Posts

The UNSECURITY Podcast – Episode 86 Show Notes – Women in Security Pt3

Hoping everyone reading this is healthy and doing well. Losing focus on what matters is too easy in today’s craziness. Reach out to someone if you need a listen.

Women in Security Series

Well, we’re a couple weeks into the Women in Security Series, and so far the feedback has been great! Brad and I continue to learn great things from our guests. We’re not sure yet how long the series will go yet, but we have guests booked for the next six (6) shows (after this one). So, we DO know the Women in Security Series will go through (at least) episode 92 (August 10th). The guests we have lined up are incredible:

  • Today – Victoria Fogarty (see below)
  • Episode 87 – CEO of an information security-related non-profit
  • Episode 88 – A Senior, majoring in Cybersecurity Analytics and Operations at a leading university
  • Episode 89 – A CISO from a really cool large company
  • Episodes 90 through 92 – A CISO working in healthcare, a renowned educator, and a cool lady working in information security sales.

This journey is just getting started!

Women in Security Series – Part One

We kicked off the Women in Security series on June 15th, and we couldn’t have chosen a better first guest! Renay Rutter, FRSecure’s COO, got the series started with sharing her experience, wisdom, and insight she’s gained over her 30+ year IT career. Brad and I learned a ton!

If you missed this episode, you can catch up here; https://podcasts.apple.com/us/podcast/unsecurity-episode-84-women-in-security-pt-1-renay-rutter/id1442520920?i=1000478037575

Thank you Renay!

Women in Security Series – Part Two

We kept things in the FRSecure family for week two, hosting Lori Blair. Lori is a treasure chest of information security knowledge and wisdom, beginning from when she started her information security career in 1985. Think about that for a second; 1985?! For the math folks in the house, that’s 35 years!

I have a TON of respect for Lori, and her opinions carry weight for me (and many others). It’s not just her experience that makes Lori amazing, she’s a wonderful, practical, and level-headed person who loves mentoring others. This is a can’t miss episode, go give a listen here; https://podcasts.apple.com/us/podcast/unsecurity-episode-85-women-in-security-pt-2-lori-blair/id1442520920?i=1000479175255

Thank you Lori!

Women in Security Series – Part Three

Here we are, Part Three. In episode 86 (this one), we’ll introduce you to Victoria Fogarty. Victoria works at FRSecure and does some pretty cool things around here. You’ll get to meet her and hear her perspective on all sorts of things, including the information security industry (as a whole), her journey, what it’s like to do what she does, etc. Victoria is a pretty cool lady, and you’ll definitely enjoy her energy!

WELCOME VICTORIA!

Let’s get on with the show!

I’m (Evan) leading the show this week, and these are my notes…


SHOW NOTES – Episode 86

Date: Monday, June 29th, 2020

Episode 86 Topics

  • Opening
  • Introducing Our Special Guest: Victoria Fogarty
  • Catching Up (as per usual)
  • Women in Security
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey all! Welcome to this episode, number 86, of the UNSECURITY Podcast! For those of you who are new to the show, I’m your host, Evan Francen, and the date is June 29th, 2020. We’re a good 100(ish) days into the COVID pandemic here in the States, so it’s easy to lose track of the date. At least for me it is! Joining me this morning is my good friend and colleague, Mr. Brad Nigh. Morning Brad!

[Brad] <<<INSERT BRAD’S GREETING HERE>>>

[Evan] We’re on our 3rd week of the Women in Security series, and I’m super excited to welcome our guest, Victoria Fogarty! Victoria works here at FRSecure and is an all-around awesome person! Join me in welcoming Victoria. Welcome Victoria!

[Victoria] Every time I’ve talked with Victoria, she’s always got energy and a GREAT attitude. Let’s see if this is true at 7am on Monday morning (when we record the UNSECURITY Podcast)

[Evan] You all know what we do first before jumping into business, we check in quick. What’s up guys? How you doing, and how was your weekend?

Catching Up

Quick discussion about last week, the weekend, or whatever else comes to mind.

[Brad] Guessing he got outside, did some family stuff, did some yard/garden work, made some sweet BBQ, and other cool things.

[Evan] Victoria, how about you?

[Victoria] Looking forward to this. I don’t really know what Victoria does for fun, hobbies, etc. Opportunity to learn.

[Evan] Ugh. Interesting weekend (aren’t they all?) here…

Alright, now on to our series topic.

Women in Security, Part Three

[Evan] This is the 3rd week in the Women in Security Series. It’s been a blast so far! Feedback keeps rolling in, and so do the guests. I’m excited to hear about Victoria’s perspectives because honestly, I don’t know many (if any) of them. This will be a great discussion!

So, Victoria, thanks again for joining us. Let’s start out with how you got started with information security.

