Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall
 

Episode #40 - Protect Your People From Themselves

This week, the guys discuss technical controls to protect your employees and protect your company from its own employees. From honest mistakes to gross negligence and malicious activity, proper protections minimize employee related cyber risk. The guys also share tips for configuring and issuing devices to your team members, which is especially critical for those working from home. 

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

WARNING: Microsoft Exchange Under Attack With ProxyShell Flaws 

Unpatched Microsoft Exchange Servers Hit With Proxyshell Attack

 Microsoft Breaks Silence on Barrage of ProxyShell Attacks

38 Million Records Exposed From Microsoft Power Apps of Dozens of Organizations

Google Publishes Zero-Day Vulnerability in Windows Firewall and Appcontainer Affecting Every Version. Patch Not Available


Over a Third of Smart Device Owners Do Not Take Security Measures

FBI Sends Its First-Ever Alert About a ‘Ransomware Affiliate’

CISA Shares Guidance on How to Prevent Ransomware Data Breaches


Apple, Microsoft and Amazon Chiefs to Meet Biden Over Critical Infrastructure Cyber Attacks


U.S. State Department Was Recently Hit by a Cyber Attack

T-Mobile's Current Data Breach Tally: 54 Million Victims

A Phishing Attack Exposes Medical Information for 12,000 Patients at Revere Health


Trend Micro Detected Over 13 Million Malware Events Targeting Linux-based Cloud Environments


Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems

Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs

F5 Releases Critical Security Patches for BIG-IP and BIG-IQ Devices

VMware Issues Patches to Fix New Flaws Affecting Multiple Products

10103417-small

Send Us Your Questions & Rants!

