
The Security Shit Show

Author: The InfoSec Mission


Description

Information security is mostly a shit show, so we made the Security Shit Show.

This is the place where shit gets real. No filter. Straight talk about shit that ain’t right in the information security industry (or life in general).

Three industry experts share their daily experiences and pick a topic to discuss each week. The Security Shit Show is LIVE on Thursday nights and the fans are ENCOURAGED to participate. If it’s not fun, it’s definitely good therapy!

This is not a commercial podcast, meaning we won't be hocking product or taking sponsors. We suppose this could change sometime in the future, but probably not.
83 Episodes
"Why going to the cloud means more work for security not less, shared responsiblity is 100% your problem - Am I going to treat this like a green field, or the next dumpster to throw the data, systems, and stuff we can’t deal with in real life? - What are my expectations? (planning, timing, longevity, migration, business, etc.)- Will we use it as an enclave to simply separate developers from anything else, or vice-versa, OR will we take a stance and work with ALL the teams to build it out successfully?- DOES my cloud governance align with the rest of my business and technology policies and goals?- AM I willing to implement the recommendations that most cloud providers offer TO make things safer and more secure?- Can I manage the audit and compliance of a new world, and HOW will I integrate it?- Speaking of integration, WILL my business and technology actually function IN/WITH the cloud?- The cloud is MUCH more than someone else’s computers OR a spare data centre, but it still has to live somewhere, so WHERE does it live, and HOW do you get to it?- Where’s YOUR staff, how do they talk with the cloud, what controls, management, etc.- How much control will I have over my data in YOUR cloud?- Who’s got access TO my little slice of the cloud, hardware, system, bare metal, data, etc.- How do I (OR who’s going to) monitor YOUR cloud infrastructure, and MY systems for access, etc. - And if it’s on your side, do I get to see the logs - What’s the charges FOR monitoring - SLA’s etc?- Who’s managing the encryption for my data, if it’s YOU then where’s my key’s if it’s me what help etc.- I don’t want to catch cooties from YOUR other clients, how to you maintain separation/segmentation?- What options exist to backup my data, my configs, and what happens if YOUR systems go down?- What areas of the technology, services, systems, and environments fall into shared responsibilities? 
- Who has to deal with what when it goes wrong - Who get’s to point fingers, and who has to fix things (AND what timeframe, etc.)- ALL my data belongs to YOU… what happens about uptime, distribution, redundancy, AND company stability. - Technology roadmap in here too - What dependencies, partnerships, and vendors do THEY rely upon?- Let’s talk security, compliance, regulatory stance, etc. What do you have, AND how do you maintain it?- When we fall OUT of love, what happens, how do I migrate, what options are out there (and costs, etc.)"
Information security tells us that the job is all about protecting data: protecting the confidentiality, integrity, and availability of the data, ultimately to protect the human(s) the data is about. On average each human creates 146,880 MB of data per day, for a staggering total of 1.145 trillion MB a day, or 2.5 quintillion bytes. WHOA, that’s a lot of data. Where is all this data coming from and, more importantly, where is it going, who has it, and how is it being used? How do I know my data is safe? How do I know I can trust that it is accurate? How do I know where my data is, has been, and is going? How will my data be used to manipulate and/or harm me? DUDE, where is my data? And what are you doing with it?
"Lots of us say that information security is EVERYONE'S responsibility. While this is sort of true, we use this as a copout more than anything else. The truth is, everyone has information security responsibilities but information security is NOT everyone's responsibility. See what we did there?Everyone has information security responsibilities. So, let's start at the top and work our way down. The Board of Directors, the CEO, other C-Levels, etc. Hey, CISO, what is it that you'd say you do here? The quality of your answer might say everything we need to know. You either know or you don't. If you know, share the answer with us (simpler, shorter answers are usually an indication of mastery, just sayin'). If you don't know, that's OK, BUT ONLY IF you don't pretend you do and you seek out the answer.Now that we got that squared away, MAYBE we can figure out what everyone else's responsibilities are. If we don't get this right, how the hell are we going to hold anyone accountable. If we can't hold anyone accountable, how the hell are we going to get any better?"
Let's talk intelligence, machine learning, quantum and ALL the various future technologies, and the things we should be asking OURSELVES and OTHERS (our vendors, partners, suppliers, etc.) as we go forth into this brave new world...
Every day we inch closer to a new computing reality: the arrival of commercially stable quantum computing. We hear about this new disruptive technology that, when unleashed, will break the world’s strongest encryption in nanoseconds. That is a very scary proposition for any info-sec professional. There is work being done today to make quantum-resistant encryption, or so we hope. It is already difficult enough to secure and keep up with the systems that make up our modern world: systems that are overly complex and running trillions and trillions of lines of code using just 1’s and 0’s, systems we already fail to protect every day, in part due to their complexity. If you think current technology is complex and at times confusing, you haven’t seen anything yet; quantum introduces a whole new level of complexity and a new way of thinking about what is happening, and why. What does this mean for us in the information security industry? Will future system admins need PhDs in quantum physics and discrete mathematics? Will we all need to get our CQISSP? Can we secure quantum? How will our world change? What new things will we be able to do? How will quantum be abused and misused by criminals and nation states? So many questions, so few answers. Tune in for a fun discussion on the impact of quantum computing and what the grey hairs have to say about it. All this and more on the Security Shit Show with Evan Francen, Chris Roberts, and Ryan Cloutier, Thursdays at 10pm Central / 9pm Mountain.
Don't overthink this, human. Just take my word for it. Math is beautiful, math is your friend, and math is trustworthy. Math DOES NOT lie. Math can be used to figure out bank balances, areas of shapes, rates of acceleration, even the angle of the sun in Asunción, Paraguay at 11:42am (local time) on May 7th, 2022. The list of useful things math can do is endless. You, human, you're a different story. You are also beautiful, and you might be my friend, but you are not trustworthy. Humans have emotions. Humans have bias. Worst of all, humans LIE! What do we do when the math doesn't match up with the story you've told? You mention risk; math (whom I trust) tells me one thing, but you tell me something different. Why?