Open Discussion (~30 minutes)

  • How you got into the industry?
  • Your journey in the industry.
  • Advice you have for someone starting out.
  • Do you think we need more women in our industry and why?
  • Opinions about the talent shortage in our industry.
  • What can we do better in recruiting more people, and specifically more women in our industry?
  • Whatever else we’d like to share.

[Evan] Thank you Victoria! Nice work! I’m sure our listeners learned some good things.

News

[Evan] Time for newsy things again. My God, there’s never a shortage of news, is there?! We could use an entire day and not cover it all. Our day jobs won’t allow us an entire day, so I’ll just take a few that caught my eye:

Wrapping Up – Shout outs

[Evan] There you have it. Episode 86 is almost in the books. Just wrapping up and shout outs before we go. Victoria, thank you for joining us. Also, thank you for sharing you story and your thoughts.

You’re going to enjoy next week’s guest too! We’re going outside FRSecure to get perspectives from women beyond these four walls. Going to be a great show!

Either of you have any shout outs this week?

[Brad and/or Victoria] We’ll see.

[Evan] Thank you listeners! You guys are pretty cool, I think. Send us your questions, feedback and suggestions by email at unsecurity@protonmail.com. We still need to talk about the whole Mandiant, Capital One, incident response, confidential legal report thing. Ugh! Maybe next week.

Online social people can follow us on Twitter. I’m @evanfrancen and Brad is @BradNigh. Victoria, you got somewhere you want people to follow/interact with you?

[Victoria] Maybe/maybe not.

The companies we work for are pretty social too. SecurityStudio’s Twitter is @studiosecurity and FRSecure’s Twiiter is @FRSecure.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 85 Show Notes – Women in Security Pt2

It’s been a good week around here. I hope you’re well.

Women in Security Series – Part One

We kicked off the Women in Security series last week, and we couldn’t have chosen a better first guest to help us off on the right track! Renay Rutter, FRSecure’s COO, shared some of the experience, wisdom, and insight she’s gained over her 30+ year IT career. Brad and I learned a ton!

If you missed last week’s episode, you can catch up here; https://podcasts.apple.com/us/podcast/unsecurity-episode-84-women-in-security-pt-1-renay-rutter/id1442520920?i=1000478037575

Women in Security Series – Part Two

Now we’re heading into Part Two of the Women in Security series on the UNSECURITY Podcast, and we’re VERY excited to announce this week’s guest, Lori Blair! Lori’s another veteran, and you’ll love her practical, level-headed approach to information security. She’s another person with a ton of experience and some great insight to share.

WELCOME LORI!

Women in Security Series – Future Guests & Episodes

There’s been great interest in this series. We love it!

Many of our listeners have reached out to us (Brad and I), recommending women that we should have on the show as guests. We could easily dedicate our entire podcast to the topic; however, we do need to limit how long the series goes (for a number of reasons). As it looks now, we will be running this series through the end of July (at least)! So far, we have an additional five women lined up to speak with us (and you). Our future guests include a lady who’s sort of new to the field, a lady who’s won multiple awards and runs her own organization, a lady who’s studying information security topics as a senior in a well-respected university, a lady who’s been CISO in multiple organizations, and a lady who helps organizations by selling information security consulting services.

We’ve got an all-star lineup of amazing women to share their stuff with us!

Let’s get on with the show!

Brad’s leading the show this week, and these are his notes…


SHOW NOTES – Episode 85

Date: Monday, June 22nd, 2020

Episode 85 Topics

  • Opening
  • Introducing Our Special Guest: Lori Blair
  • Catching Up (as per usual)
  • Women in Security
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Welcome back! This is episode 85 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is June 22nd, and joining me this morning as usual is Evan Francen.

[Evan] I’m guessing he has stories about deck building or motorcycle riding.

[Brad] We have our 2nd guest in the Women in Security series this week. FRSecure’s own Senior Security Analyst, Lori Blair. Lori is easily one of our most experienced and talented Analysts at FRSecure. She has over 20 years experience in information security and has experience across multiple industries as both a consultant and as a manager in organizations. Thank you for joining us this morning!

[Lori] This is where we find out if Lori is a morning person or not.

[Brad] Before we get going, let’s recap our week quick.

Catching Up

Quick discussion about last week, the weekend, or whatever else comes to mind.

[Evan] Evan struggles, as I do, to remember what happened last week.

[Brad] And what about you Lori?

[Lori] Hopefully, she does better than Evan and I did at recapping her last week.

Alright, now on to our series topic.

Women in Security, Part Two

[Brad] This is the second week of our series discussing the topic of women in the information security industry. We’ve already received a ton of positive feedback from Part One, so I’m excited to keep the momentum going with Lori here in Part Two.

Do we have a shortage of women in our industry? If so, what’s the big deal? Why is the topic important for us to talk about? Lot’s of questions and I’m sure just about everyone has an opinion. Instead of people listening to our opinions, we’re going to talk to the people this relates to the most; women! What better way to get a woman’s perspective on things than to talk to a woman? Let’s do this.