welcome to the cyber rants podcast where
we're all about sharing the forbidden
secrets and slightly embellished truths
about corporate cyber security programs
we're ranting we're raving and we're
telling you the stuff that nobody talks
about on their fancy website and trade
show giveaways all to protect you from
cyber criminals and now here's your
hosts mike rotondo zack fuller and lauro
chavez hello and welcome to the cyber
ants podcast this is your co-host zach
fuller joined by mike rotondo and laro
chavez good podcast today as always good
looking group of listeners today too i
think we have the best looking listeners
probably of any podcast don't you guys
agree oh yeah sure i love looking at the
live audience love it i think they're
the most intelligent too
absolutely absolutely um yeah if you
don't know how we know that you're
looking sharp today it's a new new
technology we'll maybe we'll talk about
next next episode but uh for today we're
talking about technical controls
and uh putting protections around
users which is
super important but before we do that
mike do you want to play anchorman for
us
the arsonist had oddly shaped feet and
here we go there's a lot of headlines
this week there's a lot going on other
than what what else you're seeing in the
news about afghanistan and other things
so i'm just going to hit some highlights
but there's a lot that are going to be
posted at our site so combining this
into three microsoft exchange under
attack with proxy shelf laws
unpatched microsoft exchange servers hit
with proxy shell attack
and microsoft breaks silence on barrage
proxy shell attacks
long story short patch your exchange
servers if you haven't which is
basically microsoft's guidance on the
subject security researchers at hunter's
lab also reported seeing proxy cell
vulnerabilities being actively exploited
throughout the month of august to
install backdoor access once the proxy
shell exploit code was published on
august 6th the hunters reported a surge
in attacks after finding 140 web shells
launched against 1900 unpatched exchange
servers so this thing's back and if you
haven't haven't patched your exchange
server please do other news from
microsoft 38 million records exposed
from microsoft power apps of dozens of
organizations i love the irony of this
one of those is microsoft global payroll
38 million acre records from 47
different entities including the state
of indiana state of maryland new york
city american airlines and of course
microsoft global payroll google
publishes zero day vulnerability in what
windows firewall and app container
affecting every version with no patch
available so that's always good news
google's cyber security unit published
research detailing its analysis of the
firewall and app container and microsoft
runtime environment
it points to the detection of a severe
vulnerability in app container that
microsoft has not chosen to address
there's a good article i don't get too
too deeply into it but it's all
exploitable uh that can lead to
privilege escalation from the consumer
side over a third of smart device owners
do not take security measures so that's
your smart tv your alexa at home your
smart refrigerator smart washing machine
or whatever smart stuff you got at home
71 do not take the pressure proper
measures to secure those devices so
check that one out just some quick
headlines fbi sends its first ever alert
about ransomware affiliate definitely
worth a good read
since the shares guide shares guidance
on how to prevent ransomware data
breaches apple microsoft and amazon
chiefs to meet with biden over critical
infrastructure cyber attacks and then to
round that one out u.s state department
was recently hit by a cyber attack so
maybe
cisa needs to reach out to the state
department there's more there's more
headlines about data breaches in there
but we're going to leave it right there
so laurel any exploits we want to talk
about afternoon delight yeah thanks for
that mike um just one uh just one and
it's um it involves our best friend and
the coked out crazy minded wordpress
it's the only one worthy about talking
about i mean mike got the other one i
mean you know it's i don't want to i
don't want to talk about the you know
the proxy shell stuff right after he
talks about the proxy shell stuff so i
have to you know i have to filter i have
to filter my other exploit data around
you know the news which is really the
important stuff right so pay attention
to that everybody look at those look up
those headlines but
for all you crazy people out there
playing wordpress
i got one for you today uh if you're
using mail master well there's a local
file inclusion vulnerability they got
the code out there
very very nice code i give a nice shout
out to this guy for putting this
together for everybody to use looks
really really nice he's even got the
nice ascii
header at the top of the exploit code so
make sure you're running mail master and
you're playing wordpress that you got
that patched to the latest version or
you've got some form of compensation in
place to protect you from that local
file inclusion all right well first i do
want to tell the listeners that we do
not put the news and the uh exploits on
on repeat or no not play
replay articles and news from previous
episodes although we talk about
microsoft and wordpress a lot this is
actually all new material every episode
so just wanted to put that disclaimer
out there so important stuff you know of
course it affects so many people being
such
huge environments a lot of people are
looking for ways to you know exploit
both but um
that said
