Wednesday.

Kansas City, Missouri

The purpose of the trip to Kansas City is to meet with the local ISACA chapter and spread some love. Met John Harmon at the airport and we were off to Kansas City. On the way, we decided that we both needed a new pair of Bose noise cancelling headphones. Impulse buy, but these things are awesome!

This slideshow requires JavaScript.

John and I landed in Kansas City, grabbed our rental car, then got down to business. By business, I mean find BBQ. The rental car bus driver told us we had to try Q39, so that’s what we did (review below). After BBQ, I texted my Mexican son (long story that I’ll share in person if you find me), Officer Salinas of the Lenexa Police Department. We found him on patrol and hung out with him until he got a call he had to get to. I can’t begin to tell you how proud I am of this guy! He’s amazing.

This slideshow requires JavaScript.

Finished the day in Kansas City with some frozen yogurt (froyo) before checking in at the hotel and getting work done. You know, the real work.

Greater Kansas City ISACA Chapter

We met up with the great people who represent the Greater Kansas City ISACA Chapter on Thursday at the University of Kansas Edwards Campus. The venue was beautiful, and the people were even better. Preached the normal(ish) sermon about fixing our broken information security language problem, and encouraged everyone to get their free SecurityStudio account and complete their free  S2Org and S2Me assessments. Yes, they’re completely free!

My sermon has evolved a bit. The (newish) agenda goes from housekeeping (introduction) to the meat (our language, simplification, and fundamentals problem) to the dream (securing America) to the call to action (get our assessments, give us feedback by being part of our community, and preach). If you haven’t heard it yet, come get me. I’ll preach to you too!

I made some new friends including (but not limited to) J.J., Jennifer, Brian, Joan, and Beth. Seriously awesome people! They all stand out, and J.J. Widener is a champ. His support for what we’re doing is super helpful and appreciated! This guy gets it.

Here’s some pictures that John took at the event.

This slideshow requires JavaScript.

After the ISACA talk, we headed out for more BBQ and the airport. Last stop before heading home this week was Sacramento. The weather there doesn’t suck.

Sacramento, California

This turned out to be a quick stop for us. We arrived at 1am (local time) Friday, got some rest at the hotel, gave our talk at the Sacramento Valley ISSA chapter meeting, and got back on a plane for a long flight back to the Twin Cities. No BBQ, which was sort of sad, but I don’t know what kind of BBQ they have in Sacramento anyway.

Sacramento Valley ISSA

This was a relatively small gathering, and one where we hit our first snag on the SecurityStudio Roadshow. Seven weeks in, and our first snag, not bad! Here’s the deal.

We make numerous points in our Roadshow presentation, and two key points are #1, we need to simplify information security for “normal” people and #2, we need to get much better on agreeing what the hell it is we do as a profession. We learned the first point based on what “normal” people have told us after asking ~1,000 of them in a survey and through experience. Yes, we asked people what they think instead of telling them what they think. Big difference!

We learned the second point through basic logic.

The snag came not because the points are invalid, but because we had someone in the audience who liked to think that he was the smartest person in the room.

On point #1. We asked almost 1,000 “normal” people (business people and people who don’t do information security for a living) what we (information security people) can do to make information security more useful, and what we can do to serve them better. Once we received their answers, we made a word map of the raw data (see pic below). The most common word in their answers was “simple”. We need to make information security more simple. This is a good thing because complexity is the enemy of information security (thank you Bruce Schneier).

On this point, most people in this audience agreed (based upon their head nodding and facial expressions); however, I could already sense trouble brewing from the person I alluded to above.

My talk then goes on to tackle an issue that simplification requires a common agreement among security professionals. We will never effectively translate our language to “normal” people’s language until we agree on our language first. Logical, right? Let’s start with the most basic issue at hand, what is “information security”? We should all be able to agree on this fundamental definition. Things started to get sideways here.

Information Security is… (the question posed to the audience). Most audiences give some definitions, then I offer mine. Not that mine is the end all, be all.

I go on. Information Security is managing risk. On this point, I haven’t received disagreement from anyone before, but our guy starts starts chiming in. He doesn’t chime in from an angle of disagreement, but more to add his two cents.

Next. Information Security is NOT eliminating risk, despite what some people think. General agreement on this point too, but our guy still has to add his two cents.

Next. Information Security is NOT compliance, despite the fact that most information security dollars are spent from this motivator. Now our guy feels the need to completely sidetrack the conversation and before we know it, we’re deep in a rabbit hole.

