June 20, 2025 • 42 mins
Helpful episodes to listen to first
Seven Critical Router Security Settings
Questions we answer in this episodeWhat are the 5 questions in the Bulletproof Stack Formula?
How do they help us?
Episode summaryThere are 5 questions we can ask to help us build a Security Stack. These questions help to ensure that our Security Stack is relevant.
This means there is a legitimate threat that I care about, and I'm willing and able to take the steps necessary to defend myself.
The 5 questions can be remembered with 5 words: assets, threats, risks, options, tradeoffs.
Assets: What am I protecting?
Threats: What are the threats?
Risks: What are the risks?
Options: What are my options for defense?
Tradeoffs: What tradeoffs am I willing to make?
Call to actionHelp me build a system that is going to work for you. How do you feel about the 5 words I chose to represent each question: assets, threats, risks, options, tradeoffs. Are there any you would replace? Let me know on the forum.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Super Simple Security Principles. I'm Nick Jackson and I want to love computers.
(00:07):
They don't love me back. I'm learning how to stay safe online from my good buddy and master
guardian, Makani Mason. He wrote his first computer program at the age of six, sealing his fate as a
(00:28):
computer geek. That's it. He knows his stuff, folks. Now he spends his time teaching people like
me and you how to stay ahead of the digital threats we face and those bad guys. He keeps it simple
and we love it. Learn along with me each week. I'll ask the questions and make sure he keeps it
(00:55):
super relevant and super simple for us. If I can do it, you can do it too.
This is episode 68, Security Stacks. Five questions.
All right, here are the questions we'll be answering in today's episode.
But as you know, before we get to our questions, I'm going to weigh in a little bit. So today's
(01:18):
episodes, we're going to go over the five questions we need to ask ourselves as we continue to dive
into our series of series about how to build your security stacks. You're right. Do you like
that one, Makani? I know it's, yeah. Well, I introduced initially that, you know, because it
sounds funny to me, but I realized it might sound slightly confusing with the series of series.
(01:44):
Right. The series of series. No, more than anything, this series is about the foundation,
about building blocks and about where we start to build our security. And we talked about the
security stacks and the relevance. You know, today we're going to talk about the five questions
that we really need to be asking ourselves, moving, continuing on from the four piece that we learned
(02:08):
in last episode. So we're going to be talking about here's our questions. You ready?
What are the five questions in the Bulletproof Stack Formula? How do they help us? We're going
to keep it to those two simple questions today. I love it. Again, Makani, what was the three?
(02:32):
Remember the 3D? Yeah. Although I conceded your thing. I think we're just going to stick with
Bulletproof Stack Formula for now, at least. Okay, good. I saw that. I noticed the Bulletproof
Stack. Yeah. So, but yeah, there are three, right? Still, you know, I figure if nothing else,
(02:54):
it's certainly an easy way to remember it anyway. Yep. Three, four, five, six, there's,
and actually, so am I ready? Am I good to kind of start? Dude, let's roll, man.
Because, so what I'm going to start out with, this is a perfect introduction because,
as you know, I always have Kem review these. Yeah. And his primary feedback on this time was,
(03:17):
okay, he's liking the words, he's liking the concept, building a good architecture here.
But, and it was all making sense to him as he's reading it, but then like he got to the end,
he's like, okay. He couldn't quite remember what were the four, what were the five,
you know, four phases from last week, that kind of stuff. And so, you know, and he just kind of
(03:38):
gave me that as feedback that he wasn't remembering the whole big picture, right? Right. So what I
wanted to share with our listeners is just this, like the idea isn't necessarily that, you know,
you're remembering all of this. What we're doing is just kind of introducing the concepts gently
here, one episode at a time for each of the four, five, and six. But then we're going to be doing
(04:01):
episodes where you're going to be, we'll be revisiting these over and over with specifics
as we build different security stacks. So we'll be coming back to these. We'll also be building,
you know, PDFs that you can download, things you can look at online. Like we will be creating
visuals. This is all just kind of, you know, you're just kind of pioneers with us. We're
(04:23):
blazing the trail of building this system. So don't stress like remembering or perfecting any
of this right now. We're going to be building so much support around this. We're just introducing
it verbally on the podcast. You know, you're the first ones to get to it. So, you know, there's not
all that support stuff built right now. But for now, just, you know, just listen and hopefully
(04:47):
it's making sense. If there's questions or whatever, come to the forum and bring those up
so we can refine it or whatever. But don't stress trying to remember everything basically.
Yeah. Dude, that's awesome. Because do you know what? Just this week, I was having a conversation
with a faithful listener. Give her a shout out, Melissa. Thank you. And she was kind of asking me
(05:13):
exactly what Kem had kind of talked to you about. You know, she was like, okay. Because I was telling
her, I was like, wait, wait till you hear some of these. And so she asked, she's like, okay,
so if I'm capturing it correctly, the 3D is really only the fact that we're really trying to
(05:34):
enhance the picture. We're building this three dimensional type or this three pronged approach
is how she said it. And then she went on to say, and then we've got the four Ps, right?
And I was like, yeah. And we're going to ask ourselves five questions about what we need to
be aware of when we're building these building blocks and these pillars and these principles.
(05:59):
And I said, yeah. I said, yeah. And then I teased her again this morning. I sent her a text. I
usually do this, but I get some little bits of our episode. I'll send her a teaser. Guess what's
coming out. And so she was ready for six. I won't tease our audience yet with six,
because that's for later on in this episode. I'll get to that later. But
(06:23):
if that's what our listeners taking, how well are they doing?
Yeah, no, that sounds awesome. I do want to add one point of clarification though.
Yes, please.
So, because I noticed you kind of were taught this too. We have the four P formula and then
we have the four layers we talked about, or not four layers, four phases, excuse me.
(06:47):
Four phases, excuse me. Phases.
Yeah. No, and that's okay because there's four and the four P formula, we haven't really talked a ton
and exactly how it fits into the overall picture too much. We did talk about that a little bit.
And that may have been kind of a misstep on my part too, of we got the four phases and the four
(07:07):
P in the same episode, in the same context. It's just naturally going to blend together a bit in
your brain. So we may have to refine how we thought about that. Obviously, one thing that will help a
lot is once we have actually have visuals, you can see, here's how the four P formula.
So for now, what I would say is let's try to just completely forget about the four P formula.
(07:30):
It will come back in, it'll be relevant.
Stay with the four phases then, because that was easier for me, was the four phases.
And so knowing that I don't have to remember the four phases fit into the four P formula,
we're forgetting the four P formula. That's just the four phases we talked about.
Exactly.
So look, it gets super simple then. We're talking about 3D visualization,
(07:55):
the four phases, five questions you're going to ask, and I'll tell you what number six is later
on in the episode in case you forgot. We did talk about it earlier in case, but yeah.
Dude, I love it. So we're caught up to speed then, because that's about where I'm at.
Yeah. So for today, I want to start off with a little story,
(08:24):
because we want to understand basically the why of the five questions. What's kind of our overall,
what's the theme of these five questions? What are we trying to do?
Yeah.
And you know this story, this is from my life. This happened just in the last few months with me.
