Happy Friday! It’s Good Friday.
If you missed episode 23 of the Unsecurity Podcast, you can still check it out here.
Brad’s hosting episode 24. He sent me his notes to post. So, these are his notes, but I might have added a little of my own flavor to ‘em.
We had another great week here at FRSecure and SecurityStudio. Our quarterly meeting was held on Monday. I love the weeks when we have our quarterly meetings because we fly everyone in from all over the country to our headquarters in Minnesota. We all get together, collaborate on cool stuff, hang out after work, play games, etc. The week is full of fun; sort of like a week-long FRSecure/SecurityStudio party.
The only people who aren’t able to attend in person are the great Bulgarians! Shout out to those guys because they’re fricken amazing!
Anyway, like I stated earlier, it’s Brad’s week. Let’s see what he has in store…
Date: Monday, April 22nd, 2019
Today’s Topic(s): Compliant vs Secure
[Brad] Hello, listeners! Here we are, today is Monday, April 22nd, 2019, and this is episode 24 of the Unsecurity podcast. I’m Brad Nigh, and I’m your host for today’s show. Joining me is Evan Francen. Hello, Evan.
[Evan] Evan says “Hi” and other things
[Brad] We also have a special guest this week. As you may know, FRSecure participates in several mentorship opportunities, including some in our own backyard. As part of one mentorship program in particular, we have to do a real-world experience exercise with the student. So, here we are; we’ve invited one of our students to sit in with us today. He may just sit and listen, but he’s more than welcome to join in and ask questions.
[Evan] Says stuff to the guest, probably…
(may be some open discussion here but maybe not… tune in to find out!)
[Brad] Anything exciting you want to talk about from last week? How’s the survey going?
[Evan] Gives a recap of his week…
[Brad] Alright, we’ve got some good topics for today’s show. I chose today’s topic after responses from a couple of calls this week. It’s something that I think we are both passionate about, and honestly it gets me fired up. So let’s talk “Compliant vs Secure”. The one comment that triggered this was a potential client who, after seeing our proposed services to address several issues, responded with “what is the absolute minimum I have to do to be compliant with (insert regulation here)?”
[Evan] Goes off on rant, just as I planned. 😉
[Brad] This isn’t something new either, but we are still seeing it.
Krebs wrote an article in 2016 around it:
“The sad truth is that far too many organizations spend only what they have to on security, which is often to meet some kind of compliance obligation such as HIPAA to protect healthcare records, or PCI certification to be able to handle credit card data, for example. However, real and effective security is about going beyond compliance — by focusing on rapidly detecting and responding to intrusions, and constantly doing that gap analysis to identify and shore up your organization’s weak spots before the bad guys can exploit them.” https://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/
Forbes mentioned it in 2014:
“But here’s the kicker: being compliant won’t necessarily save you from being hacked.
We know that is rough to hear, but requirements are not the same as best practices. Basic prescriptive requirements are often the bare necessities of information security. To truly defend against all-purpose attacks, full information security programs and best practices must be implemented.” https://www.forbes.com/sites/sungardas/2014/05/01/can-your-company-be-pci-compliant-and-still-get-hacked/#1f6fdfb4ea90
Open discussion around the differences and how we, as InfoSec professionals, can help change this mindset.
[Brad] Okay, we should probably talk about a couple of news stories; there are some big ones out there.
- Easter Attack Affects Half a Billion Apple iOS Users via Chrome Bug (https://threatpost.com/easter-attack-apple-ios/143901/)
- How Not to Acknowledge a Data Breach (https://krebsonsecurity.com/2019/04/how-not-to-acknowledge-a-data-breach/)
- Wipro Intruders Targeted Other Major IT Firms (https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/)
- Experts: Breach at IT Outsourcing Giant Wipro (https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/)
- Facebook: we logged 100x more Instagram plaintext passwords than we thought (https://nakedsecurity.sophos.com/2019/04/19/facebook-we-logged-100x-more-instagram-plaintext-passwords-than-we-thought/)
That’s it for episode 24. Have a great week everyone! Thank you and see you next week!