Open Discussion

  • How you got into the industry?
  • Your journey in the industry.
  • Advice you have for someone starting out.
  • Do you think we need more women in our industry and why?
  • Opinions about the talent shortage in our industry.
  • What can we do better in recruiting more people, and specifically more women in our industry?
  • Whatever else we’d like to share.

[Brad] Thank you Lori! Good information and things to think about more. Much appreciated! How about some quick news stuff?

News

[Brad] Like every week, there is no shortage of news in our industry. Here are three stories I’d like to discuss quick:

Wrapping Up – Shout outs

[Brad] That’s it for episode 85. Thank you Lori for a great second installment of the Women in Security series. We’re lining up our guest for next week and it’s going to be another great show! Either of you have any shout outs this week?

[Evan and/or Lori] We’ll see.

[Brad] Thank you to all our listeners! Keep the questions, feedback and suggestions coming. One topic suggestion we just received this morning was to discuss Mandiant, Capital One, incident response, and confidential legal reports. Interesting story that Evan might pick up next week. If you’ve got something you’d like to hear us talk about, you can email us at unsecurity@protonmail.com. You social types can follow us on Twitter if you’d like. I’m @BradNigh and Evan is @evanfrancen.

The companies we work for are pretty social too. SecurityStudio’s Twitter is @studiosecurity and FRSecure’s Twiiter is @FRSecure.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 84 Show Notes – Women in Security Pt1

Happy Monday!

Last week was another blur. The world hasn’t quite ended yet, but it seems to be getting closer.

Women in Security Series

Brad and I are starting a Women in Security Series this week. This will be (at least) a four-part series where we’ll talk about the topic of women in the information security industry. We’ll have a special female guest each week to give us their experiences, advice, opinions, etc. At FRSecure, we work with some amazing women, and we’ll start the series talking with them. After talking with some of our own, and if things seem to be going well, we’ll reach out to other women outside of FRSecure for an even broader perspective.

Our first guest in the series is Renay Rutter, FRSecure’s Chief Operations Officer. She’s pretty much all around awesome, and it will be great talking with her this week!

Let’s get on with the show!


SHOW NOTES – Episode 84

Date: Monday, June 15th, 2020

Episode 84 Topics

  • Opening
  • Introducing Our Special Guest: Renay Rutter
  • Catching Up (as per usual)
  • Recap of the 2020 FRSecure CISSP Mentor Program
  • Women in Security
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hi everyone. Episode 84 of the UNSECURITY Podcast is upon us. Wow, it’s already mid-June! June 15th, 2020 to be exact. I’m your host, Evan Francen and joining me as usual is Mr. Brad Nigh. Good morning Brad!

[Brad] Brad does Brad.

[Evan] Brad, last week I mentioned that I wanted to do a Women in Security series on our show and you seem pretty excited about it. Well, I was talking about this for a couple weeks with a close friend of ours and an awesome business person, Renay Rutter. Renay has more than 30 years of IT and business leadership experience, and we’ve had the pleasure of working with her here at FRSecure for the past 2(ish). She’s currently FRSecure’s Chief Operating Officer, and she’s pretty much kicking butt. Welcome to the show Renay!

[Renay] Renay does Renay.

[Evan] We have a lot to cover today, and before we jump into the meat of the show, let’s check in like we always do. What’s up you two?

Catching Up

Quick discussion about last week, the weekend, family, safety etc.

[Brad] Brad shares his things.

[Renay] Renay shares her things.

[Evan] Alright, that’s that. Was it last week or the week before that we finished up the 2020 FRSecure CISSP Mentor Program? Ugh. I can’t remember.

Recap of the 2020 FRSecure CISSP Mentor Program

This was the BEST year yet, by far. Just some of the highlights:

  • We had 1,444 total registrations at the beginning of class.
  • There were three instructors this year, which made life a lot smoother (me, Brad, and Ryan Cloutier)!
  • There have been 5,398 views of Session One.
  • Already had a dozen or so people inform us they’ve already passed the exam!
  • Renay (our guest) attended too!

[Evan] It was a great season and I’m pumped about what’s to come. The CISSP Mentor Program has been such a blessing for us ever since we started it 11 years ago. Huge thank you to our instructors, Brad and Ryan. Also, a huge shout out to the people behind the scenes who make this thing happen:

  • Brandon Matis, FRSecure Content Marketing Specialist
  • Lori Blair, FRSecure Senior Security Analyst
  • Ryan Abraham, FRSecure Senior Security Analyst
  • Chad Spoden, FRSecure Senior Security Analyst

A great team effort and a great success. Here’s to next year!

Alright, now on to our series topic.