I'm fortunate; I am surrounded by good people who are NOT like me. They bring different experiences, lives, thoughts, deeds, and viewpoints to all of life's interactions. That pool of good people continues to ebb and flow, often going weeks, months, and years between conversations. Some are thankfully more regular, and like clockwork we sit, talk, share ideas and breathe a sigh of relief that all IS good in the world, at least at the very table we're occupying... The key is to raise the geek right? Don't shelter them. Don't surround them with kin, and DO put them in a world that will challenge them, force them to reconsider their views, open their eyes, and look beyond what is presented simply with first sight. Why this? Because sometimes we lose sight of what is important, what keeps us grounded, and that the world around us IS different, and that IS a good thing. It's something that we should NOT label, not poke at, ridicule, attempt to redirect with humor, or discount... OR something we should NOT let others do either. That village? It's family. My Family.
When I sit back and think about it, so much has changed in the last 24 months. Almost every part of our lives is in some way much different now than it was before, and in others it is very much the same old story, so how do we keep up with all this change while keeping our sanity intact? Even in the last couple of weeks the cybersecurity landscape has changed significantly. The world has gone from “not going to happen to me”, or “we are doing enough to be compliant”, to “I need all the security and I need it now”. The rules have changed, the risk has changed, the pace has changed. We have changed as a society and as an industry. Many of us have new opportunities, new roles, and new responsibilities, and for those of us who care there is too much to do, too much to take on to meet our goals, and God forbid we find time to take care of ourselves to prevent burnout, dropping too many of the wrong things, and disappointing ourselves and those we care about.
We’ve talked a little in the past about inner voices, and how some folks don’t have one (which I still find fascinating, and would offer up one of mine if you aren’t fortunate enough to have a traveling companion in your noggin); however, this conversation takes it a little further. I’d like to unpack both some historic “what the heck” moments, as well as look at some of the current issues we see with folks opening their mouths before engaging their brain…. OR Is it that people still have an entitled mentality and think they can get away with it and simply apologize IF caught/found out/called out? We see the same behavior in our industry across numerous areas, from individuals grooming others, to put-downs, elitism, and denial…. (not the river) all of them COULD be mitigated if folks just paused, looked around, evaluated the situation, and then thought about things before inserting one or both feet in their mouth. Let’s talk about why this happens, and why we still don’t seem to be able to tackle it.
HAPPY NEW YEAR! Join us as we wrap up and do a recap of 2021. What a year it has been; lots to unpack here. We will also be laying down our predictions for 2022. Will Evan ever put on pants? Will Chris migrate his soul to the cloud? Will Ryan shut the Fark up? So many things to predict! Who will be the biggest breach? Will we finally see something other than "password" as the #1 bad password? How many critical vulnerabilities will be from the 90's in 2022? All this and more on the Security Shit Show New Year Special.
Merry Christmas to all!! The Security Shit Show crew wants to take a moment to show our appreciation for all of you! This Christmas special is just a small token of our appreciation for you. Tune in for what is sure to be some holiday joy filled antics. No topic, no agenda just some good friends, good beverages, laughs and love. Come join us and be in your ugliest Christmas sweater, we may be bringing you on the show live to share your holiday joy with the listeners.
Humans are creatures of energy conservation; it is baked into our DNA as part of our natural survival instincts, and this natural tendency is what led us to invent tools to help us get more done with less effort. We are always looking for ways to make things easier on ourselves, usually with little to no regard for the long-term impact of such a convenience. This is true in every part of the human experience, but it's magnified 100 times in the world of information and cyber security. The reason that “Easy button” marketing works is because we all want an easier path to the win. The problem is, hard work is not easy; no magic button or set of technology can eliminate hard work. It can evolve it, move it, reduce it, but all we are doing is shuffling the hard work to some other place or person. For example, when we go to the grocery store it is easy to pick up our produce, meat, our prepackaged and prepared meals and put it in our cart. Very rarely do we stop to think of all the people involved, and the very hard work they put in to get that food on the shelf. Growing food is hard work; running the logistics to get that food from the farm to the store is hard work, even with the help of machines and computers. Information and cyber security are no different; it takes a ton of hard work to do it right. We preach that the enemy of good information security is complexity, so then simple is its ally. Easy, right? Simple is not easy. Simple is a ton of hard work: it is asking tough questions, digging for answers, it is building understanding, communication, documentation, trial, and error.
Now, knowing that humans prefer to limit the amount of hard work they do, to conserve energy in case they need to run away from a saber-tooth tiger, or some other primal drivers, how do we shift this paradigm? We do not ask enough of the right questions; we are in a hurry to find a solution that will make it easier on us to accomplish our goals. We need to do a better job of connecting on that primal level and showing that doing the hard work saves energy and resources in the long run. For me this begins with speaking simply to the business, avoiding technical terms as much as possible, showing that I am as invested in helping them to conserve energy as they are, working hard to understand the business driver and value behind the ask, helping them to identify existing solutions that meet their needs without needing to add another magic button to the environment that will most certainly not be magic or easy, and helping them to understand the impact later of convenience now. Most business leaders will not want to create a situation in the future where the business is unable to function because someone wanted one less step in their day. All this and more on the Security Shit Show, Thursday at 2100 Mountain / 2200 Central.
Let's try this again. Read the title of the episode. Are you singing the song in your head right now? You know, the hit song by Fleetwood Mac? Here, I'll help you out:

