The SysAdmin DOJO Podcast

In this eye-opening episode of the Security Swarm Podcast, host Andy Syrewicze and one of our regular guests, Eric Siron, examine the latest ransomware survey findings. They explore the evolving landscape of cyber threats, discussing key trends in ransomware attacks, including a decrease in overall incidents but an increase in the severity of successful breaches.  The conversation provides crucial insights for IT professionals and business leaders, highlighting the importance of user training, cybersecurity awareness, and strategic approaches to mitigating ransomware risks.  Do you want to join the conversation? Join us in our Security Lab LinkedIn Group! Key Takeaways:  Ransomware attacks decreased to 18.6% in 2024, continuing a downward trend. 16.3% of ransomware victims paid the ransom in 2024, a significant increase from 6.9% in 2023. 55.8% of ransomware attacks targeted small organizations with 50 or fewer employees. Over 52.3% of attacks were initiated through email/phishing attempts. 32.6% of ransomware victims were unsure if their data was exfiltrated. 81.3% of organizations provide end-user security awareness training. 54.6% of organizations have purchased ransomware-specific insurance. Threat actors are becoming more sophisticated in targeting and executing attacks. Living off the land attack techniques are increasingly common. Timestamps:  (01:15) History of Ransomware Attacks  (03:37) 2024 Ransomware Attack Statistics  (08:59) Double Extortion Tactics  (15:02) Target Selection and Organization Size  (29:52) Security Awareness Training Insights  (36:15) Ransomware Insurance Trends  (41:44) Disaster Recovery and Insurance Strategies  Episode Resources:  Hornetsecurity Q3 2024 Ransomware Attacks Survey What is ransomware? How can you protect against Ransomware?    --   Protect your organization from ransomware with Hornetsecurity's innovative Security Awareness Service - because your employees are your first line of defense!  Why Security Awareness Training is critical against ransomware:  52.3% of ransomware attacks are caused by email/phishing attempts  81.3% of organizations provide end-user security awareness training  Half of organizations want more time-friendly training methods  An effective security awareness training works best when it's bite-sized, consistent and a part of the organization's security culture. Click here to schedule a free consultation with a Hornetsecurity specialist.

In this episode of the Security Swarm Podcast, the dynamic duo Andy Syrewicze and Paul Schnackenburg discuss the software quality problem in the cybersecurity and technology industry, as highlighted by Jen Easterly, the director of CISA. They delve into the risks associated with software selection, the role of industry analysts, the importance of software stability and security over innovation, and the need for developers to focus on secure coding practices.  One area Andy and Paul focus on are the risks associated with software selection, highlighting the importance of evaluating factors such as the software's origin, reputation, and security features when making decisions. Andy and Paul also discuss the role of industry analysts like Gartner and Forrester, and how their focus on innovation and feature sets may not always align with the critical need for stability, security, and reliable support.  Do you want to join the conversation? Join us in our Security Lab LinkedIn Group! Key Takeaways:  The cybersecurity industry has a software quality problem, not just a security problem.  Selecting software requires careful risk assessment, considering factors like the software's origin, reputation, and security features.  Industry analysts often focus on innovation and features rather than software stability and security.  The technology industry should reward software that is stable, secure, and operates as intended, not just the latest innovative features.  Developers need to be trained in secure coding practices, as many graduates lack this knowledge.  Understanding how threat actors could exploit vulnerabilities is crucial for developers to write secure code.  The software landscape is constantly evolving, and the threat landscape is changing, requiring ongoing education and adaptation.  Supply chain risks, such as pre-installed malware on refurbished devices, highlight the need for comprehensive security measures.  Timestamps:  (06:04) Assessing Software Risks  (16:50) The Analyst Approach  (21:11) Rewarding Stability and Security  (27:16) Secure Coding Practices in Academia  (32:59) Developers Understanding Threat Actors  (34:33) Supply Chain Risks  (37:32) Valuing Stability and Security over Innovation Episode Resources:  Paul's Article   Andy and Eric's Episode on Vendor Risk   --   Proactively protect your organization's email from the growing threat of software vulnerabilities and malicious attacks. 365 Total Protection provides comprehensive security for Microsoft 365, safeguarding your business with advanced threat detection, spam filtering, and email encryption. Ensure your software is secure and your data is protected with Hornetsecurity's industry-leading 365 Total Protection.   Defend your organization against sophisticated cyber threats with Hornetsecurity's Advanced Threat Protection, powered by cutting-edge technology. Our advanced system analyzes email content and attachments to detect and block even the most evasive malware and phishing attempts. Stay one step ahead of threat actors and protect your business with Hornetsecurity's Advanced Threat Protection. 

In this episode, Andy and Paul, the dynamic duo of the Security Swarm Podcast, delve into the often-overlooked security of the Windows boot process, revealing how recent leaks have compromised its integrity.  Join Andy Syrewicze and Paul Schnackenburg as they break down how the boot process has evolved from the BIOS days to today's sophisticated UEFI system. They explore features like Trusted Boot and Secure Boot, which are designed to stop rootkits and other malware from hijacking the system.   But things aren't as secure as they seem. Recent leaks of platform keys, including the infamous "PKFail" incident, have exposed vulnerabilities that threaten the whole system. Listen on to discover how these vulnerabilities are being exploited by attackers, the potential risks they pose to your system, and what you can do to safeguard your devices.  Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!  Key Takeaways:  The Windows boot process is more complex than you think: It includes multiple phases, from basic hardware checks to kernel initialization and anti-malware checks, all before you even see the login screen.   Secure boot and measured boot aim to protect against rootkits and bootkits: These security features check for trusted components and fingerprint the boot process to detect unauthorized changes.   PKFail exposes a major vulnerability: A leaked test key used across 800 motherboard models allows attackers to bypass secure boot and load malicious software during the boot process as if it were legitimate.   Firmware vulnerabilities are widespread: The boot process isn't the only place where attackers can hide malware. Network cards, storage devices, and other components with firmware can also be compromised.   Rootkits and bootkits are persistent and difficult to remove: They can survive operating system reinstallation and are incredibly difficult to detect and remove, making them highly effective for attackers.   Updating firmware is crucial: You need to keep your firmware updated just like you update your operating system and software to protect yourself from vulnerabilities.   Beware of the dangers of compromised hardware: While less common than other attacks, these vulnerabilities should be addressed seriously. If you suspect a machine is infected, it's often best to discard it entirely.  Timestamps:  (01:27) Overview of Boot Process   (05:39) Breakdown of the Boot Process Steps   (08:44) Secure Boot and its Features   (12:13) The PKFail Leak: Leaked Platform Key Weakens Secure Boot   (17:18) Bootkits and Rootkits - The Types of Attacks   (22:41) Digital Supply Chain Issues and the Leaked Keys   (27:42) Mitigating PK Fail & Updating Firmware   (30:15) Balancing Risk Profile & Protecting Against Other Attacks   (31:39) Why Rootkits are a Major Persistence Threat  Episode Resources:  Github Repo of known compromised devices Ars Technica Article regarding UEFI Malware Intel Boot Guard News -- Hornetsecurity's Advanced Threat Protection (ATP) can help you stay ahead of these threats.  ATP provides:  Threat intelligence: Stay informed about emerging security threats like bootkit and rootkit vulnerabilities.   Advanced detection: Identify and block these highly sophisticated threats before they can compromise your systems.   Real-time protection: Prevent malicious code from executing, even at the boot level.  Don't wait for a breach! Contact Hornetsecurity today to learn how Advanced Threat Protection can help you secure your boot process and protect your organization from the most persistent malware threats. Click here to schedule a free consultation with a Hornetsecurity specialist. 

