00:01
This is CyberSound, your simplified and fundamentals focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. I’m your host, Jason Pufahl, joined by Steve Maresca, Michael Grande,
Steven Maresca 00:17
It’s like you’ve never met me before.
Michael Grande 00:19
Here we are!
Jason Pufahl 00:20
I looked at both of you for a second. I’m like, which one do I say first? We do, you know, you got that, you got those good looking glasses on. I was thinking about that for a second.
Michael Grande 00:30
Very erudite.
Steven Maresca 00:31
Oh yes.
Jason Pufahl 00:33
So today we’re gonna, we’re actually gonna do something, I think a little different. I’m not sure we’ve done in calling it, ‘In the News’ section, and I think we’ve had different names for it over the last couple of years, but there were, there have been a few pretty, pretty notable or high profile events, right?
Michael Grande 00:52
But they’re all good news, though, right? Or is this, you know, the reality?
Jason Pufahl 00:59
You know, I find so anytime I do the security awareness training about midway through, I always feel like I have to say, like, you know, I just feel like I’m doom and gloom, like there’s nothing, you know, it’s all about. Here’s all the bad things gonna happen to you if you do this,
Steven Maresca 01:14
These are all unpleasant things for the people directly affected by them. We’re gonna turn the corner into making them opportunities for something.
Jason Pufahl 01:22
So let’s talk about the first opportunity then. Oh boy, it’s a whopper. But it’s twofold. So we’re gonna combine, we’re gonna turn this topic a little bit into everybody invests in security tools, right? Whether that be, well, in this case, spam and phishing protection or your EDR space, right? We’re obviously talking about CrowdStrike there, and there’s a huge Proofpoint vulnerability as well. And I think rather than rehash the technology, the technical issues that sort of caused the CrowdStrike outage, for example, it’s probably more valuable for us to spend a little bit of time about, you know, how do you responsibly utilize some of these technical controls? How do you mitigate against the potential problems that, like a CrowdStrike had? It had huge, huge, widespread issues. Really, everybody’s read it, right? What do we do going forward with security products, security vendors? I think that’s the topic we want to discuss.
Steven Maresca 02:27
We have a twofold problem, I suppose. You know, CrowdStrike is pervasive in an environment where it’s deployed. EDR is as well. Proofpoint, you know, being for email protection. It’s in the middle of everything, right? That’s a shared characteristic here. Either one of those types of platforms falls down because of a compromise or an actual outage. You know, everyone has an impact from a business perspective. So on the one hand, it’s a business continuity discussion. What do you do when you can’t transact your business, and do you have a backup for it? The other is, how do you use those tools in a way to make the pain more pleasant or your recovery time shorter?
Jason Pufahl 03:11
Yeah, and I think that’s what it is. And we’re in a mode now where we’ve accepted vendors updating their software on our behalf and, you know, yeah, I was gonna say, I want to make sure that we don’t try to suggest in any way to people that they turn off these automatic updates or anything like that, right? Because they’re hugely beneficial.
Steven Maresca 03:32
Which, just so we’re clear, was one of the contributing factors to the CrowdStrike event. We don’t have to get into the particulars, but it was something delivered that people did not necessarily feel they have control over.
Jason Pufahl 03:43
And every vendor is doing it right, right? I mean, Microsoft, automatic updates, you know, Mac, everybody. So how, how do you keep these enabled and protect yourself? I think that’s really the key, the key element here,
Steven Maresca 03:57
Yeah, I think it’s true, and ultimately, continue to have them enabled, but alter maybe the schedule that they’re applied, or stagger systems so that you can test in one more tolerable area for an outage that is your more, you know, tolerable user base, or something to that effect.
Michael Grande 04:18
Is this something that is generally planned, you know, when you’re going through business continuity or disaster recovery plan, I don’t know that someone ever says, well, a bad update or a bad patch, you know, forces us to revert. Do we have a program that, you know, or a process built in place for how we’ll do this, how we’ll sort of turn back the hands of time, go back to a prior revision, whatever it may be?
Jason Pufahl 04:40
Yeah, change management practices used to be really common. I think if you went back, I don’t know, you keep me honest in this, 15 plus years, yeah, I feel like there was the common approach of mistrusting Microsoft automatic updates and wanting to wait a week or two and then always putting them into a test environment first. And then as issues became less and less common, trust grew to the point where people said, I’ll just let them update. And now we’re in a situation again where we see you really do want to be careful with that.
Steven Maresca 05:11
This is a pendulum that swings all over the place. You get burned by an issue that you needed to deploy quickly, you really wanted those things, you’ve made the process more laborious. There’s no happy medium. It’s trying to find something business appropriate that doesn’t cause undue impact, but simultaneously lets you do your job. A lot of business continuity, incident response, preparatory work focuses more on supply chain impact, vulnerabilities, zero day flaws, that type of thing. And this kind of resembles that realistically. It’s just trying to stack the deck for what tools you have in place so that you can actually recover quickly. And a lot of that is good inventory of your assets, out of band, offline copies of documentation, systems that are deliberately, intentionally dissociated from updates, so that you have something as a stepping stone from which to rebuild an environment if you don’t have an update that goes well. Those are the types of easy practices.
