Transcript

welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike ratando
zack fuller and loro chavez
hello and welcome to cyber ants podcast
this is your co host zack fuller
joined by the usual suspects
mike ritano and laura chavez
how are you guys today
and i'm here
i don't have coffee
but i don't have coffee in a cool cyber ants coffee mug
like mike does
but i'm all right
well my sovereigns coffee mug is in the dishwasher
i haven't run that yet this morning so
sorry failed
bummer well don't
don't want you get this off of it
mike is our hr director
for those of you yeah know
and what that mug said
for those of you listening
and not seeing any video clips of this
i won't fill you in on the rest
so that being said
today we have a
another great episode go figure
we're in number seventy something
and we are going to talk about the cloud
and oh do i have a lot to say about the cloud
but before we start
let's do the news and the exploits
mike disgruntled developer
is the alleged source of a leak of loch bit three
dot o builder
the leak of the builder for the latest encryptor
of the loch bit ransomware gang made the headlines
it seems that the person who published it
is a disgruntled developer
yes they have
they have employment problems too
the latest version of the encrypted version three dot o
was released by the gang in june
according to the gang
lock bit three dot o has important novelties
such as a bug bounty program
is he cash payment and new extortion tactics
the gang has been active since at least twenty nineteen
and today is one of the most active ransomware gangs
the builder contained in a password protected
seven z archive
contained the bill bat
builder exe
config json and keygen exe
there's a hacker named al qushi
claims to have
hacked the servers of the ransomware gang
and stolen the ransomware encryptor
however according to bleeping computer
the research team vx underground
was informed by representative of the lock
bit operation that the infrastructure was not hacked
representative ad that the leak is
is the work of a disgruntled developer
i just love the fact that they have employee issues
hr team a communications team
for these hacker
organizations
now it's just kind of scary
um uber hacked
internal systems breached
invulnerability reports stolen
uber suffered cyber attack thursday afternoon
with an allegedly eighteen year old hacker
downloading hacker
one vulnerability
at reports and sharing screenshots of the company's
internal systems
went on dashboard and slack server
screenshots shared by the hacker
and seen by bleeping computer show what appears
to be a full access to many critical uber it systems
including the company's security software
and windows domain
other systems the hacker keys
accessed include the company's amazon
web services console
vmware esxi
virtual machines
google workspace
email admin dashboard
and slack server
towards the hacker posted messages
which were initially mocked by uber employees
turned into memes etc
so good on you for security
uber has since confirmed the attack
tweeting that they were in touch with law enforcement
and will post additional information
as it becomes available
in a conversation between the threat actor
and security researcher
the hacker said they were able to gain
access to uber's internet after conducting a social
engineering attack on an employee
as the uber account was protected with multifactric
authentication
the attacker allegedly used
an mfa fatigue attack
and pretended to be a uber it support
to convince the employee to accept the mfa request
dub telling off of that
mfa fatigue
is hackers new favorite tactic and hope
high profile breaches
there's a social engineering technique
called mfa fatigue
aka mfa push spam
it's rising in popularity among threat actors
as it does not require malware
or fishing infrastructure
and has been found to be successful in attacks
mfa fatigue is when the threat actor runs a script
that attempts to log in with stolen credentials
over and over
causing endless stream of mfa push
request to be sent to the accounts owners mobile device
the goal is to do this continually
to break down the target cyber security posture
and reflect
a sense of fatigue
regarding these mfa prompts
in many cases
the threat actors will push out repeated mfa
notifications
and then contact the target through mail
messaging platforms
over the phone
pretending to be it support
convinced them to user to accept an mfa prompt
alternatively
alternatively
the targets
get so overwhelmed
that they accidentally click on the approved button
or simply accepting my favorite class
to stop the deluge
or notifications they were receiving on their phone
credential stuffing accounts
for thirty four percent of all logging attempts
credential stuffing attacks
takes advantage of password recycling
which is bad practice
using the same credential
pairs login
name and password
across multiple sites
once the credentials are leaked out
leaked or brute force
from one site
threat actors
perform a credential stuffing attack
that attempts to use the same leak credentials
at other sites
to gain access to users accounts
as the fbi warned recently
these attacks are growing in volume
thanks to the readily available
aggregated list of league credentials
and the automated tools were
