Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall




Episode #24 - To Cloud or Not to Cloud?

The "cloud" is arguably one of the most common topics of discussion in technology today, primarily for its cost savings and accessibility benefits. Corporate cloud security can be tricky. However, it's also a hot topic for cybersecurity professionals and not always for the best reasons. This week, the guys discuss cloud considerations for organizations of all sizes, providing recommendations for transitioning to the cloud, the security risks of cloud computing, safely storing information, and avoiding data loss nightmares.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!


welcome to the cyber rants podcast where we're all  about sharing the forbidden secrets and slightly  
embellished truths about corporate cyber security  programs we're ranting we're raving and we're  
telling you the stuff that nobody talks about  on their fancy website and trade show giveaways  
all to protect you from cyber security  criminals and now here's your hosts mike rotondo  
zach fuller and lauro chavez hello and welcome to  the cyber ants podcast this is your co-host zach  
fuller joined by mike rotondo and lauro chavez  today we have a uh what i think is a good topic um  
something that comes up a lot is cloud migration  right a lot of organizations moving to cloud  
and there are a lot of considerations that come  with that and some myths we wanted to spell  
as well so before we do that mike why don't you  kick us off with the news good morning and welcome  
to the news fbi apt is actively exploiting  fortinet and vpn security holes this has been  
going around for a while but there's an advanced  persistent threat nation state actor that that is  
actively exploiting known security vulnerabilities  and fortinet florida os cyber security operating  
system so if you've got that get it patched  um there's multiple cds attached to that the  
evolution and rise of the avidon ransomware as  a service there's a ransomware as a service that  
started back in february 2020 called avadon it's  continued to expand it's tied to the russians  
so you know be aware that they're actually  providing they're now service companies like doing  
doing ransomware so life is good right hackers set  up fake security firm to target security experts a  
north korean government-backed campaign targeting  cyber security research with malware has reemerged  
with new new tactics in their arsenal  as part of a fresh social engineering  
attack they set up a fake security company  called secure elite and the slew of social  
media accounts across twitter and linkedin and  attempt to trick unsuspecting researchers into  
visiting the company's booby-trapped website  that was nice anomalous surge in dns queries  
not microsoft cloud off the web last week so  you know going back to talking about our cloud  
this week we had uh basically surge of dns  queries from across the globe targeting a set  
of domains hosted on azure knocked it offline  i'm sure was in the convenience for just about  
everybody hackers targeting professionals with  more eggs malware via linkedin job offers there's  
a new spearfishing campaign and targeting  professionals on linkedin with weaponized  
job offers an attempt to infect targets with  sophisticated backdoor trojans called more eggs  
to increase the odds of success the fishing lures  take advantage of melissa's zip archive files that  
have information on the jobs i can also with an  unconfirmed report i had heard that linkedin had  
also been hacked recently along with facebook uh  facebook 533 million records and linkedin as well  
firmware attacks a gray area in cyber security of  organizations this is always something that is uh  
quite often overlooked according to microsoft  we'll they revealed that 80 of enterprises were  
victims of at least one firmware attack in the  past two years the study showed that only 29  
of targeted targeted organizations have allocated  budgets to protect firmware so that's something  
to think about inside the ransomware campaigns  targeting exchange servers it's just more about  
the the whole thing that came out back in march  but they're using zero days and in the weekend  
in march 30th the number of attacks involving the  exchange server flaws have tripled to more than  
50 000 around the world it's an interesting read i  definitely recommend you check it out the trusted  
internet who governs who gets to buy spyware from  surveillance software companies so this is kind of  
an interesting one it's when hackers get hacked  that's when secrets get uncovered july 5th of  
2028 an italian-based surveillance technology  company team company released 400 gigabytes of  
torrent file with internal document source code  and emails to the public including the companies  
list client list of almost 60 customers include  countries such as sudan kazakhstan saudi arabia  
the elite documents strongly applied to  the southeast asian region government  