This episode of the Security Swarm Podcast dives deep into the psychological landscape of cybersecurity, exploring the driving forces behind different threat actors. Host Andy Syrewicze welcomes first-time guest Angelica Ortega, Founder & CEO of Novify and an active member of the cybersecurity community with a sharp focus on the psychology of cybercriminals.  Together, they unravel the motivations of nation-state actors, hacktivists, and cybercriminals, highlighting the role of narcissism, risk-taking behavior, and ideological beliefs. Angelica shares personal experiences with pig butchering, a devastating form of romance scam, and discusses the emotional toll it took on a friend.   The episode also delves into the mental health challenges facing cybersecurity professionals, including burnout and the need for psychological safety in teams. Through insightful discussions and personal anecdotes, Andy and Angelica emphasize the importance of understanding and addressing the human element in cybersecurity, both on the defensive and offensive sides.   This episode sheds light on the often-overlooked psychological dimensions of cybercrime and cybersecurity, urging listeners to consider the human impact of these activities and the need for greater awareness and support for both professionals and victims.   Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!  Key Takeaways:  Threat actors can be categorized into three main groups: nation-state actors, hacktivists, and cybercriminals, each with distinct psychological motivations.   Narcissism and risk-taking behavior are common traits observed in cybercriminals, while hacktivists are driven by ideological beliefs, and nation-state actors are motivated by political goals.  Cybersecurity professionals, particularly blue teams and ethical hackers can also exhibit narcissistic tendencies due to the psychological stress and pressure of their roles.  The rise of cryptocurrency has enabled cybercriminals to more easily obfuscate illicit payments and profits, further fueling their motivations.   Romance scams and "pig butchering" schemes, where threat actors slowly gain the trust of victims over time, can have devastating psychological and financial consequences for the victims.   Educating the public, especially vulnerable groups like the young and elderly, and providing psychological support for victims of cybercrime are crucial in addressing the psychological aspects of cybersecurity.   The fear of missing out (FOMO) can be a powerful motivator for individuals to engage in risky or unwise financial decisions, which threat actors often exploit, particularly in the cryptocurrency space.   Timestamps:  (04:19) Categorization of threat actors   (07:17) Psychological traits of different threat actor groups   (09:50) Narcissism in cybersecurity professionals   (18:22) Impact of cryptocurrency on cybercrime   (25:16) Romance scams and "pig butchering" schemes   (31:36) Educating the public and providing psychological support for victims   (35:44) The role of FOMO in enabling cybercrime  Episode Resources:  Old Hornetsecurity Roundtable with some Psychology discssions -- Your organization is vulnerable to more than just technical exploits. Hackers target the human element, leveraging emotions like fear, greed, and trust to gain access and compromise systems. Learn how to protect your employees and organization with Hornetsecurity's Security Awareness Service. Hornetsecurity's Security Awareness Service empowers your employees to be your first line of defense against sophisticated attacks.   Don't wait until you've been a victim of a psychological attack. Schedule a demo today to learn about our comprehensive security solutions and protect your organization from the inside out. 

In this episode of the Security Swarm Podcast, the host Andy Syrewicze and the guest Philip Galea discuss the security implications of Microsoft's AI assistant Copilot, which is integrated into the Microsoft 365 suite. They explore how Copilot's ability to surface information from an organization's Microsoft 365 data can create significant security risks, especially for companies that lack the operational maturity to properly manage permissions and access controls.  The discussion also covers Microsoft's reactive approach to security in some of its products, where default settings are often not secure enough, and the company is slow to address these issues. The host and the guest emphasize the need for organizations to take a proactive approach to security, continuously reviewing and updating their security posture to mitigate the risks posed by Copilot and other Microsoft 365 features.   The episode also introduces Hornetsecurity's Tenant Manager tool, which aims to help organizations better manage and enforce their Microsoft 365 security settings, providing a centralized and automated way to ensure that their environments are configured according to best practices.   Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!  Key Takeaways:  Copilot makes it easy for nosy or malicious insiders to quickly surface sensitive information that they may not have proper access to.   Copilot could be abused by threat actors who compromise a user account with an active Copilot license, allowing them to easily gather intelligence and move laterally within the organization.   Microsoft's default security settings and permissions in Microsoft 365 are often too open, creating challenges for organizations to properly secure their data.   Jailbreaking Copilot to bypass its security restrictions is an ongoing concern, as it could allow users to access restricted information.   Solutions like sensitivity labels and disabling search on sensitive SharePoint sites have significant drawbacks and may not be practical for many organizations.   Tools like Hornetsecurity's Permission Manager and Tenant Manager can help organizations better manage and enforce security policies across Microsoft 365.   Continuous security awareness and training for employees is crucial to mitigate the risks posed by Copilot and other AI-powered tools.  Timestamps:  (04:37) Challenges with managing permissions and sharing in Microsoft 365   (11:20) Microsoft's history of security-related missteps and reactive responses   (16:17) Attempts to jailbreak Copilot and bypass its security restrictions   (21:08) Insider threat scenarios enabled by Copilot's data surfacing capabilities   (23:40) Threat actor scenarios and the potential impact of a compromised Copilot-enabled account   (34:16) Hornetsecurity's 365 Permission Manager and 365 Multi-Tenant Manager for MSPs solutions to help manage Microsoft 365 security. Episode Resources:  Andy and Phil's first Episode on Sharepoint Permissions 365 Multi-Tenant Manager --  As an MSP, managing security and compliance policies across multiple Microsoft 365 tenants can be a complex and time-consuming task. The new 365 Multi-Tenant Manager for MSPs from Hornetsecurity provides a centralized solution to easily configure, enforce and monitor security settings across all your clients' environments.   With 365 Multi-Tenant Manager, you can:   Quickly create and apply security baseline policies to new and existing tenants   Automatically remediate configuration drift to ensure continuous compliance   Monitor policy adherence and receive alerts on risky changes   Streamline Microsoft 365 administration and reduce your clients' security risks   Stop juggling multiple portals and start taking control of your clients' Microsoft 365 security. Try the 365 Multi-Tenant Manager for MSPs today and simplify your Microsoft 365 management. Schedule your demo today and learn more.  --  Streamline your Microsoft 365 security with 365 Permission Manager - the tool that provides visibility, control, and automated remediation of SharePoint, OneDrive, and Teams permissions. Take back control of your data and protect against insider threats and external breaches. 

In this episode of the Security Swarm Podcast, our host Andy Syrewicze and one of our regular guests, Eric Siron discuss the latest quarterly threat report from Hornetsecurity. They dive into data points such as the breakdown of email threats, most common malicious file types, targeted industry verticals, and brand impersonations.  The conversation also covers recent security news, including Microsoft's efforts to address the aftermath of the CrowdStrike incident and a high-severity vulnerability in the Linux CUPS system. The hosts provide valuable insights and analysis, highlighting trends in the threat landscape and the evolving tactics of cybercriminals.  Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!  Key Takeaways:  Quarterly threat report data shows an increase in email threats in Q3 compared to Q2, driven by the ending of the summer vacation months.  PDF, archive, and HTML files remain the top malicious file types used by threat actors.  Microsoft is exploring ways to reduce security vendors' kernel-mode access after the Crowdstrike incident.  NIST has updated password guidelines, including recommendations to remove password composition rules and avoid forced password rotations.  A high-severity vulnerability in the Linux CUPS system allows remote code execution, highlighting the need to secure critical services.  The importance of securing the digital supply chain and the risks of supply chain attacks.  The challenges of convincing users to adopt secure practices, such as using password managers.  Timestamps:  (03:33) Breakdown of email threats by category  (06:58) Most common malicious file types  (11:46) Targeted industry verticals  (19:52) Impersonated brands  (22:33) Discussion of Microsoft's efforts after the Crowdstrike incident  (37:19) NIST's updated password guidelines.  Episode Resources:  Hornetsecurity Monthly Threat Reports can be found here -- Protect Your Business from Advanced Threats! Ensure your organization is safeguarded against sophisticated attacks by leveraging Hornetsecurity's Advanced Threat Protection (ATP). Stay secure and informed—discover more here! 

In this episode of the Security Swarm Podcast, host Andy Syrewicze and guest Michael Posey discuss the new password guidelines and recommendations released by NIST (National Institute of Standards and Technology). They cover a range of topics related to password security, including the importance of password length over complexity, the move away from composition rules and periodic password changes, the risks associated with knowledge-based authentication, the concept of password entropy, and more!   Throughout the conversation, Andy and Michael draw on their extensive experience in the cybersecurity field to offer practical advice and perspectives on the changing landscape of password security.   Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!  Key Takeaways:  NIST recommends a minimum password length of 8 characters, with a suggested length of 15 characters or more.   NIST has recommended removal of the requirement for password composition rules, such as the need for special characters, numbers, and uppercase letters.   NIST states that password providers SHALL NOT require periodic password changes unless there is evidence of a breach, as this can lead to users creating predictable password patterns.   The use of ASCII and Unicode characters is now encouraged, allowing for more diverse and random password options.   Password entropy (randomness) is more important than password complexity, as modern computing power can quickly crack simple but complex-looking passwords.   For mission-critical systems, organizations may still choose to implement more rigorous password policies, even if they deviate from the NIST recommendations.   The industry is exploring new hashing methods and technologies, such as passkeys, to address the challenges posed by GPU-based brute-force attacks.  Timestamps:  (07:40) Credential Service Provider (CSP) Requirements and Recommendations   (10:02) Removing Password Composition Rules   (14:21) Ending Periodic Password Changes   (19:48) The Importance of Password Entropy and Length   (28:30) Phasing Out Knowledge-Based Authentication   (30:30) The Impact of Password Length on Cracking Time  Episode Resources:  NIST Publication 800-63B -- To enhance your organization's security posture, consider implementing Hornetsecurity's Advanced Threat Protection. This solution provides AI-powered defense against sophisticated attacks, ensuring your emails and data remain secure. By adopting best practices in password management and utilizing advanced security features, you can significantly reduce the risk of breaches. Protect your business today and stay one step ahead of cyber threats. Learn more about Advanced Threat Protection here. 

