Posts

The UNSECURITY Podcast – Episode 79 Show Notes – K12 Cybersecurity

56 days.

That’s how many days have passed since we officially closed our (physical) offices at FRSecure and SecurityStudio. The date was March 16th, 2020, and it’s a common closure date for many organizations. It’s crazy, but I hardly remember the month of April or the first week and a half of May! I’ve either lost context, or I’m losing it in a big way. These are times like no other.

This thought about context got me thinking about how it applies to our work as information security professionals. I believe one of the biggest tells about good or bad information security leadership is the ability or inability to put risk into context. I think there’s a whole series of podcasts we could do on this topic focusing on how we can help people understand context better. The better we understand context, the better our information security decisions will be. Maybe we’ll start tackling this in a series of podcasts, starting with episode 80 next week.

This week, we’ve got a slightly different topic.

Today, in episode 79, we’re going to focus our attention on a recent report from the Consortium for School Networking (CoSN) titled “The State of Edtech Leadership in 2020“. There’s some really good information in this report, and kudos to CoSN for pulling it together!

Let’s just get to it, episode 79 show notes below…


SHOW NOTES – Episode 79

Date: Monday, May 11th, 2020

Episode 79 Topics

  • Opening
  • Catching Up (as per usual)
  • The State of Edtech Leadership in 2020
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey everyone! Welcome to the UNSECURITY Podcast. This is episode 79, the date is May 11th, 2020, and I’m Evan Francen. With me today is my co-host, Brad Nigh. Good morning Brad!

[Brad] Brad’ll say good morning I bet. He’s a super nice guy like that! 

[Evan] We’ve got a good show planned today! You and I both love helping people, and I think we’re covering some things in this episode that should help all our listeners. Before we get too deep though, let’s catch up. It’s what we do! How you doing and what’s new Brad?

Catching Up

Quick discussion about COVID-19, life, and other stuff.

The State of Edtech Leadership in 2020

[Evan] Like you Brad, I get asked a lot for my opinion about this or that in information security. If the question I get is focused, it’s easier to provide a quick answer, but when a question is vague or open-ended, it takes much longer. This hit home for me this weekend when I was asked to chime in on this article; K-12 Tech Leaders Prioritize Cybersecurity, But Many Underestimate Risks, Survey Says. There’s a lot to unpack here, and a good opinion takes more time.

[Brad] He probably hasn’t read the article yet, but we’ll see…

[Evan] One thought that came to mind when I was asked for my opinion was the concept of context. Anything taken out of context can be made to look anyway we want, good, bad, and/or anything in between. When I read the article, one statement stood out right away:

fewer than 20 percent marked any items on a list of cybersecurity threats as “high-risk” from their perspective

[Evan] What caught my attention were the words “from their perspective”. Questions popped into my head. How do Edtech leaders define “cybersecurity”? What’s on their list of “cybersecurity threats”? What’s “high-risk”? This is a can of worms.

The following are key quotes directly from the CoSN report.

Cybersecurity remains the number one technology priority for IT Leaders, yet the threat is generally underestimated.

For the third straight year, cybersecurity has ranked as the top priority. When it comes to maintaining network security, 69% of districts say they are proactive or very proactive – up significantly over last year’s 52%. Districts employ a variety of strategies to minimize risk, including the vast majority in which IT staff training is a top practice and a majority requiring teachers and principals to receive training as well. Despite concerns, the survey also found that less than a fifth of respondents (18%) have a dedicated full-time employee (FTE) whose sole job is cybersecurity. IT Leaders feel phishing scams pose the greatest risk to network security, with almost half (49%) rating them medium/high risk to high risk. Despite this, results also showed an overall trend to underestimate risk—less than a fifth of respondents considered any specific threat as high risk. This runs counter to the reality that school systems are being specifically targeted by cybercriminals with reported cyber incidents tripling in one year.

Artificial Intelligence (AI) holds both promise and peril for IT Leaders.

The majority (55%) of IT Leaders anticipate that of the emerging technologies, AI will play a significant or transformational role in teaching and learning over the next five years. However, AI also poses concerns, with privacy being the biggest. Before AI becomes adopted at scale and can deliver on its promise, privacy issues will need to be addressed.

The top three challenges persist: budget, professional development, and department silos.

These three areas have been vexing IT Leaders since 2017. While budget is often beyond district control and directly affects professional development, it is within districts’ abilities to address the existence of silos. As outlined in CoSN’s “Digital Leap Success Matrix,” cross-functional executive team leadership is integral to the development of a successful digital learning environment. Until the executive leadership breaks down the silos, IT Leaders will continue to face difficulty in achieving their district’s own technology goals.