made available to cybercriminals
engaging them
to test pairs
against the sites
okto reports that
the situations are worse than twenty two
twenty twenty two
as the identity
and access management firm
has recorded
over ten billion
credential stuffing events
on its platform
the first ninety days
of twenty twenty two
which represents roughly
thirty four percent
of all overall traffic
that is scary
backlog is larger
than a hundred thousand vulnerabilities
but two time
consuming to address
resilient and
ponyman institute announced
the release of
the state of vulnerability management
in dev sec ops
which reveals
that organizations
are losing thousands of hours
in time of productivity
dealing with massive
backlogs of vulnerabilities
that they have neither the time
or resources
to tackle effectively
the study finds
forty percent of security leaders
report that they have a backlog of applications
that have been identified as vulnerable
sixty six percent their back
sixty six percent say their backlog consists of
more than a hundred thousand vulnerabilities
and fifty four percent say they were
able to patch less than fifty percent
of the vulnerabilities in the backlog
thus seventy eight percent of respondents say
high responsibilities in the environment
take longer than three weeks to patch
some twenty nine percent
say it takes longer than five weeks
that's really scary
because just being patched
helps you mitigate a lot of problems
well it's an interesting time frame to think about
to start to jump in here
but we you know
we got to look at an application
it took them months to patch
if you remember
i think it was something like six or seven months
to resolve the vulnerabilities found in the pen test
so it's it's
it's concerning
to say the least
that there's a
there's a time there that the
the application is left at risk dead
that dove sock ops is a cool name isn't it
it's what we've been doing
we've been doing for twenty five years
and all of a sudden it's like oh now it's dove sock off
anyway pollution man
you got to change the name of it
to make it sound cool to the kids today you know
exactly like
threat hunter
hackers admit destroying intercontinental hotels groups
data for fun
this is the front
actors behind intercontinental hotels group cyberattack
reported earlier this month
admitted doing it for fun
the hackers made the admissions of the bbc
over the weekend
saying they're a couple from vietnam
who tried to conduct a ransomware attack against iig
upon failing
decided to leak the data they had originally obtained
in this instance
it fortunately looks like
ihg was able to prevent the attackers
from deploying ransomware
but retaliation
they deleted the data they had access
putting the hotel chain in the no one situation
the third actors gained initial access to ihc
ihg systems via a successful fishing attack
that tricked an employee into downloading malware
through an email attachment
and capturing their two factor authentication code
vmware and microsoft are a warning
of a widespread chrome loader malware campaign
that distributes several malware families
chrome loaders on malicious chrome browser extension
is classified as a pervasive browser hijack
that modifies browser settings to redirect user traffic
the malware is able to redirect the user traffic
and hijacking users search queries
popular search websites including google
yahoo and bing
the wishes code is also able to use powershell
to inject itself into the browser
and add the extensions of the browser
experts also observe that threat actors using dmt files
in order to target all mac os systems
so no one is safe
that's the end of the news
but i got a couple headlines
that you really want to check out
this one simply because
what you need to know about
evil colon attacks yep
that's one of the top ten names that we've seen so far
quantum computing already putting data at risk
sever pros agree
that is a very interesting read
if you're in the healthcare sector be aware
the fbi is warning the healthcare sector
surgeon payment scams
don't tell nana
and pop up this
but cyber vulnerability is discovered
in popular insulin pumps
so with that laura
i give you the vulnerabilities
gosh thank you
it really seems that you know
you know criminal
criminal you know
cybercrime is a full time business with
with hr and ping pong tables
and probably as well power beers
it's just it's ridiculous
um and then going off after
after nana's insulin pumps
pretty dirty
so yeah gotta watch yourself
and with that
got a couple other places
you should watch yourself this week
because we do have some exploit payloads
that will get you owned today
if you're using less than favorable cms tools
i've got a couple here arrow
and i'm not bashing on these companies
they're just
you know everybody
just like any other race
everybody's in a push to get their tools out
the next new gen
the next new wizard
the next new ui
whatever right
so if you're out there
and you're in the market for cms tools
make sure that you're looking at what you can afford
and make sure
that you're not trying to go with free stuff
arrow cms and
fhi cms both have critical vulnerabilities
that have payloads this week
one of them for arrow cms is a sql i
it is a time based sql i which is
which is a new type of sql injection attack
that plays on the time parameter