In this episode of the Security Swarm Podcast, host Andy Syrewicze and guest Romain Basset dive into the top spear phishing methods used in both the enterprise space and across all businesses, based on internal research conducted by Hornetsecurity. The conversation covers spear phishing techniques, including initial contact, tax/W2, C-suite/CEO, lawyer, banking, and gift card fraud. They analyze the differences in the prevalence of these methods between enterprises and smaller businesses and provide insights on how organizations can combat these threats through training and robust processes.   Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!  Key Takeaways:  Spear phishing attacks have evolved from obvious wire transfer requests to more subtle techniques like initial contact fraud, where threat actors establish a relationship to build credibility.  Tax fraud and W-2 phishing remain prevalent, especially around tax season, as attackers try to obtain personal information like Social Security numbers.  C-suite fraud, where attackers impersonate executives, continues to be a major threat, highlighting the importance of robust processes to verify requests.  Lawyer fraud, targeting enterprises more than smaller businesses, leverages the credibility of legal communications to extort money or gather information.  Gift card fraud has emerged as the top spear phishing attack across enterprises and smaller businesses, as it is less likely to raise red flags than larger financial transactions.  Adaptability and creativity of threat actors are key factors, as they continuously evolve their techniques to bypass security measures and user awareness.  Timestamps:  (03:26) Discussion on initial contact fraud  (07:12) Exploration of tax fraud and W-2 phishing  (13:35) Examination of C-suite fraud and the importance of processes  (19:25) Lawyer Fraud and Enterprise vs. SMB Differences  (23:47) Banking Fraud and Processes   (26:39) Gift Card Fraud  Episode Resources:  Security Lab LinkedIn Group What is a Spear Phishing attack? The Top 5 Spear Phishing Examples and Their Psychological Triggers -- Hornetsecurity's Phishing Simulation, as part of its Security Awareness Service, is invaluable for organizations looking to protect themselves from the evolving spear phishing threats discussed in this episode. This solution provides realistic phishing simulations and comprehensive security awareness training, enabling employees to recognize and respond effectively to spear phishing attempts. By fostering a culture of security awareness, SAS is crucial for businesses aiming to strengthen their overall security posture and mitigate the risk of successful phishing attacks.

In this episode of the Security Swarm Podcast, host Andy Syrewicze and guest Eric Siron provide a comprehensive monthly threat review. They cover several major cybersecurity incidents and trends from the past month, including:  The massive data breach at data broker National Public Data exposed over 2.9 billion personal information records. They discuss the risks of this breach, such as increased targeted phishing and social engineering attacks.  A joint government agency warning about the Ransom Hub ransomware has impacted over 200 victims since February 2022, including critical infrastructure and high-profile organizations.  A case study of an IT administrator who held his employer's systems for ransom by deploying logic bombs, highlighting the risks of insider threats even within trusted IT teams.  They also touch on the topics of vendor risk management and the history of election tampering and provide recommendations for organizations to mitigate these threats. In conclusion, EP62 provides valuable insights into the ever-changing cybersecurity landscape and offers practical advice for security professionals. -- Secure your organization against the evolving threat landscape! Discover how Hornetsecurity's Advanced Threat Protection, Security Awareness Service, and 365 Total Protection can safeguard your business from data breaches, insider threats, and more. Learn more and protect your organization today! -- Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!  Key Takeaways:  The National Public Data breach exposed a vast amount of personal information, including names, email addresses, phone numbers, Social Security numbers, and more. This creates risks of more targeted phishing and social engineering attacks.  The continued use of easily abused identification methods like Social Security numbers underscores the urgent need to explore more secure alternatives, such as cryptographic key pairs. This is crucial in reducing the risks of identity theft.  Insider threats from trusted IT staff members can pose a significant risk, as evidenced by the case of an IT admin holding their employer's systems for ransom. Implementing practices like just-in-time administration and least-privilege access is crucial to mitigate these potentially devastating threats.  Overreliance on cloud-based services and a single vendor for critical business functions can lead to vendor risk and single points of failure.  Election security remains a significant concern, with the threat of interference and disinformation campaigns continuing. Ensuring robust cybersecurity measures at the state and local levels is crucial for protecting the integrity of elections.  Timestamps:  (03:17) The National Public Data Breach  (12:21) The Issues with Social Security Numbers  (18:02) The Danger of Insider Threats  (27:10) The Risks of Vendor Dependence  (34:12) Recommendations for Protecting Against Threats  Episode Resources:  Security Lab LinkedIn Group - Security Lab LinkedIn Group  September Monthly Threat Report - In-depth analyses from Hornetsecurity's Security Lab  Joint Government Agency Announcement on RansomHub - #StopRansomware: RansomHub Ransomware | CISA  Security Swarm Passkeys Episode - Passkeys in Microsoft Entra: Benefits, Implementation Tips & More (hornetsecurity.com)  Security Swarm Election Tampering Episode - How Threat Actors Tamper with Elections (hornetsecurity.com) 

In this episode of the Security Swarm Podcast, host Andy Syrewicze and our regular guest, Paul Schnackenburg, provide a comprehensive overview of the Microsoft Defender ecosystem. They cover the various Defender products, including:  Defender for Endpoint - Microsoft's enterprise endpoint security solution with different licensing tiers  Defender for Identity - Cloud-based threat detection for on-premises Active Directory  Defender Vulnerability Management - Inventory and risk assessment of software on endpoints  Defender for IoT - Security for Internet of Things and operational technology environments  Defender for Cloud - Cloud security for Azure, AWS, and GCP resources  And Others!  They also discuss the "Defender adjacent" services like Microsoft Entra (identity), Microsoft Purview (data security/governance), and Microsoft Defender for Cloud Apps (CASB).  A key focus of the discussion is the complexity and management challenges that come with this expansive Defender suite. The host and the guest note the large number of different management portals, the difficulty of adequately configuring and leveraging all the features, and the need for dedicated security teams to utilize these enterprise-grade tools fully.   Further down the line, Andy and Paul explore the significant value that third-party security solutions can provide in augmenting or simplifying the M365 security experience. They highlight how third-party tools can offer easier deployment, management, and specialized capabilities that may be outside the core focus of the broader Defender ecosystem, thereby enhancing the overall security posture of an organization.   Overall, this episode takes a deep dive into the Microsoft Defender landscape, exploring the pros and cons of the comprehensive suite and offering insights on how organizations can optimize their security with a mix of Microsoft and third-party solutions.  CTA: Overwhelmed by the complexity of the Microsoft Defender ecosystem? Simplify your Microsoft 365 security, risk management, governance, compliance, and backup with 365 Total Protection by Hornetsecurity.  Key Takeaways:  The Microsoft Defender ecosystem has grown significantly beyond the basic antivirus/anti-malware solution, now encompassing a wide range of security products and services across endpoints, cloud, identity, and more.  Navigating the Defender suite can be challenging due to the sheer number of products, overlapping features, and disparate management portals, especially for smaller organizations without dedicated security teams.  Licensing for Defender products can be complex, with different SKUs (P1, P2, Business Premium, E3, E5) offering varying levels of functionality and requiring careful evaluation to ensure the right fit.  Third-party security solutions can provide value by offering simplified management, enhanced detection capabilities, and avoiding over-dependence on a single vendor (Microsoft) for an organization's security needs.  Proper configuration and ongoing optimization of Defender tools is difficult and time consuming, leaving the full potential of the suite to enterprises with dedicated security teams.  Microsoft Defender XDR (Extended Detection and Response) aims to integrate Defender products into a more cohesive security platform. Still, it requires significant resources and expertise to implement effectively.  Timestamps:  (02:00) Overview of the Microsoft Defender ecosystem  (07:00) Differences between Microsoft Defender for Endpoint P1, P2, and Business Premium  (13:00) Explanation of Microsoft Defender for Identity and its on-premises vs cloud components  (19:00) Discussion of Microsoft Defender Vulnerability Management and its challenges for small/medium businesses  (32:00) Value that third-party security solutions can provide compared to the Microsoft Defender suite  Episode Resources:  Security Swarm Episode on M365 Security Licensing

In this episode of the Security Swarm Podcast, host Andy and his guest Michael Posey discuss the email authentication protocols of SPF, DKIM, and DMARC. They explain what these protocols are, how they work, and why they are important for protecting against email spoofing and impersonation attacks.  Michael shares his insights from working with MSPs and the channel, noting that while these protocols are not overly complex, they are often overlooked or misunderstood by IT professionals. The hosts dive into the specifics of each protocol - SPF defines which mail servers are allowed to send email for a domain, DKIM adds a cryptographic signature to validate the message's origin and integrity, and DMARC ties the two together to specify how receivers should handle authentication failures.  The discussion covers the benefits of these protocols in improving email security and reputation, as well as the importance of adopting them industry-wide to reduce impersonation tactics used by threat actors. The hosts also touch on the history of cryptography and the need to layer security controls rather than relying on any single solution. Overall, this episode provides a comprehensive overview of these essential email authentication standards.  Key Takeaways:  SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. This helps prevent domain spoofing. DKIM Uses cryptographic digital signatures to verify that an email message was sent by the owner of a given domain and has not been tampered with in transit. This adds an extra layer of authentication.  DMARC Brings SPF and DKIM together, allowing domain owners to specify how the receiving mail server should handle messages that fail authentication checks (e.g. quarantine, reject). This provides a standardized policy for handling unauthenticated emails.  The adoption of these email authentication protocols is increasing, with SPF now used by over 90% of domains. As more organizations implement these standards, it becomes harder for threat actors to successfully impersonate domains through email.  While these protocols are valuable tools, they should not be relied upon as the sole security measure. They are one layer in a comprehensive email security strategy that also includes user education, spam filtering, and other security controls.  Timestamps:  (05:50) SPF (Sender Policy Framework)  (11:23) DKIM (DomainKeys Identified Mail)  (16:11) How DMARC brings SPF and DKIM together  (21:32) Key Protocols for Security and Compliance  (24:11) Defense in Depth  Episode Resources:  DMARC Pro Tips What is SPF?  What is DKIM?

