Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall
 

Episode 10 - Goodbye 2020, Hello 2021!

In the last episode of the year, Zach, Mike, and Lauro discuss the benefits of performing certain cybersecurity tasks earlier in the year rather than waiting for the last quarter. Cybersecurity news from 2020 are reviewed while the team tries to predict 2021 cybersecurity trends. They also discuss tips and tricks to avoid cyber criminals around the holiday season, along with what they liked and loathed in the year of cybersecurity news and blunders, plus their holiday wish lists.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

10103417-small

Send Us Your Questions & Rants!

welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber security  criminals and now here's your hosts mike rotondo  
zach fuller and lauro chavez hello and welcome  to the cyber ants podcast this is your co-host  
zach fuller joined by mike rotondo and lauro  chavez hello how are you guys doing oh oh  
merry merry christmas merry christmas it's this is  our last recording of the year happy happy kwanzaa  
happy hanukkah throw those two in there too  sorry yep and all whatever others we're missing  
brothers there's more but um holidays happy yeah  what are you guys doing what are you guys doing  
for the holidays hoping santa comes here i don't  know that he's got the covid i think he's exempt  
from that so i'm hoping that he you know he flies  over and drops some new wi-fi pineapples my way  
i'll take a bash bunny what you're hoping for  huh yeah oh yeah i'll even take some you know  
some used uh top layer gear too it's fine  yeah pack five if you're listening you know  
lauro for christmas i've got the stockings just  large enough to fix the large boxes for the nanos  
for your pineapple so they'll just so you know  that they'll fit right in those stockings or i  
even labeled it put pineapple here how about some  more uh mac mini black boxes for internal pen  
tests oh yeah that's on my list too yeah i know  my list of santa this year was pretty ridiculous  
i'm i'm assuming he's snarking at me right now  but um i'm waiting to see if i get the the wi-fi  
pineapples the bash bunnies or yeah the black box  mac minis with 64 gigabytes last gen of the i7 i'm  
going to feel about this horizon chipset in my max  but um that's okay we'll roll it i mean they're  
already in there technically for some of the gear  but um from the for the pro series i'm i'm i'm  
hopeful well we'll we'll see what happens i saw an  article that some of the new macbooks actually may  
be going back to intel i don't know if there's a  truth in that or not but i didn't really read it  
what's santa bringing you for christmas  this year mike what'd you ask for a nap
a nap uh some new opus x and uh you know a  couple bottles of lag of one you know the usual  
birthday easter thanksgiving new year's eve  nice i like that your list is consistent so  
we're always going to get you for your birthday  too it's just it's right there nice that and my  
new black cat action figure got some vintage darth  vader coming so you know that kind of stuff nice  
i see uh you went you asked santa for the good  stuff yeah yeah i've got enough tech to keep  
me busy for a while i'd rather have toys  and boxes i can't open but can look at so
good point what's saying i'm  bringing you zach what'd you ask for  
oh i don't even know i haven't thought that far  ahead yet we've got so much going on right now  
that's uh that's still a week away i thought  he was going to bring you one of those electric  
mountain bikes so that you could um you know go  ahead and accept your role as a middle-aged human  
dare you how dare you tell me i would ride  an electric mountain bike no way i pedal the  
old-fashioned way i embrace the pain and suffering  of that sport and it's it's it's glorious in every  
way robotic knees man robotic knees i thought  i thought you told me that stan already brought  
you what you asked for man with that whole i got a  new whole new archery setup new bow release arrows  
whole nine yards and i'm i'm starting to get  halfway decent again after 22 years or so of not  
shooting so um but uh gotta gotta take more time  to practice makes practice makes perfect but uh  
but yeah it's gonna be a busy i think for us you  know the the as we all know this time of year is  
crazy especially in the cyber security industry  a lot of these initiatives get pushed to the end  
but um but why why why i think we should get into  that but we want to make sure that we cover the  
foundational elements of the podcast first which  of course are the news and the vulnerabilities  
mike you want to kick us off as anchorman santa  and the news so there's just a quick headline i  
i know we all know about the solarwinds thing so  i'm going to give you a couple quick headlines on  
that one but there is a new microsoft malware  out that affects over 30 000 pcs a day so it's  
browser based and delivered so you know keep an  eye out for that and that includes edge chrome  
yandex and mozilla so those are all out there you  know if you're really concerned about it use brave  
maybe that's not mentioned or used another thing  that's you know it's kind of getting an old story  
off all the remote issues that we're seeing all  the remote attacks we get people attacking kids  
now threat actors target k-12 distance learning  education uh this warning comes from cisa and the  
fbi and it's you know it's bad enough that you  know you've got politicians canceling snow days  
and uh you know you can't pull the ferris bueller  ducking out of school when mom and dad know where  
you're at uh so you know now we're attacking  kids over distance learning so that needs to stop  
that's terrible yeah you know uh the please read  me ransomware attacks 85k mySQL servers there's  
over 250 000 stolen databases on the website  and there's a whole list of uh and i don't want  
to bore you all but here's a you know quick one  highly evasive attacker leveraged the solarwinds  
supply chain to compromise multiple global victims  with sunburst backdoor 18 000 organizations  
possibly compromised in massive supply chain  and cyber attack solarwinds issues second hot  
fix foreign platform selection and supply chain  tech interestingly enough uh we've come across  