right and then of course
the high cms got a remote code execution
so if you execute a payload
you might be able to dump the database
you can do the same with the arrow cms
in the time base sql i
so keep an eye out for those cms
applications that are out there
if you are using the tp link tapcoc
to monitor your home
i would make sure that you get the software updated
immediately
the remote code execution is out there
in payload form
beautiful python
written by an actor i won't mention
however one dot
one dot fifteen
on the tp linked tabco
is vulnerable to this remote code execution
so get that patched
you don't want anybody being able to
you know initiate code into that machine
and then have access to the console
of potentially other cameras
and then also be able to use the speaker
and the video on this camera
so you maybe have
remember some of the
couple years ago
someone was able to
exploit one of the similar camera
different manufacturing
it was a links us
but was able to speak crazy things into the baby's room
while all the kids were in their plan
and they were toddlers
so as a parent
that's creepy
anyway so tp link
should be concerned
check that out
and if you're using blink control if you're
if you're into the very cool
blink technology
out there by thing m
and you're using some of these smart leds to do
alerting for you
and giving you visual alerts
or using it for
accessibility options and those things
the blink control
two dot two seven
has weak password encryption
so the encryption
was found to be using
pretty ridiculous
sixty four bit ciphers
so you can you can very easily
pull the end node
right out of the url
and for these devices
to manage these devices
and break that with online tools
so you can get access to this
and somebody could
run them up with your controller
for all of your leds
so if you're using these smart leds
in any capacity
make sure that if you've
got the two
two seven version of blink control
you're gonna get that updated
and with that zach
we're talking about other people's computers
right you know
used to be that song in the nineties like opp
you know what i mean
and so we need to
opc other people's compute
because that's really what the cloud is right
it's just a bunch of hobos
with some hardware in their garage
giving you a business front
how dare you insult
insult leading technologies
like that yes
we're actually
going to talk about that in just a moment
i just had to laugh
because with the multi factor authentication
fatigue attacks
or mfa fatigue attacks
it just reminded me
of my four year old
she's figured this out
way before any cybercriminals did
can i have a lollipop
no not right now
please can i have a lollipop
i really want one
please please
please please
please please
please please
okay fine you can have a lollipop
boom she's in
you know she's in man
she's whenever
i have the same problem
persistent requests
it could be cybercriminals
or it could be a four year old
so we are absolutely going to
dive into the wonderful
and mysterious
world of the cloud
in just a moment
after a quick commercial break
want even more
cyber rants
be sure to subscribe
to the cyber rants podcast
get your copy of our best selling books
cyber rants
on amazon today
this podcast is
brought to you by
silent sector
the firm dedicated to building world class
cyber security programs
for bedmarket
and immersion companies
across the us
silent sector
also provides industry leading penetration tests
and cyber risk assessments
visit silent sector
com and contact us today
all right and
we are back
and today we
are talking
a little bit about
cloud security
now this is high
level right
we don't have
time to get into all
the nitty gritty
maybe in future episodes
we'll talk about different components
and get a little bit more detailed
but we want to talk about cloud security
and the reason is
there is a severe
and to me just a painful
misconception out there
and this was reminded
again when i got
when i got an email
the other day
from a major
major internet service provider
i won't i won't shame them
and say the name
through a major
publication
but i want to read
you an excerpt
from this ad
this is one of the reasons why unknowing people
and it is up to us as security professionals
up to those of you listening that are security
or technology professionals
to help us inform the public
the ad starts and it talks about giving you remote
access to important business data and applications
it says cloud migration saves you money
reducing infrastructure and iq costs
okay yeah i could see that
in a whole variety of scenarios
there are certainly benefits
the next paragraph goes on to say
has the audacity to say
plus the cloud defends your data from hackers
by consolidating multiple services into one
safeguarded source
yeah wizard gandalf's cloak
that's so the cloud defender data from hackers
okay so we need to dispel that that myth
i know we've touched on this in the past
but there are a tremendous amount of security risks
associate with the cloud
it doesn't make it bad
there are tremendous benefits to
before just so you know
so you listeners know we are not shaming the cloud
we use cloud products all the time
cloud platforms environments are
our clients are an aws and azure
and every other place you could imagine
so it the cloud