Other items from the report

Page 14:

Districts without a dedicated person on staff use a variety of methods to monitor network security. The most common approach is sharing the responsibility across several jobs (46%) followed by incorporating network security monitoring as part of another job (30%). Outsourcing is used by 11% of respondents. A concerning 10% of respondents have an ad hoc approach and do not have anyone assigned to monitoring their district’s network security. A makeshift approach to addressing cybersecurity is one reason why “school districts are proving to be particularly enticing to hackers.”

Page 15:

When it comes to maintaining network security, 69% of districts say they are proactive or very proactive. This represents a significant increase over the prior year’s 52%. Only 13% describe their activity as reactive or very reactive, a decrease from 23% the prior year. These year-over-year results indicate that districts are highly aware of increased network attacks in K-12 environments and are increasing efforts to thwart them. It is likely that lack of resources, not lack of awareness, is responsible for the 13% described as reactive/very reactive. As one respondent lamented: How is our small district able to fend off a multitude of possible cyber threats with the staff we have?

When asked to rate their perception of various risks to network security, respondents did not make significant distinctions between threat types. The largest segment fell into the Medium risk range—low/medium, medium, high/medium. With 49% rating it medium/high risk or high risk, phishing was deemed the greatest risk. It is surprising more did not consider it a greater risk. Phishing attacks have reached the “highest level in three years” with more than two-thirds of all phishing sites using SSL protection. With SSL decreasing as a reliable indicator of security, risks increase for users unable to spot phishing sites. Less than a third (31%) of respondents perceive ransomware attacks as medium/high riisk or high risk. This risk level assessment is also likely lower than it should be as the FBI is reporting ransomware schemes are being specifically designed to target public schools.8 With less than a fifth of respondents rating any threat as high risk (phishing received the most with 16%), threats overall appear underrated. Only 5% assessed student data to be at high risk, yet, according the most recent data on reported K-12 cybersecurity incidents, “the most frequently experienced type of school-related cyber incident…..were data breaches, primarily involving the unauthorized disclosure of student data.” With the number of reported K-12 cybersecurity incidents rising—nearly triple from 2018 to 201910—perceptions in perceived risks should start to realign more closely with reality.

[Evan] No doubt, we have a lot of work to do in K-12. It’s our obligation to do everything we can to help. Check out SecurityStudio’s free resources and do a holistic information security risk assessment like the S2School we developed earlier this year. Put information security risk into perspective and make much better choices.

News

[Evan] Alright. Good talk. Thanks Brad! Let’s cover a couple of interesting news stories before we wrap this up. Here are a couple stories that caught my attention:

Wrapping Up – Shout outs

[Evan] Sheesh! Lots of stuff. Well, that’s it for episode 79. Brad, you have any shoutouts?

[Brad] Maybe he does, maybe he doesn’t…

[Evan] Here’s mine…

[Evan] Seriously, a huge thank you to our listeners! We love your encouragement and we don’t take your advice lightly. You’re all great! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Have a great week!

The UNSECURITY Podcast – Episode 73 Show Notes – COVID-19 IR

Hope you and your loved ones are well! We can’t understate the importance of physical, mental, and spiritual health, especially in times like these.

If you missed last week’s show notes or episode 72 of the UNSECURITY Podcast, there’s some pretty good stuff there.

Episode 73 Topics

Topics for episode 73 of the UNSECURITY Podcast include:

  • Opening
  • Catching Up 
    • The first full week with a closed office.
    • Staying sane and healthy at home.
  • COVID-19 Affects on Information Security (some of them)
    • Introducing our special guest, FRSecure’s Director of Technical Solutions and Services
    • Incident Response During COVID-19
      • Current Events/Incidents
      • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
    • COVID-19 Scams and Attacks
      • What have we seen?
      • What are we planning for?
    • Physical Security Considerations
  • The Daily inSANITY Check-in
  • FRSecure CISSP Mentor Program Update
  • Wrapping Up – Shout outs

You can find the full show notes near the bottom of this post. Before getting there, I need to get some thoughts out.

Thoughts

It’s been 13 days since FRSecure and SecurityStudio closed their offices. All of us are still around and working, but it’s crazy how much life has changed. Personally, I’m still struggling to make sense of things and I’m mulling over COVID-19 data almost obsessively. The COVID-19 scoreboards plastered everywhere don’t help. On one hand, I like being informed. On the other, I’m tired of tracking the number of infections and deaths.