especially with word i mean a lot of
microsoft you're kind of stuck with but
well some central bodies
no you don't some some bot in the future
is going to you know look through all
this and it's going to look through all
the headlines it's going to look it's
going to say exploit it's going to say
microsoft and it's going to see that a
whole bunch is going to exploit
microsoft exploit microsoft exploit
wordpress wordpress and it's going to
know it's going to be like microsoft bad
wordpress bad
because you know what i mean so i
imagine the bot someday will figure out
for us the
software is dangerous if you don't if
you don't play with it in the right ways
well there's a lot of linux ones out
there especially cloud-based linux right
now they didn't touch on that but
there was an article about the top 15
linux exploits and how cloud
environments aren't being properly
secured for linux and people are just
making the assumption because it's linux
it's secure and that's just not the case
so
not to be an apologist for microsoft but
they are not the only guilty party i
just wish you know if the government's
gonna tell us how to secure our stuff
that maybe they should secure their
stuff that's kind of my thing
yeah yeah i mean
yeah exactly
look at my straw house you want to build
a brick one
that's asking a lot
he's asking a lot
well maybe you know they'll they'll come
back and say well you should pay more
taxes so we can secure
we'll secure our stuff better we're
probably going to pay that either way
yeah that's for sure that would actually
be a worthy a worthy cause right i mean
yeah i'd be like you know if i can see
the security plans i'll agree to that
right
oh we have to plan
want even more cyber rants be sure to
subscribe to the cyber rants podcast get
your copy of our best-selling book cyber
rants on amazon today
this podcast is brought to you by silent
sector the firm dedicated to building
world-class cyber security programs for
mid-market and emerging companies across
the us silent sector also provides
industry-leading penetration tests and
cyber risk assessments visit
silentsector.com and contact us today
let's move on shall we yeah
is it time okay
technical controls for protection around
users of an organization now we've
talked a lot in the past
about other other types of controls
right and a lot around
governance right policies and procedures
and such we've talked a lot about
following different frameworks and all
that and here we want to get into kind
of the
a little bit of the nitty-gritty i guess
you could say
for
what you should actually do when you're
thinking about configurations when
you're thinking about your users what
should you be doing to protect i hate to
say it but protect the users from
themselves i think it's a critical thing
that
we every organization needs to be doing
what are your thoughts if you had to
give the top
36
tips
in order what would where would you
start
there's 36 i didn't know that number of
i'll settle i'll settle with three
how about that 42 let's just pick 42
it's like a good nice number though
friends don't let friends use microsoft
yeah
don't i guess number one don't don't let
them have administrative privileges at
all times
why not tell us more
well
so
it's funny there's no there's some
protections in place so as an example
you've you know you've got you've got
some stuff running right you maybe you
you enabled your windows firewall to
prevent some uh some inbound ports and
protocols from some bad sites and you
know maybe you uh maybe you've got
windows defender running um since we're
talking about windows and you've got
windows defender running as antivirus
you know to provide some protection for
your user but you've left your user to
um to be in an advent group or be part
of the local administrators group
and so
that individual now can become oh let's
just say disgruntled with the
configurations that you've laid forced
to you know enable that protection and
they can go in and disable that
protection right they can turn off
firewall
they can go inside and you know they can
disable the windows defender piece as
well right on the windows security side
so
you you kind of circumvent some of the
good security practices you're trying to
put in place by leaving the user to have
those types of root and administrative
privileges on the on the local machine
that they're that they're operating
that's one i think that's number one
talk about disgruntled i mean you could
have someone encrypt their disk and not
tell you how yeah yeah true or pull data
yeah absolutely or shut down their
antivirus because they don't like the
props that are popping up
yeah
yeah well that was that's what windows
defenders it's sort of
it's it's sort of antivirus i guess you
could kind of call it time you should
but yeah you shouldn't really that's
sort of yeah i would
i was talking about more serious
that's like an egg a souffle yeah
anyway so uh
yeah i think that's number one and then
you know to to add on to that if you you
know if you're installing any
third-party epp pieces you know if you
don't have the security installed on
those those agents to prevent tamper
even from local administrators then you
know your users can turn those off
because they may they may be scanning
the local disk at a bad time or they may
feel that their internet connection is
unstable because of the agent that's
running i mean you there's all kinds of
conspiracy theories around local agents
now right and security i think security
tools in general in the past have always
been part of them right i mean that's
what we always got blamed for anytime