Women in Security, Part One

[Evan] This could be the start of something cool. We’re going to take a big portion of the next four shows (or so) to get real and be honest about the topic of women in the information security industry. Do we have a shortage of women in our industry? If so, what’s the big deal? Why is the topic important for us to talk about? Lot’s of questions and I’m sure just about everyone has an opinion. Instead of people listening to our opinions Brad, we’re going to talk to the people this relates to the most; women! What better way to get a woman’s perspective on things than to talk to a woman?

Who better to start the series off with than Renay. Let’s do this.

Open Discussion

  • How you got into the industry?
  • Your journey in the industry.
  • Advice you have for someone starting out.
  • Do you think we need more women in our industry and why?
  • Opinions about the talent shortage in our industry.
  • What can we do better in recruiting more people, and specifically more women in our industry?
  • Whatever else we’d like to share.

[Evan] Thank you Renay. Good information and things to think about more. Much appreciated! How about some quick news stuff?

News

[Evan] Between COVID-19, the social justice things going on around the world, and everything else. Yes, there is plenty of information security news too! Here’s just a few stories to bring your attention to quick:

Wrapping Up – Shout outs

[Evan] There you go. That’s it for episode 84. Thank you Renay for giving a great start to the Women in Security series. We’re lining up our guest for next week and it’s going to be a great show too! Either of you have any shout outs this week?

[Brad and/or Renay] We’ll see.

[Evan] Thank you to all our listeners! We dig all you folks (mostly). Let us know what you think about this show or share your ideas with us. You can email us at unsecurity@protonmail.com. You social types can follow us on Twitter if you’d like. I’m @evanfrancen, Brad is @BradNigh, and even Renay’s got some Twitter foo; she’s at @RenayRutter. The companies we work for are social too, heck everyone’s social nowadays. SecurityStudio’s Twitter is @studiosecurity and FRSecure’s Twiiter is @FRSecure.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 83 Show Notes – It’s About People

Ever have so many things going on that you can’t remember what happened last week? Yeah, that’s where I’m at right now.

Pretty sure Brad’s in the same place I am. So, rather than recapping everything (or trying to), I’ll just get to the show notes.

These are Brad’s show notes this week…


SHOW NOTES – Episode 83

Date: Monday, June 8th, 2020

Episode 83 Topics

  • Opening
  • Catching Up (as per usual)
  • Information Security Isn’t About Information or Security
  • Work, Life, and Mental Health
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Welcome back! This is episode 83 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is June 8th, and joining me this morning as usual is Evan Francen.

[Evan] Regales us with stories from the weekend. Oh God!

[Brad] Before we get going let’s recap our week.

Catching Up

Quick discussion about last week, the weekend, family, safety etc.

[Brad] What would you say you do here Evan?

[Evan] Hmmm. Good question! This outta be interesting.

Information Security Isn’t About Information or Security

Discussion about people, information security, working remote, stress, and overall mental health.

[Brad] Your blog from last Tuesday (Information Security Isn’t About Information or Security) really inspired me for this week’s podcast.  There have been countless articles written about how to secure remote workers so we aren’t going to focus on that, though it will probably come up in the course of this discussion.

Here’s the reality, it’s no secret that InfoSec and IT staff struggle with stress and a healthy work/life balance (Mental Health and Cybersecurity).  There really is no “done for the day”, systems can be attacked or suffer an outage anytime.  Add to that the now nearly 3 months of social distancing and quarantine that add even more stress.  We’ve seen an increase in cyber attacks the last 3 months and if your staff is struggling and has lost focus or is more distracted than usual your risk increases even more. So what can we do about it?  (Disclaimer, neither Evan or I are licensed mental health professionals and this conversation should not be taken as professional advice).

From an information security perspective I think you really captured the increased risks to organizations during this unprecedented time in your blog.

As a leader in an organization the employees’ health is critical, looking at it from a business perspective if they are not able to work we cannot deliver for our customers, but to me that feels cold & cynical.  I really do care for every one of our employees, I have a personal, vested interest in their well-being and want to be aware and in-touch with their status… That has become incredibly difficult during this time when you can’t read them face-to-face.

So what I want to do is talk about how we can be more aware and help reduce these risks.  First is being aware, I found these articles that I thought were really good to help identify and be proactive.

And then some really solid advice for employees, or really anyone feeling additional stress right now.

[Brad] Good conversation. Thank you Evan.

Let’s do some news…

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Wrapping Up – Shout outs

[Brad] Alright, that’s it. Episode 83 is a wrap. We got any shout outs this week?

[Evan] We’ll see.

[Brad] Next week is Evan’s show and I think he’s sort of itchin’ to tell us his idea.

[Evan] Yep. Tune in.

[Brad] Thank you to all our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh (B-R-A-D-N-I-G-H) and this other dude is @evanfrancen (just spell his name without a space). Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for goodies and things.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 82 Show Notes – World On Fire

So, in case you missed it, the world blew up last week. Again.