So I had an ear infection, right? And it seemed like it got better for a while. I went to a doctor
(08:52):
a number of different times. I thought it was going to be fixed. It wasn't fixed. I mean,
this was like months literally where I was having this problem. And in the end, finally,
when it actually got solved, the problem was that I had a fungus infection, not a viral infection.
(09:15):
Right? And so the meds-
Two different things, right?
Totally different things, right? And so anyway, the point of that story and kind of the purpose
of the why is we want to make sure that our security stack is relevant.
(09:37):
Right.
The tools that we're putting into it, the threats are relevant to us. It's a threat I care about.
And the layers that we're picking that you're willing and able to take the steps necessary
to defend yourself against those threats. It's all about relevancy. And so hopefully,
the right medicine, so to speak, unlike I had for months, for the things,
(10:04):
for the threats we're defending. Does that make sense?
Yes, absolutely. Because just like kind of your metaphor, if you will, we're all very,
very individualistic, right? And it was like you kind of said last episode in the four phases,
yes, there are going to be some very common similarities between what's built, right?
(10:27):
But the customization and the prioritization is going to be completely different on individuals
and their habits and things like that. And so, yeah, having a doctor treat an individual
for their individual needs makes sense. Now, having vitamins and certain health routines
(10:48):
is applicable to everybody, right? Or whatever general health purposes are. But yeah.
Yeah. Well, and a part of it too, there's the customization at the person level,
but then there's also, and I've seen this, I won't distract us with this, but sometimes I look in
(11:09):
the world and I look at, we'll just throw this one bit out, airport security or other kinds of
online security, where obviously I know a lot more. But sometimes I look at the solutions that
are proposed and the measures that are imposed to try to prevent different kinds of problems.
And I just, they seem so misaligned. Is that solution, is that measure, is that really
(11:35):
going to prevent the problem that you're trying to solve? It's like, I don't know about that.
I'm not sure that you thought about something that sounds good on paper,
or if we take it online security, we just, okay, well, Norton, you don't really know much
about the problems. And so you're just going to install this security suite because let's install
(12:00):
some security software to solve my problems. But how well does that solution match the problems
that you're trying to solve? How does it solve them? What problems are there? You know what I mean?
Yeah. Anytime you're trying to solve a problem,
if you think about this online security, protecting yourself as in the kind of a problem solution
(12:23):
mindset, you've got to understand the problem you're trying to solve
so you can actually find a solution that actually solves that problem.
Nice. So yeah, I like it. I like it. I had a few deviants that I really held in,
you know, wanted to bite my tongue, especially about the security stuff. I'm like,
(12:46):
how comes I got to take, right? Oh, that's a terrible way to say that. Sorry. That was
mispronounced. Why or how come I need to take off my shoes sometimes, but when they get
way behind or log back, it's like, ah, just keep your shoes on. We'll get this going quick.
You know, I guess this is some big acting commercial, like everybody walking around
(13:12):
either barefoot or in socks, like passing along like foot fungus all over the place. Like it's
one big conspiracy to get everybody spread their feet, you know? Yeah. Yeah. I hear you. Yep.
Anyways. So moving on, can I now ask the question I've been dying to ask?
(13:34):
Sure. What are those five questions? Right. Okay. So the five questions, first of all,
I have a single word to represent each of the five questions, make them a little bit easier to
remember, you know, encapsulate them into one word. So the five are assets, threats, risks,
options, and trade-offs. And of course, like with everything in, do you get the five?
(14:02):
Yeah, I got the five. What does it spell? Oh, it doesn't spell anything. That would be nice.
Oh, I was trying to figure out what words you were using. I was like, oh no, no. I mean,
I know that's a cool mnemonic and like that I would love, love. And so maybe we work drop them
even so we get one, I don't know, but no, we'll work on it. Yeah, exactly. Right. These are
(14:23):
not set in stone, something we will definitely be talking about and making sure we have the
best choices and ideally, right. Having ways to help remember them or whatever. But for now,
this is where we are. I like it. Okay. This is where we are. Anybody knows of a word that I'm
not aware of that can help us out? Yeah, exactly. Well, and it, yeah. So number one is assets.
(14:50):
The simple question version of that is what am I protecting? Yeah. And this could be almost
anything, but common answers are, you know, your passwords, money, devices, even, you know,
people that we love ourselves, of course, included. Right. It's pretty simple question
answer. This is the simplest, but it's kind of, it's an important starting point. We get,
(15:14):
because all the other questions kind of build off of it. Well, you understand what's at stake.
You understand what assets you're protecting. You want to protect it, right? Yeah. Well,
and it ties into the overall theme of relevance too, because sometimes the things, you know,
(15:35):
if you're protecting, I mean, there's a lot of overlap, of course, but, you know, protecting
your money versus protecting a password, you know, that's not, it's not going to be the exact
same set of things you're going to want to do. There's going to be some things that you'd use
in both cases, but there's going to be different things, if that makes sense. Yeah. So as we did
(15:57):
before, we want to kind of stick through this episode. We'll be using our home network as
our example to help, you know, look at these questions a little bit. Yeah. And I don't know,
so for the home network, what are the things that you are wanting to protect on your home network,
Nick? Do you know what, for me, I'm looking at the series as a whole, if you will, because we did a
(16:25):
home network security. Is this what you're referring to today? Yeah. The 10 episodes.
Okay. Yes. Yes. There are 10 episodes. So for me, what I really got to the point of what I wanted
to protect is a, I wanted to teach my kids good password management, password skills,
and I wanted to protect them from certain things that I was able to filter out from coming in
(16:50):
to make sure that they were protected. Right. I did see the importance of setting up a guest
network for us because I wanted to put certain devices on that guest network specifically,
as we identified some devices. I called them sleeping devices, those sleeping devices,
(17:11):
like I got lights that are connected to the internet that realistically,
they could probably be easily hacked if wanted, you know? And so for me, what it boiled down to
is the assets I was protecting was my son's online identity. That's what I identified,
(17:36):
you know, specifically, he's older, my sons and daughters, online identity.
I wanted to make sure that they understood password management and skills. And I wanted to
make sure we blocked some of those incoming calls, wanted to make sure that we really honed in on
what was coming in and going out. And those were the areas that we really wanted to protect
(18:05):
ourselves, right, for us. It was the starters. Again, for me, I don't have your wealth of
knowledge, you know? So for me, I have to keep it pretty simple. And so for me, that's where we
started. Yeah, no, that's great. Well, and you know, one thing that happened naturally in your
(18:28):
explanation is that, and this happens with these questions, especially in the first like three,
the assets, threats, and risks, you know, when you answer them, they tend to bleed together,
which is fine, because so, you know, you talked about keeping your kids safe from,
(18:48):
you know, kind of one of the way I say the ugliness that, you know, so easy to stumble
into on the internet, right? So that's, that's running, you know, that is implying the threat,
and even the risk to some degree there. Right. And so these first three are kind of a set together,
just to help make sure we break it down, though, and get all the details, but
it's talking about the problem. And gotcha. So, you know, you covered it. And one of the other
(19:16):
ones I would, one of the ways I would say that thinking about, you know, my network is I want
to prevent any of my devices from becoming infected with malware. Yeah, yeah. See, you,
you eloquently said what I couldn't say about the light. Thank you. Yeah, well, no worries. That's,
yeah. So anyway, so that leads us to number two, which is threats. And again, the question here
(19:42):
is simple, just what are the threats? And what I'm talking about here, you know, common answers
would be phishing, malware, hacking, scamming, harassment, spying. Okay. And with this one,
there are some good follow-up questions, like sub questions, whatever. And, and I break that down.