agencies from singapore thailand and malaysia had  purchased their most advanced spyware referred to  
as remote control systems and we're using these  against targets so it's an interesting dark web  
consideration of how governments are actually  doing this stuff security falls short and rapid  
covered cloud migration we're going to talk about  this a little bit but what we're seeing is that  
as clouds as covet hit many companies tried  to move their own structure the cloud quickly  
and they saw instance rise security incidents rise  some of them as much as 400 percent um so that's  
definitely a concern and there's a new office 365  phishing campaign using publicly hosted javascript  
out there so be really careful with your email on  office 365 don't click on anything you're not sure  
about tech support scammers lure victims with  fake antivirus billing emails this is more for  
your home users but they're sending out fake bills  asking you to click on it and pay your balance  
so don't click on that lastly or one of the  last ones as i saw this is kind of concerns  
arm climb armed conflict draws closer as  state-backed cyber security attacks intensify  
there's actually a study called nation state cyber  conflict in the web of profit that was done by an  
english university it claimed that 100 percent  increase in significant state based attacks  
between 2017 and 2020 and an average of an over  10 publicly attributed tax per month in 2020 alone  
um 50 featured surveillance tools 14 were  focused on damage or destruction you might  
remember the ukrainian power grid uh while more  than 40 had a physical and digital component so  
cyber is moving into a very dark place it's also  claimed that 10 to 50 of dark web vendor sales  
now go to atypical purchasers like state-backed  apts this one's i added this one simply because  
of our political uh reason that we're in  here reveal our our evil ransomware now  
changes password to auto login in safe mode  guess what they change it to d trump forever  
uh the ransomware configures following uh registry  values so that windows will automatically log  
in with the new account information so  there you go that's the headlines laurel  
that was great at least you always know that some  of these individuals have somewhat of a sense of  
humor at times yeah exactly well interesting stuff  mike thanks for that for exploitation this week  
there's a couple things i'll talk about one of  them is done by the google security research team  
um it's on the linux kernel 5.4 and it exploits  the bluetooth zero click remote code execution uh  
capability it's there it's what you'd expect  from google research team andy nguyen and  
that team they just wrote this and see it's  elegant so they did a poc and they have the  
data there uh they estimate the accuracy of the  success rate rather than about eighty percent  
which is um and so they they were able to do this  on on a mac which is really cool um so check that  
out um certainly something to be aware of for  in-proximity attacks for more of your physical  
stuff like that which is you know pretty neat as  well but but i think the interesting one is kind  
of just been you know by one of the independents  that was shot out there was for the rockstar  
service there's an insecure file permission  on how rockstar service installs if you're if  
you're using it for online play on your pc and  stuff and so for those of you who who are not  
rockstar fans um you may have heard of grand theft  auto so this is um if you've got everybody who's  
playing gta 5 and so the the this is an authentic  kind of vulnerability so you have to already have  
an account of a local pc in order for for this  attack to work it's a clever attack um no doubt  
about that but um it certainly punches um punches  in the gut of a lot of everybody's favorite game  
so i'm a big fan of gta 5. i used  to play gta i used to play gta 1  
back in 1997 and play gta 1 and along with  it so if you've not heard of those and might  
not know what a voodoo one by 3dfx is or what  overclocking opinion 2 is like but in any case
what was that are those on the wii on the week  no i i think that's more of like a maybe it was  
nintendo ds or something i don't know okay yeah  yeah yeah my my two my two megabit on on on board  
voodoo one it was it was the most amazing thing  at the time anyways um gta has come a long way um  
yeah anyways so this is a really cool exploit that  they brought out i thought but that's pretty much  
it those two uh for this week that are of interest  everything else is in poc and on random items so  
always make sure you take a look at what your  attack surface looks like and then compare  
that to what you're seeing in the exploit  world zach turn it back over to you all  
right well thank you both um interesting stuff  happening and a little bit nerve-wracking but um  
hey that's the business we're in so um you know  there's going back to cloud migration right  
there are tremendous amount of benefits to this we  see a lot of organizations moving to the cloud but  
