April 12, 2021

The Cyber Rants Podcast

Episode #24 - To Cloud or Not to Cloud?

The "cloud" is arguably one of the most common topics of discussion in technology today, primarily for its cost savings and accessibility benefits. Corporate cloud security can be tricky. However, it's also a hot topic for cybersecurity professionals and not always for the best reasons. This week, the guys discuss cloud considerations for organizations of all sizes, providing recommendations for transitioning to the cloud, the security risks of cloud computing, safely storing information, and avoiding data loss nightmares.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber security criminals and now here's your hosts mike rotondo

zach fuller and lauro chavez hello and welcome to the cyber ants podcast this is your co-host zach

fuller joined by mike rotondo and lauro chavez today we have a uh what i think is a good topic um

something that comes up a lot is cloud migration right a lot of organizations moving to cloud

and there are a lot of considerations that come with that and some myths we wanted to spell

as well so before we do that mike why don't you kick us off with the news good morning and welcome

to the news fbi apt is actively exploiting fortinet and vpn security holes this has been

going around for a while but there's an advanced persistent threat nation state actor that that is

actively exploiting known security vulnerabilities and fortinet florida os cyber security operating

system so if you've got that get it patched um there's multiple cds attached to that the

evolution and rise of the avidon ransomware as a service there's a ransomware as a service that

started back in february 2020 called avadon it's continued to expand it's tied to the russians

so you know be aware that they're actually providing they're now service companies like doing

doing ransomware so life is good right hackers set up fake security firm to target security experts a

north korean government-backed campaign targeting cyber security research with malware has reemerged

with new new tactics in their arsenal as part of a fresh social engineering

attack they set up a fake security company called secure elite and the slew of social

media accounts across twitter and linkedin and attempt to trick unsuspecting researchers into

visiting the company's booby-trapped website that was nice anomalous surge in dns queries

not microsoft cloud off the web last week so you know going back to talking about our cloud

this week we had uh basically surge of dns queries from across the globe targeting a set

of domains hosted on azure knocked it offline i'm sure was in the convenience for just about

everybody hackers targeting professionals with more eggs malware via linkedin job offers there's

a new spearfishing campaign and targeting professionals on linkedin with weaponized

job offers an attempt to infect targets with sophisticated backdoor trojans called more eggs

to increase the odds of success the fishing lures take advantage of melissa's zip archive files that

have information on the jobs i can also with an unconfirmed report i had heard that linkedin had

also been hacked recently along with facebook uh facebook 533 million records and linkedin as well

firmware attacks a gray area in cyber security of organizations this is always something that is uh

quite often overlooked according to microsoft we'll they revealed that 80 of enterprises were

victims of at least one firmware attack in the past two years the study showed that only 29

of targeted targeted organizations have allocated budgets to protect firmware so that's something

to think about inside the ransomware campaigns targeting exchange servers it's just more about

the the whole thing that came out back in march but they're using zero days and in the weekend

in march 30th the number of attacks involving the exchange server flaws have tripled to more than

50 000 around the world it's an interesting read i definitely recommend you check it out the trusted

internet who governs who gets to buy spyware from surveillance software companies so this is kind of

an interesting one it's when hackers get hacked that's when secrets get uncovered july 5th of

2028 an italian-based surveillance technology company team company released 400 gigabytes of

torrent file with internal document source code and emails to the public including the companies

list client list of almost 60 customers include countries such as sudan kazakhstan saudi arabia

the elite documents strongly applied to the southeast asian region government

agencies from singapore thailand and malaysia had purchased their most advanced spyware referred to

as remote control systems and we're using these against targets so it's an interesting dark web

consideration of how governments are actually doing this stuff security falls short and rapid

covered cloud migration we're going to talk about this a little bit but what we're seeing is that

as clouds as covet hit many companies tried to move their own structure the cloud quickly

and they saw instance rise security incidents rise some of them as much as 400 percent um so that's

definitely a concern and there's a new office 365 phishing campaign using publicly hosted javascript

out there so be really careful with your email on office 365 don't click on anything you're not sure

about tech support scammers lure victims with fake antivirus billing emails this is more for

your home users but they're sending out fake bills asking you to click on it and pay your balance

so don't click on that lastly or one of the last ones as i saw this is kind of concerns

arm climb armed conflict draws closer as state-backed cyber security attacks intensify

there's actually a study called nation state cyber conflict in the web of profit that was done by an

english university it claimed that 100 percent increase in significant state based attacks