It took almost full hour to get to what I was hoping would be our common definition of information security as “managing risk to unauthorized disclosure, alteration, and/or destruction of information using administrative, physical, and technical controls“. It’s not so much that our guy disagreed with the definition or (God-forbid) gave us an alternative definition as much as his deep desire to be the smartest guy in the room. I called him out for this during the presentation (whether I should have or not is debatable) and it got tense, but whatever. You call it like you see it.

Eventually, we got through the presentation. Due to the monopolization of time, we didn’t have any left for visiting afterwards. We had to run immediately after the talk to catch our flight back to the Twin Cities.

Here’s what I learned from this talk:

  • Everyone is entitled to their opinions.
  • There is a time and a place for opinions and wasting everyone’s time is not the place for your opinions.
  • I could have done a much better job of controlling the dialog during my talk.
  • As long as we’re all fighting to be the smartest guy in the room, we’ll never solve our industry’s problems.
  • Once you choose your hill to die on, you will probably die on that hill.

Made it back safe and sound in Minneapolis. Overall, it was an incredible week!

BBQ Reviews

Three BBQ reviews this week. Three is better than two, which is all we got in the previous few weeks. Our BBQ visits this week included Dinosaur BBQ in Rochester, Q39 in Overland Park, and Iron Horse BBQ in Platte City.

Dinosaur BBQ – https://www.dinosaurbarbque.com/rochester/ – Overall: 8.25

  • Atmosphere – 8, it’s a cool place with a great vibe. The lighting is perfect for a BBQ joint, there’s a lot of wood, and the view of the river is super cool.
  • Service – 9, great service all-around. These people make you feel at home.
  • Portion/Value – 7, a little pricey for how much food you get, but what place isn’t?
  • Taste – 9, incredible, especially the ribs and wings.

In full transparency, I’ve eaten at Dinosaur BBQ in Rochester many times. It’s a great BBQ joint and I’ve enjoyed every visit I’ve made. This was Ryan Abraham’s first visit to Rochester, so we made sure to stop in. Actually, we ended up eating here twice during this trip. Poor us!

This slideshow requires JavaScript.

I’ve visited Rochester more than a dozen times and eaten BBQ at just about every place this city offers. Dinosaur is the best BBQ in Rochester. On this trip, I ate their ribs, brisket, wings, and pulled pork. The brisket and pulled pork were good, but the ribs and wings were friggin’ amazing! The ribs were arguably the best I’ve had on the SecurityStudio Roadshow so far. If you’re in Rochester, and you like BBQ (even if you don’t like BBQ), a visit to Dinosaur is a must!

Q39 – https://q39kc.com/ – Overall: 7.75

  • Atmosphere – 7, this is a little too upscale feeling for me. A very nice restaurant, but not down-homey enough for my taste.
  • Service – 8, great service. I was in the middle of a conference call at the beginning, so I might have missed something here. Guess, I’ll have to visit again!
  • Portion/Value – 7, a little spendy.
  • Taste – 9, super! The burnt ends and brisket were the bomb!

This was the first stop for me and John after landing in Kansas City. We received a tip to visit this place from our rental car terminal bus driver, and obviously this guy knew what he was talking about! Kansas City is known for their BBQ and we had dozens of places to choose from, but we made a good call here.

This slideshow requires JavaScript.

This was a great welcome to Kansas City and we highly recommend visiting Q39!

Iron Horse BBQ – no website – Overall: 7.0

  • Atmosphere – 5, I’m not a big fan of the strip mall BBQ joint vibe, so this was a downer.
  • Service – 9, great service! These guys gave us some free burnt ends and came out from behind the counter to visit with us. Really cool people here!
  • Portion/Value – 8, very reasonably priced for large portions of food.
  • Taste – 6, the taste was too bland and overall disappointing.

We were in a bit of a rush after the ISACA talk, but we had to fit in one more BBQ visit before we left. It’s Kansas City for crying out loud!

This slideshow requires JavaScript.

We’ll give these guys the benefit of the doubt. I think they recently moved into this new location, and I don’t think they’ve gotten completely settled yet. It’s worth trying again some time in the future, but it might be hard to get back here given all the awesome BBQ joints in Kansas City.

No promises.

BBQ Summary

Three new BBQ joints to add to our list. This was a good BBQ week. The winner this week was Dinosaur BBQ (Rochester). Pecan Lodge is still on top as the overall #S2Roadshow leader with a score of 9, and Bowlegged BBQ is still in the #2 spot. The current overall standings are listed below.