In this episode of the Security Swarm Podcast, host Andy and his regular guest, Eric, talk about the worst workplace security practices they've seen. From weak password policies to unsecured devices and poor data management, they share real-life stories and insights that will make you cringe - and hopefully inspire you to tighten up your organization's security posture. They also discuss the importance of employee security training, the challenges of software patching, and the dangers of "security by personality" - when people make decisions based on gut feelings rather than data. It's a candid, sometimes humorous look at the security nightmares that keep IT pros up at night. Whether you're an infosec professional or just someone who wants to keep your company's data safe, this episode is packed with valuable lessons. Grab a pen and paper - you'll want to take notes on what not to do when it comes to workplace cybersecurity. Key Takeaways: Weak password policies can lead to poor password hygiene, like using predictable patterns or writing down passwords. However, the risk profile should be considered - what may be a security risk for one organization may not be for another. Effective employee security training is crucial, but it needs to be the right amount - too little leaves employees vulnerable, while too much can lead to disengagement. Training should cover both technical security concepts and social engineering awareness. Unsecured devices, especially mobile ones, can create significant security risks through shadow IT and data exposure. Proper device management policies and user education are needed to mitigate these threats. While ignoring software updates is a common security pitfall, the underlying issue is often that patching infrastructure and processes are not well-developed. Vendors need to improve the tools and experience around keeping systems up-to-date. Timestamps: (00:00) Welcome to the Security Swarm Podcast (03:19) Exploring Weak Password Policies (11:26) The Importance of Employee Security Training (19:16) Unsecured Devices: A Dangerous Vulnerability (27:34) Mismanaging Data: Risky Business (37:40) The Perils of Ignoring Software Updates (45:30) Security Decisions Driven by Personality, Not Data Episode Resources: Password Verifiers Security Risks of Always on Remote Access GM shared our driving data with insurers without consent, lawsuit claims

In this episode of the Security Swarm Podcast, host Andy is joined by Umut Alemdar, Head of Security Lab at Hornetsecurity, to explore the escalating threat of election interference by cyber threat actors across the globe. They talk about motivations driving these actors and the various tactics used to infiltrate political parties, target election equipment, and spread misinformation, including the use of deepfakes.   The episode also revisits significant cases of election meddling, from the 2015 German Bundestag hack to the 2020 Iranian hack of U.S. city election websites, highlighting the ongoing risks. Andy and Umut conclude with strategies to combat these threats, emphasizing the importance of policy changes, enhanced public communication, and rigorous cybersecurity training for election officials.  Key Takeaways:  Threat actors use various tactics to meddle in elections, including infiltrating political parties, targeting election equipment, and spreading misinformation/disinformation to sow chaos and mistrust in the democratic process. These attacks have led to significant data breaches, leaks of sensitive information, and an erosion of public trust in the integrity of elections.  Timestamps:  (01:00) Introduction and Categorizing Threat Actors  (08:00) Infiltrating Political Parties and Targeting Election Equipment  (09:44) Consequences of Spreading Misinformation   (14:00) Past Attacks: Germany, France, and Ukraine  (21:32) US-Based Attacks: 2016 Presidential Election and Breaching City Websites    (28:30) What Can Be Done? Policies, Communication, and Monitoring  Episode Resources:  EU Sanctions Russian Hackers for German Bundestag Hack  Webinar containing deep fake materials   Washington Post Article about Local Election Website Hacks 

In today's episode of the Security Swarm Podcast, Andy and Eric Siron discuss the Monthly Threat Report of August 2024. They cover the aftermath of the CrowdStrike incident, Microsoft's proposed enhancements to improve the security of their ecosystem, as well as the discovery of a vulnerability in AMD processors that could allow persistent malware.  Additionally, they discuss the emergence of new AI jailbreak attacks, which can bypass content restrictions and generate harmful outputs and a VMware ESXi vulnerability that could allow attackers to gain access to virtual machines.  Key Takeaways:  The CrowdStrike incident highlights the need for rigorous software testing. Microsoft is moving forward with some changes and guidance on kernel access as a direct response to the CrowdStrike incident. Researchers have discovered a vulnerability in AMD processors that could allow threat actors to embed persistent malware, underscoring the ongoing battle against advanced threats. The Olympic Games have been the target of dozens of foiled cyberattacks, demonstrating the high-stakes nature of nation-state cyber conflicts. There is a new critical vulnerability in the VMware ESXi Hypervisor that allows authentication bypass. Broadcom has released a patch  Timestamps:  (01:00) CrowdStrike Incident and Lessons Learned   (04:14) Importance of Proper Software Testing and Development Processes  (7:21) Potential Consequences of Rushed Software Updates   (28:18) AI Jailbreak Attacks and Generative AI Risks   (33:43) VMware ESXi Vulnerability and Potential Ransomware Implications   (37:53) Bumblebee Loader and the Threat of Rapid Active Directory Compromise   (39:41) HealthEquity Data Breach and the Normalization of PII Breaches   (40:17) Anonymous Sudan and Their Disruptive DDOS Attacks  (41:54) Cyber Attacks on the Olympic Games and the Role of Nation-State Actors   Episode Resources: Full Monthly Threat Report Podcast episode on Anonymous Sudan AMD CPU Vulnerability Info Webinar where Andy covers the ways threat actors use Generative AI  VMware ESXi Authentication Bypass Exploit Security Swarm Podcast re: threat actor attacks on the Olympic Games

This episode of the Security Swarm podcast features guest Eric Siron, a Microsoft MVP in cloud and data center management. Eric works primarily with healthcare organizations and small-to-medium businesses, helping them navigate security and IT challenges. The episode focuses on the important topic of vetting and selecting third-party software vendors.   Andy and Eric discuss the recent CrowdStrike incident that caused major disruptions for many businesses. They use this as a case study to explore best practices for evaluating vendors, including assessing their security track record, testing their solutions thoroughly, understanding their update and patch management processes, and having contingency plans in place in case of vendor failures.  Key takeaways:  Thoroughly vet third-party vendors before choosing them, looking at factors like their security track record, update/patch processes, and internal testing procedures.  When evaluating vendors, focus not just on features and capabilities, but also on their stability as a company, their customer base, and their ability to handle issues and outages.   Develop contingency plans and mitigation strategies for when a critical third-party vendor experiences issues or outages.   Assume that failures will happen, and be prepared for them.   Timestamps:  (02:20) - CrowdStrike Incident  (04:17) - Vetting Third-Party Vendors  (11:42) - Compliance and Industry-Specific Considerations  (13:46) - Detailed Testing of Solutions  (19:26) - Common Problems with Third-Party Vendors  (22:40) - The CrowdStrike Incident and Vendor Processes  (29:10) - Mitigation Strategies 

Romain Basset is back for another podcast episode. Today, Andy and Romain discuss the notorious threat actor group, Anonymous Sudan. They explore who this group is, their affiliations, motivations, and the tactics, techniques, and procedures (TTPs) they employ.   The discussion includes an overview of various types of threat actor groups, situating Anonymous Sudan within this landscape, and providing a detailed background on the group's emergence, targets, and the significant impact of their attacks.  Key Takeaways:  Anonymous Sudan is a threat actor group that sits between being an activist group and a state-sponsored cyber-criminal group.    The group is known for highly disruptive and visible DDoS attacks, often targeting large organizations and infrastructure like Microsoft's Azure, OneDrive, and Outlook.com.  Anonymous Sudan utilizes a variety of DDoS techniques and tools, including HTTP floods, SYN floods, UDP floods, and ICMP floods, often coordinating with other botnets to amplify the impact. Anonymous Sudan's tactics appear focused on disruption and visibility, aiming to make a public impact and spread their political/religious messaging.    Timestamps:  (02:43) - Categories of Threat Actor Groups  (05:44) - Ties Between Anonymous Sudan and Russia  (10:59) - Tools Used by Anonymous Sudan  (15:47) - Techniques and Procedures of Anonymous Sudan  (24:08) - Typical DDoS Attack Procedure  Episode Resources:  Next-gen Microsoft Security and Compliance Management to meet your Requirements  

