The Southern Fried Security Podcast
Join Andy Willingham, Martin Fisher,Steve Ragan, Yvette Johnson, and Joseph Sokoly as they discuss information security, news, and interview interesting people. Get in the discussion at

SFS Podcast - Episode 196


Wannacry: Woulda, Coulda, Shoulda 

First and foremost: Why was medical hit so hard by WannaCry? See Episode 189 - Medical Device Security and Risky Business 455 -

  1. The Lead-Up
    1. Threat Intelligence is A Thing
    2. Threat Intelligence is Hard
    3. Threat Intelligence Feeds are [REDACTED] for many/most
    1. Do
      1. Stay Calm
        1. You have finite human resources
        2. You have finite time
      2. Prioritize Your Responses
        1. Episode 192 - Security Waste
      3. Know what all your tools can do and be ready to use them
        1. Your Business Continuity Program can inform that
        2. You do have a BCP, right?
      4. Know what area to focus on first
      5. Be willing to cut off an arm to save the body
      6. When you can remember that Herd Immunity is a Thing.
      1. Scare the Children
      2. Waffle in decision making
        1. This is not the time to point out for the millionth time that your patching program is suboptimal
        2. This is not the time to point out that if you’d only gotten that BlinkyBox last capital season this wouldn’t be an issue
      3. Focus on what you can’t do
      4. Overpromise
    2. Don’t…
  2. When the Crisis Arrives
    1. Be sure you’re in Aftermath and not still in Crisis
    2. Do a Hot Wash and a full After Action Review/Post-Mortem
    3. Document your lessons learned and distribute them widely
    4. Follow Up, Follow Up, FOLLOW UP!!
  3. The Aftermath
Direct download: SFS_Podcast_Ep_-_196.mp3
Category:podcasts -- posted at: 8:54pm EDT

Episode 195 - Annual Policy Review - Making It Worthwhile


  1. Define policy vs. standards vs. procedures
    1. What is a Policy? It is a guiding principle to set the direction of an organization. High level, governing, statements. Do not include technical details.
      1. Example: Policy statement = Users must authenticate with a unique ID and password
      2. Standard: User passwords must be: # of characters, include one uppercase letter, one special character, be at least 10 characters in length. This type of information would go into an Access Control Standard.
    2. What is a Standard? Standards support the policy, make it more meaningful and effective.
    3. What is a Procedure? A procedure is a step by step, how to guide to which is consistent with the end result being the same. These are the steps for configuring your firewalls, setting up a new user, building a server, etc.
    1. Every policy guide everywhere says you need to review your policies regularly which almost always means annually.
    2. Failure to do the annual review can get you in hot water with your regulator and/or auditor.
    3. It just Makes Sense.
  2. Why review your policies?
    1. It’s the one time a year you can nudge the organization where it needs to go
      1. Past Problems
      2. Current Issues
      3. Future Challenges
    2. Killing off/modifying policies that get in the way of people doing work will Make Friends And Influence People
    3. There is no better way to ensure your team is working on what needs to be worked on than aligning with stated policy.
  3. Making Sense of Policy Review
    1. Alert The Approvers
    2. Line Them Up
    3. Divide and Conquer
    4. Bring The Business Into The Process
      1. Internal Audit
      2. Legal
      3. Risk
      4. Corporate Security
      5. IT
      6. Marketing / Public Relations
    5. As Needed Bring In
    6. Change Crosswalks FTW
    7. Communicate, Communicate, Communicate.
  4. The Review Process
    1. Have a process to deal with questions.  Route questions to the authoritative source for an answer - don’t answer stuff you can’t/shouldn’t
  5. Questions?
  6. Resources?


More Notes


  • Make sure what is being added is enforceable. This is a legal document and can be used in court. Statements support what is being done today, not what you would like to do or wish the program would do in the future.
  • Go back to those “parking lot” statements that were not added or removed from a draft because you couldn’t enforce them at the time. Can they be added? Don’t lose sight of them if they are important to your security program  
  • Does the corporate culture / C levels support statements in the policy? As a security practitioner you may firmly believe that your security program must abide by certain policy statements but the corporate culture or your CEO/CFO even CISO may not support it. They may become “parking lot” items for a future version or you may be able to successfully display that the program can support that statement without affecting the culture.
  • Legal is an important reviewer. It feels nitpicky during the review but Legal knows when “should” and “must” are appropriate.
  • Don’t reinvent the wheel. ISO 27001 is a good framework for your policy. Use it. Don’t try to come up with statements because you think you have to appear to be an Info Sec Policy God. KISS!
  • Don’t write standards and procedures in your policy! We’ve reviewed countless policies that had what we’d consider a standard or “step by step instructions for making firewall changes. That’s a procedure! Keep it out of your policy.
Direct download: SFS_Podcast_Ep_-_195.mp3
Category:podcasts -- posted at: 8:21pm EDT