If I could turn the page / In time then I'd rearrange just a day or two / Close my, close my, close my eyes / But I couldn't find a way / So I'll settle for one day to believe in you / Tell me, tell me, tell me lies

Haha, now you got it! What the hell does this have to do with information security? Well, nothing really, if we're just talking about the song. The theme for this episode of the Security Shit Show is just "LIES", not the song Little Lies, but when I started writing this introduction, I squirreled. OK, let's get to it... Lies are everywhere in our industry. Hell, they're everywhere in general! We ARE the Security Shit Show, so we'll keep it to information security (I think). Lies are told and believed so often in the information security industry, we start to question what reality we're living in! In case you missed it, Chris wrote a LinkedIn post earlier this week: https://www.linkedin.com/posts/sidrag... At the end of his post, he posed a question (with a poll). Which LIE is the worst we tell everyone? Option 1: We CAN protect you! Option 2: Endpoint will solve it ALL! Option 3: Just install “x” technology. Option 4: “Other”, leave No. x below :) Interesting, eh? Got me thinking... Why do we lie so much in this industry? Is it OK to lie in certain circumstances? Is it OK to lie if everyone else is? Is one lie worse than another? Do people even realize they're lying? Do we just accept the lies? What about lies of omission; clearly they aren't as bad as lies of commission, right? Am I a liar? Are you? The truth is... (watch the show to find out)! We're going to tear this one up and you'll enjoy the fireworks! If not, drinks are on Chris.
The original show (outlined below) is DEFERRED to next week. One of the show hosts was unavailable for this one.