we're not shaming the cloud
we're not saying don't go to the cloud
the tremendous capabilities
awesome things you can do
and most organizations are either going to be
a hybrid of on pram and cloud
or all cloud at this point
right so it is it is
but this misconception
this false advertising about moving to the cloud
will make you safe
we need to topple that
we need to come out and say look
like laurel just said
there is no cloud
it's just somebody else's computer
right except for your
except for your
that you probably have some magical cloud instances
you've created that are
that are actually in the clouds
but for the most part it's
it's really just somebody else's environment
so let's talk about that today
let's talk about some of the risks
i think most people know the benefits right
there are all kinds of scalability
cost savings
accessibility
all kinds of different things you can do
access to different tools and such
but let's talk about some of the benefits
do you want to start
i mean i have a couple
but do you want to start with any
stories about cloud breaches or cloud examples
to just showcase that hey
moving the cloud doesn't make you safe
and if not i'll share one
you share one
i mean i know you're not here to bash the cloud
but i'll happily bash the cloud
yeah i'll happily bash the cloud
because to me
cloud is like canned water
it looks fancy
but it's water
you know what i mean
and so it's a little overrated
i think the clouds overrated because you're
you're putting your data and
we'll get into this right
i want to hear your stories
i have a couple too
but you know
yes the cloud can cost
give you cost savings
could also add complexity
it can also cause greater outages
and it also puts the data in the hands of somebody
other than the physical people on your team
it's all great until you try and get the data out
so all right
tell us a brief story
oh sorry well
one of the things i want to say real quick is that one
of the major failings of the cloud
is people make that assumption
based on that first line of that paragraph
that put in the clouds are safe
the problem is they don't
look at the contract
and see what side is your responsibility
and what part is the clouds responsibility
and just assume because i'm in the cloud
i'm safe and someone else is taking care of it
it's a huge mistake
so that's like
it's like driving in a city
and the department of transportation saying that
our roads will keep you out of accidents
our traffic lights work so well
you'll never have a fender bender
not in our city not ever
and so to me are you
first let me ask zach
are you sure that's not a fishing email
trying to keep you
click on ransom
it's complete bs and it sounds like it's fish
i clicked here and it just gave me a nice executable
i opened it nothing happened
but i know i couldn't have been
couldn't have been a fishing email
now this was
this was actually
this is not the first of these kinds of
marketing emails
i've got from this particular publication
and this particular major internet service provider and
and business technology services provider
but i wanted to start with with
and you've already covered a lot of great stuff
you know we're talking service level agreements
and things like that
we should get into that
but one of the i get calls
probably too often from
from people in our network
people that are referred to us and such
and the number one call i get was
somebody that has a problem is
business email compromise
through office three sixty five
not through their exchange server
not through their own prem
stuff that through office three sixty five
and the assumption is always
oh well we put our stuff in office three sixty five
so microsoft is supposed to be handling security
but no that wasn't the case
it turns out
who knew right
and it always goes like this
last couple calls
last few calls it just
just basically
somebody's email account was compromised right
and oh guess what
they did have multi factor authentication
turns out that doesn't stop all attacks
like some of the mfa vendors would tell you
but they their email account was compromised
and won't get into the how and all that stuff
but long story short
now the attackers have access to all their emails
they're going through
they're taking their time
to look at who's communicating with who in the company
how transfers from money are requests
these are especially
especially focused on financial
financial companies right
but a lot of
doctored wire information gets sent out and such
from what seems like it's within the company
right so the
you know the controller is saying hey
we're wiring this money to this account whatever
but it's not really
the controller
sending that email from their own account
so these types of attacks happen
and then before you know it
people are moving money left and right
and hopefully they catch it
or hopefully they have some other controls
but it's always a scary situation
the other thing that they don't realize
that i have to break
the unfortunate news to them
is when that happens guess what
the attacker just downloaded
the tens of thousands of emails
that this employee has in their inbox
from you know
back in you know
the early two thousands
or however long they've been working there
you know they've have all this
access to all this information