a couple clients that were not keeping up to date  with their solar wind patches so they were spared  
that is the exception that is not the rule that  is not a proper strategy going forward security  
through obscurity right there working yeah not  highly recommended to not patch and you know hope  
you're you're dodging the bullet that being said  in this case it did work um concerns run high as  
more details of sire solarwinds hack emerge as we  know homeland security got hit treasury got hit  
red eye got or FireEye got hit um satellite sector  did not get breached so you know we got that going  
for us microsoft partnered with security firms  to sinkhole the command and control servers uh  
domain excuse me used in the cyber solomon's hack  microsoft is quarantining solarwinds apps linked  
to the recent hacks starting tomorrow we're not  saying this is how solarwinds is backdoor but  
there is an ftp password linked on github in plain  text and guess what the guess what the password  
was it was solarwinds one two three i guess if  they'd had solarwinds one two four three four  
maybe they wouldn't have gotten hacked  uh solon's hackers capabilities include  
bypassing mfa this is kind of scary  because if you can bypass mfa that's great  
there's a whole other thing behind beyond solar  winds if you're if you're getting an mfa which  
is you know arguably one of the better pieces  of cyber of uh authentication security we got  
bigger problems google had an outage as  we all know but it wasn't tied to solar uh  
defected youtube gmail and more google out  is tied to authentication system manage  
not the supply chain attack so you lastly end  on a high note for all your christmas shoppers  
security issues in pos terminals open consumers to  fraud anybody familiar with pci is aware this is  
always a concern apparently it's becoming a bigger  issue due to some missing patches in pos terminals  
used by retailers worldwide so be careful when  you're using that credit card keep an eye on  
eye on your next statement and make sure that  uh you know you're not buying oil and lumber in  
uh uzbekistan instead of buying things at macy's  where am i gonna get my lumber and oil well you  
know maybe local closer to home okay well i guess  i get i've always got good deals in uzbekistan so  
yeah yeah lucific has the best deal on oil i hear  lauro what are the vulnerabilities of concern  
for the concern well i mean that microsoft is back  on the list is no big surprise but uh really the  
only thing for this week if the grinch is bringing  in this bag of vulnerabilities is more oracle  
enterprise stuff so it doesn't matter if you're  on if you're using it in gnome or you're using  
it on linux or you're using it on windows or  you're using it on unbreakable enterprise linux  
it doesn't matter if you use it in oracle  in any fashion or form please patch it um  
i've not i've been just shocked at how many  oracle vulnerabilities have been out the last  
couple months so lots of stuff going on there but  that's it nothing else really to talk about from a  
vulnerabilities perspective grinch brought his bag  of tricks and other fascist ways this this time i  
guess it's certainly been a interesting year to  say the least um i know a lot of people are are  
going to be glad to see it over um but uh you know  just the reminder of course um cyber criminals are  
have been ramping up their activities and they're  certainly not going to stop for the holidays  
be extra vigilant dust off that ir plan you know  make sure that you have good visibility in your  
environment because um these activities aren't  going to stop they're not going to take a break  
for the holidays but but yeah it has been an  interesting year um there have been a couple  
things that to me kind of stood out you know one  that with the the lawsuit um against capital one  
from the big breach you all heard about that but  that really opened up kind of a whole can of worms  
related to attorney-client privilege and how  incident response responses handled granted the  
way the way it was done from a legal perspective  and i'm no attorney was was blatantly wrong um  
and and so in essence if you didn't follow that  the opposing counsel was able to get the uh  
all the forensics and like post breach reports  that were done for for a capital one that they  
didn't know were going to get out and so that  you know the opposing council was able to  
poke a bunch of holes in their in their security  program and practices and and uh resulted in  
major major fines so um with that being said a  lot of people that are in the incident response  
space are being extra vigilant now and that  will kind of change how things are done  
forever when it comes to uh use an organization  getting and engaging incident response services  
so if you don't um already have a deep  understanding of that we won't go into depth  
today but maybe another episode but really  um it comes down to consult your attorneys  
and make sure you have good ones that focus  on that stuff and then the other development  
i thought was interesting was the governments the  us governments kind of shift in perspective and i  
think it's a good shift i'm really ma imposing uh  very steep fines on companies that pay ransoms to  
uh known threat actors even if the companies  don't know that that is a known threat  
actor that they're paying a ransom to the  government can come and investigate and um  
charge them outrageous amounts um and rightfully  so i think i think that's a step in the right  
direction the we have to get away from the  incentives you know we have to have to make it  
we have to take out the economic benefits for  um cyber criminals to go out their business  
and do what they do so and and this is one of  the few things that stuck out stuck out to me  
no that's great and and i think man i could say  santa probably brought me my present already  
this year if that's you know since that's  been in place um kind of forgot about that  
you know we got to stop incentifying these  organizations for bad security practices with  
insurance coverage you know what i mean because  they they feel if they pay the rent you know they  
don't prepare something happens they can't  back you know right they don't have backups  