In this episode, host Andy is joined by Paul to provide a comprehensive overview of confidential computing - what it is, why it's important, and how it's being implemented in cloud platforms like Microsoft Azure.   Key Takeaways:  Confidential computing aims to protect data while it is being processed by the CPU or stored in memory, supplementing traditional protections like encryption of data at rest and in transit. Confidential computing can enable use cases like confidential AI model training, secure multi-party data sharing, protecting sensitive data in cloud VMs, and securing blockchain/distributed ledger systems. Establishing a root of trust from the hardware up through the software stack is critical for confidential computing.    Timestamps:  (03:00) The Need for Confidential Computing  (06:28) How Confidential Computing Works  (14:38) Trusted Execution Environments and Trusted Computing Base   (21:47) Confidential Computing in Azure and Beyond   (27:58) Confidential Computing in Apple's AI   Episode Resources: The Confidential Computing Consortium NVIDA Confidential Computing Apple's Article Watch: BlueHat IL 2024 - Ben Hania, Yair Netzer - Compromising confidential VMs and then fixing it

In this episode, Andy sits down once again with Paul to continue their conversation about Microsoft's struggles with security. The episode focuses on a recent report from ProPublica about a Microsoft whistleblower named Andrew Harris. The report alleges that Microsoft was aware of a serious vulnerability in its on-premises Active Directory Federation Services (ADFS) software that could have enabled the SolarWinds supply chain attack, but chose not to fix it or disclose it to customers.  Andy and Paul discuss how Microsoft's focus on new features and cloud growth over security, as well as the desire to win lucrative government contracts, may have contributed to this decision. They also touch on the challenges faced by Microsoft's security response team and the broader issue of security being seen as a cost center rather than a profit driver.    Key Takeaways:  Microsoft ignored a serious ADFS vulnerability that could have enabled widespread attacks. Security is often viewed as a cost center at Microsoft, rather than a profit driver. This mindset led to the ADFS vulnerability being ignored, as fixing it was not seen as a priority compared to delivering new features and products. Microsoft was criticized for not being transparent about the ADFS vulnerability and not giving customers the option to implement mitigations, even if it meant sacrificing some functionality. The ADFS incident is symptomatic of broader security culture problems at Microsoft, where security is not always prioritized, and technical debt or legacy systems are not adequately addressed.  Timestamps:  (02:22) - Explaining the Whistleblower's Allegations and the SolarWinds Attack  (07:32) - Vulnerability in ADFS and Microsoft's "Security Boundaries" Argument  (13:06) - Why Was the Issue Swept Under the Rug?  (19:16) - The Challenges Faced by the Microsoft Security Response Center (MSRC)  (26:24) - Satya Nadella's Comments on Prioritizing Security over New Features  (27:38) - The Controversy Around the "Recall" Feature in Windows 11  Episode Resources:  ProPublica Article

In this episode of the Security Swarm podcast, host Andy is joined by Romain Basset from Hornetsecurity to discuss the cybersecurity implications of the upcoming 2024 Olympic Games in Paris, France. The conversation explores how the geopolitical landscape, with ongoing global tensions and conflicts, creates a high-profile stage that threat actors may target for hacktivism, financial gain, or destabilization.  Throughout the episode, they highlight the increased risks leading up to the 2024 Games, noting that French infrastructure has already been targeted by various threat actor groups, including DDoS attacks. They discuss the blurring lines between cybercrime and geopolitical threats, with many threat actors now engaging in both financially and politically motivated attacks.  Key takeaways:  The Olympics are a prime target for cyber-attacks due to the global attention and geopolitical tensions surrounding the event. Past Olympic games have seen a variety of cyber-attacks, including distributed denial-of-service (DDoS) attacks, malware, and false flag operations to mislead attribution.  Cyber-attacks targeting the Olympics can have far-reaching consequences, including international chaos, disinformation campaigns, and real-world impacts on businesses and infrastructure.   While the threat landscape is complex, the best defense is to focus on cybersecurity basics like user training, multi-factor authentication, and regular backups - rather than getting distracted by the latest "shiny object" threat.   Timestamps:  (01:15) - Why Cybersecurity is Important for the Olympics   (02:25) - Geopolitical Tensions and Threat Actors   (04:31) - Potential Cyber Attacks - Scams, Extortion, Disinformation   (06:50) - The 2018 Pyeongchang Olympics Cyber Attack   (12:48) - False Flags and Attribution Challenges   (16:05) - Overlap Between Cybercrime and Geopolitical Destabilization   (19:13) - Real-World Impacts of Geopolitical Cyber Tensions   (23:08) - Cybersecurity Best Practices and Advice  Episode Resources: Read our blog about Russia's notorious history of attacking the Olympics Protect your business before it's too late with 365 Total Protection Train your users to spot phishing emails during the Olympics with Security Awareness Service

For our 50th episode of the Security Swarm Podcast, Andy and Eric Siron look back at the last 49 episodes of the show. They go through some core security topics and discuss whether they're still relevant, how they've changed in comparison to the evolving threat landscape and provide updates on some of the major stories discussed.  This is part 2 of a 2-part episode. 

For our 50th episode of the Security Swarm Podcast, Andy and Eric Siron look back at the last 49 episodes of the show. They go through some core security topics and discuss whether they're still relevant, how they've changed in comparison to the evolving threat landscape and provide updates on some of the major stories discussed.  This is part 1 of a 2-part episode, with part 2 coming next week.  Key Takeaways: AI-powered tools are a double-edged sword, capable of both beneficial and malicious applications.  Botnets and malware continue to be a persistent threat, as attackers adapt and find new ways to circumvent disruptions.  Email-based social engineering remains a significant vulnerability, as human nature makes it a difficult problem to solve.  Immutability and backups are critical for protecting against ransomware and data loss.  Securing cloud-based platforms like Microsoft 365 requires a nuanced approach, as the responsibility is shared between the provider and the customer.  Security awareness training can be challenging to implement effectively, requiring a balance between engagement and cost.  Navigating the relationship between IT administrators and CISOs is crucial for effective security management.  Timestamps: (00:31) Using ChatGPT to create ransomware - still a relevant and evolving topic  (02:22) How tech pros should handle security news and zero-days  (09:09) The re-emergence of Emotet and the challenges of disrupting botnets  (12:04) The persistent problem of social engineering and email attacks  (13:25) The importance of immutability and backups against ransomware  (16:29) The security of Microsoft 365  (19:35) Deep dive on the QuickBot malware  (20:20) The necessity of advanced threat protection (ATP)  (22:58) Guidance on effective security awareness training  (25:41) Tips for IT admins on working with CISOs  (26:07) Microsoft's throttling of legacy on-premises Exchange servers  (28:11) Discussing Episodes 12 and 13, recorded live at InfoSecurity Europe, on compliance and security horror stories   

In this episode of the Security Swarm Podcast, host Andy is joined by Romain Basset, the Director of Technology Strategy at Hornetsecurity. They're exploring the topic of Open-Source Intelligence (OSINT) - what it is, how threat actors use it to launch effective attacks, and the dangers it poses.   Throughout the episode, they discuss the ease with which OSINT can gather information using AI and other tools and provide examples of how it can be used in phishing, business email compromise, and even deep fake attacks. The conversation also touches on the importance of privacy awareness and security awareness training to mitigate these threats.  Key Takeaways:  OSINT refers to publicly available information that threat actors can easily gather to launch targeted attacks. This includes social media profiles, online forums, data breach databases, and more.    Threat actors are using OSINT to not only target individuals, but also find vulnerabilities in organizations' web-facing software and infrastructure.    Combating OSINT-powered attacks requires a multi-pronged approach of improving privacy awareness and implementing robust security awareness training programs.  Timestamps:  (02:24) - Definition of OSINT  (07:17) - How AI makes OSINT-powered attacks easier  (15:22) - Using OSINT to target organizations  (25:35) - Mitigating OSINT-powered attacks  Episode Resources: Train your users with a personalised Security Awareness Service Business Email Compromise: The $43 Billion Scam  

In this episode of the Security Swarm Podcast, host Andy and recurring guest, Paul, talk about the challenges and opportunities organizations face amidst the Broadcom acquisition of VMware. They discuss the steep price hikes for VMware licenses and the security vulnerabilities recently discovered in VMware products.   This acquisition has prompted many businesses to consider alternative solutions, and the episode provides a comprehensive overview of the available options within the Microsoft ecosystem. They cover a range of migration strategies, including moving to the Microsoft ecosystem through Azure, Azure Stack HCI, and on-premises Hyper-V solutions.  Andy and Paul offer valuable insights into ensuring a secure and seamless transition away from VMware, making this episode essential listening for IT professionals navigating these significant changes.  Key takeaways: Broadcom's Acquisition of VMware is Causing Major Disruption due to massive license cost increases of 300-500% for many organizations.  Microsoft Hyper-V is a Viable Alternative to VMware. It offers a mature, enterprise-ready hypervisor that can be a cost-effective replacement for VMware.  Azure Stack HCI Provides an On-Premises VMware Alternative. It provides a hyperconverged infrastructure solution with Hyper-V at the core, along with integration to Azure services for management and modernization.  Security pitfalls can arise when organizations rush to migrate away from VMware due to the Broadcom situation. Proper planning, understanding the security posture of the new platform, and ensuring critical configurations like backup are in place are essential to mitigate risks.  Timestamps: (02:51) - Vulnerabilities in VMware  (07:30) - Migrating to the Microsoft Ecosystem  (13:38) - On-Premises Microsoft Options  (38:45) - Security Considerations for Migrations  (44:52) - Pragmatic Approach to Platform Selection  Episode Resources: Microsoft and Broadcom to Support License Portability  Paul's article on options for migrating from VMware to Microsoft  VMware Sandbox Escape Bugs 