customer data
all that stuff
just your emails right
so not to mention
ability to pivot into other accounts
and things like that
using same credentials all that
so i won't go too far down that rabbit hole
but that is the number one
attack that i've been hearing about
this isn't based on any studies or surveys
or anything like that
just based on simply people reaching out to us
so that's the
one example one of
one of any cloud examples
we could go down a rabbit hole here
but but with
we could talk about cryptocurrency
and dropbox and other things if you guys want
but let's not waste all that time
well the other
yeah that you know
and that's a good
i think that's a good statistic to bring
to bring forward of the community to that
the lodge of the
you know we don't
we don't do the forensic analysis post
you know post breach stuff anymore
but when we did
you know and people like you said zach
they reach out to us right
because when you're
i like to say when you're falling down a tree
you're grabbing for branches
you know what i mean
and we happen to be one of those branches
when organizations are in a pickle
and you know
unfortunately not all the time can we help them
but it is an interesting statistics to see that office
three sixty five with multi factor authentication
is one of the number one
number one breached
locations for financial organizations
the second one i think is probably that
i see and you know
one of the last post breaches that we looked at
you know in the last times we were doing this was
we talked up
you know i was just i was just
i was just giving
i was just giving exploit advice
for patching on two cms products
right content
content management right
or contact management
everyone see it
you've got data in this right
it might deal with your business and everything else
and so there was a company
that specifically did cms related aggregation
data aggregation
one of the consultants that worked here
wasn't getting the compute
that they needed to do the work on these two clients
that the you know
this organization and the cms aggregator had
and so they went to
you know aws
you know got some compute built
and put the data up there to better aggregate it on
you know using the cloud horsepower
well like you said zach
you know and
and mike we touched on this
you never read the terms of service right
few people will actually you know
peruse through the legalese to understand where they're
where their responsibilities begin and end
and where the vendors responsibilities begin and end
and this is one of those cases where
you assume that the compute that you building
the cloud is gonna come out of the box secure
and no one's gonna be able to hack you
there's firewalls up
there's intrusion detection
you got all the logging in enabled
there's multi factor authentication already there
there's antivirus
there's all these features
that are already there for you
and that's an illusion
it's exactly the same
if you went to goodwill or walmart or anywhere else
and bought a used computer and turned it on
then someone said
i wiped it for you
you know it's ready to go
all of the configurations to do
and that's where this business
i think made the short sidedness
of allowing this consultant first to go beyond
any of the change control processes
you know leverage
some cloud computed
amazon not secure
put the data up there
and as we know
the cybercriminals are fully
fully organized right
they have hr departments
and ping pong and foosball and the whole bed
and so they're scanning the net
they come across the server
happen chance it probably done up for a couple months
and they reach in and they pull all that data out
and so it was a double breach
because there were two clients of data that existed
in this environment
two third party clients
right big giant
can't name them
big clients
and this small
on this small cms aggregator
essentially one
one consulted in that company
would you know
cause almost the downfall of the entire organization
so i mean that's a
that's a one story that i've got of it
as an example in recent times
where someone has really believed
i think falsely
in the security that the cloud gives you versus
what you actually have to configure to make it give you
let's talk about service level agreements
because that's come up a couple times
what are your recommendations
or what would you have people look for in those slas
when they're evaluating their cloud vendors
of course read them number one
well every yeah
go ahead mike
he was gonna say you got this one man
you gotta determine
determine what
who is responsible for what and why and what
what level are you responsible to
if you don't turn on the firewall
if you don't turn on mfa
if you don't turn on the vpn with mfa
those things are not on
if you don't turn on you know
elastic search
you don't turn on
i mean all these features that are available to you
are wonderful
that the cloud provides a
they come with additional cost
but you have to turn them on
you also have to deal with the alerting and monitoring
and event notification
and mitigation of these issues as well
the cloud is not going to do that for you either
and that's what a lot of people miss
so you have to read and realize
what is actually being done in the cloud
is not a sas solution
a cloud is not a third party software application