As I write this, there are 140,164 infections in the United States and 2,476 deaths. What does this mean in the context of everything else? How do I make sense of these numbers? Here’s one attempt:

What does a “normal” 30 days look like in the U.S. for deaths/mortality? According to the CDC, there were nearly 3,000,000 deaths in the U.S. in 2018 (the latest data available). Using this data, here are the number of people who died within an average 30 day window:

  • 53,867 from heart disease (the top killer in the U.S. with 655,381 deaths)
  • 49,255 from cancer (#2 – 599,274 deaths)
  • 13,736 from accidents/unintentional injuries (#3 – 167,127 deaths)
  • 10,029 from Alzheimer’s Disease (#6 – 122,019 deaths)
  • 3,973 from suicide (#10 – 48,344 deaths)

Compare these numbers to where we’re at now with COVID-19. I’m NOT at all minimizing the impact of COVID-19. I’m trying to make sense. I know the number of infected people and deaths will rise significantly over the coming weeks/months, and sadly, we’re in for more terrible news. I’m trying to understand what the numbers mean in the context of other things that aren’t as foreign to me.

A single sick person and/or a single death is sad enough, let alone thousands.

OK. Got that off my chest. Lots and lots of great things going on at FRSecure and SecurityStudio. The best place to keep up with them right now is probably on social media:

Let’s get to the show notes now!


SHOW NOTES – Episode 73

Date: Monday, March 30th, 2020

Show Topics:

  • Opening
  • Catching Up 
    • The first full week with a closed office.
    • Staying sane and healthy at home.
  • COVID-19 Affects on Information Security (some of them)
    • Introducing our special guest, FRSecure’s Director of Technical Solutions and Services
    • Incident Response During COVID-19
      • Current Events/Incidents
      • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
    • COVID-19 Scams and Attacks
      • What have we seen?
      • What are we planning for?
    • Physical Security Considerations
  • The Daily inSANITY Check-in
  • FRSecure CISSP Mentor Program Update
  • Wrapping Up – Shout outs
Opening

NOTE: The show notes were written by me (Evan), but Brad’s leading this episode.

[Brad] Hello listeners, this is another episode of the UNSECURITY Podcast. My name is Brad Nigh, this is episode 73, and the date is March 30th, 2020. Joining me is my co-host Evan Francen. Good morning Evan.

[Evan] Good morning Brad!

[Brad] Also joining us for the show is our special guest and FRSecure’s Director of Technical Solutions and Services, Oscar Minks. Good morning Oscar!

[Oscar] Says good morning or something with his cool southern accent.

[Brad] We’ve got lots to talk about! As is our custom, let’s get started by catching up quick.

Catching Up

Topics here include how we’re coping with COVID-19, the first full week with a closed office, and staying sane (and healthy) at home. Brad found a really good video online; Covid-19 Protecting Your Family, Dr. Dave Price

[Brad] Here’s a can of worms (maybe). Let’s talk about some of the effects that COVID-19 has on what we do. Some of the effects on information security, starting with incident response and physical security. We already mentioned that we’ve got our special guest Oscar Minks here. He’s got some good insights to share, and this should be a good discussion.

Discussion – COVID-19 Affects on Information Security (some of them)
  • Introducing our special guest (again), FRSecure’s Director of Technical Solutions and Services
  • Incident Response During COVID-19
    • Current Events/Incidents
    • FRSecure’s IR Risk Registration (what is it and why would I consider it?)
  • COVID-19 Scams and Attacks
    • What have we seen?
    • What are we planning for?
  • Physical Security Considerations

[Brad] Sadly, the frequency of scams and attacks only increases during times of distress. It’s important that we keep our eye on the ball and not compound our problems with an information security lapse.

OK, switching gears now. Some people are struggling right now. Struggling with making sense of things, struggling with employment, struggling with anxiety, or struggling with any number of things. We started this thing called the Daily inSANITY Check-in last week. Evan, tell the listeners about this thing.

Daily inSANITY Check-in Discussion

The purpose of the Daily inSANITY Check-in is to provide a safe place for people to discuss current events, information security things, challenges we’re facing, or whatever else comes to mind. The check-ins are short (30- to- 60-minute) daily meetings with discussion. People are always free to come and go as they please.

[Brad] The Daily inSANITY Check-in is just one place to get support out of many within our community. The point is to find help when you need it and to help people where you can. It’s cool to see so many people rally and help.