between 2017 and 2020 and an average of an over 10 publicly attributed tax per month in 2020 alone

um 50 featured surveillance tools 14 were focused on damage or destruction you might

remember the ukrainian power grid uh while more than 40 had a physical and digital component so

cyber is moving into a very dark place it's also claimed that 10 to 50 of dark web vendor sales

now go to atypical purchasers like state-backed apts this one's i added this one simply because

of our political uh reason that we're in here reveal our our evil ransomware now

changes password to auto login in safe mode guess what they change it to d trump forever

uh the ransomware configures following uh registry values so that windows will automatically log

in with the new account information so there you go that's the headlines laurel

that was great at least you always know that some of these individuals have somewhat of a sense of

humor at times yeah exactly well interesting stuff mike thanks for that for exploitation this week

there's a couple things i'll talk about one of them is done by the google security research team

um it's on the linux kernel 5.4 and it exploits the bluetooth zero click remote code execution uh

capability it's there it's what you'd expect from google research team andy nguyen and

that team they just wrote this and see it's elegant so they did a poc and they have the

data there uh they estimate the accuracy of the success rate rather than about eighty percent

which is um and so they they were able to do this on on a mac which is really cool um so check that

out um certainly something to be aware of for in-proximity attacks for more of your physical

stuff like that which is you know pretty neat as well but but i think the interesting one is kind

of just been you know by one of the independents that was shot out there was for the rockstar

service there's an insecure file permission on how rockstar service installs if you're if

you're using it for online play on your pc and stuff and so for those of you who who are not

rockstar fans um you may have heard of grand theft auto so this is um if you've got everybody who's

playing gta 5 and so the the this is an authentic kind of vulnerability so you have to already have

an account of a local pc in order for for this attack to work it's a clever attack um no doubt

about that but um it certainly punches um punches in the gut of a lot of everybody's favorite game

so i'm a big fan of gta 5. i used to play gta i used to play gta 1

back in 1997 and play gta 1 and along with it so if you've not heard of those and might

not know what a voodoo one by 3dfx is or what overclocking opinion 2 is like but in any case

what was that are those on the wii on the week no i i think that's more of like a maybe it was

nintendo ds or something i don't know okay yeah yeah yeah my my two my two megabit on on on board

voodoo one it was it was the most amazing thing at the time anyways um gta has come a long way um

yeah anyways so this is a really cool exploit that they brought out i thought but that's pretty much

it those two uh for this week that are of interest everything else is in poc and on random items so

always make sure you take a look at what your attack surface looks like and then compare

that to what you're seeing in the exploit world zach turn it back over to you all

right well thank you both um interesting stuff happening and a little bit nerve-wracking but um

hey that's the business we're in so um you know there's going back to cloud migration right

there are tremendous amount of benefits to this we see a lot of organizations moving to the cloud but

they're also downsides and i think one of the myths that i want to dispel right off the bat

is the myth that is catching a lot of companies off guard right this myth is the idea that if

you move to the cloud you're more secure or you're automatically secure right and the

cloud of course is just somebody else's computer all right so same security considerations apply

but what are your recommendations your thoughts what have you seen out there in the wild as far as

cloud migrations and and where people are screwing it up there's a myriad of places they could screw

it up but primarily what i see is even even at the beginning of the negotiation of the contract of

who actually owns the security and what there's a misconception out there and hopefully it's going

away to a certain extent but that automatically by moving things to the cloud i'm safe

and that the cloud provider will take care of all my security will take care of all my things

all my requirements all in my you know past past passwords given all my patching you know that sort

of thing and that is not the case depending on the level of cloud service that you have

um you know there there is some of that but if you know you're just buying you know for lack of

a better term bear steel in the cloud and then you're putting your infrastructure on it that's

all you right they'll take care of the you know part of it but you know you have to still maintain

uh a lot of your security measures and your patching and everything else so it's a matter of

you know being sure from the beginning what you're getting and and i think that's just

you know when you start with step one and then you know goes from there exactly i think you

mentioned i think you mentioned it you know on the net when you said that they take care of

requirements for you that's that should be right the first step right we talked about diagrams um

a couple episodes ago and you know this stuff the stuff that you're trying to

migrate you should have diagrams on and you should certainly have requirements

um kind of measured out fully measured out so that you understand what is you're trying to accomplish

once you get your technologies in the cloud and make sure that what service

levels that you've committed to from a price perspective are going to meet those

those requirements right i mean that's just like you said that's that's rule number one and i think

there's a lot of assumptions like oh we can just deploy this and we test a lot of customers um from