where they do everything for you
the cloud is a platform in on somebody else's computer
and you're leveraging those resources
so you really have to dig into what you're going to do
and you still need a team to deal with those issues
you still need a security team
you still need
you know architectures you still
so the cost savings in people is not necessarily there
it's a different class of people
and guess what
cloud architects ain't cheap
so
that's what you know you
so you have to determine what those slas
are going to be from the cloud
from your internal resources
and it's a marrying of multiple organizations
that make it that much more difficult
so you need to go in why eyes wide open
that you're not a hundred percent
you know golden
one thing i want to circle back to
what laura was talking about
about the hacking
there's one common theme that we see
in a lot of these stories
and some of them we talked about today is fishing
fishing fishing fishing
so train your people on fishing
but fishing
they're getting better at it you know
used to be that you'd find a fishing email and said
do the needful and press this button
and you knew
kind of knew that this was wrong
now it's not that way
so be really careful with that
but yeah i mean
the slas know specifically what you're responsible for
and don't just determine that
the clouds gonna save you all this money
because the marketing brochure says it is
yeah they that's good stuff to mike
and they pile on things like
you know you
what you're getting is compute
right it's like
it's like you might as well have a storage building
you know at one of these u haul storage building places
i mean that's really it
they're part of it is like hey
we give you a storage shed and you can access it
twenty four seven
that's our end of the deal
the rest is all on you
what you put in it
how you wrap up your stuff
if something gets broke in there
it gets water damaged
you can't sue the storage vendor
they're like hey
all we do is give you a building and let you access it
what you do in there
and how you secure everything is completely up to you
you guys stored everything in cardboard boxes
and it rained sorry
maybe you should have used rubbermaid tubs
you know you can't sue us because you didn't plan
and that's exactly at a high level that the
the sla that that
that is kind of in play with
with cloud vendors now
they have architects on staff
they have security features that you can purchase
these things are not complimentary
and that's what you need to understand is what
you know what service are you buying
what service tier you buying
what does it come with
and then what parts are
am i responsible for
and am i gonna have to roll into my own internal change
management and security processes
in the whole bit
in my mind you're almost better leveraging a colo
and putting your own steel in there
yeah it's more secure
it is and in reality
what's the difference
it's a computer somewhere off site
the physical controls are managed by somebody else
you still have to manage everything else
you know well
well i think it could be argued
and i think this is where
you know that the engineers and the leadership
the budget leadership have a
have a gap of clarity in cohesion is that
there's cost savings there because
you don't have to pay the depreciation on the metal
you don't always have to be looking at drive upgrades
and all this kind of hardware depreciation
depreciation costs that are gonna occur
when you own the metal
the engineers and the security individuals and
and hopefully everybody will back me out here
we see the cost benefit
in the fact that you have hands on
you own the metal
you own the systems
you can walk down to the data center
get escorted in
and see your equipment
pull your own drives if you have to
you can't do that in an amazon data center
or an azure data center
or haroku or any of the other database providers
or sas cloud providers
or cloud providers in general that are out there
you can't do that
and you're going to be distributed over many
many systems
that is going to be shared space with other clients
that have either separated data on guid
or some sort of a crypto key or something right
where they're separating your data that way
but you're going to be in a multi tenet environment
and i think that's something
that's not really understood either right
you're in a virtualized environment
you're sharing the same physical hardware
with a bunch of other people
in other companies
and you have risk of bleed over
i don't know
the cloud salute question was solved for me
a long time ago
when i was working for a bank
when we were working with the security team
and they said we're
there's no way in hell we're going to cloud
will build our own
now if one of the largest banks in the country says
i'm gonna keep my data in my own cloud
why would you
take the step and put your data in someone else's cloud
if they value their data that much
you should value your data that much
and since to this day
i don't use icloud
i don't use any of that stuff
everything's controlled locally
and reality is though
i mean a lot of
a lot especially
you think of you know
a ten person software startup or something like that
they don't have the expertise or the
you know the
the people to go in and actually do this