(20:05):
What are the sources, the objectives, and the strategies of each threat? Okay. So again,
if we look back to our home network, just to give this a little meat, so it's not so abstract as,
so let's, we'll talk with the sources. Where does the threats come from? Where does the, yeah,
where do the threats come from? Or where does the threat come from? Whatever, you got to have that
(20:28):
matching. Now, oftentimes knowing that like the super specific source doesn't matter,
but sometimes it helps. So in the case of the home network attacks, for example, we talked about,
there's at least two like sources or groups we discussed. The first is those hackers on the
(20:48):
internet, right? Right. We don't know exactly who the hackers are, but there's lots of them out
there that are trying to get in through our router, right? They make attacks on our router
because that's what's visible to them on the internet and then get in through our router
to our other devices. Or if we have other devices, anyway, that's, so it doesn't matter exactly who
(21:10):
they are, but we know there's just hackers on the internet. There's lots and lots of them. That's
main thing to know about that source is there's just, there's so many. Right. Right.
Got something you're thinking? Go ahead.
(21:32):
I've been listening to some security experts recently, some cyber security experts. You know
who I've been listening to and now is he a white hat hacker in some locations? I can't remember
(21:54):
exactly. I had no idea how many hackers were out there. Right there. I was maybe a little naive
thinking that there were a handful of good hackers in the world. Right. And once I heard him talk,
I was like, oh my gosh, there's a plethora of hackers out there. A ton of. So understanding
(22:25):
that again, going back to the threats, right? Like understanding, look, this isn't just a
handful of hackers out there. This is groups of hackers or groups of hackers. There's individual
hackers. There are a ton of threats out there. So yeah, I love this. Keep going. That's where
(22:48):
we're going to stay. It's big business. So yeah. Yeah. So the second group is, you know, and these
are just examples from there, but like the devices of guests that you invite onto your home network.
Right. That's another specific source that we identified as a threat.
Right. Right. So then objectives, what do they want?
(23:13):
And of course, for our home network, the first objective is just to get into our network
any way they can. Right. Once they're in there. We've learned in past episodes, sometimes they
just sit there quietly. That's exactly right. And that's part of what we want to talk about is like
the strategy, right? Like what they want to do in there. They want to stay hidden.
(23:36):
Right. They want to explore, spread if they can, find good hiding spots, so to speak,
caches of treasure. Right. And that's, but that hiding, I'm glad you picked up on that because
that is one of the most common, but I feel like under-recognized strategy because of its nature.
Right. Because when they use that strategy, as opposed to ransomware, obviously ransomware,
(24:00):
as soon as they do that, you know, they're demanding a ransom. Right. When they just
stay hidden, I mean, they can be doing that for a long time, you know? Right. Right. I mean,
there's, yeah, I mean, there's some, you know, in our, that we've seen in our infrastructure,
like in the telecommunication systems, you know, that we talked about in one of those episodes
(24:24):
where they're still in there. I mean, they're not exactly as hidden now because we know
somewhat about it, but even despite that, we haven't been able to boot them, you know,
apparently. And so anyway, there's, and who knows what other systems they're hiding in,
waiting to, you know, attack at the right moment. And anyway, in the case of home networks,
(24:48):
they'll bring it back here. One of the ways that they can get value along the way with hiding too
is just using the device resources. Like we talked about in episode 60 and the DDoS attacks,
where they use our processing power, our internet bandwidth. So anyway, that's part of the strategy
(25:09):
aspect. Like what are the, how do they attack us? You know, they hide and these other things. So
yeah. Anyway, I should give enough meat anyway for number two threats. Okay. So the last part
of kind of the problem, half of the questions is risks. So the word is risks and the question,
(25:30):
again, just what are the risks? And so, well, actually, let me start off with this question
for you. Yeah. How intuitive to you, like the distinction between risk and threat in this
context, Nick? Completely different, right? Okay. I don't know. I wasn't sure because that,
(25:56):
anyway, yeah. Share your thoughts. Let me show you. So I used to, I was never good,
like never good, but I rode motorcycles and I even raced specifically in a sport called motocross.
Again, I was never good, so I never made it big. I wasn't pro or anything like that. I just did it
(26:20):
more for fun. And in racing, you had to understand, A, there were some risks, right? And the risks
were like, obviously, look, there were some times that I was hitting big jumps and if I had some
engine failures or things like that in the air, it would make landing difficult. You know, it would
(26:45):
make some significant challenges. So there were some inherent risks that I was taking that I had
to be aware of. And this was whether I was riding alone or whether I was racing. There were certain
risks I was going to take. Now, when we raced, there were threats. Now, threats were different.
(27:09):
What if I was taking a corner perfect, just like I'd normally taken it and some other racer decided
to take my line and cut me off? Well, now I have a threat. I've just been pushed into a corner. I
have no place to go. I'm slammed into something that wasn't always a risk, but because the threat
came, you know, yeah. So that's how I looked at it. There are certain risks that we take,
(27:38):
that we choose to take, and then there are threats to where they're made towards us, you know, like
somebody threatens you. Yeah, that's interesting. Yeah, so, well, that's good exploration. So,
so the way I'm using it here, well, I'll tell you is this. So the risks that I'm talking about here
(28:01):
are not ones that we're voluntary, like you were kind of using it as, you know, ones that you are
more voluntarily participating in, right? And that's the distinction you're making. And that
makes sense, valid to me. What I was trying to differentiate here is, so the threats are,
you know, these people trying to hack you on the internet, you know, the malware trying to spread.
(28:23):
And so another possible word actually I consider is impact, because what I'm talking about with
this next question is examining what are the bad things that might happen to you as a result of
those threats, of the attacks that you might get attacked with, right? So for example, your device
might get infected with malware, someone might steal your password, someone might steal your
(28:46):
money, you might get, you know, a ransom demand, like what are the bad things that come from the
attacks and the threats? Does that make sense? That makes total sense. That's the kind of flow
that I was trying to make with the assets, threats, risks. Okay, so I'll love you. I'm
(29:12):
going to go ahead. I'll tell you why I didn't pick it. Okay, you could tell me why you didn't
pick it. I'll tell you why it resonated with me. Because when there is that threat,
and there is that impact, like absolutely, there was an escalation of risk if there was an
(29:36):
impact in racing. But absolutely, in this case, it made sense to me. Like,
okay, well here's the threat. Now what's next? What happens if that comes to fruition, man? What if that
bites? What's the impact going to be? And to me, that's completely different than the threat.
(30:00):
Oh, crap. Ransomware. Do I have to pay millions to get my stuff back?
So anyways, that's kind of what... Tell me your thoughts.