they're also downsides and i think one of the  myths that i want to dispel right off the bat  
is the myth that is catching a lot of companies  off guard right this myth is the idea that if  
you move to the cloud you're more secure or  you're automatically secure right and the  
cloud of course is just somebody else's computer  all right so same security considerations apply  
but what are your recommendations your thoughts  what have you seen out there in the wild as far as  
cloud migrations and and where people are screwing  it up there's a myriad of places they could screw  
it up but primarily what i see is even even at the  beginning of the negotiation of the contract of  
who actually owns the security and what there's a  misconception out there and hopefully it's going  
away to a certain extent but that automatically  by moving things to the cloud i'm safe  
and that the cloud provider will take care of  all my security will take care of all my things  
all my requirements all in my you know past past  passwords given all my patching you know that sort  
of thing and that is not the case depending  on the level of cloud service that you have  
um you know there there is some of that but if  you know you're just buying you know for lack of  
a better term bear steel in the cloud and then  you're putting your infrastructure on it that's  
all you right they'll take care of the you know  part of it but you know you have to still maintain  
uh a lot of your security measures and your  patching and everything else so it's a matter of  
you know being sure from the beginning what  you're getting and and i think that's just  
you know when you start with step one and then  you know goes from there exactly i think you  
mentioned i think you mentioned it you know on  the net when you said that they take care of  
requirements for you that's that should be right  the first step right we talked about diagrams um  
a couple episodes ago and you know this  stuff the stuff that you're trying to  
migrate you should have diagrams on and  you should certainly have requirements  
um kind of measured out fully measured out so that  you understand what is you're trying to accomplish  
once you get your technologies in the  cloud and make sure that what service  
levels that you've committed to from a  price perspective are going to meet those  
those requirements right i mean that's just like  you said that's that's rule number one and i think  
there's a lot of assumptions like oh we can just  deploy this and we test a lot of customers um from  
a technical assessment perspective that have  you know had vulnerabilities that were closed  
on-prem and then when they migrated some of those  changes didn't follow and so be because it's in  
their processes of mature organization to include  contests upon changes we were able to identify  
those weaknesses were then now kind of  showing up again and so they they realize  
um you know that that you know just moving your  code up there isn't going to also take all the  
nice configs that you've done and in place you  know behind application firewall profiles that  
you may have that aren't consistent in aws or  azure or something like self software right  
it doesn't matter um so that requirements  on what you have today understanding what  
you have today and how that's going to  translate is critical incredible stuff  
the other thing that comes to mind too is that  you know monitoring and reporting and auditing  
and logging um that's an add-on in a lot of cloud  services that's not an automatic right they're  
going to take care of you know the perimeter  of their you know they're going to take care of  
their piece but monitoring your application that's  up to you you have to be able to configure that  
that piece you know configure the alerts you have  to configure the process you have to configure  
you know all of that sort of thing  and add those pieces into the system  
um just because an application sits in the  cloud doesn't mean amazon or azure or google or  
you know whoever is taking care of it for you  um and and so that yeah that's the next step  
down the road is that people forget that  they have to actually add those pieces in  
um this is i think yeah and uh um you know and  then code yeah i mean code doesn't necessarily  
work the same in the cloud as it does on-prem  either right i mean can we see differences in  
that as well always always um there's there's  a lot of tweaking that needs to be done for you  
know changing some of this right it's not a it's  not a simple just you know copy pasta right if  
you will um there's there's some things there that  you have to do and again if you don't understand  
what your what your what your infrastructure looks  like today it makes it a more difficult challenge  
i think to make that smooth transition and like  we keep saying right there's a lot of things that  
that i think organizations assume that is  going to just be included in the package  
and it may be right some things may be included  that doesn't mean you don't need to go in and  