there's something simple like that where they're  like oh we're only taking snapshots we weren't  
really backing anything up and and so now they've  got to rebuild which is even more critical  
exactly and so now you got to pay the  cyber criminals because you didn't prepare  
you you should be punished for that i mean you  should have you should have already prepared and  
and your insurance shouldn't cover you  i don't think and so i'm certainly glad  
to see this because i i do believe that that bad  security posturing should should at this point be  
some form of you know i don't want to say  punishment but you certainly shouldn't get  
a free ride from an insurance company because you  made a bad decisions that led to a you know a hack  
that you know cost a bunch of individuals  like us and you and everybody out there  
listening their data right well i think  we talked about this in a previous uh  
podcast is that you know people got lazy because  of cyber security insurance you know they're like  
i'm insured you know it's kind of like a fender  bender no big deal insurance company will cover it  
not realizing the long-term damage or long-term  financial impact of that kind of thing and i think  
it's incumbent upon these insurance companies  to start doing an actual risk assessment prior  
to writing a policy i know there's a lot  of you know competition in the market but  
you know to get the policies out and get them  written but i would start demanding you know  
at least some kind of attestation from a third  party before uh writing a cyber security policy  
yeah couldn't agree more absolutely otherwise it's  like me you know getting you know going having 14  
shots of jameson or something that's probably a  bad example for those whiskey drinkers out there  
but anyways i will use something better like yeah  you really should be ashamed of yourself for that  
yeah i should okay i was fine okay so i'll i'll  i'll i'll be posh and i'll say i'll drink a fifth  
of whistle pig 15 year okay fine there you go and  then i'm going to get in my corvette i'm going  
to drive like a maniac on the highway and i'm  going to do it because i know it doesn't matter  
if i wreck my car because i have insurance right  right i mean that's it's exactly the same type of  
misbehavior these organizations are conducting  with not being proactive with their programs in  
in in the thought in the mindset that it doesn't  matter because i have cyber insurance yep and  
then we could certainly go you know go deep into  the into the topic but um but yeah it's you know  
it's an interesting kind of dynamic of um at first  it was you know companies were almost rewarded  
you know there's like oh yeah good you paid the  ransom got your data back that and that's terrible  
thinking but are they actually really getting  their data back i mean they're getting data  
but that doesn't mean that company that  whoever hacked them still doesn't have that  
well here's the work too you've got to you've  got to decrypt all the files yeah you don't  
it doesn't just magically go back when you've  you've had a you know a crypto locker attack  
or equivalent i mean you've got you've got to you  got to put the keys in there to unlock everything  
so anyways yeah don't get don't get grinched  this year remember the grinch the wrench  
the grinch took whoville on christmas eve it's a  it's a sad state of affairs but i think you know  
there's some moves in the right direction  i'm optimistic to see what comes next year  
i think um you know it's going to be a it i  think a lot of people are looking forward to next  
year but i know that companies at least the ones  that we see and work with in the marketplace are  
seem to be kind of getting used to this tempo  and this kind of new way of life they are um  
you know being being proactive again getting  things done again of course a lot of that  
stacks up be you know for year end because a  lot of the work stopped you know earlier in  
the year when covert hit but next year you know  something to think about we wanted to share for  
for those organizations out there it's very  common for companies to push a lot of cyber  
security compliance initiatives especially like  pen testing and risk assessments and such into q4  
um so as you're planning for next year um one just  a piece of advice we would provide is that you um  
think about your kind of the cyclical nature of  your security program think about the kind of the  
operational tempo of what you're doing when and  i'd recommend putting some of these activities  
that you traditionally do in q4 move them up to  q2 or 3 and the reason for that is you're going  
to get better deals and more attention from a lot  of cyber security companies because you won't be  
kind of trying to trying to cram everything in  at the last minute like a lot of companies do  
so there's just my thoughts kind of advice for  for next year as people are uh as people are  
are going about their planning and business thank  you for that zach i'm gonna follow that advice  
next year that was awesome you got any more more  good stuff for me that i can well in the next year  
um eat lots of vegetables oh that's good that's  good i eat lots of vegetables lean meats as  
well you know i asked santa for lean meats  cut back on your you lost me already sorry
i was about to say cut back on your  alcohol intake your caffeine intake  
all those things and uh yeah  whatever man you talk about grange
yeah right he's inside the  grinch is here already oh no
i'm only allowed one piece of wisdom per episode  and that was it so i'm i'm i'm out i'm done we're  
done well that's that's probably good that's a  good place to in the show for the year man and um  
yeah so i hope everybody has a wonderful holiday  season including the two of you i can't wait to  
see you in the new year so i just want to thank  you know thank all of our listeners please please  
uh rate our show provide your comments good bad  and different rant away we want to hear you know  
we we want to share things that are relevant um to  you and uh continue to improve this make it better  
into the new year so um thank you again for  joining us uh happy holidays i hope you get to  
take some time off uh much deserved especially  after this year and uh we're looking forward  
to a great 2021