And actually, my first was impact. And the only reason I didn't, and I'm still very much on the
(30:24):
fence because I really like, I do, I really love the word impact. It's slightly weird to say in
plural impacts, but whatever, is the probability aspect. So because risk to me kind of combines
the two parts of what the impact is, is the first half, but what is the likelihood of that impact
(30:47):
happening? That's the other aspect. I mean, we could break it out in its own question. We could
still just say, what's the likelihood of the impact? We don't necessarily need to. I mean,
I'm just kind of, I get kind of crazy with words. So impact still might be a better,
because we can still say, what is the impact and how likely is the impact? That would be totally
(31:10):
fine. Because if a threat is extremely unlikely to affect me, then naturally I'm a lot less likely
to prioritize defending against it, right? In general. Right. Right. Right. But that makes
sense. I only chuckled because it all clicked. When you kind of said that, I was like, okay,
(31:35):
I can see. Okay. Right. But right. It's kind of a math equation. At least that's how I think about
it being a math. It's almost like multiplication because even if that likelihood is super tiny,
the greater the impact, then I'm back to, okay, well, maybe I will prioritize it. Because even
though it's super unlikely, it's super bad if it does happen, then maybe I'm going to
(31:59):
prioritize it. It's a balance between those two factors of how bad is it and how likely is it.
Does that make sense? And so that was why I kind of combined it into risk, but I don't know. I
think after talking through it, I think I'm more on the thing. We could still talk about
those two aspects easily even under the word impact. Right. So anyway. Okay. So we have that
(32:29):
group. Yep. Exactly. Assets, threats, and we'll call it impacts now for now. So yeah. So then the
last two kind of go into the solution part of it. Okay. We got options and trade-offs. So the
first question is options. What are my options for defense? Yeah. Okay. Okay. Or as we usually
(32:58):
talk about these options as layers, right? What are our layers of protection that available? Yeah.
Now this is one where of course, as a normal person and non-techie, whatever, non-guardian,
you may not know what all the options are available to you. Right. Right. And so this is
(33:22):
where, well, there's a couple of things. Obviously this is where one of my jobs comes in to help you
know what the good options are. Right. Right. Right. But as always, I want to give you as much
ability as possible to explore this on your own. Right. Okay. And so where that ties in is
(33:43):
the four phases and the six layers that we're going to talk about next episode are the tools
that I'm providing to help you explore that. Because then what you can do is you can at least
step through each of the four phases, you can walk through each of the six layers,
and you can kind of answer this question. Do I have a layer of protection in this area
(34:09):
or do I not? You can at least answer a yes or no about that one. Like, do I know of anything
that, if I don't, then I can say, well, okay, so I don't have anything, you know, for, so for
example, on the home network, how do I detect if a threat has gotten through past my prevention layer?
Right. Yeah. You know, you can just say that like, okay, so for my home network security stack,
(34:34):
do I have anything in the detect phase? Yes or no. Right. Like that at least gives you
something to work with. Right. You may not know what possible options are. It's not a multiple
choice, unfortunately, but you can at least know if it's missing or not. Does that make sense?
Makes total sense. Makes total sense. Yeah. I get what you're saying for sure. Okay. So,
(35:00):
you know, the, so the answer to this question means basically going through all those things
and kind of compiling everything together as our master list of protector layers that are available
for a given, you know, security stack. So for home networks, we, we had, you know, the inbound and
outbound firewall. We have the settings to your router and, you know, understanding phone calls,
(35:27):
you know, phone calls, how they work. Yep. And those sorts of things. Those are all parts of,
these are all the options that we have available. Yeah. Yeah. Okay. So then that leads into our
final question, trade-offs. Yeah. What trade-offs am I willing to make? You know, meaning what am
(35:52):
I willing to give up to, you know, for each specific layer of protection? What, you know,
which layers of protection are worth it to me? What isn't? Yeah. Yeah. Does that make sense?
Do your options. You just lined out. Now you got to pick which ones you're willing to do.
Yeah. Yeah, absolutely. Absolutely. Okay. Yeah. So, okay. I would say with your, your,
(36:20):
your eyes and your body language, I'm thinking that this works work for you because this is
another one I debated a lot of like costs, resources, investments, even I thought about,
but for me, trade-off, you know, like you might trade your money, but it also might be time
or convenience or even a feature, right? Like with home networks, one of the ones we discussed
(36:45):
was not enabling a certain feature where like remote administration, right? Like that's a
trade-off. It's kind of a bummer. It'd be nice for everybody to have remote administration in a way,
but it's also a big security risk. So, you know, each person has to decide what trade-off they're
willing to make. Absolutely. Absolutely. Absolutely. So yeah, dude, I love these words. These words,
(37:15):
I think you nailed, you know, option and trade, you know, trade-off because here's how I see it.
I looked at the financial world. That's where my mind went, you know, because
there are absolutely what you call stock options, you know, and on a different options there,
(37:36):
like we don't even want to go into how many different options there are, you know,
puts calls, et cetera. Like, yeah. Anyways, but there's always, always a trade-off.
Always. There's always handcuffs, right? There's always something that comes with that, right?
Maybe you might not make as much because you chose to be protected on the downside. So, okay,
(38:01):
while everybody else made more money than you, you might not have had the loss, but you didn't
get to participate in the full gains. And so absolutely, like these words make total sense
to me. Like, and you're absolutely right. Like, I get it. Not having that remote admin. I mean,
(38:21):
you've helped me multiple times using that remote admin feature, you know? Yeah. So love it, man.
Love it. Okay. Cool. It went long. That was a long one. Yeah. So we got to do our call to action
stuff. I know. That's why I was saying we still got some things to check off.
(38:46):
Yeah. Well, we had a lot of introduction at the start, so. Right. That's true.
And especially understanding this, because these are five questions, but
you outlined five questions, but also you had to teach what all these five questions entailed
and why's and because's and how's, et cetera. So it was a good episode. I really liked it. So
(39:11):
given everything we just took in, all these five questions and how we're going to utilize them,
what's going to be our call to action? Yeah. So we've got two more episodes where I'm doing
our call to actions is call for helps, and then we'll kind of get back to our normal
call to action where it's going to be something to improve, you know, your security. But for now,
(39:32):
we're asking for feedback on anything we talk about, but I always like to give a specific one
as well. And for today, really, it's those five words. I'm just curious to see how they strike
you, how they resonate with you. Obviously, we talked about, you know, maybe swapping out risks
for impacts, even though I have a hard time saying it in the plural. But, you know, we've got,
(39:58):
you know, assets, threats, risks, slash impacts, options, trade-offs, and they're all plural. So,
you know, impact singular can be any way, whatever. Are there any words that you'd want to,
you know, replace? Or do you like them? I mean, I'd be happy to hear either way,
you know, if they're making sense. Come to the forum and share your thoughts.
(40:19):
Right, right. And luckily, our listeners got to hear how simple it was. Like, they heard me
weigh in. So, this is a really easy call to action. Like, you got to hear me weigh in on
what words I liked, what words resonate with you, you know? And, you know, you got to hear the
description, like Makani said, these first few episodes as we're formulating our plan. You know,
(40:43):
we like to get your input on these ones. So, yeah. Good call to action. Great episode.
Do I get to tease them now? Do I get to tell them what's coming up?
Absolutely. Yeah. Okay. So, next week, we'll be discussing the third and final part of the
Bulletproof Stack Formula, which is going to be the six layers. So, this is going to be awesome
(41:07):
because we're finishing up this first section on, again, I'm going to throw it out there because
I love it. This series of series, you know, but we're wrapping up the first series
in this series of series. So, yeah. Tune in to hear how we're going to layer up, okay?