configure the settings so you know cloud doesn't  mean hands-off you know what i mean there's still  
you know through the snap-ins and everything  else there's still management you need to perform  
and you know us engineers had a saying back  in the day called rtfm and i'm not gonna for  
those that know no but in any case right they  have best practice guides that i think a lot of  
a lot of um technologists refuse to read  or research so do your homework because um  
all these all these vendors they put out a  best practices to cyber security and and in  
that as a checklist a lot of them call it that  right and you'll be able to go through that  
and find um you know what it is that you need  to do and how you need to go through that  
and you know what i think is interesting is is to  bring up one and again you know i i don't really  
like to talk about the brands but you know if you  look at aws security checklist which i think is  
pretty funny they talk about making sure that  you have an incident response plan and making  
sure that you're you're making run books and stuff  so they're they're like look we're not going to do  
this for you like these are things you know it's  almost like they don't put don't iron clothes  
while on body have you ever noticed that on that i  don't know how many people iron anymore right but  
for us military folk like we we know what  it's like to iron right so you know that  
sticker was on the iron right it's like  somebody did that and so you know in the  
beginning aws didn't have the security checklist  but everybody was getting hacked and they're like  
why aren't you guys in there like what do you mean  like that was in the terms of service like you're  
supposed to read that part anyway so they've  made a checklist now so that you can consume it  
and understand what what things you need to have  in place to better better reduce the risk you're  
going to have while while performing and and  conducting activities with your technologies  
and business software in these environments  super critical to read this document  
i just can't yeah can't enforce that enough  like read read the manual it's there for you  
right i mean if we put it on wikipedia more people  would read it but because you got to go dig for it  
you know wherever it makes it like so much harder  to understand but uh you know when we when we um  
you know we've been asked recently  to do a lot of these reviews  
and you know here's the thing is that everybody  has a way that they're going to deploy these um  
these technologies and in these in these  online you know online vendors and so the  
the best thing that we do as well to practice this  is with our customers that we're taking care of is  
that we we read the manuals right right and we and  we look at the consoles and and scroll through the  
settings and kind of evaluate what opportunities  we have in the licensing kit that's given to  
the organization it's like we have or go in there  and look you know i mean like what options do you  
have yeah you've got some logging capabilities  but you've got to enable some other things and  
like you said mike some things you have to pay  for like that really good telemetry that they have  
for the compliance uh area is you know that might  be an additional add-on you might want to pay  
for right so you want to look at that but you may  also if you get a tour of it as an example or tour  
of some of these capabilities um with the reps  then you may be surprised to watch some videos  
right and you may be surprised at the um  the capabilities you get but if you don't  
do that research and understanding requirements  it's just going to be a big headache for you
but as i said i think the value of the cloud is  that it enables you to do whatever you want the  
problem is it enables you to do whatever you want  there's no there's no guard rails right to say  
absolutely so um yeah i mean that's that's that's  a big that's a big concern right there i mean  
and people don't read the manual and a lot  of times these migrations are done out of  
desperation because we're cutting staff we  need to migrate everything in cloud because  
there's a financial there's a  belief in the financial offices that  
we're going to save all this money  you know x percent in reality  
by doing it in a hurry you're creating issues  where you have 400 percent increasing incidence  
because you haven't taken the due diligence to do  care cloud migration is not a 30-day migration it  
is a well-planned out 12 to 18 month migration  if you're moving your entire infrastructure  
and to do it while cutting staff  that's just you know not a good idea  
yeah no you you net you nailed it mike it's it's  it here's the thing is it's cheaper to a lot of  
a lot of individuals say it's cheaper especially  something like covid right where we have a remote  
workforce it's like oh we got metal um we've  got to buy vpn now to access the stuff and you  
know it makes it more complicated more expensive  it's probably in those cases cheaper to migrate  