FRSecure CISSP Mentor Program Update

[Brad] Real quick, we made an announcement last week about the FRSecure CISSP Mentor Program. We’re happy to say that we are still going through with this year’s class! The only change is that we have cancelled the in-person portion of the program. As of last Monday, the 23rd, we have 1,007 registered students! That’s crazy! Oh, and I should mention, if you haven’t registered yet, registration is still open.

Wrapping Up

[Brad] No news this week because we had so many other things to talk about. Two last things to mention:

  • Our pal Ryan Cloutier, aka “Cola” just wrapped up the second episode of his K12 Cybersecurity Podcast. It’s a great podcast and you should give it a listen!
  • A shout out to one of our regular listeners, Olga Hoogendoorn – Startseva. Evan promised to give her a shout out because she’s pretty awesome!

Well, that’s it for this week. Plenty going on and lots to do.

Thank you for listening. We’re a couple of guys who really care about you. We’re hoping you all stay healthy and sane! We love hearing from you, so if you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @BradNigh, and this other guy is @evanfrancen. Also, don’t forget to check out @studiosecurity and @FRSecure. They post some good things! Let us know how we can help you!

That’s it. Talk to you all again next week!

The UNSECURITY Podcast – Episode 72 Show Notes – COVID-19

Hi everyone. We’re hoping and praying for everyone’s health and mental well-being right now. Take care of what really matters, yourself and your loved ones.

Episode 72 of the UNSECURITY Podcast will be dedicated to continued discussion about COVID-19 and what the pandemic means, in our daily lives and in our vocation as information security people. It’s the topic on everyone’s mind, so to not talk about it seems a little tone deaf.

Before we get to the show notes (below), I’d like to highlight a few things going on around here.

One Word

What one word would you use to describe your past week? If you’re a Twitterer, let us know by tweeting your word with the hashtag #UNSECURITYoneword. Be sure to include us (@evanfrancen and @bradnigh) in the conversation.

Not Adjusted Yet

Not sure about you, but I haven’t adjusted yet. I’m an introvert, so I was expecting to thrive in isolation. I was wrong (for now). I was surprised to learn how much personal interaction really means to me.

Everything seemed different this past week and I was definitely a little off my game. I had trouble focusing on tasks and struggled with processing events occurring all around me. Nothing made sense at times.

On Tuesday (3/17) we (FRSecure and SecurityStudio) closed the offices, and by the next day, almost everyone was online and functionally working from home. Since there was nobody at the office, I decided to work from there.

The empty office was quiet. Too quiet. The quiet forced me to realize how social we are in our office. Every (normal) day is like a family get together. A family get together where everybody actually likes each other.

In a quiet office there are no dumb office jokes. No laughter. No smiles. No fist bumps. A quiet office is just filled with empty. Our office was filled with empty and me. It was a eerie and it was lonely.

I’m assuming the adjustment will just take time. Between now and then, let’s all keep our head up and look for ways to help others. Helping others can be a great coping mechanism!

The Pledge

Also on Tuesday, I wrote a pledge and posted it on LinkedIn. This pledge is one that I plan to live by, especially now.

My pledge:

  • I will NOT panic.
  • I will NOT give in to fear.
  • I WILL think things through.
  • I WILL make prudent decisions based upon the best (non-biased) information available.
  • I WILL be the person I’ve always been and learn to be better.
  • I WILL help my fellow humans whenever and however I can, putting my family first.
  • I will NOT use this (or anything else) to take advantage of people, and
  • I will NEVER put someone in danger if I can help it.

coronavirus panic fear think prudence decisions learning helpingpeople

What Else

We did a lot this past week.

The Impact of COVID-19 on Information Security Webinar(s)

In the midst of the chaos, we decided to put together a last minute webinar for Wednesday (3/18) afternoon.  Our motivation for the webinar was to help people and bring calm to the storm. Despite last minute arrangements and everything else going on, we had ~250 people come to the first session. Participation and interaction was more than we expected! There were many unanswered questions after the first session, so we decided to do a second session on Friday (3/20).

The topics we discussed were:

  • Introductions.
  • Before we get started.
    • #1 – The current state of affairs.
    • #2 – My pledge.
    • #3 – FRSecure Open Letter.
    • #4 – Ideas we’re kicking around.
  • Topics:
    • What is the impact of COVID-19 on information security?
    • How to securely shift employees to remote work during social distancing.
    • Some of the current social engineering scams around COVID-19 and how to avoid them.
    • How to create or adjust your business’s disaster recovery plan.
  • Where to go if/when you need help.

I’ve posted a copy of the presentation online for everyone.