something went down like are you guys
doing anything like what do you mean are
we doing anything like running any scans
take down the network like no
like your app failed because it didn't
have enough memory that'd have to do
with us but security in general has
always been the bad guy right so
yeah some of the you know from
administrative side of the house
it's always a good idea to schedule
things
at the appropriate time and i remember
one of the things that we did when when
antivirus way back way back first came
out when you could control it from a
centralized location
um you know you tried to schedule them
the scans to run around lunchtime not
log in or not at four o'clock in the
afternoon people are trying to get out
but you know
so smart scheduling will help some of
that but um
i just want to dovetail on the third
party controls though
one of the things we're seeing is people
have moved remotely is that they're
starting to install software that works
for them that's not necessarily part of
the
approved suite of software uh for for
your company and you need to really
prevent and lock down those kind of
tools because those tools are not
embedded those tools are not secure
necessarily and you know they're posting
critical ephi or pii or whatever on
web-based forums that you haven't
reviewed and that really needs to be
tied down
yeah yeah no no that's a great point
mike and controlling your users and
making sure that they they don't have
permissions more than they need
um is is super important especially now
with this work remote situation like
you're saying we're seeing organizations
that are actually letting users bring
their own device like their own home
they're using their own home machines
so you know yeah you might be in office
365 right so you're secured for the web
supposedly but if that individual is not
updating their home machine
and you know the kids are using it or
somebody else is coming in and using it
or
you know they get some form of you know
kind of hidden hidden malware that's
that's on the machine it's going to be
able to grab those tokens and those and
see that email and grab those passwords
and so
that security of the home device you
know now you've just introduced you know
even uh you know a more significant risk
to the business organization because now
you have an untrusted device
with the user um that you can't control
the permissions to that's accessing your
business data
so i think that you know that that's
been a i don't know it's been a pretty
big top-of-mind topic
recently at least i think with some of
our conversations right yeah so how do
you yeah how do you handle that how do
you handle that user security when the
device doesn't belong to you
i i have a an ancient infosec proverb
here that comes to mind um this is a new
one and it's
if you think
buying
devices for all your users is expensive
try going through a breach
yeah no doubt
good point so
so in short here's the thing is that
to protect the user account you have to
be able to provide the user controls
which in some cases may mean you need to
issue the device
because you're going to have to control
the configuration of the device right
you need to also you know removing
administrator privileges is not it's a
switch okay but it's unfortunately
doesn't matter if you're downloading
something like jumpcloud you're going to
do it or you're going to use azure
directory to do it
it yes it's a it's just a it's a boolean
um check
but it's harder in in reality because
you know you may not
be able to anticipate what your users
may or may not need from you so always
have a good process to request
elevated permissions temporarily or to
have somebody
have the capability to install something
if they need it for work purposes right
because otherwise you're gonna you're
gonna fill up your your help desk
tickets with users requesting for
install software or admin privileges and
not have a way to really do that in a
good way
and i think the other thing is is is
protecting the user accounts also means
protecting that
that user from themselves with with
passwords so
that's a whole nother conversation we
could have but i i you know i see that
you know federated you know federated
password methodologies like you know
single sign-on and oauth and things like
that are kind of working because you can
get some of your third-party vendors to
offer
like a saml hook in or something like
that where you can enforce to that
third-party portal that doesn't belong
to you
controls over the password and the user
that are specific to your organization
so you can um you can usually request
that so look into that if you're dealing
with third-party apps and you are using
a federated identity method today i
think that's uh that's probably a
helpful thing to try to make sure the
users aren't practicing bad passwords on
third-party applications you can't
control
yeah
so speaking of those third-party apps
one of the things that you do need to
get is get all those controls under i.t
and not let the business units manage
those especially for provisioning and
deprovisioning where there's critical
data in them
that's more of an operational
control
yeah and if you're if you're a small
yeah no great point mike if you're a
small shop
and you're you know one or two man i.t
and you're trying to figure out how to
do this you know the pride the hold of
the proverb i would try to get budgeting
to issue laptops for your if your
individuals that are
um that are bringing their own devices
from home i would do i would set that up
as a priority for the year and request
budget and there's all kinds of risks
that we can put around the untrusted