they're basically gonna write code
throw it on iws right
and that's that
i think i think the
most organizations now just realize that
hey we're just
they're just flat out not gonna do it
i mean there's certainly benefits i think
to what you're saying
but it just
reality is they're gonna be
yeah it's not
it's not realistic to everybody
no i understand that
if you're a startup
that makes perfect sense
right i mean
if you don't
i'm talking about a stable company
that's grown
and that has their own hardware
and just up and going to the cloud
because i think they're gonna save a bunch of money
and doing so
right it should be
yeah it should be
part of your digital evolution right
as a business
you may start small
and you sure
you've got to use some
cloud compute for now
but as you grow
and you expand
as a great example
would be like
a twitter okay
how you know
jack dorsey
and this came
like real quick
and next thing you know
like you know
twitter is not really a big deal
and now they're massive
and it happened in a very short amount of time
that's that's when you need to visualize
okay you know
now that the money really isn't an object
what do i want
do i want the budgetary
freedom to say
we're saving all this cost
by using you know
other people's computers
order i want
the security mind set
and the peace of mind to say
i have my own medal
in a data center
in a physical location
that's pretty dr
safe and that's in a couple backup
physical locations that we own
you know and so
it's not for everybody
right but yeah
there's a point
in your business
in depending on what size of business you are
that you can make that determination
on if it's you know
gonna be the right choice for you or not
but you shouldn't have the illusion that
anytime you go to the cloud
it's going to be secured for you
a lot of companies do end up moving back right
as they grow
not everybody
but a lot of organizations will actually
do a cost benefit analysis
and realize that hey
maybe instead of
having these third party
cloud providers
actually make sense
to go back to our own solution right
to manage our own hardware
and at a certain point
it can become more cost effective
so not to say
not for everybody but
and i also think a lot of organizations
depend on what they're doing
they're going
to have a blend
no matter what
i'd say take
look at your most critical data
what is it that really drives
your business forward
that you really rely on
if you're going to do that
switch back
then i would
out of the cloud then
or to your own
managed cloud
then not say
something that you could do
in part not
you don't necessarily
have to move the whole organization over
yeah and i just reiterate
one of the things that really concerns me
is a lot of people think the cloud is just another
sas solution
and it's not
you can't you can't make that assumption
but that's the way that
that marketing brochure spins it
it's oh yeah we'll take care of it all for you
but you know everything costs
and then the biggest cost
and still go back to this
wait till you try and get it out of the cloud
because you can put as much in there
when you pull it out it costs
so another thing you have to consider as well
is physically where that data is
right i mean
and there are controls depending on who you're using
you can specify
but your data may be
and data centers all over the world you know
and i just don't
there are great resources
great people all over the world but
you know and in the us likewise
there are also malicious insiders
there are people that are working for the dark side
also and so you need to consider that where
where physically
is your data going to be going when you
well a data security
data security laws
and cybercriminal laws vary from country to country
and state to state
so you know
first of all
certain regular pieces of regular data
cannot be stored overseas
second of all you know
if you have your stuff in a data center and tajikistan
and it gets hacked
who's got jurisdiction right
i mean it's
it's that kind of thing
you don't know where that data is
and the laws are
pulls not going to help you
yeah interpols not gonna help you
yeah that's why it wasn't a boss right
ninety percent of all cyber crimes don't get
don't get prosecuted because jurisdictional issues
no one knows
i mean if i'm in arizona and i'm
i get i get
someone hacks me from california
who has jurisdiction
arizona california
you know they
i'm gonna go out in a limb and pretty much tell
tell you that your data even though you specify east
west coast or united states based
only if they are a worldwide data center
and meaning they're globe
they have global presence
even in china
your data is being replicated there
even in a backup file there
these are preferences
right just like
just like a
just like a web config is gonna have a preference for
tls one two
that doesn't mean that one dot one and one dot o
and ssl and all that stuff's not in that as well
right so it's preferred
you prefer the united states
that doesn't
that doesn't stop google from being like yeah
well to protect your data
we're gonna make sure that it's balanced
across all of our global data centers
that way in case we lose two or three
when we can get your data back
because that's what they care about
they don't really care about their