(41:34):
Are you ready to take action and wondering where to start? Get my Bulletproof My Identity
Starter Kit for free. The seven most vital layers of protection everyone needs. I'll send
you one step at a time and help you if you get stuck. Just go to bulletproofmyid.com and enter
(41:55):
your name and email and I will send you the first step. Again, that's bulletproofmyid.com.
Welcome to Super Simple Security Principles. I'm Nick Jackson and I want to love computers.
(00:07):
They don't love me back. I'm learning how to stay safe online from my good buddy and master
guardian, Makani Mason. He wrote his first computer program at the age of six, sealing his fate as a
(00:28):
computer geek. That's it. He knows his stuff, folks. Now he spends his time teaching people like
me and you how to stay ahead of the digital threats we face and those bad guys. He keeps it simple
and we love it. Learn along with me each week. I'll ask the questions and make sure he keeps it
(00:55):
super relevant and super simple for us. If I can do it, you can do it too.
This is episode 68, Security Stacks. Five questions.
All right, here are the questions we'll be answering in today's episode.
But as you know, before we get to our questions, I'm going to weigh in a little bit. So today's
(01:18):
episodes, we're going to go over the five questions we need to ask ourselves as we continue to dive
into our series of series about how to build your security stacks. You're right. Do you like
that one, Makani? I know it's, yeah. Well, I introduced initially that, you know, because it
sounds funny to me, but I realized it might sound slightly confusing with the series of series.
(01:44):
Right. The series of series. No, more than anything, this series is about the foundation,
about building blocks and about where we start to build our security. And we talked about the
security stacks and the relevance. You know, today we're going to talk about the five questions
that we really need to be asking ourselves, moving, continuing on from the four piece that we learned
(02:08):
in last episode. So we're going to be talking about here's our questions. You ready?
What are the five questions in the Bulletproof Stack Formula? How do they help us? We're going
to keep it to those two simple questions today. I love it. Again, Makani, what was the three?
(02:32):
Remember the 3D? Yeah. Although I conceded your thing. I think we're just going to stick with
Bulletproof Stack Formula for now, at least. Okay, good. I saw that. I noticed the Bulletproof
Stack. Yeah. So, but yeah, there are three, right? Still, you know, I figure if nothing else,
(02:54):
it's certainly an easy way to remember it anyway. Yep. Three, four, five, six, there's,
and actually, so am I ready? Am I good to kind of start? Dude, let's roll, man.
Because, so what I'm going to start out with, this is a perfect introduction because,
as you know, I always have Kem review these. Yeah. And his primary feedback on this time was,
(03:17):
okay, he's liking the words, he's liking the concept, building a good architecture here.
But, and it was all making sense to him as he's reading it, but then like he got to the end,
he's like, okay. He couldn't quite remember what were the four, what were the five,
you know, four phases from last week, that kind of stuff. And so, you know, and he just kind of
(03:38):
gave me that as feedback that he wasn't remembering the whole big picture, right? Right. So what I
wanted to share with our listeners is just this, like the idea isn't necessarily that, you know,
you're remembering all of this. What we're doing is just kind of introducing the concepts gently
here, one episode at a time for each of the four, five, and six. But then we're going to be doing
(04:01):
episodes where you're going to be, we'll be revisiting these over and over with specifics
as we build different security stacks. So we'll be coming back to these. We'll also be building,
you know, PDFs that you can download, things you can look at online. Like we will be creating
visuals. This is all just kind of, you know, you're just kind of pioneers with us. We're
(04:23):
blazing the trail of building this system. So don't stress like remembering or perfecting any
of this right now. We're going to be building so much support around this. We're just introducing
it verbally on the podcast. You know, you're the first ones to get to it. So, you know, there's not
all that support stuff built right now. But for now, just, you know, just listen and hopefully
(04:47):
it's making sense. If there's questions or whatever, come to the forum and bring those up
so we can refine it or whatever. But don't stress trying to remember everything basically.
Yeah. Dude, that's awesome. Because do you know what? Just this week, I was having a conversation
with a faithful listener. Give her a shout out, Melissa. Thank you. And she was kind of asking me
(05:13):
exactly what Kem had kind of talked to you about. You know, she was like, okay. Because I was telling
her, I was like, wait, wait till you hear some of these. And so she asked, she's like, okay,
so if I'm capturing it correctly, the 3D is really only the fact that we're really trying to
(05:34):
enhance the picture. We're building this three dimensional type or this three pronged approach
is how she said it. And then she went on to say, and then we've got the four Ps, right?
And I was like, yeah. And we're going to ask ourselves five questions about what we need to
be aware of when we're building these building blocks and these pillars and these principles.
(05:59):
And I said, yeah. I said, yeah. And then I teased her again this morning. I sent her a text. I
usually do this, but I get some little bits of our episode. I'll send her a teaser. Guess what's
coming out. And so she was ready for six. I won't tease our audience yet with six,
because that's for later on in this episode. I'll get to that later. But
(06:23):
if that's what our listeners taking, how well are they doing?
Yeah, no, that sounds awesome. I do want to add one point of clarification though.
Yes, please.
So, because I noticed you kind of were taught this too. We have the four P formula and then
we have the four layers we talked about, or not four layers, four phases, excuse me.
(06:47):
Four phases, excuse me. Phases.
Yeah. No, and that's okay because there's four and the four P formula, we haven't really talked a ton
and exactly how it fits into the overall picture too much. We did talk about that a little bit.
And that may have been kind of a misstep on my part too, of we got the four phases and the four
(07:07):
P in the same episode, in the same context. It's just naturally going to blend together a bit in
your brain. So we may have to refine how we thought about that. Obviously, one thing that will help a
lot is once we have actually have visuals, you can see, here's how the four P formula.
So for now, what I would say is let's try to just completely forget about the four P formula.
(07:30):
It will come back in, it'll be relevant.
Stay with the four phases then, because that was easier for me, was the four phases.
And so knowing that I don't have to remember the four phases fit into the four P formula,
we're forgetting the four P formula. That's just the four phases we talked about.
Exactly.
So look, it gets super simple then. We're talking about 3D visualization,
(07:55):
the four phases, five questions you're going to ask, and I'll tell you what number six is later
on in the episode in case you forgot. We did talk about it earlier in case, but yeah.
Dude, I love it. So we're caught up to speed then, because that's about where I'm at.
Yeah. So for today, I want to start off with a little story,
(08:24):
because we want to understand basically the why of the five questions. What's kind of our overall,
what's the theme of these five questions? What are we trying to do?
Yeah.
And you know this story, this is from my life. This happened just in the last few months with me.
So I had an ear infection, right? And it seemed like it got better for a while. I went to a doctor
(08:52):
a number of different times. I thought it was going to be fixed. It wasn't fixed. I mean,
this was like months literally where I was having this problem. And in the end, finally,
when it actually got solved, the problem was that I had a fungus infection, not a viral infection.
(09:15):
Right? And so the meds-
Two different things, right?
Totally different things, right? And so anyway, the point of that story and kind of the purpose
of the why is we want to make sure that our security stack is relevant.
(09:37):
Right.
The tools that we're putting into it, the threats are relevant to us. It's a threat I care about.