device and using data even though it's
in a stream to a third party like a
google
um corporate or or microsoft office 365
or any other those types of
um outsourced third-party email
kind of work hubs right
if the endpoint device can be
compromised that data and streams
probably get compromised at some point
too
so um you know try to request budget try
to issue those devices try to get a
handle on what your users need
daily so that you don't really have to
enforce
you know giving everybody administrative
privileges because that's the easy way
out
it will it will take a little bit of
engineering a little bit of questioning
inquisition to your users to find out
what they need but that's really the
right way to go about it and i'm going
to say it
and i'll shut up
but all you administrators out there
you need to have two accounts too you
need to have an administrator account
that you do your admin work with and if
you guys are on you know nics or
whatever that's a suitors file okay you
need to be added to that there needs to
be a process around that and if you're
on windows you need to have two accounts
you need to have your admin account
admin group account you need to have
your user account you don't need to be
an admin all day long every day
surfing the internet and you know
checking on your you know checking on
your email that's you know going to
meetings right that's perfectly fine for
your user account and then you need to
elevate with your other account when you
actually need to do engineering level
work and that's what the audit
framework's going to look
for socks or anything else right mike oh
yeah yeah and i'm actually surprised
that how many companies don't do that
so i mean that's just common hygiene
well
thanks a lot lauro and mike because we
just lost a whole bunch of our listeners
a lot lots of unsubscribes
lots unsubscribed people don't want to
have two accounts it's terrible yeah i'm
watching our followers go down right now
it's like we just lost we just lost four
or five million we still got we still
got several hundred million so it's okay
but
well yeah that will be we'll be just
fine just fine
hey speaking of it let's let's talk
about the one of the things that we run
into quite a bit which is those
companies that kind of
are partially there those companies
especially mid-market and emerging
organizations
they went out and they they did the
right thing in buying a bunch of company
owned devices and issuing devices to
their users but they don't have any
management of them they're not they're
not using active directory or jump cloud
or anything similar so they're they're
basically leaving
the
user leaving the updates and everything
else up to the users
how how would you recommend they go from
that state into a managed state and and
deploy the you know proper hardening
images and all that across the board get
everybody together on the same page as
as appropriate and have it
have those devices managed from a
central location
yeah good question so built first off
you know define what your what your
environment is going to be where they're
going to be you know mac you're going to
use windows build yourself a stick for
you know the bare minimum secure
configuration that you're going to need
for that device for the user
and then build your if you're whatever
you're using build yourself a deploy
script if you don't if you want to be
old school and you can do it per device
and then issue the device after it's
after it's edits um
it's stig installed and
the permissions and all of that for the
user installed
all the necessary apps you know removed
and um necessary apps installed and then
you hand it off as part of the build
process
um that would be the next step if you're
you know not looking to you know try to
hook up into active directory or you
know it you know active directory cloud
type stuff or you know trying to use a a
bolt on like like a jump cloud like you
said um which is which which are all
viable options right to do that control
yeah i mean i really i mean that's
really the best way to do it as far as
i'm concerned you know and for for if
you're trying to implement that the best
thing to do is just start anything new
gets rolled out with the new config and
you know as you as you have time go back
and replace and replace and replace so
as as you take the depreciation on the
device then you then you replace it with
something new and you need to push up
those depreciation schedules to ensure
they're secure
yeah no that's super good idea too
um but i mean it's really
you know if if you got if you've got
budget to deploy a device i mean you
know if you're if you're not going to
use a mac i mean you know nothing
against that but you know it's it's it's
a little it's a little honestly it's a
little easier with uh with a windows
device to to build a script um to to to
secure the device and then deploy it
than it is with a mac it takes a little
more work
but um you know i think you can do it
either way and then if if if that
becomes the you know too much of a
a process
to repeat over and over again then you
can you can get into the whole agent
right based off like jump cloud there's
a few others out there i don't drop
their name don't get paid by those guys
or anything maybe we should get paid by
those guys but
well the other thing that's out there
too is that there are vars depending on
your size and your budget there are vars
out there that do computers as a service
so you just tell them what to config
they take care of all of it they take
care of your maintenance they take care
of applying the device repairing the