things to the cloud and then just have everybody  access it through the portal you know what i  
mean and then there's no yes there's no need to  manage more infrastructure devices right and so  
it's the perfect storm and that remote that  like you said at haste like what are we gonna do  
we don't have you know x amount of dollars  to spend on these updated vpn licenses and  
to get everybody you know updated on this let's  let's move this stuff to the cloud right yeah  
let's say i'm a business leader that just  went through kind of a hasty cloud migration  
so to speak and i want to understand where i  stand in terms of security with this migration  
in this new environment what recommendations would  you give to me and or somebody in that situation  
first off you don't come on the show and ask  questions like that random stranger you have  
to purchase the appropriate manner  and second did you do your diagrams  
that's what i'm going to ask you yeah i  did my diagrams i didn't have your dogs  
they're in crayon on a napkin but i i did  my diagrams i'm not here to judge hey the  
muffler works you know i'm i'm just checking  to make sure the smog system works i don't care  
what color your car is or if the door handles  there you know what i mean hey that's fine if  
it's it's there we've got a if the ones we have a  detailed understanding of what your of what your  
migration looks like then you know that's step  one right and step two is that have you read the  
manual did you read the manual did you read the  best practices for your deployment well i was  
hoping you guys would do that well you can i mean  that's fine that's fine we can do that for you  
did you lock down your global admin for that  did you give everybody just administrative  
access so that we're working we're working  you know you didn't have to figure out how to  
identify access management okay there's a lot of  questions right but a lot of these questions i  
think i could just you know pass off we could save  some time i could just i could just pass you this  
thumb this checklist here you can you can read it  so look through the checklist what about pen tests
that's always a smart idea mike i don't  know what do you think should we should we  
i mean he just interrupted our show and started  talking about what advice would we give him  
i mean i don't know yeah i think the first thing  is a contest but the also the other thing that you  
need to look at is the process of procedures right  have you uh translated your processes that are an  
internal for your bare metal to um cloud processes  you know yeah did you yeah did you did you do that  
well i'll have to check yeah okay that's fine  get back to it make sure you save that napkin  
i don't care if it's got a drink stain on  it well thank you guys dirty olives dirty
cigars we laugh but this is this is a  conversation of course we have regularly  
right with organizations that just need guidance  
right we're uh maybe inflating it a  bit but um but yeah good considerations
no we certainly don't approach clients  in the same manner i just you know  
we're sort of more professional
that's the point of podcasting right it's all  good fun um yeah now we get you know we get a  
lot of a lot of questions i would try to bring  those bring those scenarios up and kind of the  
the worst case scenario right and uh hopefully um  you know the the listeners out there in a better  
spot right but we can always learn from these  situations that uh can and will happen um but  
we are coming up on time any final thoughts  ideas words of wisdom to share yeah remember  
don't forget and read the manual read the manual  read the manual uh anything that was worth doing  
is worth doing slowly and properly don't rush  when you're getting into this stuff there are  
emergencies acting in an emergent acting in  a manner that you see as an emergency without  
careful consideration of all the response or all  the risks will create problems in the long term  
so very well said very well said and i'm  sorry for interrupting your show lauro  
that's fine i don't know who you are still what  are you doing again i promise zach who's this  
person i'm just calling in just a random call  in asking asking questions but uh well thank you  
first time calling first time caller do i win  anything do i get was i like the 100th caller
hey look you got your crayons and your napkin into  the drink stain and diagram that's all you get and  
some free advice there you go thank you and thank  you everyone for listening hope you enjoyed the  
show hope you found some information that was  valuable and uh if you did go ahead and give  
us a rating or subscribe to the channel and uh  we'd love to hear your comments uh feedback ideas  
for future episodes thanks a lot and have a great  day pick up your copy of the cyber rants book on  
amazon today and if you're looking to take your  cyber security program to the next level visit us  
online at join us next time  for another edition of the cyber rants podcast