a technical assessment perspective that have you know had vulnerabilities that were closed

on-prem and then when they migrated some of those changes didn't follow and so be because it's in

their processes of mature organization to include contests upon changes we were able to identify

those weaknesses were then now kind of showing up again and so they they realize

um you know that that you know just moving your code up there isn't going to also take all the

nice configs that you've done and in place you know behind application firewall profiles that

you may have that aren't consistent in aws or azure or something like self software right

it doesn't matter um so that requirements on what you have today understanding what

you have today and how that's going to translate is critical incredible stuff

the other thing that comes to mind too is that you know monitoring and reporting and auditing

and logging um that's an add-on in a lot of cloud services that's not an automatic right they're

going to take care of you know the perimeter of their you know they're going to take care of

their piece but monitoring your application that's up to you you have to be able to configure that

that piece you know configure the alerts you have to configure the process you have to configure

you know all of that sort of thing and add those pieces into the system

um just because an application sits in the cloud doesn't mean amazon or azure or google or

you know whoever is taking care of it for you um and and so that yeah that's the next step

down the road is that people forget that they have to actually add those pieces in

um this is i think yeah and uh um you know and then code yeah i mean code doesn't necessarily

work the same in the cloud as it does on-prem either right i mean can we see differences in

that as well always always um there's there's a lot of tweaking that needs to be done for you

know changing some of this right it's not a it's not a simple just you know copy pasta right if

you will um there's there's some things there that you have to do and again if you don't understand

what your what your what your infrastructure looks like today it makes it a more difficult challenge

i think to make that smooth transition and like we keep saying right there's a lot of things that

that i think organizations assume that is going to just be included in the package

and it may be right some things may be included that doesn't mean you don't need to go in and

configure the settings so you know cloud doesn't mean hands-off you know what i mean there's still

you know through the snap-ins and everything else there's still management you need to perform

and you know us engineers had a saying back in the day called rtfm and i'm not gonna for

those that know no but in any case right they have best practice guides that i think a lot of

a lot of um technologists refuse to read or research so do your homework because um

all these all these vendors they put out a best practices to cyber security and and in

that as a checklist a lot of them call it that right and you'll be able to go through that

and find um you know what it is that you need to do and how you need to go through that

and you know what i think is interesting is is to bring up one and again you know i i don't really

like to talk about the brands but you know if you look at aws security checklist which i think is

pretty funny they talk about making sure that you have an incident response plan and making

sure that you're you're making run books and stuff so they're they're like look we're not going to do

this for you like these are things you know it's almost like they don't put don't iron clothes

while on body have you ever noticed that on that i don't know how many people iron anymore right but

for us military folk like we we know what it's like to iron right so you know that

sticker was on the iron right it's like somebody did that and so you know in the

beginning aws didn't have the security checklist but everybody was getting hacked and they're like

why aren't you guys in there like what do you mean like that was in the terms of service like you're

supposed to read that part anyway so they've made a checklist now so that you can consume it

and understand what what things you need to have in place to better better reduce the risk you're

going to have while while performing and and conducting activities with your technologies

and business software in these environments super critical to read this document

i just can't yeah can't enforce that enough like read read the manual it's there for you

right i mean if we put it on wikipedia more people would read it but because you got to go dig for it

you know wherever it makes it like so much harder to understand but uh you know when we when we um

you know we've been asked recently to do a lot of these reviews

and you know here's the thing is that everybody has a way that they're going to deploy these um

these technologies and in these in these online you know online vendors and so the

the best thing that we do as well to practice this is with our customers that we're taking care of is

that we we read the manuals right right and we and we look at the consoles and and scroll through the

settings and kind of evaluate what opportunities we have in the licensing kit that's given to

the organization it's like we have or go in there and look you know i mean like what options do you

have yeah you've got some logging capabilities but you've got to enable some other things and

like you said mike some things you have to pay for like that really good telemetry that they have

for the compliance uh area is you know that might be an additional add-on you might want to pay

for right so you want to look at that but you may also if you get a tour of it as an example or tour

of some of these capabilities um with the reps then you may be surprised to watch some videos

right and you may be surprised at the um the capabilities you get but if you don't

do that research and understanding requirements it's just going to be a big headache for you

but as i said i think the value of the cloud is that it enables you to do whatever you want the

problem is it enables you to do whatever you want there's no there's no guard rails right to say

absolutely so um yeah i mean that's that's that's a big that's a big concern right there i mean

and people don't read the manual and a lot of times these migrations are done out of