Are you singing the song in your head right now? You know, the hit song by Fleetwood Mac? Here, I'll help you out:

If I could turn the page / In time then I'd rearrange just a day or two / Close my, close my, close my eyes / But I couldn't find a way / So I'll settle for one day to believe in you / Tell me, tell me, tell me lies

Haha, now you got it! What the hell does this have to do with information security? Well, nothing really, if we're just talking about the song. The theme for this episode of the Security Shit Show is just "LIES", not the song Little Lies, but when I started writing this introduction, I squirreled. OK, let's get to it... Lies are everywhere in our industry. Hell, they're everywhere in general! We ARE the Security Shit Show, so we'll keep it to information security (I think). Lies are told and believed so often in the information security industry, we start to question what reality we're living in! In case you missed it, Chris wrote a LinkedIn post earlier this week: https://www.linkedin.com/posts/sidragon1_oh-the-lies-we-tell-having-just-landed-activity-6871732134323765248-VokQ At the end of his post, he posed a question (with a poll). Which LIE is the worst we tell everyone? Option 1: We CAN protect you! Option 2: Endpoint will solve it ALL! Option 3: Just install “x” technology. Option 4: “Other”, leave No. x below :) Interesting, eh? Got me thinking... Why do we lie so much in this industry? Is it OK to lie in certain circumstances? Is it OK to lie if everyone else is? Is one lie worse than another? Do people even realize they're lying? Do we just accept the lies? What about lies of omission; clearly they aren't as bad as lies of commission, right? Am I a liar? Are you? The truth is... (watch the show to find out)! We're going to tear this one up and you'll enjoy the fireworks! If not, drinks are on Chris.
Every time I encounter an ego in our industry, I immediately think they are channeling their inner Robert De Niro. Or when I run into a vendor who is in the protection racket (buy my tool or else), I remember: we are here to protect people, not to provide “protection”. Why do we feel the need to act like gangsters and thugs, bullying our way around, scaring the people we are supposed to be protecting? Our industry is rife with extortion tactics and borderline criminal business practices, all in the name of helping, but the only thing we seem to be helping is our pockets to get fatter. When your sales strategy is a quote from Vito Corleone, “I’m gonna make him an offer he can’t refuse,” something is wrong. You say you want to help, yet your help is behind a registration wall; your “help” comes with a constant barrage of unsolicited emails telling me how, if I just buy more of your shit, I can stop the cybercriminals. Forget the fact your own security is probably in shambles and your marketing email is how your customer is going to get infected. If you need to behave like a quote from a gangster, I suggest you quote Tony Montana: “All I have in this world is my balls and my word, and I don’t break them for no one.” Remember this sage wisdom from Mario Puzo: “The lawyer with the briefcase can steal more money than the man with the gun.” “Listen to me very carefully. There are three ways of doing things around here: the right way, the wrong way, and the way that I do it. You understand?” – Ace Rothstein. If we are going to keep acting like the criminals we are trying to stop, then we should have gangster names so at least there is some authenticity to our actions. Join Spotted Dick Roberts, Mind Fuck Francen and Pretty Face Cloutier for a lively discussion tonight on the Security Shit Show.
Remember those days? Remember the scene? Remember when that was semi-acceptable? Yea… long time ago, in a country pub a LONG ways away. You might still have the luxury OF doing that in your favorite restaurant, bar, pub, or location… Heck, when you go to a hotel or entertainment location you can put things on the tab; HOWEVER, in those cases they’ve already charged you for the room, and they DO have your credit card on file. Yet we think it’s ok to run up a tab with people in this industry? We think it’s ok to have folks do work for us, then invoice us, and THEN maybe pay in 30 days? We think it’s ok to get services for free while WE invoice our clients ahead of time? We think it’s ok to take advantage of people’s kindness and then, when it comes time to pay, we throw roadblocks, requests, and all sorts of ridiculous demands (can you send a canceled check, proof of a bank account, a letter from the financial institution, can you copy 4 people from accounting, and BTW one is on holiday for the next 2 weeks, etc.)? This is something that’s affecting me at a personal level, and I don’t think folks realize, understand, or simply want to acknowledge that we ALL have bills to pay, we ALL have folks depending upon us, and we ALL value our time, services, and work efforts to a point where you don’t get to take advantage of them for a month or two before paying at least something FOR those services. Not only that, when was the last time you called out a plumber, electrician, or other professional trade, and when presented with the invoice explained that you’ll pay in 30 days IF they provide you with 3 references, their first born and a blood sample? They’d rip out your new shiny HVAC unit and walk off in disgust; same with any contractor coming into your home. They have expenses, costs, systems to purchase and don’t need your numpty ass defaulting on things.