This time it’s not COVID-19 that takes the headlines, it’s rioting. Rioting that was triggered by (NOT caused by) one of the most disturbing videos I’ve ever watched, that of Minneapolis Police officer Derek Chauvin kneeling on the neck of George Floyd. As I write this, riots are taking place (or have taken place) in Atlanta, Bakersfield, Boston, Chicago, Columbus, Dallas/Fort Worth, Des Moines, Denver, Detroit, District of Columbia, Houston, Los Angeles, Louisville, Memphis, Minneapolis, New York City, Phoenix, Portland, Sacramento, and San Jose, among many others. The media is reporting riots are even taking place in other countries!

Seems like the world is on fire. While this isn’t the place for us to dig into the debate about racial injustice and inequality, we’ve all got opinions (and I’ll share mine later, in another place/time). The UNSECURITY Podcast is dedicated to information security, so we’ll stay on topic. Today’s current events are hard to process, but a relevant question is, what do current events mean to/for information security? This will be our topic.

I’m not going to recap last week/weekend personal events here either. We might discuss these things a little during the time that Brad and I catch up with each other, but otherwise, we have plenty to discuss in this episode. Let’s get to it!

These are my (Evan) show notes…


SHOW NOTES – Episode 82

Date: Monday, June 1st, 2020

Episode 82 Topics

  • Opening
  • Catching Up (as per usual)
  • World On Fire
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey there! Welcome to episode 82 of the UNSECURITY Podcast. Today’s date is June 1st, 2020. Due to a lack of personal hygiene, well mostly a hair cut, I’m your information security chia pet, Evan Francen. Joining me is my good friend and co-host Brad Nigh. Good morning Brad!

[Brad] He wishes all the listeners nothing but the best of mornings!

[Evan] Some serious stuff to talk about in today’s show, but one of the most serious things, for me at least, is checking in with you. How you doing Mr. Nigh?

Catching Up

Quick discussion about last week, the weekend, family, safety etc.

[Brad] Gives us the low down on his haps.

[Evan] I give the low down on my haps. Also, I hit a deer on my motorcycle on Saturday (again). What the?!?! Who does this?

World On Fire

[Evan] It was easy to pick a topic for this week’s show. Just when you think the world couldn’t get any crazier, we encounter the events of last week. There are so many thoughts and emotions running through our heads. Everything from sorrow to anger to frustration and everything in between. We don’t ever want to shy away from tough issues, but we also need to keep things on topic (information security) for the show. What I’d like to do is discuss today’s current events and apply them to what we do. Ultimately, what do all these things mean to information security?

Whatya say Brad, you game?

[Brad] He’s a smart and competitive son of a gun. You know he’s game!

Things to discuss:

  • FRSecure’s Information Security Principle #1; a business is in business to make money.
  • Physical security implications, lessons, ideas, etc.
  • What does this mean for cyber/technical security?
  • Some organizations are targets.
  • Personnel information security implications.
  • If COVID-19 wasn’t enough to motivate better response planning, does this?
  • Whatever other pertinent thoughts come to mind.

[Evan] Great discussion and lots of good advice I think! Let’s do some newsy stuff.

News

[Evan] Even though information security may not be dominating the news, there are still plenty of information security news stories to choose from. Here are three news stories that caught my eye.

Wrapping Up – Shout outs

[Evan] Alright listeners! That’s episode 82. Brad, who you got a shout out for?

[Brad] Somebody special for sure!

[Evan] Here’s mine…

[Evan] Thank you to all our listeners! You guys are a big deal to us. PLEASE be safe out there; physically, mentally, and electronically. Let us know what you think of this episode or whatever else is on your mind. Send us things (preferably not malware, but whatever) by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and you can find this Brad guy @BradNigh. If you wanna follow our company’s stuff, you can follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for whatever cool things they’re up to.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 81 Show Notes – Hard Truths

Welcome back! Episode 81 is sure to be a good one, but before I get started, just a few thoughts…

We just went through our first Memorial Day weekend under COVID-19. I don’t know what to say about it, other than the world seems as crazy, or crazier, than ever. Seems like 1/2 the country is out and about like everything’s normal while the other 1/2 of the country stays cooped up as though the apocalypse were upon us. To complicate matters, both halves seem to look upon each other with disdain.

We’re learning more and more each day about this coronavirus we call COVID-19. One thing appears certain, we’ve had crappy data to work with since day one. Crappy data leads to crappy decisions and crappy decisions lead to crappy outcomes. I’ll just leave it at that.

Memorial Day

This is one of my favorite holidays. I wonder how many of us know what it stands for or what it means. I wonder because I was wished a Happy Memorial Day numerous times yesterday, yet there’s nothing “happy” about it. The day is set aside to remember and honor our nation’s war dead from the Civil War onwards. It’s a day to stop what you’re doing, spend (at least) a few moments remembering the sacrifices that were made by our soldiers, and be grateful.

I suppose there are happy parts too, but these are mostly the product of what somebody else gave for you and me.