And the layers that we're picking that you're willing and able to take the steps necessary
to defend yourself against those threats. It's all about relevancy. And so hopefully,
the right medicine, so to speak, unlike I had for months, for the things,
(10:04):
for the threats we're defending. Does that make sense?
Yes, absolutely. Because just like kind of your metaphor, if you will, we're all very,
very individualistic, right? And it was like you kind of said last episode in the four phases,
yes, there are going to be some very common similarities between what's built, right?
(10:27):
But the customization and the prioritization is going to be completely different on individuals
and their habits and things like that. And so, yeah, having a doctor treat an individual
for their individual needs makes sense. Now, having vitamins and certain health routines
(10:48):
is applicable to everybody, right? Or whatever general health purposes are. But yeah.
Yeah. Well, and a part of it too, there's the customization at the person level,
but then there's also, and I've seen this, I won't distract us with this, but sometimes I look in
(11:09):
the world and I look at, we'll just throw this one bit out, airport security or other kinds of
online security, where obviously I know a lot more. But sometimes I look at the solutions that
are proposed and the measures that are imposed to try to prevent different kinds of problems.
And I just, they seem so misaligned. Is that solution, is that measure, is that really
(11:35):
going to prevent the problem that you're trying to solve? It's like, I don't know about that.
I'm not sure that you thought about something that sounds good on paper,
or if we take it online security, we just, okay, well, Norton, you don't really know much
about the problems. And so you're just going to install this security suite because let's install
(12:00):
some security software to solve my problems. But how well does that solution match the problems
that you're trying to solve? How does it solve them? What problems are there? You know what I mean?
Yeah. Anytime you're trying to solve a problem,
if you think about this online security, protecting yourself as in the kind of a problem solution
(12:23):
mindset, you've got to understand the problem you're trying to solve
so you can actually find a solution that actually solves that problem.
Nice. So yeah, I like it. I like it. I had a few deviants that I really held in,
you know, wanted to bite my tongue, especially about the security stuff. I'm like,
(12:46):
how comes I got to take, right? Oh, that's a terrible way to say that. Sorry. That was
mispronounced. Why or how come I need to take off my shoes sometimes, but when they get
way behind or log back, it's like, ah, just keep your shoes on. We'll get this going quick.
You know, I guess this is some big acting commercial, like everybody walking around
(13:12):
either barefoot or in socks, like passing along like foot fungus all over the place. Like it's
one big conspiracy to get everybody spread their feet, you know? Yeah. Yeah. I hear you. Yep.
Anyways. So moving on, can I now ask the question I've been dying to ask?
(13:34):
Sure. What are those five questions? Right. Okay. So the five questions, first of all,
I have a single word to represent each of the five questions, make them a little bit easier to
remember, you know, encapsulate them into one word. So the five are assets, threats, risks,
options, and trade-offs. And of course, like with everything in, do you get the five?
(14:02):
Yeah, I got the five. What does it spell? Oh, it doesn't spell anything. That would be nice.
Oh, I was trying to figure out what words you were using. I was like, oh no, no. I mean,
I know that's a cool mnemonic and like that I would love, love. And so maybe we work drop them
even so we get one, I don't know, but no, we'll work on it. Yeah, exactly. Right. These are
(14:23):
not set in stone, something we will definitely be talking about and making sure we have the
best choices and ideally, right. Having ways to help remember them or whatever. But for now,
this is where we are. I like it. Okay. This is where we are. Anybody knows of a word that I'm
not aware of that can help us out? Yeah, exactly. Well, and it, yeah. So number one is assets.
(14:50):
The simple question version of that is what am I protecting? Yeah. And this could be almost
anything, but common answers are, you know, your passwords, money, devices, even, you know,
people that we love ourselves, of course, included. Right. It's pretty simple question
answer. This is the simplest, but it's kind of, it's an important starting point. We get,
(15:14):
because all the other questions kind of build off of it. Well, you understand what's at stake.
You understand what assets you're protecting. You want to protect it, right? Yeah. Well,
and it ties into the overall theme of relevance too, because sometimes the things, you know,
(15:35):
if you're protecting, I mean, there's a lot of overlap, of course, but, you know, protecting
your money versus protecting a password, you know, that's not, it's not going to be the exact
same set of things you're going to want to do. There's going to be some things that you'd use
in both cases, but there's going to be different things, if that makes sense. Yeah. So as we did
(15:57):
before, we want to kind of stick through this episode. We'll be using our home network as
our example to help, you know, look at these questions a little bit. Yeah. And I don't know,
so for the home network, what are the things that you are wanting to protect on your home network,
Nick? Do you know what, for me, I'm looking at the series as a whole, if you will, because we did a
(16:25):
home network security. Is this what you're referring to today? Yeah. The 10 episodes.
Okay. Yes. Yes. There are 10 episodes. So for me, what I really got to the point of what I wanted
to protect is a, I wanted to teach my kids good password management, password skills,
and I wanted to protect them from certain things that I was able to filter out from coming in
(16:50):
to make sure that they were protected. Right. I did see the importance of setting up a guest
network for us because I wanted to put certain devices on that guest network specifically,
as we identified some devices. I called them sleeping devices, those sleeping devices,
(17:11):
like I got lights that are connected to the internet that realistically,
they could probably be easily hacked if wanted, you know? And so for me, what it boiled down to
is the assets I was protecting was my son's online identity. That's what I identified,
(17:36):
you know, specifically, he's older, my sons and daughters, online identity.
I wanted to make sure that they understood password management and skills. And I wanted to
make sure we blocked some of those incoming calls, wanted to make sure that we really honed in on
what was coming in and going out. And those were the areas that we really wanted to protect
(18:05):
ourselves, right, for us. It was the starters. Again, for me, I don't have your wealth of
knowledge, you know? So for me, I have to keep it pretty simple. And so for me, that's where we
started. Yeah, no, that's great. Well, and you know, one thing that happened naturally in your
(18:28):
explanation is that, and this happens with these questions, especially in the first like three,
the assets, threats, and risks, you know, when you answer them, they tend to bleed together,
which is fine, because so, you know, you talked about keeping your kids safe from,
(18:48):
you know, kind of one of the way I say the ugliness that, you know, so easy to stumble
into on the internet, right? So that's, that's running, you know, that is implying the threat,
and even the risk to some degree there. Right. And so these first three are kind of a set together,
just to help make sure we break it down, though, and get all the details, but
it's talking about the problem. And gotcha. So, you know, you covered it. And one of the other
(19:16):
ones I would, one of the ways I would say that thinking about, you know, my network is I want
to prevent any of my devices from becoming infected with malware. Yeah, yeah. See, you,
you eloquently said what I couldn't say about the light. Thank you. Yeah, well, no worries. That's,
yeah. So anyway, so that leads us to number two, which is threats. And again, the question here
(19:42):
is simple, just what are the threats? And what I'm talking about here, you know, common answers
would be phishing, malware, hacking, scamming, harassment, spying. Okay. And with this one,
there are some good follow-up questions, like sub questions, whatever. And, and I break that down.