Overall Standings (at the end of #S2Roadshow Week Seven):

  • Pecan Lodge – 9
  • Bowlegged BBQ – 8.75
  • Divine Swine – 8.5
  • Dinosaur BBQ – 8.25
  • Big Ed’s BBQ – 8.25
  • Mission BBQ – 8
  • Q39 BBQ – 7.75
  • Cousin’s BBQ – 7.75
  • Blackwood BBQ – 7.5
  • Broad Street BBQ – 7.5
  • Hard Eight – 7.25
  • Spring Creek Barbeque – 7.25
  • Redd’s BBQ – 7.25
  • Iron Horse – 7
  • Lucille’s Smokehouse BBQ – 7
  • Texas Bar-B-Q Joint – 7
  • Smoque – 6.75
  • Sweet Lucy’s Smokehouse – 6.75
  • Red Coal BBQ – 6.75
  • Unkl Moe’s – 6.5
  • Hambone’s Smokehouse – 6.25
  • Shakedown BBQ – N/A (wasn’t open when it was supposed to be, wasted trip)

Next Week’s #S2Roadshow

A less busy week, but still a great one planned. The Roadshow starts on Tuesday with another visit to Kansas City, then it’s on to Webster University in Irvine, California. We’re giving the standard sermon at a joint seminar between Webster University, ISSA, ISACA, and OWASP. Pretty pumped!

Looking forward to another great week!

Stay tuned for next week’s #S2Roadshow updates. You can follow us on Twitter (@evanfrancen, @HarmonJohn, @StudioSecurity, and the #S2Roadshow hashtag) and on LinkedIn.

See you next week! If you want to collaborate with us, get in touch!

The UNSECURITY Podcast – Episode 51 Show Notes

Things have gotten wild at work lately. The #S2Roadshow is in full swing, Brad’s been VERY busy, and business is good. John Harmon and I are four weeks into the SecurityStudio Roadshow (#S2Roadshow). Last week he was at BSides in Virginia and I was at the San Diego ISSA chapter. I’ll write the week four recap on my blog (here) soon.

Brad’s on the East coast this weekend and won’t make it back until Tuesday morning.

All of this means that we’re going to be a day late recording this episode of the UNSECURITY Podcast. We’ve got a great show planned though! Special guest, Eric Hanson (FRSecure’s Penetration Testing Lead) will join us from Reno, NV.

Brad’s show this week, and these are his notes.


SHOW NOTES – Episode 51

Date: Tuesday, October 29th, 2019

Show Topics:

Our topics this week:

  • Quick Catch-up/Roadshow Week #4
  • Penetration Testing Discussion
    • Introduction to Pentesting
    • Common Questions
    • FRSecure’s Penetration Testing Team
    • Other Stuff
  • Industry News
Opening

[Brad] – Hi everybody, and welcome to another episode of the UNSECURITY Podcast! This is episode 51, and I’m  Brad Nigh, your host.  Joining me today is my good friend, Evan Francen. Good Morning Evan.

[Evan] Evan has been traveling a lot, I’m hoping he’s functional.

[Brad] Joining us as a special guest this week is FRSecure’s Lead Pentester, Eric Hanson. Welcome Eric!

[Eric] Says “hi”. Eric is one of the nicest guys you’ll meet.

[Brad] We’re very excited to talk to Eric, but before we dive head first into pentesting stuff, let’s catch up real quick. We’ve all been very busy. Evan, you just wrapped up week four of the SecurityStudio Roadshow, how’d it go?

[Evan] Some things. Evan’s been meeting some awesome people all over the country. Let’s get some #truth.

[Brad] Good stuff. We’ve been doing a lot of preaching lately! I just got back from speaking myself… (tell about it). OK, back to Eric now. Eric, do you do any speaking?

[Eric] Tells it like it is.

[Brad] One member of your team, “Ben” has been doing some awesome research and will be speaking again soon. I think he’s speaking at a big ISACA conference in Chicago. Let’s talk about that and let’s talk about this whole pentesting “thing”.

I’d like to spend most of the show talking about this.

Penetration Testing Discussion
  • Introduction to Pentesting
  • Common Questions
  • FRSecure’s Penetration Testing Team
  • Other Stuff

[Brad] Great discussion. Hopefully we covered some of the common questions and misconceptions people have about penetration testing. Penetration testing is serious business, and we’re VERY grateful to have such a highly-skilled team like we do here at FRSecure.

Let’s dig into some news stories before we close this episode out.

News

[Brad] We’ve got four news stories to discuss this week:

Closing

[Brad] There you go, episode 51 is a wrap! Like many of you listening, we’ve got another busy week ahead.

Special thanks to Eric for joining us this week.

Thank you to our loyal listeners! Thank you for your tips and feedback. Send us your wisdom, questions, advice, whatever, by email to unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen. Also, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies!

That’s it! Talk to you all again next week!