devices providing the devices
and procure them so i mean if you don't
have the work resources to manage
something like this there are services
out there they do cost they aren't cheap
but uh
you know there are services out there
that can do that kind of stuff
yeah
and can i just remind everything it was
it was it was mentioned before but just
remind everybody that
this is not optional when you get into
filling out security questionnaires
especially for b2b technology companies
software as a service system
integrators people like that i mean
you have to have control over your end
user devices and you have to be pushing
patches you have to be on top of this
stuff that you cannot meet compliance
requirements
and really
you know achieve much at all
without doing this so it's at some point
you'll have to take the leap if your
organization is growing
i was just gonna say that you you know
if you're if you're out there listen to
this and you're you know a two or
three-man shop and you're just you know
you're buying machines you're just
sending them out to everybody and
telling them to log in and you know use
the office 365 whatever
um that's not good enough you need to
have a plan in place because it's going
to be an instantaneous fail on any
assessment for you not having end user
control over the devices if everybody
has administrative level permissions and
you don't have a way to control the them
turning off security
configurations or you know
mitigator you know bypassing security
configurations that you're trying to put
there to reduce risk you're going to
fail it on it
and and so be thinking of of ways to
cleverly get around that without having
to you know ask for a bunch of money you
can go back to google and start asking
all the nerds out there that have done
this a million times on how to build a
stig and a deploy script for your your
your endpoints
and um you know start you know just
start sending them out and and yeah like
pull them in and then replace them with
a new one
you can use them you can get from cis
too i mean cis has the the base images
the gold images i mean as long as you
get cis as a paid service
yeah absolutely and that's pretty cheap
it's not expensive i don't think and no
yeah
their their images are completely worth
it too i think yeah it's based on their
i think their fees the last time i
looked at was based on the number of
users company and if you're you know 150
person company it's not expense
so just something to keep in mind
probably a lot cheaper than hiring you
know an engineer to build these out for
you yeah yeah and i know i know what
every admin is out there thinking it's
like this has been in the back your mind
you just had other stuff to do yeah and
so yeah don't don't lose sight of this
right because it's it's going to come
back at some point the business you're
working with is going to get a
questionnaire we're going to need to
meet an audit requirement
and this is going to be one of those
catches that you're going to have to
solve and so solve it sooner than later
um it's yeah
you're hearing this message today for a
reason
it's it could be divine you never know
yeah get it yeah you want to get it done
though now that you know now that you're
right now that you know we're telling
you again yeah i'm looking at you don't
look at your radio like that you know
exactly who i'm talking to
you look you look wonderful today by the
way you you know who you are and yeah
great shirt well any final words of
wisdom before we wrap up
don't trust your users
yeah you well
programmatically you can't you shouldn't
take the risk to right so control those
actions yeah
they are i mean generally the greatest
threat to your company is the insider
yeah most of all the malware
right all the malware comes from easy
quick yeah i mean whether intended or
unintended
they are your biggest
you know your biggest risk whereas you
know the rogue admin story that's out
there does happen from time time to time
occasionally but uh it's more of your
you know
the secretary sitting at a desk or some
you know clerk in accounting that clicks
on the wrong email and all of a sudden
boom
yep call center employee decides that
they want 100 amazon gift card you know
what i mean it's that that's what we see
all the time
yeah the rogue admin certainly happens
but not as much as it does for you know
somebody who's you know kind of
you know maybe bored or have some board
time or be on lunch doing some stuff
right so
you never know
yep the
um the fact that you're using office 365
and
you know box and quickbooks cloud to run
the company is not is certainly not a
valid reason to not do these things
anymore just based on all the breaches
and stuff we've seen so
um get it done
uh i hope you enjoyed this podcast hope
it was valuable for you and you learned
some things um again
subscribe to the podcast if you if you
enjoy it
share with your friends other people
that might benefit from this information
might be able to learn
and go to
cyberrantspodcast.com if you have any
any ideas thoughts questions anything
like that we want to hear from you
there's a web form right there
next to the podcast list and you can
just
get in touch or
reach out on linkedin because we want to
talk about topics of interest that are
of interest to you and and beneficial to
you and your career so thank you again
for listening everybody and have a
wonderful day
pick up your copy of the cyber ants book
on amazon today and if you're looking to
take your cyber security program to the
next level visit us online at www dot
join us next time for another edition of
the cyber rants podcast