The Security Swarm Podcast

Welcome to The Security Swarm Podcast – a weekly conversation about the most critical issues facing the world of cybersecurity today, hosted by Andy Syrewicze, Security Evangelist at Hornetsecurity. From the malicious use of AI tools to social engineering scams, each episode homes in on a pertinent topic dissected by an industry expert and backed up by real-world data direct from our Security Lab.

The world of cybersecurity should not be taken on alone – it’s time to join the swarm.

Celebrating 50 Episodes: A Review of our Top Security Discussions (PT1)

For our 50th episode of the Security Swarm Podcast, Andy and Eric Siron look back at the last 49 episodes of the show. They revisit some core security topics, discuss whether they are still relevant and how they have changed against the evolving threat landscape, and provide updates on some of the major stories covered.

This is part 1 of a 2-part episode, with part 2 coming next week.

Key Takeaways:

  • AI-powered tools are a double-edged sword, capable of both beneficial and malicious applications.
  • Botnets and malware continue to be a persistent threat, as attackers adapt and find new ways to circumvent disruptions.
  • Email-based social engineering remains a significant vulnerability, as human nature makes it a difficult problem to solve.
  • Immutability and backups are critical for protecting against ransomware and data loss.
  • Securing cloud-based platforms like Microsoft 365 requires a nuanced approach, as the responsibility is shared between the provider and the customer.
  • Security awareness training can be challenging to implement effectively, requiring a balance between engagement and cost.
  • Navigating the relationship between IT administrators and CISOs is crucial for effective security management.

Timestamps:

(00:31) Using ChatGPT to create ransomware – still a relevant and evolving topic

(02:22) How tech pros should handle security news and zero-days

(09:09) The re-emergence of Emotet and the challenges of disrupting botnets

(12:04) The persistent problem of social engineering and email attacks

(13:25) The importance of immutability and backups against ransomware

(16:29) The security of Microsoft 365

(19:35) Deep dive on the QuickBot malware

(20:20) The necessity of advanced threat protection (ATP)

(22:58) Guidance on effective security awareness training

(25:41) Tips for IT admins on working with CISOs

(26:07) Microsoft’s throttling of legacy on-premises Exchange servers

(28:11) Discussing Episodes 12 and 13, recorded live at InfoSecurity Europe, on compliance and security horror stories

OSINT in The Hands of Hackers

In this episode of the Security Swarm Podcast, host Andy is joined by Romain Basset, the Director of Technology Strategy at Hornetsecurity. They’re exploring the topic of Open-Source Intelligence (OSINT) – what it is, how threat actors use it to launch effective attacks, and the dangers it poses.

Throughout the episode, they discuss the ease with which OSINT can gather information using AI and other tools and provide examples of how it can be used in phishing, business email compromise, and even deep fake attacks. The conversation also touches on the importance of privacy awareness and security awareness training to mitigate these threats.

Key Takeaways:

  • OSINT refers to publicly available information that threat actors can easily gather to launch targeted attacks. This includes social media profiles, online forums, data breach databases, and more.
  • Threat actors are using OSINT to not only target individuals, but also find vulnerabilities in organizations’ web-facing software and infrastructure.
  • Combating OSINT-powered attacks requires a multi-pronged approach of improving privacy awareness and implementing robust security awareness training programs.

Timestamps:

(02:24) – Definition of OSINT

(07:17) – How AI makes OSINT-powered attacks easier

(15:22) – Using OSINT to target organizations

(25:35) – Mitigating OSINT-powered attacks

Episode Resources:

Train your users with a personalised Security Awareness Service

Business Email Compromise: The $43 Billion Scam

The Security Implications of Migrating from VMware

In this episode of the Security Swarm Podcast, host Andy and recurring guest Paul talk about the challenges and opportunities organizations face amid the Broadcom acquisition of VMware. They discuss the steep price hikes for VMware licenses and the security vulnerabilities recently discovered in VMware products.

This acquisition has prompted many businesses to consider alternative solutions, and the episode provides a comprehensive overview of the available options within the Microsoft ecosystem. They cover a range of migration strategies, including moving to the Microsoft ecosystem through Azure, Azure Stack HCI, and on-premises Hyper-V. Andy and Paul offer valuable insights into ensuring a secure and seamless transition away from VMware, making this episode essential listening for IT professionals navigating these significant changes.

Key takeaways:

  • Broadcom’s acquisition of VMware is causing major disruption due to massive license cost increases of 300-500% for many organizations.
  • Microsoft Hyper-V is a viable alternative to VMware. It offers a mature, enterprise-ready hypervisor that can be a cost-effective replacement for VMware.
  • Azure Stack HCI provides an on-premises VMware alternative. It is a hyperconverged infrastructure solution with Hyper-V at the core, along with integration to Azure services for management and modernization.
  • Security pitfalls can arise when organizations rush to migrate away from VMware due to the Broadcom situation. Proper planning, understanding the security posture of the new platform, and ensuring critical configurations like backup are in place are essential to mitigate risks.