Virtual Happy Hours

Our team started doing virtual happy hours on Thursday. Every organization should do these! We all get into an online Zoom meeting and hangout for a while. We share. We laugh. We joke. We smile. We love. These are amazing experiences that are healthy and good for the soul.

I prefer to sit and listen most of the time. Just taking it in. The sounds of my team laughing, their smiles, their dumb jokes (like really dumb), and sharing our day together are beyond magical. The joy these guys bring to my day is the best way to end it!

The Daily inSANITY Check-in

Nobody has this thing figured out and nobody has it all together.

We want to help, so we’re starting the Daily inSANITY Check-in webinar series. The purpose of the Daily inSANITY Check-in is to provide a safe place for people to discuss current events, information security things, challenges we’re facing, or whatever else comes to mind. The check-ins are short (30- to- 60-minute) daily meetings with discussion. People are always free to come and go as they please.

This is new, and we’re just getting started. Don’t expect all the kinks to be worked out day one. Visit the registration page for the full description and to signup.

K12 Cybersecurity Podcast

Good news! Our buddy Ryan Cloutier just released the first episode of the K12 Cybersecurity Podcast. His first episode is awesome! It’s so much better than our first UNSECURITY Podcast. In this episode, Ryan’s special guest is Amy McLaughlin. Amy is the Information Services Director at Oregon State University and cybersecurity project director for the Consortium for School Networking (CoSN).

This was a timely and well done episode. I recommend you subscribe to Ryan’s K12 Cybersecurity Podcast and get ready for more great content!

Pretty sure I forgot something, but that’s all for now. Let’s do a podcast (or something)!


SHOW NOTES – Episode 72

Date: Monday, March 23rd, 2020

Show Topics:

  • Opening
    • The week that was.
    • The week that is to come.
  • COVID-19
    • Priorities, and where does information security fit?
      • Mental and Physical Health
      • Yourself and Your Loved Ones
      • Business – Survival
    • The Bass and The Barracuda
      • Don’t be a bass. Be a barracuda.

This slideshow requires JavaScript.

Opening

[Evan] Hello listeners, this is another episode of the UNSECURITY Podcast. My name is Evan Francen, this is episode 72, and the date is March 23rd, 2020. Joining me in studio is my buddy Brad Nigh. Good morning Brad!

[Brad] If it’s a good morning for Brad, we’ll know by how he responds.

[Evan] Last week was nuts. You and I hardly had a chance to connect with all that’s going on, so we’re a little out of sorts. This would normally be your week to lead the podcast, but since we didn’t really connect, I’m hosting again. Hope that’s OK.

[Brad] He’s one of the nicest guys you’ll ever meet. He’s probably OK with this.

[Evan] We’ve got a lot to talk about this week. Top of mind or course is COVID-19 and what the pandemic is doing to our daily lives. Sort of hard to talk about much else right now, right?

[Brad] He might agree.

[Evan] Last week was crazy. Let’s talk about the week that was and then talk a little about what’s coming this week.

Catching Up Discussion

Discussing last week’s events and what we’re expecting this week.

[Evan] Alright, there has never been anything in my lifetime that’s been as disruptive as the COVID-19 pandemic. I sort of feel like we’d be tone deaf if we didn’t keep up the conversation.

COVID-19 Discussion

Our topics this week include:

  • Priorities, and where does information security fit?
    • Mental and Physical Health
    • Protecting Yourself and Your Loved Ones
    • Business – Survival
  • The Bass and The Barracuda
  • Another plug for S2Me.
  • Next Week:
    • Maybe a guest; it’s been a while.
    • What happens on the other side?
    • Daily inSANITY Check-in Update
    • What we’re doing to help.

[Evan] The world has hardly seemed any crazier than it is today. Do all you can to maintain (or restore) your health. Good talk. Now let’s get to some non-COVID-19-related news.

News

[Evan] Alright, let’s talk about a non-coronavirus story (or two or three). Remember, attacks aren’t going to stop. In fact, they are increasing and are expected to continue to increase. Don’t ever put anything past or too low for the lowest among us.

Here’s two news stories to consider this week:

Closing

[Evan] There you have it. Episode 72. Thank you for listening. We’re wishing everything health and sanity! Remember, we love hearing from you. If you’ve got something to say, email us at unsecurity@protonmail.com. If you would rather do the whole social thing, we tweet like that. I’m @evanfrancen, and Brad’s @BradNigh. Check out @studiosecurity and @FRSecure frequently. They’re always posting good things!

Be safe. That’s it. Talk to you all again next week!