Not sure if I’m in a pissier mood today or what. No matter, I’ll snap out of it soon. Let’s get to Brad’s show notes!


SHOW NOTES – Episode 81

Date: Tuesday, May 26th, 2020

Episode 81 Topics

  • Opening
  • Catching Up (as per usual)
  • Hard Truths
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Welcome back! This is episode 81 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is May 26th, and joining me this morning as usual is Evan Francen.

[Evan] Has some sort of story for us I’m sure

[Brad] We’ve got a good show planned today! Before we get going though, let’s recap our week.

Catching Up

Quick discussion about last week, Memorial Day, last weekend, COVID-19, life, and other stuff.

[Evan] Evan talks about the cool things he did.

[Brad] I talk about the cool things I did.

Hard Truths

[Brad] So interestingly, at least to me, this is the first time I struggled with what to cover in our podcast.  Maybe the monotony of quarantine, the tidal wave of news around breaches and new attack vectors, or just plain old writer’s block but even sitting down to write this I don’t know where it ended up.

Because I was stuck I decided to start with news, there have been several really interesting things that have come out lately and that’s when I found this article from CSO Online 6 hard truths security pros must learn to live with and, yeah we can talk about this.

The Hard Truths

Discussion about the hard truths outlined in the CSO Online article:

  1. Hackers are probably inside your network right now
  2. You can do everything right and a careless end user can ruin everything
  3. You face critical staffing and skills shortages
  4. IoT creates new and unforeseen security problems
  5. You sometimes feel misunderstood and underappreciated
  6. Stress, anxiety and burnout come with the territory

[Brad] Good conversation, thank you Evan.

Let’s do some news…

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye

Wrapping Up – Shout outs

[Brad] That’s it, Episode 81 is a wrap. Evan, you have any shout outs?

[Evan] Of course he does!

[Brad] Here’s mine…

[Brad] Huge thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen. Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

Don’t Suck – STOP Paying Ransoms

So, in case you haven’t heard, we have this problem. Yeah, there’s this thing called ransomware, and it’s sort of all over the news.

    • Colorado-based NEO Urology paid a $75,000 ransom
    • Colorado-based Estes Park Health (EPH) – they had an incident response plan, but the insurance company paid the ransom. EPH paid the $10,000 insurance deductible for their ransom payment, but it’s not known how much the attacker’s ransom was.
    • Boston-based ResiDex Software – the ransomware attack was discovered on April 9th but was only disclosed this past week. ResiDex appears to have restored their systems from backup, not paying the ransom.
    • New York-based Olean Medical Group – they were hit this past week, and it appears they won’t pay the ransom. According to news reports “Olean plans to begin setting up a new system and will work to regain the encrypted records to populate a new computer system, helped by partner healthcare providers.
    • Seneca Nation Health System – calls their attack a “computer system failure” (the computer system wasn’t what failed, just sayin’). Not sure if there are plans to pay, but the CEO says “We are working feverishly to rebuild our system”.
    • California-based Shingle Springs Health and Wellness Center (SSHWC) – reported that their ransomware attack affects all 21,513 patients, but I don’t think they’re planning to pay the ransom. SSHWC is working to restore their systems by installing new servers and putting workstation upgrades on a “fast track”.

Then there’s this particular attack and response that caught my attention this past week.

The Riviera Beach City Council voted unanimously this week to pay the 65 bitcoin (more than $600,000) ransom.

At what point do we say enough is enough? What’s your excuse for not preparing or planning for a ransomware attack? It’s not like you don’t know that they’re a problem.

What would be your acceptable excuse for not planning for a ransomware attack?

Simple answer. There is no valid excuse. Stop looking for one and stop making sh_t up. If you’re offended, maybe that’s good. It’s the truth. You might have all sorts of excuses that you think are legitimate, but they’re all BS. You’ve run out of excuses. Regardless of being legitimate or not, here are some common ones that people try to pass off:

  1. Management support – you couldn’t get management to “buy in” and do the right thing. Sorry, not a valid excuse. Part of your job is to get management buy in, and you failed. If management has their heads so far up their @55, you should find another place to work where they will champion security. To management – get your head out of your @55, you’re not helping your company, your customers, your partners, or anyone else.
  2. Priorities – you have so much stuff on your plate, that you couldn’t get around to protecting yourself from ransomware. Hard to fathom how good information stewardship isn’t a top priority. I know you might have a thousand other things too, but ransomware protection should be near the top. If it isn’t, revisit your priorities and get to it.
  3. We don’t know how to protect ourselves – take the Ransomware Readiness Assessment that I mention at the end of this post/article or read some self-help articles online (there are hundreds of them).
  4. We have insurance – good for you. That’s probably prudent, but it will never make up for your lack of stewardship. When your insurance company pays, we all pay. Insurance companies aren’t in the business of losing money, so they’ll just jack up the rates and everyone will pay more. Simple economics, right?
  5. You need help – don’t we all? This isn’t as much of an excuse as it is an admission. It’s an excuse if you don’t do anything about it. There are hundreds of online articles full of good advice, and there are probably hundreds (if not thousands) of security professionals that would love to help. Heck, I’m not writing this article for my health. If anything, it’s probably bad for my health (you know, blood pressure and stuff).