In this episode of the Security Swarm Podcast, host Andy and recurring guest Eric Siron discuss the Monthly Threat Review for June 2024.  They explore a new threat campaign distributing the Darkgate Malware using a technique called pastejacking. Additionally, they touch upon the 911 S5 Proxy Botnet takedown and how threat actors are exploiting Stack Overflow to distribute malware.   Key takeaways:  Awareness of common tactics like pacejacking can help prevent falling victim to malware campaigns.  Read the details of the Darkgate attack methods we show in the report and adjust your security posture as needed. If you're in need of powerful, next-gen email security software, we've got you covered.  If your organization is leveraging software from any online, public repository, take the time to review that repository and do a risk assessment. Threat-actors are increasingly using public software repos for malicious purposes.  Timestamps:  (03:15) - Insights into Email Threat Trends and Industry Targeting in Cybersecurity Landscape (13:15) - Unveiling New Cybersecurity Threat Campaign using  Pastejacking (23:31) - Massive Botnet Take Down and Arrest of Operator: A Victory Against Cybercrime (29:29) - Beware of Malicious Packages: A Cautionary Case Study from Stack Overflow  Episode Resources:  Full Monthly Threat Report Enhance Security Awareness by Training Employees

In this podcast episode, Andy and Paul discuss the upcoming release of Windows Server 2025 and the myriad security enhancements it will bring. They delve into various topics such as improvements to Active Directory, delegated managed service accounts, Kerberos protocol enhancements, SMB enhancements, hot patching, REFS file system for confidential computing, and extended security updates.   Key takeaways:  Windows Server 2025 brings a host of security enhancements.  The release date of Windows Server 2025 is speculated to be in September 2024, coinciding with the release of System Center 2025.  Timestamps:  (07:05) - Enhancements in Active Directory Security and Numa Support: A Deep Dive (13:19) - Revolutionizing Service Accounts: Delegated Managed Service Accounts Explained  (20:28) - Revamping Windows Server Security: Say Goodbye to NTLM and Hello to Kerberos  (28:15) - Revolutionizing SMB with Quick Protocol and Hot Patching in Windows Server 2025  (32:34) - Revolutionizing Patching with Hot Patching in Windows Server and Azure  (36:02) - Revolutionizing Data Protection with Resilient File System and Confidential Computing  (39:34) - Exploring Confidential Compute, Server Upgrades, and Extended Security Updates in Windows Server Environment  (42:37) - Windows Server 2025 Release Date Speculations and Future Episode Teasers  Episode Resources:  What's new in Windows Server 2025 from MS Learn

In this episode of the Security Swarm Podcast, our host Andy and guest speaker Jan Bakker discuss passkeys in the Microsoft ecosystem. They cover topics such as the definition of passkeys, prerequisites, tips for implementation, and the user experience. They also highlight the user-centric enrollment process, the role of conditional access, and the potential challenges and advantages of transitioning to passkeys.  Key takeaways:  Passkeys are a new authentication mechanism using the FIDO2 standard, providing a secure and user-friendly passwordless experience.  Device-bound passkeys are more secure but not transferable between devices, while syncable passkeys offer convenience but may introduce potential security risks.  Passkeys enhance security by being phishing-resistant and replacing traditional passwords and MFA methods.  The enrollment process involves using the Microsoft Authenticator app and ensuring prerequisites like device compatibility and Bluetooth connectivity.  Admins can enforce authentication method policies and conditional access to control user access and enhance security.  User education, interface improvements, and conditional access play crucial roles in a successful transition to passkeys.    Timestamps:  (03:04) - Unlocking the Future of Passkeys and the Evolution of Authentication  (06:18) - Exploring the Security Benefits of Device Bound and Syncable Passkeys  (14:54) - How to Prepare for Passkeys in Microsoft 365  (23:03) - Navigating the Rollout of Passkeys for Enhanced Security: Admins vs End Users  (29:03) - Maximizing Security with Passkeys, Conditional Access, and Authentication Policies  (33:01) - Unveiling the Convenience of Device-Bound Passkeys in Vasquez for Microsoft 365    Episode Resources:  Previous episode on Passkeys Blog post of Jan  

Microsoft has recently been criticized for not prioritizing security enough. Following the CSRB's Report on the Storm-0558 attack, Microsoft announced that security is now a top priority, with a commitment to address security issues before new product innovations. In this podcast episode, Andy and Paul Schnackenburg discuss the blog post which analyzes the Secure Future Initiative and its advancements.   The conversation brings up the burning question: Was it the Cyber Safety Review Board (CSRB) that catalyzed Microsoft's proactive stance on security?  Key takeaways:  Microsoft is taking proactive steps to address security vulnerabilities and enhance its security measures following recent incidents.  The focus on protecting identities, enforcing multi-factor authentication, and improving network segmentation are crucial for bolstering security.  Efforts to align security actions with recommendations from the CSRB demonstrate a commitment to addressing criticisms directly.  Timestamps: (06:52)  Key Insights from Charlie Bell's Blog Post Addressing Cyber Security Concerns (11:22)  Enhancing Security Measures in Response to the CSRB's Report (21:22) Top Security Practices for Protecting Tenants and Production Systems (24:46)  Enhancing Cloud Security with Micro Segmentation and Software Supply Chain Protection (30:44)  Challenges and Considerations in Cloud Security Logging and Storage (34:37)  Enhancing Cloud Security with Microsoft Sentinel and Vulnerability Reporting (37:37)  Unveiling Common Vulnerabilities and the Importance of Secure Authentication in Cloud Environments (42:34) Analyzing Microsoft's Response to a Security Incident Episode Resources: The Blog Post from Charlie Bell EP39: Are Passkeys the Future of Authentication? Subcribe to our new YouTube Channel for more

In this week's episode, Andy and guest Eric Siron discuss the cybersecurity landscape based on data from the Monthly Threat Report for May 2024. They cover a range of news items, including Microsoft's recent announcement to expand the Secure Future Initiative, the new PSTI (Product Security and Telecommunications Infrastructure) Act in the UK and a significant brand impersonation campaign targeting the German financial entity Commerzbank. Additionally, they provide updates on the Change Healthcare ransomware attack.  Key takeaways:  Microsoft's acknowledgement of security issues is crucial for building customer trust.  The PSTI Act in the UK sets standards for consumer device security and compliance.  Payment of ransoms in ransomware attacks needs to be carefully evaluated.  Data breaches in healthcare can have widespread and long-term consequences for patients and organizations.    Timestamps:  (04:02)  Insights from the Latest Monthly Threat Report: Decrease in Email Threats, Top Targeted Industries, and Impersonated Brands (14:02)  Breaking Bad Habits: QR Codes, OAuth, and User Training (15:18) Microsoft's Security Issues and Response to CSRB's Criticism: Committed to Improve Security (25:23)  New UK Law Mandates Security Standards for Consumer IoT Devices (34:02) Impact of Ransomware Attack on Change Healthcare and the Dilemma of Paying Ransom    Episode Resources: Full Monthly Threat Report May 2024 Sharpen your Instincts with Security Awareness Training  

Today's episode of the Security Swarm Podcast is a continuation from last week's episode where Andy and Paul discussed the CSRB's findings on Microsoft's Storm-0558 Breach. In their discussion, they continue picking apart the findings and providing their insights.  Episode Resources: Cyber Safety Review Board Report - https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf 

In this episode of The Security Swarm Podcast, Andy and Paul discuss the Cyber Safety Review Board's findings of the Microsoft Storm-0558 breach. During the episode, they talk about the implications of the breach and explore Microsoft's security culture, stressing the need to prioritize robust security measures over rapid feature developments.  Key Takeaways:  Microsoft's security culture requires a significant overhaul to address existing vulnerabilities and prevent future breaches.  Transparency and accurate risk assessments are crucial in understanding and mitigating security threats in cloud environments.  Prioritizing security over rapid feature development is essential to prevent security risks and enhance overall product integrity.  Standardized audit logging practices should be a fundamental offering in cloud services to enable effective intrusion detection and investigation.  Timestamps:  (10:07) - Microsoft's Security Culture: Past, Present, and Future (15:45) - Uncovering Lack of Transparency and Accountability in Major Cloud Vendors (20:09) - Microsoft's Security Standards: A Critical Assessment and Call for Action (28:53) - A Discussion on Cloud Audit Logging  Episode Resources:  Cyber Safety Review Board Report - https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf  Microsoft Trustworty Computing Memo - https://news.microsoft.com/2012/01/11/memo-from-bill-gates/   