desperation because we're cutting staff we need to migrate everything in cloud because

there's a financial there's a belief in the financial offices that

we're going to save all this money you know x percent in reality

by doing it in a hurry you're creating issues where you have 400 percent increasing incidence

because you haven't taken the due diligence to do care cloud migration is not a 30-day migration it

is a well-planned out 12 to 18 month migration if you're moving your entire infrastructure

and to do it while cutting staff that's just you know not a good idea

yeah no you you net you nailed it mike it's it's it here's the thing is it's cheaper to a lot of

a lot of individuals say it's cheaper especially something like covid right where we have a remote

workforce it's like oh we got metal um we've got to buy vpn now to access the stuff and you

know it makes it more complicated more expensive it's probably in those cases cheaper to migrate

things to the cloud and then just have everybody access it through the portal you know what i

mean and then there's no yes there's no need to manage more infrastructure devices right and so

it's the perfect storm and that remote that like you said at haste like what are we gonna do

we don't have you know x amount of dollars to spend on these updated vpn licenses and

to get everybody you know updated on this let's let's move this stuff to the cloud right yeah

let's say i'm a business leader that just went through kind of a hasty cloud migration

so to speak and i want to understand where i stand in terms of security with this migration

in this new environment what recommendations would you give to me and or somebody in that situation

first off you don't come on the show and ask questions like that random stranger you have

to purchase the appropriate manner and second did you do your diagrams

that's what i'm going to ask you yeah i did my diagrams i didn't have your dogs

they're in crayon on a napkin but i i did my diagrams i'm not here to judge hey the

muffler works you know i'm i'm just checking to make sure the smog system works i don't care

what color your car is or if the door handles there you know what i mean hey that's fine if

it's it's there we've got a if the ones we have a detailed understanding of what your of what your

migration looks like then you know that's step one right and step two is that have you read the

manual did you read the manual did you read the best practices for your deployment well i was

hoping you guys would do that well you can i mean that's fine that's fine we can do that for you

did you lock down your global admin for that did you give everybody just administrative

access so that we're working we're working you know you didn't have to figure out how to

identify access management okay there's a lot of questions right but a lot of these questions i

think i could just you know pass off we could save some time i could just i could just pass you this

thumb this checklist here you can you can read it so look through the checklist what about pen tests

that's always a smart idea mike i don't know what do you think should we should we

i mean he just interrupted our show and started talking about what advice would we give him

i mean i don't know yeah i think the first thing is a contest but the also the other thing that you

need to look at is the process of procedures right have you uh translated your processes that are an

internal for your bare metal to um cloud processes you know yeah did you yeah did you did you do that

well i'll have to check yeah okay that's fine get back to it make sure you save that napkin

i don't care if it's got a drink stain on it well thank you guys dirty olives dirty

cigars we laugh but this is this is a conversation of course we have regularly

right with organizations that just need guidance

right we're uh maybe inflating it a bit but um but yeah good considerations

no we certainly don't approach clients in the same manner i just you know

we're sort of more professional

that's the point of podcasting right it's all good fun um yeah now we get you know we get a

lot of a lot of questions i would try to bring those bring those scenarios up and kind of the

the worst case scenario right and uh hopefully um you know the the listeners out there in a better

spot right but we can always learn from these situations that uh can and will happen um but

we are coming up on time any final thoughts ideas words of wisdom to share yeah remember

don't forget and read the manual read the manual read the manual uh anything that was worth doing

is worth doing slowly and properly don't rush when you're getting into this stuff there are

emergencies acting in an emergent acting in a manner that you see as an emergency without

careful consideration of all the response or all the risks will create problems in the long term

so very well said very well said and i'm sorry for interrupting your show lauro

that's fine i don't know who you are still what are you doing again i promise zach who's this

person i'm just calling in just a random call in asking asking questions but uh well thank you

first time calling first time caller do i win anything do i get was i like the 100th caller

hey look you got your crayons and your napkin into the drink stain and diagram that's all you get and

some free advice there you go thank you and thank you everyone for listening hope you enjoyed the

show hope you found some information that was valuable and uh if you did go ahead and give

us a rating or subscribe to the channel and uh we'd love to hear your comments uh feedback ideas

for future episodes thanks a lot and have a great day pick up your copy of the cyber rants book on

amazon today and if you're looking to take your cyber security program to the next level visit us

online at www.silentsector.com join us next time for another edition of the cyber rants podcast

Episode #24 - To Cloud or Not to Cloud?

Send Us Your Questions & Rants!