Choices

If you get hit with ransomware, you have one of five choices:

  1. Take your chances by paying the ransom. This is a terrible choice (read below), but it is a choice nonetheless.
  2. Don’t pay the ransom and follow a planned and tested incident response process. Your incident response process should include investigation (looking for the source), containment, and mitigation (at a minimum).
  3. Don’t pay the ransom and struggle mightily because you didn’t plan well. Think Baltimore, Atlanta, and hundreds of other organizations that paid hundreds of thousands (or millions) of dollars in attempted recovery operations.
  4. Start over. Only differs from the previous choice because recovery efforts, in terms of data recovery, are no longer on the table.
  5. Shut down operations. Sadly, I’ve seen this more than once, and once was too many times.

There is only one good option among the five. That’s option #2, don’t pay because you can recover. You planned, you’re a good steward of the information entrusted to you (at least in this respect), and you serve your organization well.

The other four options are bad ones, but if you didn’t plan well, option #2 is off the table anyway.

The first option was the only one that considered paying the ransom, while the other four options did not. So, if you didn’t plan well, you must decide whether to pay the ransom or not.

Not paying the ransom

You either prepared well, or you didn’t.

  • If you did, then kudos to you. You’re more likely to be back up and running within a relatively short period, and your organization owes you a big debt of gratitude.
  • If you didn’t, you’re in for a doozy of a response. Get out your checkbook, because it’s probably going to get expensive. It might be so expensive, in fact, that your organization may not survive the ordeal.

The key is planning well! If you didn’t properly protect your data (air-gapped/offline backups, prudent access control, etc.), and if you didn’t plan, you’re a poor steward of the information that’s been entrusted to you. You should slap yourself (hard), update your resume, and maybe find another line of work. People have suffered and/or will suffer because of your poor choices.

Paying the ransom

If you planned (or think you planned), and pay the ransom anyway, take Estes Park Health (noted above) for instance, they claimed to have “incident response program”, but paid the ransom anyway (or their insurance company did).

What’s wrong with this picture?!

Maybe they thought they had planned but didn’t, or the maybe the plan just sucked. If you didn’t plan, or you didn’t plan well, you find yourself in a pickle.

We cited two examples earlier where the organization paid the ransom; Estes Park Health (EPH) and the City of Riviera Beach (FL). It appears from the news reports that one of the two might have had a choice in paying, while the other one did not appear to have a choice.

Estes Park Health (EPH) – the organization was hit by a ransomware attack on June 2nd. According to their own investigation, there was no data exfiltrated (common). The source of the attack wasn’t disclosed, but it was discovered (allegedly) when an on-call IT technician logged in from home and noticed files encrypting live, while he/she was on the system.

Sounds like just about everything was locked down; phones, network access, imaging files, etc. According to one news report, EPH had an “incident response program”, but determined at some point “the only way to restore the software in the clinic and the only way we were able to restore the imaging and so forth is because our insurance company paid the ransom money and we were able to get the keys to unlock those files.

No other significant details are available, like the type of ransomware used, how the ransomware got in, how much was paid, or what the “incident response program” called for. Two things are certain:

  1. The “incident response program” sucked.
  2. The criminals won.

Not only did the insurance company pay the ransom, they paid two ransoms! The insurance company paid two separate ransoms, as EPH discovered more locked files when decrypting its systems.

Riviera Beach City Council – on June 20th, it was reported that the Riviera Beach City Council voted unanimously to award attackers more than $600,000 for the privilege of accessing their own files. Attackers had broken in three weeks prior, and at some point, locked things up. The attackers held all/most of/some of the data entrusted to the city for ransom. Like most cases, the city had been working with “security consultants”, and it was determined the only way to decrypt the information was to pay the ransom.

The attack began on May 29th, when an employee at the Riviera Beach police department opened a malicious email. Initially, the city council decided to not pay the ransom, but due to the difficulties in restoring the operations, they eventually opted to pay.

Interesting isn’t it? By proxy, it’s the police paying criminals. Supposedly, the payment is being covered by insurance, but so what?

If you pay the ransom, you suck

People don’t like to be told that they suck, because it sucks to suck. Maybe not sucking will motivate you to change some things and be better.