(20:05):
What are the sources, the objectives, and the strategies of each threat? Okay. So again,
if we look back to our home network, just to give this a little meat, so it's not so abstract as,
so let's, we'll talk with the sources. Where does the threats come from? Where does the, yeah,
where do the threats come from? Or where does the threat come from? Whatever, you got to have that
(20:28):
matching. Now, oftentimes knowing that like the super specific source doesn't matter,
but sometimes it helps. So in the case of the home network attacks, for example, we talked about,
there's at least two like sources or groups we discussed. The first is those hackers on the
(20:48):
internet, right? Right. We don't know exactly who the hackers are, but there's lots of them out
there that are trying to get in through our router, right? They make attacks on our router
because that's what's visible to them on the internet and then get in through our router
to our other devices. Or if we have other devices, anyway, that's, so it doesn't matter exactly who
(21:10):
they are, but we know there's just hackers on the internet. There's lots and lots of them. That's
main thing to know about that source is there's just, there's so many. Right. Right.
Got something you're thinking? Go ahead.
(21:32):
I've been listening to some security experts recently, some cyber security experts. You know
who I've been listening to and now is he a white hat hacker in some locations? I can't remember
(21:54):
exactly. I had no idea how many hackers were out there. Right there. I was maybe a little naive
thinking that there were a handful of good hackers in the world. Right. And once I heard him talk,
I was like, oh my gosh, there's a plethora of hackers out there. A ton of. So understanding
(22:25):
that again, going back to the threats, right? Like understanding, look, this isn't just a
handful of hackers out there. This is groups of hackers or groups of hackers. There's individual
hackers. There are a ton of threats out there. So yeah, I love this. Keep going. That's where
(22:48):
we're going to stay. It's big business. So yeah. Yeah. So the second group is, you know, and these
are just examples from there, but like the devices of guests that you invite onto your home network.
Right. That's another specific source that we identified as a threat.
Right. Right. So then objectives, what do they want?
(23:13):
And of course, for our home network, the first objective is just to get into our network
any way they can. Right. Once they're in there. We've learned in past episodes, sometimes they
just sit there quietly. That's exactly right. And that's part of what we want to talk about is like
the strategy, right? Like what they want to do in there. They want to stay hidden.
(23:36):
Right. They want to explore, spread if they can, find good hiding spots, so to speak,
caches of treasure. Right. And that's, but that hiding, I'm glad you picked up on that because
that is one of the most common, but I feel like under-recognized strategy because of its nature.
Right. Because when they use that strategy, as opposed to ransomware, obviously ransomware,
(24:00):
as soon as they do that, you know, they're demanding a ransom. Right. When they just
stay hidden, I mean, they can be doing that for a long time, you know? Right. Right. I mean,
there's, yeah, I mean, there's some, you know, in our, that we've seen in our infrastructure,
like in the telecommunication systems, you know, that we talked about in one of those episodes
(24:24):
where they're still in there. I mean, they're not exactly as hidden now because we know
somewhat about it, but even despite that, we haven't been able to boot them, you know,
apparently. And so anyway, there's, and who knows what other systems they're hiding in,
waiting to, you know, attack at the right moment. And anyway, in the case of home networks,
(24:48):
they'll bring it back here. One of the ways that they can get value along the way with hiding too
is just using the device resources. Like we talked about in episode 60 and the DDoS attacks,
where they use our processing power, our internet bandwidth. So anyway, that's part of the strategy
(25:09):
aspect. Like what are the, how do they attack us? You know, they hide and these other things. So
yeah. Anyway, I should give enough meat anyway for number two threats. Okay. So the last part
of kind of the problem, half of the questions is risks. So the word is risks and the question,
(25:30):
again, just what are the risks? And so, well, actually, let me start off with this question
for you. Yeah. How intuitive to you, like the distinction between risk and threat in this
context, Nick? Completely different, right? Okay. I don't know. I wasn't sure because that,
(25:56):
anyway, yeah. Share your thoughts. Let me show you. So I used to, I was never good,
like never good, but I rode motorcycles and I even raced specifically in a sport called motocross.
Again, I was never good, so I never made it big. I wasn't pro or anything like that. I just did it
(26:20):
more for fun. And in racing, you had to understand, A, there were some risks, right? And the risks
were like, obviously, look, there were some times that I was hitting big jumps and if I had some
engine failures or things like that in the air, it would make landing difficult. You know, it would
(26:45):
make some significant challenges. So there were some inherent risks that I was taking that I had
to be aware of. And this was whether I was riding alone or whether I was racing. There were certain
risks I was going to take. Now, when we raced, there were threats. Now, threats were different.
(27:09):
What if I was taking a corner perfect, just like I'd normally taken it and some other racer decided
to take my line and cut me off? Well, now I have a threat. I've just been pushed into a corner. I
have no place to go. I'm slammed into something that wasn't always a risk, but because the threat
came, you know, yeah. So that's how I looked at it. There are certain risks that we take,
(27:38):
that we choose to take, and then there are threats to where they're made towards us, you know, like
somebody threatens you. Yeah, that's interesting. Yeah, so, well, that's good exploration. So,
so the way I'm using it here, well, I'll tell you is this. So the risks that I'm talking about here
(28:01):
are not ones that we're voluntary, like you were kind of using it as, you know, ones that you are
more voluntarily participating in, right? And that's the distinction you're making. And that
makes sense, valid to me. What I was trying to differentiate here is, so the threats are,
you know, these people trying to hack you on the internet, you know, the malware trying to spread.
(28:23):
And so another possible word actually I consider is impact, because what I'm talking about with
this next question is examining what are the bad things that might happen to you as a result of
those threats, of the attacks that you might get attacked with, right? So for example, your device
might get infected with malware, someone might steal your password, someone might steal your
(28:46):
money, you might get, you know, a ransom demand, like what are the bad things that come from the
attacks and the threats? Does that make sense? That makes total sense. That's the kind of flow
that I was trying to make with the assets, threats, risks. Okay, so I'll love you. I'm
(29:12):
going to go ahead. I'll tell you why I didn't pick it. Okay, you could tell me why you didn't
pick it. I'll tell you why it resonated with me. Because when there is that threat,
and there is that impact, like absolutely, there was an escalation of risk if there was an
(29:36):
impact in racing. But absolutely, in this case, it made sense to me. Like,
okay, well here's the threat. Now what's next? What happens if that comes to fruition, man? What if that
bites? What's the impact going to be? And to me, that's completely different than the threat.
(30:00):
Oh, crap. Ransomware. Do I have to pay millions to get my stuff back?
So anyways, that's kind of what... Tell me your thoughts.
And actually, my first was impact. And the only reason I didn't, and I'm still very much on the
(30:24):
fence because I really like, I do, I really love the word impact. It's slightly weird to say in
plural impacts, but whatever, is the probability aspect. So because risk to me kind of combines
the two parts of what the impact is, is the first half, but what is the likelihood of that impact
(30:47):
happening? That's the other aspect. I mean, we could break it out in its own question. We could
still just say, what's the likelihood of the impact? We don't necessarily need to. I mean,
I'm just kind of, I get kind of crazy with words. So impact still might be a better,
because we can still say, what is the impact and how likely is the impact? That would be totally
(31:10):
fine. Because if a threat is extremely unlikely to affect me, then naturally I'm a lot less likely
to prioritize defending against it, right? In general. Right. Right. Right. But that makes
sense. I only chuckled because it all clicked. When you kind of said that, I was like, okay,
(31:35):
I can see. Okay. Right. But right. It's kind of a math equation. At least that's how I think about
it being a math. It's almost like multiplication because even if that likelihood is super tiny,
the greater the impact, then I'm back to, okay, well, maybe I will prioritize it. Because even
though it's super unlikely, it's super bad if it does happen, then maybe I'm going to
(31:59):
prioritize it. It's a balance between those two factors of how bad is it and how likely is it.
