Episode #40 - Protect Your People From Themselves

This week, the guys discuss technical controls that protect your employees and protect your company from its own employees. From honest mistakes to gross negligence and malicious activity, proper protections minimize employee-related cyber risk. The guys also share tips for configuring and issuing devices to your team members, which is especially critical for those working from home.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws

Unpatched Microsoft Exchange Servers Hit With ProxyShell Attack

Microsoft Breaks Silence on Barrage of ProxyShell Attacks

38 Million Records Exposed From Microsoft Power Apps of Dozens of Organizations

Google Publishes Zero-Day Vulnerability in Windows Firewall and AppContainer Affecting Every Version. Patch Not Available

Over a Third of Smart Device Owners Do Not Take Security Measures

FBI Sends Its First-Ever Alert About a ‘Ransomware Affiliate’

CISA Shares Guidance on How to Prevent Ransomware Data Breaches

Apple, Microsoft and Amazon Chiefs to Meet Biden Over Critical Infrastructure Cyber Attacks

U.S. State Department Was Recently Hit by a Cyber Attack

T-Mobile's Current Data Breach Tally: 54 Million Victims

A Phishing Attack Exposes Medical Information for 12,000 Patients at Revere Health

Trend Micro Detected Over 13 Million Malware Events Targeting Linux-based Cloud Environments

Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems

Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs

F5 Releases Critical Security Patches for BIG-IP and BIG-IQ Devices

VMware Issues Patches to Fix New Flaws Affecting Multiple Products

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cyber security programs. We're ranting, we're raving, and we're telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to protect you from cyber criminals. And now here's your hosts, Mike Rotondo, Zach Fuller and Lauro Chavez.

Hello and welcome to the Cyber Rants podcast. This is your co-host Zach Fuller, joined by Mike Rotondo and Lauro Chavez. Good podcast today, as always. Good looking group of listeners today too. I think we have the best looking listeners probably of any podcast, don't you guys agree?

Oh yeah, sure. I love looking at the live audience. Love it.

I think they're the most intelligent too.

Absolutely, absolutely. Yeah, if you don't know how we know that you're looking sharp today, it's a new technology we'll maybe talk about next episode. But for today we're talking about technical controls and putting protections around users, which is super important. But before we do that, Mike, do you want to play anchorman for us?

The arsonist had oddly shaped feet. And here we go. There's a lot of headlines this week. There's a lot going on other than what else you're seeing in the news about Afghanistan and other things, so I'm just going to hit some highlights, but there's a lot that are going to be posted at our site. So, combining this into three: Microsoft Exchange under attack with ProxyShell flaws; unpatched Microsoft Exchange servers hit with ProxyShell attack; and Microsoft breaks silence on barrage of ProxyShell attacks. Long story short, patch your Exchange servers if you haven't, which is basically Microsoft's guidance on the subject. Security researchers at Huntress Labs also reported seeing ProxyShell vulnerabilities being actively exploited throughout the month of August to install backdoor access. Once the ProxyShell exploit code was published on August 6th, the hunters reported a surge in attacks after finding 140 web shells launched against 1,900 unpatched Exchange servers. So this thing's back, and if you haven't patched your Exchange server, please do.

Other news from Microsoft: 38 million records exposed from Microsoft Power Apps of dozens of organizations. I love the irony of this one; one of those is Microsoft Global Payroll. 38 million records from 47 different entities, including the State of Indiana, State of Maryland, New York City, American Airlines and, of course, Microsoft Global Payroll.

Google publishes zero-day vulnerability in Windows Firewall and AppContainer affecting every version, with no patch available. So that's always good news. Google's cyber security unit published research detailing its analysis of the firewall and AppContainer and Microsoft runtime environment. It points to the detection of a severe vulnerability in AppContainer that Microsoft has not chosen to address. There's a good article; I don't get too deeply into it, but it's all exploitable and can lead to privilege escalation.

From the consumer side: over a third of smart device owners do not take security measures. So that's your smart TV, your Alexa at home, your smart refrigerator, smart washing machine or whatever smart stuff you got at home. 71% do not take the proper measures to secure those devices, so check that one out.

Just some quick headlines: FBI sends its first-ever alert about ransomware affiliate, definitely worth a good read. CISA shares guidance on how to prevent ransomware data breaches. Apple, Microsoft and Amazon chiefs to meet with Biden over critical infrastructure cyber attacks. And then to round that one out, U.S. State Department was recently hit by a cyber attack, so maybe CISA needs to reach out to the State Department. There's more headlines about data breaches in there, but we're going to leave it right there. So Lauro, any exploits we want to talk about?

Afternoon delight. Yeah, thanks for that, Mike. Just one, and it involves our best friend, the coked-out, crazy-minded WordPress. It's the only one worthy of talking about. I mean, Mike got the other one. I don't want to talk about the ProxyShell stuff right after he talks about the ProxyShell stuff, so I have to filter my other exploit data around the news, which is really the important stuff, right? So pay attention to that, everybody; look up those headlines. But for all you crazy people out there playing WordPress, I got one for you today. If you're using Mail Masta, well, there's a local file inclusion vulnerability. They got the code out there. Very, very nice code. I give a nice shout-out to this guy for putting this together for everybody to use. Looks really nice; he's even got the nice ASCII header at the top of the exploit code. So make sure, if you're running Mail Masta and you're playing WordPress, that you got that patched to the latest version or you've got some form of compensation in place to protect you from that local file inclusion.

All right. Well, first I do want to tell the listeners that we do not put the news and the exploits on repeat, or replay articles and news from previous episodes. Although we talk about Microsoft and WordPress a lot, this is actually all new material every episode. So just wanted to put that disclaimer out there. Important stuff; of course it affects so many people, being such huge environments. A lot of people are looking for ways to exploit both. But that said, especially with WordPress... I mean, a lot of Microsoft you're kind of stuck with, but...

Well, some central bodies... no. Some bot in the future is going to look through all this, and it's going to look through all the headlines, and it's going to say "exploit", it's going to say "Microsoft", and it's going to see a whole bunch: exploit Microsoft, exploit Microsoft, exploit WordPress, WordPress. And it's going to know, it's going to be like, Microsoft bad, WordPress bad. You know what I mean? So I imagine the bot someday will figure out for us that the software is dangerous if you don't play with it in the right ways.

Well, there's a lot of Linux ones out there, especially cloud-based Linux right now. They didn't touch on that, but there was an article about the top 15 Linux exploits and how cloud environments aren't being properly secured for Linux, and people are just making the assumption that because it's Linux it's secure, and that's just not the case. So, not to be an apologist for Microsoft, but they are not the only guilty party. I just wish, you know, if the government's gonna tell us how to secure our stuff, that maybe they should secure their stuff. That's kind of my thing.

Yeah, yeah. I mean, yeah, exactly. Look at my straw house; you want to build a brick one?

That's asking a lot.

He's asking a lot. Well, maybe they'll come back and say, well, you should pay more taxes so we can secure our stuff better.

We're probably going to pay that either way.

Yeah, that's for sure. That would actually be a worthy cause, right? I mean, yeah, I'd be like, if I can see the security plans, I'll agree to that, right?

Oh, we have to plan?

Want even more Cyber Rants? Be sure to subscribe to the Cyber Rants podcast. Get your copy of our best-selling book, Cyber Rants, on Amazon today. This podcast is brought to you by Silent Sector, the firm dedicated to building world-class cyber security programs for mid-market and emerging companies across the US. Silent Sector also provides industry-leading penetration tests and cyber risk assessments. Visit silentsector.com and contact us today.

Let's move on, shall we?

Yeah. Is it time? Okay.

Technical controls for protection around users of an organization. Now, we've talked a lot in the past about other types of controls, right, and a lot around governance, right, policies and procedures and such. We've talked a lot about following different frameworks and all that. And here we want to get into a little bit of the nitty-gritty, I guess you could say, for what you should actually do when you're thinking about configurations, when you're thinking about your users. What should you be doing to protect, I hate to say it, but protect the users from themselves? I think it's a critical thing that every organization needs to be doing. What are your thoughts? If you had to give the top 36 tips, in order, where would you start?

There's 36? I didn't know that number. I'll settle with three, how about that?

42. Let's just pick 42. It's a good nice number though.

Friends don't let friends use Microsoft.

Yeah.

I guess number one: don't let them have administrative privileges at all times.

Why not? Tell us more.

Well, so, it's funny, there's some protections in place. So as an example, you've got some stuff running, right? Maybe you enabled your Windows Firewall to prevent some inbound ports and protocols from some bad sites, and maybe you've got Windows Defender running, since we're talking about Windows, and you've got Windows Defender running as antivirus to provide some protection for your user. But you've left your user to be in an admin group or be part of the local Administrators group. And so that individual now can become, oh, let's just say disgruntled with the configurations that you've laid forth to enable that protection, and they can go in and disable that protection, right? They can turn off the firewall. They can go inside and they can disable the Windows Defender piece as well, right, on the Windows Security side. So you kind of circumvent some of the good security practices you're trying to put in place by leaving the user to have those types of root and administrative privileges on the local machine that they're operating. That's one; I think that's number one.

Talk about disgruntled. I mean, you could have someone encrypt their disk and not tell you how.

Yeah, yeah, true.

Or pull data.

Yeah, absolutely.

Or shut down their antivirus because they don't like the prompts that are popping up.

Yeah, well, that's what Windows Defender is. It's sort of antivirus, I guess you could kind of call it that, but yeah, you shouldn't really... that's sort of... yeah.

I was talking about more serious.

That's like an egg, a soufflé.

Yeah, anyway. So, yeah, I think that's number one. And then to add on to that, if you're installing any third-party EPP pieces, if you don't have the security installed on those agents to prevent tamper, even from local administrators, then your users can turn those off, because they may be scanning the local disk at a bad time, or they may feel that their internet connection is unstable because of the agent that's running. I mean, there's all kinds of conspiracy theories around local agents now, right? And security tools in general in the past have always been part of them, right? I mean, that's what we always got blamed for anytime something went down. Like, are you guys doing anything? What do you mean, are we doing anything? Like running any scans, take down the network? Like, no, your app failed because it didn't have enough memory. That'd have to do with us? But security in general has always been the bad guy, right?

Yeah. From the administrative side of the house, it's always a good idea to schedule things at the appropriate time. And I remember one of the things that we did when antivirus way back first came out, when you could control it from a centralized location, you tried to schedule the scans to run around lunchtime, not at login, or not at four o'clock in the afternoon when people are trying to get out. So smart scheduling will help some of that. But I just want to dovetail on the third-party controls, though. One of the things we're seeing as people have moved remotely is that they're starting to install software that works for them that's not necessarily part of the approved suite of software for your company, and you need to really prevent and lock down those kinds of tools, because those tools are not embedded, those tools are not secure necessarily, and they're posting critical ePHI or PII or whatever on web-based forums that you haven't reviewed, and that really needs to be tied down.

Yeah, no, that's a great point, Mike. And controlling your users and making sure that they don't have permissions more than they need is super important, especially now with this work-remote situation. Like you're saying, we're seeing organizations that are actually letting users bring their own device, like their own home machines. So yeah, you might be in Office 365, right, so you're secured for the web, supposedly, but if that individual is not updating their home machine, and the kids are using it, or somebody else is coming in and using it, or they get some form of hidden malware that's on the machine, it's going to be able to grab those tokens and see that email and grab those passwords. And so that security of the home device... now you've just introduced an even more significant risk to the business organization, because now you have an untrusted device with the user that you can't control the permissions to that's accessing your business data. So I think that's been a pretty big top-of-mind topic recently, at least with some of our conversations, right?

Yeah. So how do you handle that user security when the device doesn't belong to you?

I have an ancient infosec proverb here that comes to mind. This is a new one, and it's: if you think buying devices for all your users is expensive, try going through a breach.

Yeah, no doubt. Good point.

So, in short, here's the thing: to protect the user account, you have to be able to provide the user controls, which in some cases may mean you need to issue the device, because you're going to have to control the configuration of the device, right? You need to also... removing administrator privileges is a switch, okay, but unfortunately it doesn't matter if you're downloading something like JumpCloud to do it or you're going to use Azure Directory to do it. Yes, it's just a boolean check. But it's harder in reality, because you may not be able to anticipate what your users may or may not need from you. So always have a good process to request elevated permissions temporarily, or to have somebody have the capability to install something if they need it for work purposes, right? Because otherwise you're gonna fill up your help desk tickets with users requesting to install software or admin privileges and not have a way to really do that in a good way.

And I think the other thing is, protecting the user accounts also means protecting that user from themselves with passwords. So that's a whole 'nother conversation we could have, but I see that federated password methodologies, like single sign-on and OAuth and things like that, are kind of working, because you can get some of your third-party vendors to offer like a SAML hook-in or something like that, where you can enforce, to that third-party portal that doesn't belong to you, controls over the password and the user that are specific to your organization. So you can usually request that. So look into that if you're dealing with third-party apps and you are using a federated identity method today. I think that's probably a helpful thing to try to make sure the users aren't practicing bad passwords on third-party applications you can't control.

Yeah. So speaking of those third-party apps, one of the things that you do need to get is get all those controls under IT and not let the business units manage those, especially for provisioning and deprovisioning where there's critical data in them. That's more of an operational control.

Yeah, no, great point, Mike. And if you're a small shop, and you're one- or two-man IT and you're trying to figure out how to do this, you know, to hold to the proverb, I would try to get budgeting to issue laptops for your individuals that are bringing their own devices from home. I would set that up as a priority for the year and request budget. And there's all kinds of risks that we can put around the untrusted device and using data, even though it's in a stream to a third party like a Google corporate or Microsoft Office 365 or any other of those types of outsourced third-party email kind of work hubs, right? If the endpoint device can be compromised, that data in streams probably gets compromised at some point too. So try to request budget, try to issue those devices, try to get a handle on what your users need daily so that you don't really have to enforce giving everybody administrative privileges, because that's the easy way out. It will take a little bit of engineering, a little bit of questioning, inquisition to your users to find out what they need, but that's really the right way to go about it.

And I'm going to say it, and I'll shut up, but all you administrators out there: you need to have two accounts too. You need to have an administrator account that you do your admin work with. And if you guys are on *nix or whatever, that's a sudoers file, okay? You need to be added to that; there needs to be a process around that. And if you're on Windows, you need to have two accounts. You need to have your admin account, admin group account; you need to have your user account. You don't need to be an admin all day long, every day, surfing the internet and checking on your email. That's, you know, going to meetings, right? That's perfectly fine for your user account, and then you need to elevate with your other account when you actually need to do engineering-level work. And that's what the audit framework's going to look for, SOC or anything else, right, Mike?

Oh yeah, yeah. And I'm actually surprised at how many companies don't do that. So I mean, that's just common hygiene.

Well, thanks a lot, Lauro and Mike, because we just lost a whole bunch of our listeners. Lots of unsubscribes.

Lots unsubscribed. People don't want to have two accounts; it's terrible.

Yeah, I'm watching our followers go down right now. It's like we just lost four or five million. We still got several hundred million, so it's okay.

Well, yeah, we'll be just fine. Just fine.

Hey, speaking of it, let's talk about one of the things that we run into quite a bit, which is those companies that are partially there. Those companies, especially mid-market and emerging organizations, they went out and they did the right thing in buying a bunch of company-owned devices and issuing devices to their users, but they don't have any management of them. They're not using Active Directory or JumpCloud or anything similar, so they're basically leaving the updates and everything else up to the users. How would you recommend they go from that state into a managed state, and deploy the proper hardening images and all that across the board, get everybody together on the same page as appropriate, and have those devices managed from a central location?

Yeah, good question. So first off, define what your environment is going to be: where they're going to be, are you going to use Mac, are you going to use Windows. Build yourself a STIG for the bare minimum secure configuration that you're going to need for that device for the user. And then, whatever you're using, build yourself a deploy script. If you want to be old school, you can do it per device, and then issue the device after its STIG is installed and the permissions and all of that for the user installed, all the unnecessary apps removed and necessary apps installed, and then you hand it off as part of the build process. That would be the next step if you're not looking to try to hook up into Active Directory, or Active Directory cloud-type stuff, or trying to use a bolt-on like a JumpCloud like you said, which are all viable options, right, to do that control.

Yeah, I mean, that's really the best way to do it as far as I'm concerned. And if you're trying to implement that, the best thing to do is just start: anything new gets rolled out with the new config, and as you have time, go back and replace and replace and replace. So as you take the depreciation on the device, then you replace it with something new. And you need to push up those depreciation schedules to ensure they're secure.

Yeah, no, that's a super good idea too. But I mean, if you've got budget to deploy a device, if you're not going to use a Mac, nothing against that, but honestly it's a little easier with a Windows device to build a script to secure the device and then deploy it than it is with a Mac. It takes a little more work. But I think you can do it either way. And then if that becomes too much of a process to repeat over and over again, then you can get into the whole agent, right, based off like JumpCloud. There's a few others out there; I won't drop their name. Don't get paid by those guys or anything. Maybe we should get paid by those guys.

Well, the other thing that's out there too is that there are VARs, depending on your size and your budget, there are VARs out there that do computers as a service. So you just tell them what to config; they take care of all of it. They take care of your maintenance; they take care of applying the device, repairing the devices, providing the devices, and procure them. So I mean, if you don't have the work resources to manage something like this, there are services out there. They do cost; they aren't cheap, but there are services out there that can do that kind of stuff.

Yeah. And can I just remind everybody... it was mentioned before, but just remind everybody that this is not optional when you get into filling out security questionnaires, especially for B2B technology companies, software as a service, system integrators, people like that. I mean, you have to have control over your end user devices, and you have to be pushing patches. You have to be on top of this stuff. You cannot meet compliance requirements, and really achieve much at all, without doing this. So at some point you'll have to take the leap if your organization is growing.

I was just gonna say that. If you're out there listening to this and you're a two- or three-man shop and you're just buying machines and sending them out to everybody and telling them to log in and use the Office 365 or whatever, that's not good enough. You need to have a plan in place, because it's going to be an instantaneous fail on any assessment for you not having end user control over the devices. If everybody has administrative-level permissions and you don't have a way to control them turning off security configurations, or bypassing security configurations that you're trying to put there to reduce risk, you're going to fail on it. And so be thinking of ways to cleverly get around that without having to ask for a bunch of money. You can go back to Google and start asking all the nerds out there that have done this a million times on how to build a STIG and a deploy script for your endpoints, and just start sending them out. And yeah, like, pull them in and then replace them with a new one.

You can get them from CIS too. I mean, CIS has the base images, the gold images, as long as you get CIS as a paid service.

Yeah, absolutely. And that's pretty cheap. It's not expensive, I don't think.

No. Their images are completely worth it too, I think.

Yeah, it's based on... I think their fees, the last time I looked, was based on the number of users in the company, and if you're a 150-person company it's not expensive. So just something to keep in mind, probably a lot cheaper than hiring an engineer to build these out for you.

Yeah, yeah. And I know what every admin is out there thinking. It's like, this has been in the back of your mind; you just had other stuff to do.

Yeah. And so, yeah, don't lose sight of this, right, because it's going to come back at some point. The business you're working with is going to get a questionnaire, or is going to need to meet an audit requirement, and this is going to be one of those catches that you're going to have to solve. And so solve it sooner than later. You're hearing this message today for a reason.

It could be divine. You never know.

Yeah, you want to get it done though, now that you know, now that we're telling you again. Yeah, I'm looking at you. Don't look at your radio like that; you know exactly who I'm talking to. You look wonderful today, by the way. You know who you are. And yeah, great shirt. Well, any final words of wisdom before we wrap up?

Don't trust your users.

Yeah, well, programmatically you can't. You shouldn't take the risk to, right? So control those actions.

Yeah. They are, I mean, generally the greatest threat to your company is the insider.

Yeah, most of all the malware, right? All the malware comes from an easy click.

Yeah, I mean, whether intended or unintended, they are your biggest risk. Whereas the rogue admin story that's out there does happen from time to time, occasionally, but it's more of the secretary sitting at a desk or some clerk in accounting that clicks on the wrong email, and all of a sudden, boom.

Yep. Call center employee decides that they want a $100 Amazon gift card. You know what I mean? That's what we see all the time.

Yeah, the rogue admin certainly happens, but not as much as it does for somebody who's kind of maybe bored, or has some bored time, or is on lunch doing some stuff, right? So, you never know.

Yep. The fact that you're using Office 365 and Box and QuickBooks Cloud to run the company is certainly not a valid reason to not do these things anymore, just based on all the breaches and stuff we've seen. So get it done. I hope you enjoyed this podcast; hope it was valuable for you and you learned some things. Again, subscribe to the podcast if you enjoy it. Share with your friends, other people that might benefit from this information, might be able to learn. And go to cyberrantspodcast.com if you have any ideas, thoughts, questions, anything like that. We want to hear from you. There's a web form right there, next to the podcast list, and you can just get in touch or reach out on LinkedIn, because we want to talk about topics of interest that are of interest to you and beneficial to you and your career. So thank you again for listening, everybody, and have a wonderful day.

Pick up your copy of the Cyber Rants book on Amazon today, and if you're looking to take your cyber security program to the next level, visit us online at www dot

Join us next time for another edition of the Cyber Rants podcast.
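The three endpoint controls the hosts keep coming back to (no standing local admin rights, an antivirus agent the user cannot tamper with, and the Windows Firewall left on) are the kind of thing a deploy script should verify before a laptop is handed over, and re-verify later, since an admin user can switch any of them off. The following PowerShell audit is an added example written for this page; it is not code from the podcast, from Silent Sector, or from any of the products mentioned. It assumes a Windows 10/11 endpoint with Windows PowerShell 5.1 or later and the built-in LocalAccounts, Defender and NetSecurity modules; the `$ExpectedAdmins` allow-list and the `Test-EndpointBaseline` and `Add-Finding` names are the example's own assumptions. It only reads state and reports PASS/FAIL per control; it changes nothing.

```powershell
# Added example (not from the podcast): read-only audit of the endpoint
# controls discussed in the episode. Intended to run from a build/deploy
# script before hand-off, or periodically from an RMM job.
# Assumes Windows 10/11, Windows PowerShell 5.1+, built-in modules only.
# $ExpectedAdmins is an assumed allow-list; replace it with the accounts
# your elevation process actually grants local admin to.

function Test-EndpointBaseline {
    param(
        [string[]]$ExpectedAdmins = @('Administrator')
    )

    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Control, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail })
    }

    # 1. Local Administrators group. Any member not on the allow-list is a
    #    standing admin who could switch the other two controls off.
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    if ($members.Count -eq 0) {
        Add-Finding 'LocalAdmin' 'WARN' 'Could not enumerate the Administrators group'
    }
    foreach ($m in $members) {
        $short  = ($m.Name -split '\\')[-1]
        $status = if ($ExpectedAdmins -contains $short) { 'PASS' } else { 'FAIL' }
        Add-Finding 'LocalAdmin' $status "$($m.ObjectClass) $($m.Name) is in Administrators"
    }

    # Is this audit itself running elevated? A daily-use account should not
    # be; admins elevate with their separate admin account when needed.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Add-Finding 'LocalAdmin' 'WARN' "Session for $($identity.Name) is elevated"
    }

    # 2. Defender: engine on, real-time protection on, and tamper protection
    #    on so a local admin cannot disable it from Windows Security.
    $mp = Get-MpComputerStatus
    foreach ($name in 'AntivirusEnabled', 'RealTimeProtectionEnabled', 'IsTamperProtected') {
        $value  = [bool]$mp.$name
        $status = if ($value) { 'PASS' } else { 'FAIL' }
        Add-Finding 'Defender' $status "$name = $value"
    }

    # 3. Windows Firewall: Domain, Private and Public profiles all enabled.
    #    Enabled is a GpoBoolean (True/False/NotConfigured), hence the string compare.
    foreach ($p in Get-NetFirewallProfile) {
        $status = if ([string]$p.Enabled -eq 'True') { 'PASS' } else { 'FAIL' }
        Add-Finding 'Firewall' $status "$($p.Name) profile Enabled = $($p.Enabled)"
    }

    return $findings
}

# Show the table and return a non-zero exit code on any FAIL, so the deploy
# script or RMM job can block hand-off until the control is restored.
$result = Test-EndpointBaseline
$result | Format-Table -AutoSize
if (@($result | Where-Object { $_.Status -eq 'FAIL' }).Count -gt 0) { exit 1 }
```

The check is deliberately read-only: removing admin rights is, as the hosts say, a boolean switch that your directory or agent tooling flips, and Defender tamper protection is managed from Windows Security or your MDM rather than from a script, so the useful thing for a script to do is prove the state and fail loudly when it drifts. A WARN on the elevated-session line when you run it from your own admin account is expected; a FAIL on a user's daily account is exactly the finding an assessor would raise.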