Jason Pufahl 06:15
It’s not about eliminating impact, just reducing.
Steven Maresca 06:18
And the change management side of it’s really important too. There are always applications or groups of systems that have organizational inertia that prevents them from being updated, or a vendor that has an issue to patch in a timely manner, you name it, that stuff you have to treat individually in test environments. But, it’s challenging.
Jason Pufahl 06:38
So let’s shift for a second to the Proofpoint, yeah, issue, right. Like was, is that a configuration issue? I mean, obviously I think it’s a little bit bigger than that, but.
Steven Maresca 06:47
So the Proofpoint issue in this particular case, just to put it in a sentence, was a flawed default configuration that enabled most folks deploying some of their spam and anti-phishing technology to have their domains impersonated with ease. And I think some of this is the architecture being very complex and requiring a lot of evaluation to use appropriately. And some of it has to do with just not toggling the things that are in documentation, but not part of the, you know, the demo recipe exactly.
Michael Grande 07:23
And the express setup, right, yeah. One of the things that strikes me about that is, you know, I feel it from a sort of, let’s say, a corporate email perspective, phishing campaigns. It feels, over the last several years, that both the testing side and also the filtering side of so many of these products has become really, sort of really inhibited some progress, or, you’re not sure, is this email, you know, the days of check your spam folder, you know, felt like we sort of lost that for a while. We’re back into that, or go into quarantine, make sure my message didn’t get hung up. So I think there’s probably some reticence in some organizations about putting overly, you know, stringent guidelines.
Steven Maresca 08:08
And it’s true, yeah, for sure. And it’s made more complex with the shift from on prem to hybrid, sure, fully cloud. And these digital system configurations introduce all manner of interesting things that occur there, not to mention, you know, Google on a phone or an iPhone with mail, they remove some of the UI ability for you to determine whether a message is legitimate or not. So there’s no simplicity here. It’s just evaluate everything being deployed in line that protects your systems or gives you a leg up against an attacker and make sure that if something were to fail, yeah, you know, if you can actually get around it easy and mitigate that, right?
Jason Pufahl 08:51
We’ll shift into, you pick, which one do you want to talk about next?
Steven Maresca 08:55
I think it’s worth talking about the IPv6 vulnerability from Patch Tuesday, it’s an important one, yeah, this is a Patch Tuesday issue from August, yeah, August 13, the week before recording, yep. And this is a flaw in the IPv6 protocol stack in Windows systems. And, you know, there are lots of folks who go IPv6, what is that? And it’s deployed everywhere, by default, for the most part,
Jason Pufahl 09:19
Deployed, but how heavily utilized?
Steven Maresca 09:22
It almost doesn’t matter, though. If it’s on, it’s on, and, you know, there are lots of places where it’s in place because their ISP, like Comcast, big IPv6, you know, they’ve invested heavily, and lots of devices are using it transparently. This is a wormable flaw that’s not currently exploited at the time of recording, but needs to be attended to very quickly and efficiently by every organization that hasn’t otherwise disabled IPv6. Patch, if you can; disable v6 if you don’t need it, that’s it.
Jason Pufahl 09:45
But stagger your patches, right? Per our previous,
Steven Maresca 10:02
All rollouts warrant that, right? Yeah, that’s it. On this one, it’s sort of evolving. I expect it will be weaponized probably in the next week or so. It’s basically something that, you know, you send a packet across the network, game over.
Jason Pufahl 10:19
So I want to spend one second on this, because it just goes back to our security 101, fundamentals concept. So many of the incidents that we encounter are a result of not patching, and where attackers take advantage of known vulnerabilities, things that are published like this, where you can anticipate a worm or it being used maliciously, you need to expedite your patching. You need to, you need to make sure that you’re updated as quickly as you can, because it’s a real risk.
Steven Maresca 10:49
And this is a really good example of where some engineers might say, oh, that doesn’t affect me, and move on and say, alright, we’ll just do our usual patch cycle, that may not be appropriate here. Sometimes you have to dive a little deeper into whether or not you’re susceptible, even if you think the technology is unused. And this is an excellent example of that.
Jason Pufahl 11:09
Yeah, go ahead.
Michael Grande 11:09
Well, I was gonna say that one of the other current things, 2.9 billion user accounts through the national public database about a couple weeks ago. Yeah, that’s, that’s a massive number.
Steven Maresca 11:24
Yep, it’s not the first background checking organization to have their stuff breached either. But, major impact.
Jason Pufahl 11:31
I mean, that is a huge number there, because we have breaches all the time. Yeah, I think people are somewhat numb to the idea of getting these notifications,
Michael Grande 11:43
Every letter that you get, every, it’s terrible.
Jason Pufahl 11:46
And I really do think people have to just assume that their data has been exposed in some way, right? I mean, 2.9 billion in and of itself, but then you’ve got all these other preceding ones that happened over the years.