Does that make sense? And so that was why I kind of combined it into risk, but I don't know. I
think after talking through it, I think I'm more on the thing. We could still talk about
those two aspects easily even under the word impact. Right. So anyway. Okay. So we have that
(32:29):
group. Yep. Exactly. Assets, threats, and we'll call it impacts now for now. So yeah. So then the
last two kind of go into the solution part of it. Okay. We got options and trade-offs. So the
first question is options. What are my options for defense? Yeah. Okay. Okay. Or as we usually
(32:58):
talk about these options as layers, right? What are our layers of protection that available? Yeah.
Now this is one where of course, as a normal person and non-techie, whatever, non-guardian,
you may not know what all the options are available to you. Right. Right. And so this is
(33:22):
where, well, there's a couple of things. Obviously this is where one of my jobs comes in to help you
know what the good options are. Right. Right. Right. But as always, I want to give you as much
ability as possible to explore this on your own. Right. Okay. And so where that ties in is
(33:43):
the four phases and the six layers that we're going to talk about next episode are the tools
that I'm providing to help you explore that. Because then what you can do is you can at least
step through each of the four phases, you can walk through each of the six layers,
and you can kind of answer this question. Do I have a layer of protection in this area
(34:09):
or do I not? You can at least answer a yes or no about that one. Like, do I know of anything
that, if I don't, then I can say, well, okay, so I don't have anything, you know, for, so for
example, on the home network, how do I detect if a threat has gotten through past my prevention layer?
Right. Yeah. You know, you can just say that like, okay, so for my home network security stack,
(34:34):
do I have anything in the detect phase? Yes or no. Right. Like that at least gives you
something to work with. Right. You may not know what possible options are. It's not a multiple
choice, unfortunately, but you can at least know if it's missing or not. Does that make sense?
Makes total sense. Makes total sense. Yeah. I get what you're saying for sure. Okay. So,
(35:00):
you know, the, so the answer to this question means basically going through all those things
and kind of compiling everything together as our master list of protector layers that are available
for a given, you know, security stack. So for home networks, we, we had, you know, the inbound and
outbound firewall. We have the settings to your router and, you know, understanding phone calls,
(35:27):
you know, phone calls, how they work. Yep. And those sorts of things. Those are all parts of,
these are all the options that we have available. Yeah. Yeah. Okay. So then that leads into our
final question, trade-offs. Yeah. What trade-offs am I willing to make? You know, meaning what am
(35:52):
I willing to give up to, you know, for each specific layer of protection? What, you know,
which layers of protection are worth it to me? What isn't? Yeah. Yeah. Does that make sense?
Do your options. You just lined out. Now you got to pick which ones you're willing to do.
Yeah. Yeah, absolutely. Absolutely. Okay. Yeah. So, okay. I would say with your, your,
(36:20):
your eyes and your body language, I'm thinking that this works work for you because this is
another one I debated a lot of like costs, resources, investments, even I thought about,
but for me, trade-off, you know, like you might trade your money, but it also might be time
or convenience or even a feature, right? Like with home networks, one of the ones we discussed
(36:45):
was not enabling a certain feature where like remote administration, right? Like that's a
trade-off. It's kind of a bummer. It'd be nice for everybody to have remote administration in a way,
but it's also a big security risk. So, you know, each person has to decide what trade-off they're
willing to make. Absolutely. Absolutely. Absolutely. So yeah, dude, I love these words. These words,
(37:15):
I think you nailed, you know, option and trade, you know, trade-off because here's how I see it.
I looked at the financial world. That's where my mind went, you know, because
there are absolutely what you call stock options, you know, and on a different options there,
(37:36):
like we don't even want to go into how many different options there are, you know,
puts calls, et cetera. Like, yeah. Anyways, but there's always, always a trade-off.
Always. There's always handcuffs, right? There's always something that comes with that, right?
Maybe you might not make as much because you chose to be protected on the downside. So, okay,
(38:01):
while everybody else made more money than you, you might not have had the loss, but you didn't
get to participate in the full gains. And so absolutely, like these words make total sense
to me. Like, and you're absolutely right. Like, I get it. Not having that remote admin. I mean,
(38:21):
you've helped me multiple times using that remote admin feature, you know? Yeah. So love it, man.
Love it. Okay. Cool. It went long. That was a long one. Yeah. So we got to do our call to action
stuff. I know. That's why I was saying we still got some things to check off.
(38:46):
Yeah. Well, we had a lot of introduction at the start, so. Right. That's true.
And especially understanding this, because these are five questions, but
you outlined five questions, but also you had to teach what all these five questions entailed
and why's and because's and how's, et cetera. So it was a good episode. I really liked it. So
(39:11):
given everything we just took in, all these five questions and how we're going to utilize them,
what's going to be our call to action? Yeah. So we've got two more episodes where I'm doing
our call to actions is call for helps, and then we'll kind of get back to our normal
call to action where it's going to be something to improve, you know, your security. But for now,
(39:32):
we're asking for feedback on anything we talk about, but I always like to give a specific one
as well. And for today, really, it's those five words. I'm just curious to see how they strike
you, how they resonate with you. Obviously, we talked about, you know, maybe swapping out risks
for impacts, even though I have a hard time saying it in the plural. But, you know, we've got,
(39:58):
you know, assets, threats, risks, slash impacts, options, trade-offs, and they're all plural. So,
you know, impact singular can be any way, whatever. Are there any words that you'd want to,
you know, replace? Or do you like them? I mean, I'd be happy to hear either way,
you know, if they're making sense. Come to the forum and share your thoughts.
(40:19):
Right, right. And luckily, our listeners got to hear how simple it was. Like, they heard me
weigh in. So, this is a really easy call to action. Like, you got to hear me weigh in on
what words I liked, what words resonate with you, you know? And, you know, you got to hear the
description, like Makani said, these first few episodes as we're formulating our plan. You know,
(40:43):
we like to get your input on these ones. So, yeah. Good call to action. Great episode.
Do I get to tease them now? Do I get to tell them what's coming up?
Absolutely. Yeah. Okay. So, next week, we'll be discussing the third and final part of the
Bulletproof Stack Formula, which is going to be the six layers. So, this is going to be awesome
(41:07):
because we're finishing up this first section on, again, I'm going to throw it out there because
I love it. This series of series, you know, but we're wrapping up the first series
in this series of series. So, yeah. Tune in to hear how we're going to layer up, okay?
(41:34):
Are you ready to take action and wondering where to start? Get my Bulletproof My Identity
Starter Kit for free. The seven most vital layers of protection everyone needs. I'll send
you one step at a time and help you if you get stuck. Just go to bulletproofmyid.com and enter
(41:55):
your name and email and I will send you the first step. Again, that's bulletproofmyid.com.
Popular Podcasts
United States of Kennedy
United States of Kennedy is a podcast about our cultural fascination with the Kennedy dynasty. Every week, hosts Lyra Smith and George Civeris go into one aspect of the Kennedy story.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com