It’s risk management 101 and we ALL have to deal with it. SO, next time someone sends in an RFP, SOW, LOI, or document asking for some of the funds up front, realize it’s because they’re also human, they rely upon income, and YOU are a risk to them. Treat them like a human and don’t be an ass about paying up front for a portion of the work effort; after all, BOTH parties are risking something. Yes, you can get something for nothing, and yes, many of us want to (and often DO) help, often putting mission before money, but that doesn’t put food on the table… that invoice you have DOES… remember that please. And no, you can’t put it on your tab….
The show MUST go on. The show ALWAYS goes on. The show goes on regardless of your wishes and regardless of your participation. Do you remember signing up for the show? You did. Maybe you didn't know you signed up, maybe you don't remember signing up, or maybe you didn't know what you were signing up for, but you DID sign up. Welcome to the show! Now that you're in the show, get out there and show 'em what you got! The show is AMAZING and you'll do fine. Keep your head up, play your part, and keep your mouth shut. Play your role and you'll be fine. The show has its stars, but you're probably not one of them. The stars are only stars in the show. This is all for show. Some days we put on a great show, some days not so much. No matter, you still get paid (probably) and you'll be paid well (probably). What about those days you don't want to perform? What about those days when you want to quit the show? Go ahead and quit, but the show MUST go on. What about those times when the entire show goes to shit? When does the show end? The show does NOT end. The show MUST go on! Even when people know it's all for show, we keep on playing. Don't you get it yet? THE SHOW MUST GO ON! This is certain to be a great conversation between myself (Evan), Chris, and Ryan. Rachel will do her best to keep us in line. Join us LIVE @ 10pm and tell us how the show looks to you.
Words matter. Your choice of words can have a profound impact on the outcome. We love to speak OUR language, the language of tech and engineering. Our language is complex and full of unique terms; it is a beautiful language that no one outside of tech understands. We must ask ourselves why we would speak tech talk to non-technical people. This is like trying to speak Sanskrit to a person who doesn’t speak Sanskrit. We need subtitles or translators, because our language is not helping to get the message across to our users. We bitch and moan that they are not doing what we told them to do and that’s why we got breached, but we are failing to realize we told them in a language that to them sounds like Charlie Brown’s parents. Our language is full of $50 words, acronyms, negative and aggressive words, complex words that require a novel’s worth of information to put into context. If we hope to fix what is broken, to do more with less, to increase security, to reduce risk and make an ethical sale or two along the way, then we need to find a way to communicate that resonates with every person. Simple and understandable, easy to connect with and internalize, relatable and personal: these are the cornerstones of effective communication.
A true story with four realities (or versions of reality).

1. The public version.
2. The employee version.
3. The management version.
4. The Security Analyst’s version.

To the public, -ORGANIZATION- seems to be doing a great job. -ORGANIZATION- has a noble mission and appears to be serving the mission well. They don’t think about information security at -ORGANIZATION- because it doesn’t come up in conversation. All they care about is that -ORGANIZATION- is fulfilling their mission, and they seem to be treating the public OK.

To the employee, -ORGANIZATION- is doing OK. Sure, there are plenty of challenges, and politics sometimes gets in the way, but employees like what they do. As long as employees do their job well, they’ll be fine. Information security isn’t a concern because the employees don’t really know what it is. Just stay focused on the job, keep your head down, and you'll be OK.

To management, -ORGANIZATION- has a mission, but personal missions far outweigh the -ORGANIZATION- one! The personal mission is to keep this job and get some kudos along the way. In order to keep the job, they have to play the game. The game is politics, and sometimes politics are cutthroat. Management spends more time defending itself and attacking each other than they do on accomplishing anything. As long as the public and the employees see management as great (or good) leaders, they’ll be safe. Problem is, they suck at the job. Focus #1 is "MY JOB" (at all costs). They love the job because it comes with a lot of perks. Information security is a pain in the ass and management doesn't have time to learn about it. Who cares anyway?