Steven Maresca 12:04
Ticketmaster is another one in recent news too.
Jason Pufahl 12:06
Yeah, I mean, your statement we were talking about it was, you 2.9 billion and people aren’t even going to bat an eyelash.
Steven Maresca 12:12
No, they won’t, right?
Jason Pufahl 12:13
I mean that’s where we’re at with these.
Steven Maresca 12:14
It’s true. It’s just background noise for a lot of people. And you know, this one’s a little interesting in that the affected entity has been called out for scraping personally identifiable information from sources that had nothing to do with the people having their background checks performed, meaning there are impacted people who had no background check. That’s a problem, but I think turning the corner into how you react to it is maybe the most important thing.
Michael Grande 12:43
It’s just, you just reminded me of that case of, was it Ancestry.com where there was sure now, sort of 23andMe, maybe that’s what it was. You know, they had user data for family members who weren’t on the database. Right? Taken, yeah,
Steven Maresca 12:58
It’s easy to get that. Yeah. I think the main takeaway is freeze your credit and take advantage of credit monitoring services offered to us, because we have one in the mail every other month. That’s right.
Jason Pufahl 13:08
So, and if you’re not familiar with freezing your credit, right, all the credit bureaus have the ability for you to, they call it freezing, but it’s basically locking your credit against it being evaluated at the time of somebody trying to request a loan or open up a credit card or something like that. There are four major credit bureaus. You have to do your freezes at each one individually. It is, it is a security scenario that I would say is a little bit cumbersome. I wouldn’t say complicated, but cumbersome.
Michael Grande 13:41
Zero trust for credit. Yeah,
Jason Pufahl 13:43
Yeah, that’s actually certain. It’s free in most states. I’m not sure if it’s free in all states, but most states it’s free. The process to unlock is pretty straightforward. So yeah, if you actually are buying a house or buying your car or opening a credit card, the challenge, of course, is typically, lenders don’t know which credit bureaus they’re going to check, so you have to unfreeze all four. So yeah, that’s a little frustrating.
Steven Maresca 14:05
And do know that there are services out there monitoring credit that will do this on your behalf. So there are other ways to do this, other than just going to the bureaus themselves. But it’s worth investing. It’s taking control over who can see your information or use it to open up new accounts, which is the outcome we care about.
Jason Pufahl 14:24
And our recommendation always is, even if you’ve got children under 18, freeze their credit as well, you know. So if you’re a family of four, you’re potentially doing this 16 times, right? So it’s all effort.
Steven Maresca 14:36
I think the other complementing statement could be, if you’re concerned about how your data exists out in the open, consider taking a look at some of the data broker protection services so that you have your data expunged where it’s possible to expunge it. This is not the same thing as freezing credit, but taking some degree of control over what your personal information is going to be used for.
Jason Pufahl 14:57
And they can see some visibility to how data is being used. Great. So and information is always good. I mean, those are the three things that we had. And I don’t want to, I want to overblow this, because I think, you know, getting the information out there, certainly, you know, the IPv6 vulnerability one is important. You know, patch as soon as you can.
Michael Grande 15:20
Just going back to the beginning for a brief moment, sort of as we wind up here. Do you think the major firms, like a CrowdStrike are going to change some of their ways?
Jason Pufahl 15:32
It’ll be an industry benefit, no, no question about it, and it was, you know, is a huge blow to CrowdStrike, but I would say it doesn’t make them a bad product. They had a mistake, it impacted, because of their market share, impacted a lot of people. It’s a practice that most companies are using now. I think one of the challenges is, you know, CrowdStrike has maybe more access into the operating system, right? So the impact is potentially greater,
Steven Maresca 15:32
Every time, every time something notable like this occurs, there are measurable positive improvements, right? Microsoft had a fabulous stint from, you know, mid 2000s up through the present, with a lot of their security practices, they’ve had some lapses, but they did that as a reaction to the way that they fell down in the late 90s and early 2000s and it had major observable quality improvements. This is a QA problem at CrowdStrike, and they’ve already come out and made it clear what changes they’re making. In that regard, other vendors are actively reevaluating their own processes, so this will have ripple effects elsewhere in terms of how updates are rolled out. I suppose, but that’s a truth in most of the similar competitors that exist in that space, right? Yeah, you need it in order to do what they’re doing. So, you know, net positive after the fact, maybe an unpleasant moment,
Jason Pufahl 16:57
But I would agree. I mean, the industry will benefit from that, from that misstep,
Steven Maresca 17:01
And as we talked about in that part of the segment here, you know, every organization that was directly impacted will emerge stronger because of the things that they think about to make it easier the next time around, right?
Jason Pufahl 17:12
Okay, well, I mean, you know, as always, if there’s anything that somebody wants to dive into on these topics, or if there’s something in the news that you feel we’ve egregiously missed, let us know. We’ll talk about it, and we, as always, hope you got value out of this and learn something.
Steven Maresca 17:28
Thank you.
17:30
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant. Stay resilient. This has been CyberSound.