care about their service uptime
they don't really care about
you caring about where your data is at
they're gonna take care of your uptime
because they're gonna be like look
they're not gonna care their data was in china
as long as we can get it back to them
right and that's
we've got four nines
if you don't care where it's at
i think you could look at it like every
every benefit also has another side to the coin
so for instance
if one of the benefits is
somebody else manages the equipment
manages the metal right
you're not having to do that yourself and go in there
get badged in and all that stuff
somebody else is going to deal with that
well the other side of that coin is
you don't know that somebody else
you don't know who else is going to be touching that
right and what their
what their capabilities are
so any pro i think can azikon
so all good things to think about the
i think you know what
what users can do is one
the service level agreements
terms of services
get to understand them
but also know that they change
right the provider can
most of them can just change at any time
and they'll send you a notice
hey terms of service change
well everything's up there
you're not just gonna jump ship
or if you do it can be extremely costly
and cost and time prohibited both
but consider these facts when you're going in
and just realize your
cloud environments are only as secure as you make them
it's not their job in most cases
to secure your information
and i can't
we can't wrap this up without mentioning
application security right
just because you host your application in a and aws
and you're paying for additional security features
and you got the environment locked down
that does not make your web application secure
and that's a misconception we hear a lot
from software companies
from actual software companies
so that's i
feel like we shouldn't have to bring this stuff up
but because we keep hearing about it
we got to bring that up
you know that's good
deprecated authentication tool
or something of that nature
that's gonna be a problem
well you know
probably about yeah
and about sixty percent of the apps that we look at
are hosted in the cloud
and we always find
we're always finding vulnerabilities
and exactly the
you know it's your code your code
it doesn't matter if
you're fronting on someone else's compute
you're still your code's crap
somebody's gonna find a hole in it
yeah it doesn't
it doesn't fix anything
and then one thing i'll mention zach
you know for the listeners
there's best practices out there
that you can just google and get
so i do a best practice for like office
three sixty five
make sure that you've got all those things checked
and that you're looking at what microsoft recommends
for you to do to secure your environment
because microsoft is one of the few vendors
as much as i dislike them
it'll be like hey
we don't know what we're doing
we're not really secure
we're just giving you this stuff
but you should read this
to secure your environment right
and at least they
they kind of own up to the fact that
you know you
you should apply these things
we're not gonna just do this for you
some of the other vendors don't really do that
you know i think they're
they're kind of hidden in the
in the marketing language
and then also in the
the extra services you just got to pay to pile on
whether that's logging or firewalls or antivirus
things like that
in the cloud that you can get now cost extra money
so keep that in mind
mike any final words of wisdom before we wrap
it is it you still have to secure your stuff
it doesn't matter where it's at so
mm hmm that would be my thinking you know
know what you're getting know what you're buying
don't make decisions solely for financial reasons
make sure that they have sound underpinnings
yeah and one final thing for me too is
you know i think it's important of that
that you realize that
everything needs to flow through change control
even your cloud environments
and a lot of times that'll get
that'll get left out of the change control processes
and so if you've got people making willy nilly changes
to your cloud environment you can
you can have some problems and we
i can tell you some more stories
about organizations that have made mistakes with azure
actor director and things like that
so
war stories from the trenches
that'll have to be another episode
i think we sprinkle them throughout
but that could be a whole series in itself
well outstanding
thank you for listening to the cyber ranch podcast
jump online on linkedin
or go to cyberranspodcast com
and let us know who your favorite co host is
is it me is it mike
is it laurel
give us your vote
no seriously
we don't really care
seriously though let us know
future future talks
future episodes
we're always trying to bring you what we're seeing
actually being in the business
doing this day in and day out
let us know what's of interest to you
be sure to rate the podcast
subscribe share all that good stuff
help us get the word out
to secure the backbone of the american economy
and our way of life
that is what we're here for
and have a great day
we'll see you on the next episode
pick up your copy of the cyber ants
book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at silentsector com
join us next time
for another edition of the cyber rants podcast