In this episode of the Security Swarm Podcast, our host Andy Syrewicze discusses the key findings from Hornetsecurity's Monthly Threat Report with guest Michael Posey. The Monthly Threat Report is a valuable resource that provides monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space.   In this episode, Andy and Michael talk about recent security events such as the Cyber Safety Review Board's (CSRB) report assessment of the Storm-0558 attack, the FTC's reports on impersonation attacks, and an alarming potential supply chain attack on the XZ Utils package in open-source Linux distributions.  Key takeaways:  The cybersecurity landscape is evolving rapidly with a variety of threats, from supply chain attacks to impersonation scams.  Transparency and security diligence are crucial in preventing and mitigating cyber threats.  End-user training and awareness play a significant role in enhancing overall cybersecurity posture.  Timestamps:  (05:26) - Rising Trends in Email Threats and Cybersecurity Impersonation Tactics (15:26) - The Importance of Email Security and Supply Chain Attacks in Today's Cyber Landscape (18:12) - Uncovering the Storm-0558 Breach: Analysis and Recommendations (27:33) - FTC Reports on Impersonation Attacks and the Importance of End User Training in Cybersecurity (34:25) - Major Security Threat Uncovered in XZ Utils Package in Open Source Linux Distributions (40:22) - Insights on Cybersecurity Issues and Mitigations  Episode Resources:  The Full Monthly Threat Report for April 2024 Fully automated Security Awareness Training Demo 

In this episode of The Security Swarm Podcast, host Andy Syrewicze is joined by Matt Lee from Pax8 to discuss the risks associated with deploying always on remote access software on managed endpoints.   The conversation spans various topics, including Matt Lee's extensive background in the MSP space, where he shares insights gained from his experience with a mass ransomware event. Together, they explore the risks and implications of constant remote access, emphasizing the need for organizations to adopt a more proactive stance toward cybersecurity.   Key takeaways:  Embrace the journey of continuous improvement in cybersecurity practices, focusing on being reasonable and defensible rather than striving for perfection.  Follow established cybersecurity controls and be willing to adapt and improve security measures over time.  Consider the risks associated with constant remote access and prioritize security measures that reduce exposure to threats.  Take small steps towards improving cybersecurity practices and be open to learning from past failures to enhance security protocols.  Timestamps:  (11:08) - Navigating Remote Access in Highly Regulated Managed Service Provider (MSP) Environments  (14:02) - Maximizing Security with Just in Time, Just Enough Access  (17:41) – The ConnectWise ScreenConnect Vulnerability and the Importance of Communication  (26:32) – The Need for Maturity in the Cybersecurity Space  (31:10) – Don't Let Perfect be the Enemy of Good  Episode Resources:  Matt Lee  Hornetsecurity  

We're thrilled to have Jan Bakker, a seasoned Cloud Consultant with over 10 years of IT experience, joining us from the Netherlands. In this episode, Andy and Jan explore the revolutionary concept of passkeys, a technology that aims to replace traditional passwords and enhance security by providing phishing resistance. The conversation delves into the significance of passkeys and their value in improving user experience and security measures. The guys even discuss what is currently known publicly about passkeys in M365.  Key takeaways  Passkeys offer a more secure and user-friendly alternative to traditional passwords by eliminating the need for storing secrets on the server side.  Public key cryptography forms the foundation of passkeys, ensuring strong authentication without the risk of password breaches.  Passkeys provide phishing resistance and streamline the authentication process for end users, reducing the reliance on complex passwords and additional MFA steps.  While passkeys offer significant security benefits, they are not a standalone solution and should be complemented with other security measures such as phishing prevention and identity protection strategies.  Timestamps:  (00:13) - Unveiling the Power of Pass Keys in Cybersecurity with Jan Bucker  (03:47) - The Rise of MFA Bypass Kits and Adversary in the Middle Attacks  (14:55) - Unlocking the Future of Passwordless Authentication with Passkeys  (24:55) - Addressing Persistent Access in Malicious Apps and OAuth: A Call for Improved Security Practices  (29:59) - Unpacking the Importance of Phishing Resistance and Token Security in Cybersecurity  (33:01) - Enhancing Security with Passkeys and Onboarding Procedures in Public Services  Episode resources:  Passkeys Directory  Jan Bakker's website  The Security Swarm Podcast - EP24: The Danger of Malicious OAuth Apps in M365  Start your free trial of M365 Total Protection  

In today's fast-paced world, digital transformation has become a necessity for businesses to stay ahead of the game. With the increasing reliance on digital tools, however, there has been a seemingly corresponding rise in security incidents. Coincidence?   The evolving landscape of IT and technology has brought to the forefront the question of whether the latest tech "innovations" are actually accelerating security threats.   In this episode, Andy and Paul delve deeper into this issue, exploring how businesses can balance their need for technological advancements with maintaining robust security measures to protect against cyber threats.  Timestamps:  (2:54) – Commentary on the Rate of Change in Technology  (13:21) – How has Innovation in Microsoft Cloud Services Contributed?  (23:33) – What is the Cost of Innovation on Security Postures?  Episode Resources: Article from Andy Robbins Listen to episode 34 Listen to episode 22 365 Total Protection Free Trial  

Ever wondered what it takes to break into the exciting world of cybersecurity? Join us in our latest podcast episode as we sit down with Grant Collins, an infrastructure security engineer and cybersecurity career coach. From choosing the right degree to navigating the hiring process, acquiring essential skills, and building a robust professional network, Grant and Andy share their personal experiences and insights.  Throughout the episode, they debate on academic vs practical learning by comparing the merits of pursuing a cybersecurity/IT degree versus gaining real-world experience and self-directed training. They discuss the pros and cons of each approach, offering valuable insights to help you chart your own path in the cybersecurity landscape.  Timestamps:  (5:08) – Why Should You Consider a Career in Cybersecurity?  (11:30) – What Educational Pathways Can I Take to Learn Cybersecurity?  (26:15) – How can I Cultivate Practical Skills in Cybersecurity?  (34:13) – What are Some Tips and Tricks for Landing a Job in Cybersecurity?  Episode Resources: Check out Grant's YouTube Channel cybersecurity (reddit.com) TryHackMe | Cyber Security Training Hack The Box: Hacking Training For The Best | Individuals & Companies

Security headlines have been buzzing with major security events this month. In this podcast episode, Andy and Eric Siron discuss Hornetsecurity's Monthly Threat Report, analyzing recent security incidents and sharing expert insights.   Tune in for more information on Lockbit's takedown and its reemergence days later, the CVSS 10 vulnerability in ConnectWise Screenconnect, and the Change Healthcare cyber-attack that has practically paralyzed prescription refills and is likely contributing to numerous deaths in the US.  Timestamps:  3:32 – Hornetsecurity Industry Data Review for Feb 1st to March 1st   14:10 – The “takedown” and re-emergence of LockBit  18:33 – CVSS 10 Vulnerability in ConnectWise ScreenConnect  31:11 – Optum/Change Healthcare Ransomware Attack  Episode Resources: Read the full report  Lockbit Takedown Notice ScreenConnect Vulnerability – CVE-2024-1709 Ransomware Attack on Optum / Change Healthcare 365 Total Protection

Join host Andy and special guest Philip Galea, R&D Manager at Hornetsecurity, as they explore insider threats within Microsoft 365. In this episode, the focus is on SharePoint Online and OneDrive for Business, shedding light on the nuances of insider threats and offering valuable insights on safeguarding against them.  Tune in for expert analysis and practical tips on fortifying your defenses and protecting your organization's sensitive data in the evolving landscape of cloud-hosted infrastructures.  Episode Resources: Effortlessly manage Microsoft 365 permissions 

During last week's episode, we briefly spoke about major security incidents that took place between January and February 2024, including the Midnight Blizzard attack. Today, we're delving deeper into the specifics of this attack. From exploiting OAuth mechanics to navigating Microsoft's corporate environment, the attackers demonstrated a level of sophistication that evaded conventional detection controls.   Tune in to hear Andy and Paul examine its intricate attack chain and discuss their insights on what Microsoft should do in response.   Timestamps:  (2:00) – What does the attack chain for this breach look like?  (7:11) – Timeline of the Attack  (8:53) – Thoughts on Microsoft's Response  (18:55) – A Definition of an OAuth App and a Service Principal  (27:36) – What do Admins need to do about this?  (33:20) – Does the speed of change and the scale of Cloud Services negatively impact security?  Episode Resources:  Andy and Paul Discuss Malicious OAuth Apps YouTube Video from Andy Robbins BingBang 

The Monthly Threat Report by Hornetsecurity is a valuable resource that provides monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. For this episode, Andy is joined by Hornetsecurity's CTO – Yvonne Bernard, for an in-depth analysis of major security breaches and ransomware attacks that occurred between January and February 2024.  From the Midnight Blizzard attack on Microsoft to a ransomware attack that cost Johnson Controls 27 million USD, our hosts explore what went wrong and provide expert recommendations from the Security Lab at Hornetsecurity on how to protect your business from similar threats.  Timestamps:  (3:20) – Email Threat Trends from January  (6:51) – What were the Most Targeted Industries for January?  (9:52) – What were the most impersonated brands in January?  (12:30) – A Discussion on the Midnight Blizzard attack on Microsoft  (22:38) – The Recent Breach of AnyDesk  (27:15) – $27 Million Cost of Ransomware attack on Johnson Controls  (32:34) – A C-Suite Look at Microsoft 365 Co-Pilot and the Danger of Misconfigured Permissions  Episode Resources: Episode on Malicious OAuth Applications Microsoft post on Midnight Blizzard Attack Detailed Tactics Post from Microsoft on Midnight Blizzard Attack Any Desk Public Announcement Effortlessly manage Microsoft 365 permissions, enforce compliance policies, and monitor violations with 365 Permission Manager Monthly Threat Report - February 2024