To the Security Analyst, -ORGANIZATION- has a mission and information security is (and must be) part of the mission. There are so many risks to deal with and there's not enough support. The Security Analyst is a team of one and has no support from management. People keep clicking on links, people keep choosing crappy passwords, management wants new blinky lights, and the Security Analyst can’t cope anymore. The Security Analyst is not paid well (by industry standards), but they're here because they care. The Security Analyst doesn't want people to get hurt, and they believe in the mission, but they need help!

The true reality? Most of the three realities are bullshit. To some extent, the public has been deceived, employees are misled, management is shitty, and the Security Analyst needs some support. The Security Analyst works at -ORGANIZATION- for the right reasons. The Security Analyst loves people and wants to protect -ORGANIZATION-. The Security Analyst wants to protect -ORGANIZATION-'s employees, customers, and the public. The Security Analyst doesn't want to make a name for themselves, but desperately wants to do the right thing. The Security Analyst has tried again and again to get their message through to the alternate realities, but the results are very disappointing. The Security Analyst feels it's their moral responsibility to do something. To this end, the Security Analyst sends a VERY respectable email to the -TOP MANAGER-'s executive assistant. The email is respectful, informative, fact-driven, and was NOT threatening in any way. The sole purpose of the email is to get help and to help (the public, employees, and management).

The next day... The Security Analyst is called into a meeting, and here's what the Security Analyst is told:

- "The Board and most people don't give a shit about Security and it's not our job to educate them."
- "Our job is only to deal with internal concerns and stay in our lane."
- You "didn't follow the chain of command and need to be mindful of the bigger picture and their concerns, and realize that (your) focus isn't theirs."

This story is REAL. It just happened last week. Let's talk about this and the alternate realities we live in.
What the hell do we do about this?Join myself, Ryan, Chris, and Rachel LIVE and give your thoughts...
Repeat After Me:

I am NOT a neanderthal (even if I look like one).
I do NOT walk around with a permanent hard on (IF you do, then you’re taking too many blue pills).
I do NOT need to treat every interaction with a female in InfoSec/IT/Cyber/Tech as an opportunity to peacock, and prove my manliness by dry humping the server rack.
I will NOT step away from chivalry; HOWEVER, I will not use it as a shield to hide bad behavior OR ulterior motives.
IF I don’t tell Chris that he looks pretty, then there is NO place to do the same to anyone else. (And if you DO tell me I’m pretty you STILL don’t get a hallway pass to do the same to others…)
IF I cannot walk shoulder TO shoulder with my female counterparts, then I do NOT deserve a place in this industry (…and I’m on shaky ground elsewhere in society!).
A meeting is NOT a date.
A LACK of wedding ring is NOT an invitation to drool and act the fool.
A wedding ring is NOT a challenge.
I will NOT mansplain, and IF I’m going to argue, then I AM going to go and look at the awesome flowchart from Kim Goodwin.

Done? Need to repeat it? Tattoo it on a body part?

SO: If ANY of this is jogging a memory, then y’all might want to go find that second voice and listen to it BEFORE engaging in a conversation with the opposite sex. If YOU are offended by this, then go look in a mirror and ask WHY. If YOU laughed at this, then I hope it’s a laugh of clarity, and not of ignorance. If YOU know anyone that NEEDS to read this, forward it TO them, blame me; it’s simpler and I’ve been blamed for worse. IF you are a narcissist you’ve likely recognized yourself and simply don’t care… for you I have tasers. (Although you’d probably enjoy that too…) If your regional, religious, back-arsed belief system has put “you” as superior, then please go boil your head, and GTFO of our industry; you have NO place here, none of us want you. Enough said for now; a HUGE thanks to both Christy F. and Sky Kennedy for the inspiration!

Feel free to print, forward, blame, but FFS get the word out that this shit has got to stop. ’all for now, Chris.

Join us tonight on the Security Shit Show, 2200 Central / 2100 Mountain. #respect #infosec #cyber #inspiration #society #technology #culture #change #womenincyber