Timestamps:

(02:51) – Vulnerabilities in VMware

(07:30) – Migrating to the Microsoft Ecosystem

(13:38) – On-Premises Microsoft Options

(38:45) – Security Considerations for Migrations

(44:52) – Pragmatic Approach to Platform Selection

Episode Resources:

Microsoft and Broadcom to Support License Portability

Paul’s article on options for migrating from VMware to Microsoft

VMware Sandbox Escape Bugs

New Threat Campaign Distributing DarkGate Malware & The Massive 911 S5 Botnet Takedown

In this episode of the Security Swarm Podcast, host Andy and recurring guest Eric Siron discuss the Monthly Threat Review for June 2024. They explore a new threat campaign distributing the DarkGate malware using a technique called pastejacking. Additionally, they touch upon the 911 S5 proxy botnet takedown and how threat actors are exploiting Stack Overflow to distribute malware.

Key takeaways:

  • Awareness of common tactics like pastejacking can help prevent falling victim to malware campaigns.
  • Read the details of the DarkGate attack methods we show in the report and adjust your security posture as needed. If you’re in need of powerful, next-gen email security software, we’ve got you covered.
  • If your organization is leveraging software from any online, public repository, take the time to review that repository and do a risk assessment. Threat actors are increasingly using public software repos for malicious purposes.

Timestamps:

(03:15) – Insights into Email Threat Trends and Industry Targeting in the Cybersecurity Landscape

(13:15) – Unveiling a New Cybersecurity Threat Campaign Using Pastejacking

(23:31) – Massive Botnet Takedown and Arrest of Operator: A Victory Against Cybercrime

(29:29) – Beware of Malicious Packages: A Cautionary Case Study from Stack Overflow

Episode Resources:

Full Monthly Threat Report

Enhance Security Awareness by Training Employees

Windows Server 2025: New Security Features Revealed

In this podcast episode, Andy and Paul discuss the upcoming release of Windows Server 2025 and the myriad security enhancements it will bring. They delve into topics such as improvements to Active Directory, delegated managed service accounts, Kerberos protocol enhancements, SMB enhancements, hot patching, the ReFS file system for confidential computing, and extended security updates.

Key takeaways:

  • Windows Server 2025 brings a host of security enhancements.
  • The release date of Windows Server 2025 is speculated to be in September 2024, coinciding with the release of System Center 2025.

Timestamps:

(07:05) – Enhancements in Active Directory Security and NUMA Support: A Deep Dive

(13:19) – Revolutionizing Service Accounts: Delegated Managed Service Accounts Explained

(20:28) – Revamping Windows Server Security: Say Goodbye to NTLM and Hello to Kerberos

(28:15) – Revolutionizing SMB with the QUIC Protocol and Hot Patching in Windows Server 2025

(32:34) – Revolutionizing Patching with Hot Patching in Windows Server and Azure

(36:02) – Revolutionizing Data Protection with the Resilient File System and Confidential Computing

(39:34) – Exploring Confidential Compute, Server Upgrades, and Extended Security Updates in Windows Server Environments

(42:37) – Windows Server 2025 Release Date Speculations and Future Episode Teasers

Episode Resources:

What’s new in Windows Server 2025 from MS Learn

Passkeys in Microsoft Entra: Benefits, Implementation Tips & More

In this episode of the Security Swarm Podcast, our host Andy and guest speaker Jan Bakker discuss passkeys in the Microsoft ecosystem. They cover the definition of passkeys, prerequisites, tips for implementation, and the user experience. They also highlight the user-centric enrollment process, the role of conditional access, and the potential challenges and advantages of transitioning to passkeys.

Key takeaways:

  • Passkeys are a new authentication mechanism based on the FIDO2 standard, providing a secure and user-friendly passwordless experience.
  • Device-bound passkeys are more secure but not transferable between devices, while syncable passkeys offer convenience but may introduce additional security risks.
  • Passkeys enhance security by being phishing-resistant and replacing traditional passwords and MFA methods.
  • The enrollment process involves using the Microsoft Authenticator app and ensuring prerequisites like device compatibility and Bluetooth connectivity.
  • Admins can enforce authentication method policies and conditional access to control user access and enhance security.
  • User education, interface improvements, and conditional access play crucial roles in a successful transition to passkeys.

Timestamps:

(03:04) – Unlocking the Future of Passkeys and the Evolution of Authentication

(06:18) – Exploring the Security Benefits of Device-Bound and Syncable Passkeys

(14:54) – How to Prepare for Passkeys in Microsoft 365

(23:03) – Navigating the Rollout of Passkeys for Enhanced Security: Admins vs End Users

(29:03) – Maximizing Security with Passkeys, Conditional Access, and Authentication Policies

(33:01) – Unveiling the Convenience of Device-Bound Passkeys in Vasquez for Microsoft 365 

Episode Resources:

Previous episode on Passkeys

Blog post of Jan

Did the CSRB Force Microsoft’s Hand on Security?

