Here we are again, another Tuesday, and another episode of the UNSECURITY Podcast!
Tons going on, as usual.
Last week we released a couple new FREE things at SecurityStudio:
- Work From Home Security Policy Template – Located at the bottom of our S2Team page. If you don’t know what S2Team is, you should definitely take a look. If you just want the template and don’t care, here it is.
- Ransomware Recovery Contract – A simple contract between executive management and IT to ensure accountability for ransomware recovery. Executive management likes it because they finally know what to ask for, and IT likes it because they can use it to show they’re doing what they should/can to prevent a prolonged ransomware outage. I’ve uploaded the contract to my site here.
ADDED: Brad reminded me on the show that FRSecure made a free Incident Response Plan Template available last week. Take a look. It’s really, really good (and free)!
Other goings on include the development and improvement of new services (including the release of SecurityStudio v3.9 and an incident response capability assessment), continued collaboration with great partners, a few speaking engagements, episode 19 of the Security Shit Show, deployment of S2Team, and other things.
Alright, enough about that. Let’s get to the show notes, shall we? These are my (Evan) notes.
SHOW NOTES – Episode 98
Date: Tuesday, September 22nd, 2020
Episode 98 Topics
- Catching Up
- Wrapping Up – Shout outs
[Evan] Good morning everyone. Thanks for tuning in to episode 98 of the UNSECURITY Podcast. Today is September 22nd, 2020 and joining me is my co-host and friend Brad Nigh.
Good morning Brad.
[Brad] Cue Brad.
[Evan] I think we have a good show planned for listeners this week. This episode is all about accountability. I’d like to discuss how accountability works in information security, who should be accountable for what, and give some tips for improving accountability where we work and in the world around us.
Lots to cover on the topic of accountability. Before we jump in, quick catchup with Brad.
[Evan] Brad, how you doing? What’s new?
[Brad] Cue Brad.
[Evan] Cue Evan.
[Evan] Alright, let’s talk about accountability, or maybe the lack of accountability, in information security. This has been a topic that’s been dominating my thoughts again for the past couple weeks. I say “again” because this isn’t the first time we’ve talked about it.
During an episode of the Security Shit Show a couple weeks ago, I think it was episode 18, we were talking about ransomware. The talk was great, but the frustration we all felt was apparent. Why do we keep doing the same things over and over again? Why don’t people do the basics? My take was the lack of accountability. So, I drafted a Ransomware Recovery Contract to help.
Have you seen the Ransomware Recovery Contract?
[Brad] Cue Brad (I’m sort of springing this on him).
[Evan] So, the greater issue of accountability in general. Let’s talk about it here, for our benefit and the benefit of our listeners.
- The importance of accountability.
- Repeating the same mistakes over and over.
- Safe to assume people know?
- People die now.
- When to define accountability.
- Who’s ultimately accountable for what?
- In tech – buggy software, social media (see The Social Dilemma), etc.
- Big organizations.
- Small organizations.
- Public organizations.
- School districts.
- Examples of accountability dysfunction.
- Examples of good accountability.
- What to do about it.
- Get out ahead. Better now than never (or later).
- Will CEOs be personally liable someday?
[Evan] This is a deep subject with much to be said. Everything moves so fast, and sadly accountability is severely lagging behind.
[Evan] For listeners who are wondering about us doing a series titled “Politics and Information Security”, it’s still being considered. We just have to put it all together.
[Evan] OK, news. Let’s do some quick news stories.
[Evan] Three news stories to talk about briefly this week:
- Hospital patient dies following botched ransomware attack – https://grahamcluley.com/hospital-patient-dies-following-botched-ransomware-attack/
- Google Play Bans Stalkerware and ‘Misrepresentation’ – https://threatpost.com/google-play-bans-stalkerware/159328/
- U.S. House Passes IoT Cybersecurity Bill – https://www.securityweek.com/us-house-passes-iot-cybersecurity-bill