The use of Large Language Models (LLMs), like ChatGPT has skyrocketed, infiltrating multiple facets of modern life. In today's podcast episode, Andy and Paul Schnackenburg explore Microsoft 365 Co-Pilot and some surprising risks it can surface. Microsoft 365 Co-Pilot is more than just a virtual assistant: it's a powerhouse of productivity! It is a versatile generative AI tool that is embedded within various Microsoft 365 applications, and as such, it can execute various tasks across different software platforms in seconds.  Amidst discussions about Co-Pilot's unique features and functionalities, many wonder: How does M365 Co-Pilot differ from other LLMs, and what implications does this hold for data security and privacy? Tune in to learn more! Timestamps: (4:16) – How is Co-Pilot different from other Large Language Models?  (11:40) – How are misconfigured permissions a special danger with Co-Pilot?  (16:53) – How do M365 tenant permission get so “misconfigured”?  (21:53) – How can your organization use Co-Pilot safely?  (26:11) – How can you easily right-size your M365 permissions before enabling Co-Pilot?  Episode Resources: Paul's article on preparing for Co-Pilot Webinar with demo showcasing the theft of M365 credentials Start your free trial of M365 Total Protection Effortlessly manage your Microsoft 365 permissions  

QR Codes are used everywhere in our society, from reading restaurant menus to accessing Wi-Fi networks and authenticating payments. However, as with any technological advancement, there's a flip side. While QR codes are not malicious in their essence, the landscape has shifted in recent years.   Threat actors have evolved their tactics to exploit QR codes in various ways, posing new cybersecurity challenges. In this episode, host Andy teams up with Microsoft Certified Trainer Paul Schnackenburg to discuss the darker side of QR codes and the different ways in which threat actors are deceiving individuals.  Episode Resources: The Danger of Malicious OAuth Apps in M365 Train your users to spot malicious emails with the Security Awareness Services Demo Safeguard your users from malicious QR codes with Advanced Threat Protection  

In this two-part episode, Andy and Paul Schnackenburg discuss Microsoft's recently announced Secure Future Initiative, a multi-year commitment to revolutionize the design, building, testing and operation of technology for enhanced security standards in the age of AI. The discussion stems from the aftermath of the Storm 0558 breach that occurred in July 2023, orchestrated by Chinese nation-state threat actors.  Tune in to gain a comprehensive understanding of the Secure Future Initiative and its implications.  Episode Resources: Episode 17: On-Prem Security vs. Cloud Security Microsoft's Announcement Regarding the Secure Future Initiative

In this two-part episode, Andy and Paul Schnackenburg discuss Microsoft's recently announced Secure Future Initiative, a multi-year commitment to revolutionize the design, building, testing and operation of technology for enhanced security standards in the age of AI. The discussion stems from the aftermath of the Storm 0558 breach that occurred in July 2023, orchestrated by Chinese nation-state threat actors.  Tune in to gain a comprehensive understanding of the Secure Future Initiative and its implications.   Stay tuned for part 2!  Timestamps:  (2:55) – An Update on the Microsoft Storm-0558 Breach  (8:40) – The Microsoft Secure Future Initiative (SFI)  (12:12) – Comparison with the 2002 Trustworthy Computing Initiative Memo  (17:39) – The Trustworthiness of On-Prem vs. The Cloud  (23:04) – How Does Microsoft Want to Use AI in Security?    Episode Resources: 365TP Compliance & Awareness Free Trial EP17: On-Prem Security vs Cloud Security EP18: Generative AI in Defensive Tools EP22: Can you trust Microsoft with Security?  

We're kicking off 2024 with our Monthly Threat Report analysis. Every month, our Security Lab looks into M365 security trends and email-based threats and provides commentary on current events in the cybersecurity space.  In this episode, Andy and Eric Siron discuss the Monthly Threat Report for January 2024. Tune in to learn about the top-targeted industries, brand impersonations, the MOVEit supply chain attack, the active attack by the Iranian hacking group "Homeland Justice" on the Albanian government, and much more!  Episode Resources: Full Monthly Threat Report for January 2024 Annual Cyber Security Report 2024 Andy on LinkedIn , Twitter , Mastodon Eric on Twitter

Our final episode for 2023 is here! To wrap up the year, Andy and Umut Alemdar will be discussing our Monthly Threat Report for December 2023. The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. In this episode, Andy and Umut are focusing on data from the month of November.  Tune in to hear about Microsoft's recent zero-day vulnerabilities, the most common file types used to deliver malicious payloads, M365 brand impersonations and a lot more!  Episode Resources: Full Monthly Threat Report - December 2023 Annual Cyber Security Report 2024 - Free Download

As the year comes to a close, the Security Swarm podcast takes a reflective journey, comparing the landscape of security then and now. In this special episode, Andy and Eric Siron explore the intriguing evolution of cybersecurity from the days of floppy disks and DOS to the complex, interconnected world of today.  Tune in to learn about the significant shifts in security incidents, drawing correlations and highlighting differences. From the era of viruses attempting to one-up each other with floppy disks to the present, where data theft and ransomware dominate the landscape.  Timestamps: (2:56) – What was security like in the early days of IT and how does it compare to now?  (12:18) – Why are threat-actors more persistent now than they used to be?  (23:33) – Security horror stories then vs. now  (44:40) – How has Andy and Eric's Stances on Security Changed from then vs. now?  Episode Resources: Central African Republic and El Salvador Adopt Cryptocurrency as Legal Tender Download Hornetsecurity's Annual Cyber Security Report 2024

Remember the days of DNS route-based email security? It's been a steadfast approach, but in recent years, the landscape has shifted towards API-driven solutions, particularly evident in platforms like Microsoft 365 utilizing the Graph API for enhanced security.   In this episode, Umut Alemdar from Hornetsecurity's Security Lab joins Andy once again to discuss email filtration, particularly the DNS route-based approach versus the emerging API-based method. Tune in as they compare these two methodologies, weighing the pros and cons, discussing caveats, and navigating the intricacies of email security.   Episode Resources: 365 Total Protection Free Trial

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from October.  During the episode, Andy and Eric Siron explore the rise of PDF-delivered malicious payloads, shifts in target industries, and escalating brand impersonation attempts in shipping and finance. They delve into Microsoft's response to a recent cloud services attack and a significant vulnerability in Citrix NetScalers dubbed CitrixBleed, shedding light on the evolving threat landscape.   Join us for an insightful analysis of the latest cybersecurity developments, providing valuable insights for both professionals and enthusiasts alike.  Timestamps: (3:07) – What is the general state of email threats during the last month?  (6:31) – What types of files are being used to deliver malicious files?  (9:38) – What industries are being targeted the most throughout the data period?  (14:40) – What are the most impersonated brands during the last month?  (18:52) – An update on the Microsoft Storm-0558 breach  (23:01) – The CitrixBleed Vulnerability Impacting Citrix NetScaler  (30:31) – Commentary on the SEC's charges against SolarWinds and their CISO  Episode Resources: Full Monthly Threat Report for November Law Enforcement Shutdown of Qakbot Paul and Andy Discuss Storm-0558 Security Awareness Service - Request Demo Andy on LinkedIn , Twitter , Mastodon Eric on Twitter

Paul Schnackenburg is back for another episode with Andy and this time, to discuss the story of backup and recovery inside of Microsoft 365. M365 backup has been a confusing experience over the years, especially with Microsoft's contradictory "no backup needed" guidance. To add to the confusion, Microsoft has introduced its own M365 backup product.  During the episode, we'll look at the various methods and tools that have been used natively within M365 to help with backup, as well as why these methods frequently fall short. Don't miss out on this informative discussion as we delve into the complexities of data protection and recovery in M365!  Episode Resources: Free eBook - Microsoft 365: The Essential Companion Guide 365 Total Backup – Request a Trial VM Backup - Free Trial Find Andy on LinkedIn, Twitter or Mastadon Find Paul on LinkedIn or Twitter

In today's episode, we're delighted to welcome back Eric Siron, who's no stranger to our show. Andy and Eric will be exploring some historical methods devised by the security community to safeguard backups against ransomware such as air gapping, removable media and application whitelisting. But here's the twist: we're approaching these protective measures from the mindset of a relentless threat actor, someone who's determined to breach your defenses and make your backups their own.  Throughout the episode, we will discuss common misconceptions surrounding these historical solutions, often described as the ultimate ransomware defenses. Do they genuinely live up to the hype? Why do they seem to fall short when used in a vacuum? Tune in to learn more!  Episode Resources:  The Backup Bible by Eric Siron EP22: Can You Trust Microsoft with Security? Immutable Protection Against Ransomware Andy on LinkedIn , Twitter , Mastodon Eric on Twitter

Get a glimpse into The Security Swarm Podcast