Microsoft has recently been criticized for not prioritizing security enough. Following the CSRB’s report on the Storm-0558 attack, Microsoft announced that security is now its top priority, with a commitment to address security issues before new product innovations. In this podcast episode, Andy and Paul Schnackenburg discuss the blog post that analyzes the Secure Future Initiative and its advancements.

The conversation brings up the burning question: Was it the Cyber Safety Review Board (CSRB) that catalyzed Microsoft’s proactive stance on security?

Key takeaways:

  • Microsoft is taking proactive steps to address security vulnerabilities and enhance its security measures following recent incidents.
  • The focus on protecting identities, enforcing multi-factor authentication, and improving network segmentation is crucial for bolstering security.
  • Efforts to align security actions with recommendations from the CSRB demonstrate a commitment to addressing criticisms directly.

Timestamps:

(06:52) – Key Insights from Charlie Bell’s Blog Post Addressing Cyber Security Concerns

(11:22) – Enhancing Security Measures in Response to the CSRB’s Report

(21:22) – Top Security Practices for Protecting Tenants and Production Systems

(24:46) – Enhancing Cloud Security with Micro-Segmentation and Software Supply Chain Protection

(30:44) – Challenges and Considerations in Cloud Security Logging and Storage

(34:37) – Enhancing Cloud Security with Microsoft Sentinel and Vulnerability Reporting

(37:37) – Unveiling Common Vulnerabilities and the Importance of Secure Authentication in Cloud Environments

(42:34) – Analyzing Microsoft’s Response to a Security Incident

Episode Resources:

The Blog Post from Charlie Bell

EP39: Are Passkeys the Future of Authentication?

Subscribe to our new YouTube Channel for more

Microsoft’s SFI Expansion, UK’s New PSTI Law & Updates on Change Healthcare Attack

In this week’s episode, Andy and guest Eric Siron discuss the cybersecurity landscape based on data from the Monthly Threat Report for May 2024. They cover a range of news items, including Microsoft’s recent announcement to expand the Secure Future Initiative, the new PSTI (Product Security and Telecommunications Infrastructure) Act in the UK, and a significant brand impersonation campaign targeting the German financial entity Commerzbank. Additionally, they provide updates on the Change Healthcare ransomware attack.

Key takeaways:

  • Microsoft’s acknowledgement of its security issues is crucial for building customer trust.
  • The PSTI Act in the UK sets standards for consumer device security and compliance.
  • Payment of ransoms in ransomware attacks needs to be carefully evaluated.
  • Data breaches in healthcare can have widespread and long-term consequences for patients and organizations.

Timestamps:

(04:02) – Insights from the Latest Monthly Threat Report: Decrease in Email Threats, Top Targeted Industries, and Impersonated Brands

(14:02) – Breaking Bad Habits: QR Codes, OAuth, and User Training

(15:18) – Microsoft’s Security Issues and Response to the CSRB’s Criticism: Committed to Improving Security

(25:23) – New UK Law Mandates Security Standards for Consumer IoT Devices

(34:02) – Impact of the Ransomware Attack on Change Healthcare and the Dilemma of Paying the Ransom

Episode Resources:

Full Monthly Threat Report May 2024

Sharpen your Instincts with Security Awareness Training

A Breakdown of CSRB’s Findings on Microsoft Storm-0558 Breach (PART 2)

Today’s episode of the Security Swarm Podcast is a continuation of last week’s episode, in which Andy and Paul discussed the CSRB’s findings on Microsoft’s Storm-0558 breach. In this discussion, they continue picking apart the findings and providing their insights.

Episode Resources:

Cyber Safety Review Board Report

A Breakdown of CSRB’s Findings on Microsoft Storm-0558 Breach (PART 1)

In this episode of The Security Swarm Podcast, Andy and Paul discuss the Cyber Safety Review Board’s findings on the Microsoft Storm-0558 breach. During the episode, they talk about the implications of the breach and explore Microsoft’s security culture, stressing the need to prioritize robust security measures over rapid feature development.

Key Takeaways:

  • Microsoft’s security culture requires a significant overhaul to address existing vulnerabilities and prevent future breaches.
  • Transparency and accurate risk assessments are crucial in understanding and mitigating security threats in cloud environments.
  • Prioritizing security over rapid feature development is essential to prevent security risks and enhance overall product integrity.
  • Standardized audit logging practices should be a fundamental offering in cloud services to enable effective intrusion detection and investigation.

Timestamps:

(10:07) – Microsoft’s Security Culture: Past, Present, and Future

(15:45) – Uncovering Lack of Transparency and Accountability in Major Cloud Vendors

(20:09) – Microsoft’s Security Standards: A Critical Assessment and Call for Action

(28:53) – A Discussion on Cloud Audit Logging

Episode Resources:

Cyber Safety Review Board Report

Microsoft Trustworthy Computing Memo