There are at least four reasons why paying a ransom pisses me off, and why it should piss you off too:

  1. You fund future attacks (against me and my friends). What do you think the attackers will do with the money they collect from you? They’ll take some for their own enjoyment, then they’ll funnel the rest into making their future attacks more effective. If you don’t pay, they have no money. Simple, right? If you think this is only about you, you’re selfish. Selfish people suck.
  2. It shows that you’re not a good steward. Somebody entrusted you with information, and they deserve better. The information (in most cases) isn’t yours, it belongs to someone else. If you can’t take good care of it, you shouldn’t have it. If you need it to run your business, then maybe you shouldn’t be in business.
  3. Attackers win. You might not be as competitive as I am, but you have to admit that it sucks when some jerk beats you at something. If the game was fair and you lost to a good person in a straight-up competition (like chess with a buddy), that wouldn’t be so bad. Here, you lost to a straight up jerk face and there’ll be no gentlemanly handshake at the end. You got taken and you’ll have to just suck it up (or just suck).
  4. Money that can’t be used for good. Every dollar we spend on information security is precious. Businesses are in business to make money and/or serve a mission. Money diverted from either one of these two purposes, takes away from your ability to succeed. What could the City of Riviera Beach have done with the $600,000+ if it were spent on something worthwhile. Wouldn’t the taxpayers rather have a nice new community pool, better streets, a few more safety personnel, etc.? Nope.

There are more reasons why we don’t pay ransoms, see what you can come up with yourself.

Now what?

Get to work. Do what you can to protect your organization from a ransomware attack and plan for one if (when) it were to occur.

Don’t know where to start?

Try our free FISASCORE® Ransomware Readiness Assessment

There aren’t any strings attached, there isn’t any registration required, and it’s freely distributable through a Creative Commons License (so, share it too!). I whipped this thing up in early 2017 for a bank customer then forgot I had it.

Are there other obstacles in your way?

Identify the obstacles and figure out how to remove them, go around them, go under them, etc.

Need help?

Reach out to any number of us information security people. Many of us will help you, including myself.

Moral of the story is 1) prepare and plan, 2) DO NOT pay ransoms, and 3) we’re all in this together. Good luck!

2019 New Directions in IT Education Conference

This was a wonderful opportunity to talk to some fascinating people; people tasked with helping us create the future talent of our industry.

It was also the fourth talk at the fourth conference of the week, so things were getting a little weird. Regardless, I always enjoy this and I’m having fun!

About the 2019 New Directions in IT Education Conference

This is an annual conference attended by “educators and industry experts”, sponsored by the Minnesota State IT Center of Excellence.

According to the conference website:

Minnesota State IT Center of Excellence, invites industry professionals, employers, and Minnesota State faculty members to convene at our annual free IT conference that takes place in May.  Explore emerging employer needs, identify specific implications for student learning outcomes, and map out actions that individual faculty and departments can implement, and identify comprehensive innovations to be developed collaboratively.

A really cool opportunity to speak and collaborate! I was here for two reasons:

  1. Deliver a keynote talk
  2. Participate on a panel of experts

I was with some experts, but I’ll apply that word loosely to myself. The full conference schedule is here.

Keynote Plan A

If you know me, you know that I wing it a lot. This makes me very hard to manage, and it can get frustrating for people who work with me. It’s just how I roll.

I prepared my talk for this conference four (maybe five) days ahead of time. That’s crazy good for me! My talk was/is titled “Seven Facts About Unicorns”. I put a lot of work into the presentation and I was excited to give the talk (at the time I wrote it).

Keynote Plan B

There wouldn’t be a need for Plan B if I had just stuck with Plan A, but what fun would that be? Driving on the way to the venue, I changed my mind. I didn’t want to talk about unicorns anymore. I even said to myself in the truck, “Seriously Evan?! Don’t do it.” Thankfully, I was 45 minutes ahead of schedule, so I pulled off at a local coffee shop to create a new presentation.

Some people (I/me) never learn.

I grabbed a cup of coffee, tore my laptop out of my bag, and begin pounding away on the keyboard. What would I talk about though? Hmm. Got it! I will cover the first 38 of 100 truths about information security. I started the #100DaysofTruth series 38 days ago, at the time of the talk (at the time of this writing, I’m on day 50). I felt like hitting some hard truth with the educators in the audience. So, that’s what I did. The title of Plan B was “38 of the 100 Truths About Information Security”.

Whipped the slides together, and away we went!

The talk went extremely well. The audience was engaged, and there were some great questions afterwards. We’ll save the unicorn talk for another day. 😉

Here’s a copy of the presentation if you want to look at it or use it.

Want to see the Seven Facts About Unicorns talk? What’s it worth to you? Just kidding, here it is. I still might deliver this talk someday.

Panel of Experts

This was cool! I just got to sit there and answer questions. Not all the questions, but only the ones where the other two panelists didn’t answer. I suppose I also added a few things here and there to their answers, but the other panelists were dead on I think. You know how you have to add something once in a while to make people think 1) you’re still paying attention and 2) you’re smart and stuff? I did some of that.

It was an honor to sit on the panel with Ryan Manship from RedTeam Security and Sahar Ismail from Legacy Armour

Overall, it was an awesome conference and a great way to end a crazy week.