UNSECURITY PODCAST – Episode 17
Monday, March 4th, 2019 @ 6:45am
This podcast is led by yours truly (Evan, if you didn’t know me). If you’ve been following our podcasts for a while, hopefully you’re noticing that we continue to improve. Sound quality is better for sure, but Brad and I are also feeling more comfortable talking into microphones. Speaking into a microphone is neither of our strengths. This will be a relaxing week/podcast as we try to recover from last week’s visit with our wives. Actually, I’m kidding. Brad and I both loved spending time with them in episode 16, and we both learned some things about ourselves from our wive’s perspectives. We’re grateful for them, and we hope you enjoyed the listen! If you missed episode 16, check it out!
This week we’re going to dig in to our information security principles. When we started FRSecure in 2008, we documented our guiding principles, almost like our very own Ten Commandments. We revisit them every so often just to make sure that they’re still relevant. This podcast will be our review!
[Evan] Alright, here we are again. This is the UNSECURITY Podcast, and this is episode 17. My name is Evan Francen, and I’ll be your host for today’s show. Joining me as always is Mr. Brad Nigh. Brad, what’s up?
[Brad] He’ll surely say something here… If not, I’ll kick him under the table.
Discuss Last Week’s Show (Teaser Questions)
- What did you think of last week’s show?
- Did your wife listen to the show? If so, what did she think?
- What sort of feedback did we get from listeners?
[Evan] Before we dig in to the meat of the podcast, let’s share some of the highlights (or maybe lowlights) of our last week with the listeners. Brad, tell me about your week.
[Brad] He’ll surely say something here too… If not, I’ll kick him under the table again.
Discuss the important things about last week, including:
- More IRs. Why do you think we’re seeing such an increase? What are some of the commonalities between these incidents?
- Pentest and Political Capital
- Book Signing Event
- Stuff that Brad did last week that he hasn’t told me about yet.
Well, good. We have a lot to cover this week. So, let’s get started, but before we do, one more thing that we do every week. We want to remind everyone how to contact the show, and each of us. Send your suggestions, comments, or whatever else to email@example.com. If you’d like to be a guest on our show, you can email us there too. The best, least intrusive way to keep up and/or contact Brad or I is probably through Twitter. Brad is @BradNigh and I am @EvanFrancen.
Easy. Let’s move on now.
FRSecure’s Information Security Principles
As I stated in the opening, Brad and I are going to review FRSecure’s Information Security Principles together. Brad and I have never done this together, so it will be fun to get each other’s view on these things.
Principles are vital to us at FRSecure because they serve as boundaries and reminders. They keep us honest in all the work we do as security professionals. We first documented our principles in 2008, at the same time we established FRSecure. We wrote our principles down because we always wanted to remind ourselves why we’re different and why we wanted to start our own company in the first place.
Basically, we wanted to do information security right. Not just sometimes, but always. Lofty goal and a high (maybe unrealistic) standard for sure, but that’s the kind of people we are. Always striving for perfection, but never actually getting there.
That sort of sounds sad, doesn’t it?
[Evan] Brad, you’ve seen our principles once or twice right?
[Brad] He’ll surely say something here too, but I’m afraid if I kick him under the table again, he’s going to retaliate. I’ll nicely urge him to say stuff, like friends do.
[Evan] As you might now, I review these principles each year. I’m looking for relevance and alignment with what we believe in. If relevance and alignment are good, the principle is still good. Even though I review these each year, I’ve never had to make a change. This makes me believe that maybe these principles are timeless, after all this is the eleventh year.
Now, I’ve never reviewed these with anyone before. Today, I’ll review them with my good buddy and trusted cohort Brad. What do you say Brad? You cool with this?
[Brad] Now it’s totally up to him if he wants to say anything. If I really did have to kick him like I said I might have too, he’s probably not even be here anymore.
We’re going to cover each principle, one-by-one and give our thoughts on them. We’ll at least cover the following questions, but probably more:
- What does this principle mean to you?
- Do you think it still applies to the work we do everyday?
- How well do you think it aligns with our mission?
- Would you change it if you could? If so, how?
NOTE: As we cover each of the principles, do you notice any change in our tone? Do Brad or I seem to be more engaged? I’m guessing you’ll hear and sense how important these things are to us. We defend what we believe in.
#1 – A business is in business to make money
Information security must align with business objectives.
#2 – Information Security is a business issue
Information security is NOT an IT issue.
#3 – Information Security is fun
That’s right, we said “FUN”!
#4 – People are the biggest risk
#5 – “Compliant” and “secure” are different
We shouldn’t confuse the two.
#6 – There is no common sense in Information Security
If there were, we would have better information security.
#7 – “Secure” is relative
One of many reasons for ongoing measurements and comparisons.
#8 – Information Security should drive business
Identify and focus on information security benefits. Information security shouldn’t just be a cost-center.
#9 – Information Security is not one size fits all
No two businesses are exactly alike.
#10 – There is no “easy button”
So stop looking for one.
Other Bonus Security Wisdom
- If something is insecure at the core, then it will always be insecure at the perimeter.
- Gain an intimate understanding of “information security” and “risk”. All of security and compliance flows from these two definitions.
- You cannot prevent all breaches. You better be able to detect them and respond to them too.
- A wise man once said “Complexity is the Enemy of Security”.
Alright we made it through that. I was taking notes, so if we decided on changing anything, we’ll be sure to get those changes implemented in the next version or our principles. I’d actually be surprised if we did change anything, but who knows. This is the first time we’ve done this together.
OK, we like our news, yes? Let’s get to some news quick. I think we have some time.
- ICANN urges adopting DNSSEC now – https://www.networkworld.com/article/3343185/icann-urges-adopting-dnssec-now.html,https://nakedsecurity.sophos.com/2019/02/26/as-dns-hijacking-worsens-icann-demands-dnssec-security/, and https://www.zdnet.com/article/icann-there-is-an-ongoing-and-significant-risk-to-dns-infrastructure/
- Security Experts, Not Users, Are the Weakest Link – https://www.darkreading.com/careers-and-people/security-experts-not-users-are-the-weakest-link/a/d-id/1333916
[Evan] I’m not sure how newsworthy this article is, but I love the content. My show, my news.
- Half of business leaders say a breach could end their business, others remain unaware – https://www.helpnetsecurity.com/2019/03/01/half-of-business-leaders-say-a-breach-could-end-their-business/
- Security Pros Agree: Cloud Adoption Outpaces Security – https://www.darkreading.com/cloud/security-pros-agree-cloud-adoption-outpaces-security/d/d-id/1334013
[Evan] Well, what do you think Brad? Good show?
[Brad] Assuming Brad is still here or he came back…
Well, that’s episode 17 of the Unsecurity Podcast. I had fun, and I hope the listeners found the hour spent to be a valuable one.
Oh crap, I just remembered! RSA is this week. I’ll be out there, just for a day to see my friend Roger Grimes give his awesome talk on 12 ways to hack MFA. That’ll be cool.
Next week, we’re not sure what we’re doing yet. Brad, you have anything specific planned for next week’s show? We’ll wing it if we gotta. Another quick reminder to send your questions and suggestions to us at firstname.lastname@example.org
Thank you and see you next week!