People
Andrew Kelly
Jerry Bell
Topics
Jerry Bell: This episode discusses several cybersecurity incidents, including attackers stealing cloud credentials from exposed Git config files, exploitation of a remote code execution vulnerability in Microsoft SharePoint, evolving malware techniques, and the importance of cybersecurity due diligence on vendors. These incidents highlight the challenges of secrets management, automatic updates, and sound risk management practices in the face of growing cyber threats.

Andrew Kelly: Agrees with Jerry Bell and adds that organizations pay too little attention to secrets management in infrastructure-as-code and in code generally, which leads to recurring secret leaks. Attackers' use of stolen cloud credentials is shifting from cryptocurrency mining to more valuable activities. Isolating Git config files that contain secrets from public access is not enough; these secrets should be treated as radioactive. Systems that fetch secrets on demand should be used instead of relying on error-prone config files. The public attack surface should be scanned regularly for exposed secrets.

Andrew Kelly: Agrees with Jerry Bell and adds that connecting an externally exposed Windows web server to the internal Active Directory is a security risk; better segmentation and the principle of least privilege should be applied. Many organizations' Active Directory architectures are the result of decisions made in the past and are hard to update and fix. Many companies prefer managed security solutions to reduce risk rather than addressing the root problem. Business leaders' thinking about IT risk differs from 2005, because attackers now operate at industrial scale.

Jerry Bell: Agrees with Andrew Kelly and adds that malware is using techniques such as disabling Windows event logging, PowerShell exploitation, and registry key modification. Monitoring logs for quiet sensors is essential to detecting malicious activity. Some malware uses time-based evasion to defeat sandbox detection. Trust in automatic update systems is a concern; automatic updates should be deployed in a planned, orderly way. Cybersecurity due diligence on vendors is critical to reducing risk; many vendors use outdated firewalls and other security measures. Tools such as vendor security scorecards are not perfect, and reliable information can be hard to obtain.
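The "quiet sensor" check the summary above refers to, as an added example written for this page (not code from the show or from any product it discusses): it counts events per host and per log source in daily windows and flags a source that goes silent, or drops sharply, while the host keeps reporting other logs. Host names, sources and log lines are constructed sample data; the window count and `drop_ratio` threshold are assumptions.

```python
"""Quiet-sensor detection over per-host, per-source log counts.

Added example written for this page; it is not code from the podcast or
from any vendor it discusses. Host names and log lines are constructed.
The check compares each (host, log source) pair's event count in the
latest window against its average over earlier windows, so a single
source going quiet (e.g. one service's logging disabled via the
registry) is flagged even while the host keeps sending other logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> <source>: <message>"
SAMPLE_LOG = """\
2024-11-08T10:00:00 web01 sshd: accepted publickey for deploy
2024-11-08T11:00:00 web01 cron: backup finished
2024-11-09T10:00:00 web01 sshd: accepted publickey for deploy
2024-11-09T11:00:00 web01 cron: backup finished
2024-11-10T10:00:00 web01 sshd: accepted publickey for deploy
2024-11-10T11:00:00 web01 cron: backup finished
2024-11-08T09:00:00 sp01 RemoteAccess: session started
2024-11-08T09:30:00 sp01 RemoteAccess: session ended
2024-11-08T12:00:00 sp01 Security: logon 4624 svc_sp
2024-11-09T09:00:00 sp01 RemoteAccess: session started
2024-11-09T12:00:00 sp01 Security: logon 4624 svc_sp
2024-11-10T12:00:00 sp01 Security: logon 4624 svc_sp
2024-11-08T08:00:00 db01 Security: logon 4624 dba
2024-11-08T09:00:00 db01 Security: logon 4624 dba
2024-11-08T10:00:00 db01 Security: logon 4624 dba
2024-11-08T11:00:00 db01 Security: logon 4624 dba
2024-11-09T08:00:00 db01 Security: logon 4624 dba
2024-11-09T09:00:00 db01 Security: logon 4624 dba
2024-11-09T10:00:00 db01 Security: logon 4624 dba
2024-11-09T11:00:00 db01 Security: logon 4624 dba
2024-11-10T08:00:00 db01 Security: logon 4624 dba
"""

# Constructed "current time" for the sample run (assumption)
NOW = datetime.fromisoformat("2024-11-10T14:00:00")


def parse_events(text):
    """Return a list of (timestamp, host, source); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or not parts[2].endswith(":"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2].rstrip(":")))
    return events


def window_counts(events, now, windows=3, width=timedelta(days=1)):
    """Count events per (host, source) in `windows` consecutive windows
    ending at `now`. Index 0 is the oldest window, index -1 the newest."""
    start = now - windows * width
    counts = defaultdict(lambda: [0] * windows)
    for ts, host, source in events:
        if start <= ts < now:
            idx = int((ts - start) / width)
            counts[(host, source)][idx] += 1
    return counts


def quiet_sensors(events, now, windows=3, drop_ratio=0.5):
    """Flag (host, source) pairs whose newest-window count is zero ('silent')
    or below drop_ratio times their earlier average ('dropped')."""
    findings = {}
    for key, series in window_counts(events, now, windows).items():
        baseline = sum(series[:-1]) / (windows - 1)
        latest = series[-1]
        if baseline == 0:
            continue  # never reported before; nothing to compare against
        if latest == 0:
            findings[key] = "silent"
        elif latest < drop_ratio * baseline:
            findings[key] = "dropped"
    return findings


if __name__ == "__main__":
    hits = quiet_sensors(parse_events(SAMPLE_LOG), NOW)
    for (host, source), verdict in sorted(hits.items()):
        print(f"{host} {source}: {verdict}")
```

In the sample data, `sp01` keeps emitting Security events while its RemoteAccess source stops entirely, which is the surgical case the episode describes; `db01` is flagged because its Security volume fell from four events a day to one. A whole-host check would miss the first case.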

Chapters
The discussion focuses on the theft of 15,000 cloud credentials from exposed Git config files, emphasizing the importance of secure secrets management and the potential industrialization of such attacks.
  • Organizations systematically include Git config files in their web directories, leading to credential exposure.
  • Malicious actors use open-source tools to seek out and exploit these vulnerabilities.
  • The stolen credentials can be used for various malicious activities, including hosting illegal content and mining cryptocurrencies.
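The defensive scan the episode recommends, as an added example written for this page (not tooling from the show, Bleeping Computer, or Sysdig): walk a web document root, locate stray `.git/config` files, parse them, and flag remote URLs that carry a `user:token` in the userinfo part. Findings are redacted so the scanner's own output is not a second leak. The sample repository layout and token value are constructed; `build_sample_webroot` exists only to create that sample.

```python
"""Find .git/config files under a web document root and report embedded credentials.

Added example written for this page, not tooling from the podcast, Bleeping
Computer, or Sysdig. The sample .git/config and the token inside it are
constructed; the scanner reports only a redacted prefix of any secret.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

# Constructed sample .git/config with a credential baked into the remote URL
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy:ghp_EXAMPLETOKEN1234567890@github.com/example/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@internal.example.com:site.git
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

_SECTION = re.compile(r'^\[\s*([^\s"\]]+)(?:\s+"([^"]*)")?\s*\]$')


def parse_git_config(text):
    """Minimal parser for git's INI-like config: {section: {key: value}}.
    Subsections are joined as 'remote.origin'; comments (# or ;) are ignored."""
    config, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower() + ("." + m.group(2) if m.group(2) else "")
            config.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            config[current][key.strip().lower()] = value.strip()
    return config


def redact(secret):
    """Keep a short prefix so a finding can be matched to a rotation ticket."""
    return secret[:4] + "..." if len(secret) > 4 else "***"


def find_credentials(config):
    """Return findings for remote URLs whose userinfo carries a password/token."""
    findings = []
    for section, entries in config.items():
        url = entries.get("url")
        if not url or "://" not in url:
            continue  # scp-style git@host:path has no userinfo password
        parts = urlsplit(url)
        if parts.password:
            findings.append({"section": section, "user": parts.username or "",
                             "host": parts.hostname, "secret": redact(parts.password)})
    return findings


def scan_webroot(root):
    """Walk a document root; report every .git/config found and credentials inside."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                creds = find_credentials(parse_git_config(fh.read()))
            results.append({"path": os.path.relpath(path, root), "credentials": creds})
            dirnames[:] = []  # no need to descend further into .git
    return results


def build_sample_webroot():
    """Create a temporary document root with a stray .git directory (constructed)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    git_dir = os.path.join(root, "htdocs", ".git")
    os.makedirs(git_dir)
    with open(os.path.join(git_dir, "config"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)
    with open(os.path.join(root, "htdocs", "index.html"), "w") as fh:
        fh.write("<html></html>")
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        print(hit["path"], hit["credentials"])
```

Run it from a periodic job against the directories the web server actually serves; any `.git` directory it finds is a problem even without credentials, and a hit with credentials means rotating the token, not just deleting the file.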

Transcript


Here we go. Today is Sunday, November 10th, 2024, and this is episode 285 of the Defensive Security Podcast. My name is Jerry Bell, and joining me today, as always, is Mister Andrew Kelly.

Good evening, Jerry. How are you, sir?

So good it hurts.

How are you? I'm doing well. I'm puzzled how it's already November and nearly Thanksgiving, but otherwise.

Me too. The year has just gone by in a flash. I'm surprised too, yeah.

But I see that you're at your undisclosed southern command location again.

For the final time this series, oh.

Wow, wow. Enjoy what you can.

It has been crazy. It's been super warm here. So it's been really quite nice.

But I think we're heading that way around Thanksgiving to enjoy a couple of days at the beach.

It's always good, right, to stay reminded that the thoughts and opinions we express on the show are ours and do not represent those of our employers. Or our... not yet, it's true. Our first story for today comes from Bleeping Computer, and the title here is "Hackers steal 15,000 cloud credentials from exposed Git config files." So there's a malicious actor here named EmeraldWhale, which I think is pretty cool. Like, I do think we have to go with that advice about naming them, you know, something that's not cool.

So this should be like, you know, Pulsating Cyst or something.

Yes, exactly, exactly. You know, something along those lines.

And what? Whale sounds like a name for, like, a bad man, you know, bad guy or something.

So the issue here is that organizations have been systematically including Git config files in, roughly speaking, their web directories that get populated to their external websites. And the actor here is using open-source tools like masscan to seek out systems that are listening on the web, and then interrogating directory structures looking for these Git config files, and apparently finding a lot of them that actually contain cloud credentials, which is just amazing.

Well, sadly, not a huge surprise to me. Honestly, this is a regular, repeated problem that I see over and over again, of just secrets management. There's a big, I would say, tension between ease of use and security when it comes to secrets management in infrastructure as code and code in general. And I almost feel like it's an underappreciated problem that I see over and over and over again.

So this article was written about a report from Sysdig, which interestingly found that this actor had harvested about 15,000 cloud credentials, which the actor then stored in an S3 bucket; access to that S3 bucket was apparently also collected in the same way. But they describe it as one terabyte's worth of secrets. I don't know if I can bridge the gap between 15,000 credentials and a terabyte of data, but yeah.

Especially since a secret is a tiny string of code.

Yeah, if you set that to the side for a second, it is interesting that, A, the actor used something that they had also stolen from one of their victims, and

B, the S3 bucket that contained the credentials was apparently exposed and open to the internet. They were not protected. So, hey, I mean, badness all the way around.

Right? And I guess some of these, there was a bunch of AWS keys, or, you know, things like AWS tokens, that they could turn around and log right into a bunch of cloud environments with what they were finding in these config files.

Correct? Correct. And that, by the way, apparently is what happened, or something very similar is what happened to the Internet Archive, I think on the second go-around.

At least they had a bad time of it.

They did have a bad time, which is unfortunate. But I mean, even the most sophisticated, well-funded organizations are falling victim to this sort of thing. So, you know, as they describe in the article, the list of these URLs containing credentials is itself a valuable commodity to be traded.

They're saying that the list of URLs is worth about a hundred bucks. But if you can actually extract legitimate tokens out of that, each one of those tokens would be worth some to-be-determined amount of money. So my suspicion is that this, if it's not already been industrialized, is about to be.

And this is something that, way back when I was actually doing something productive, I was quite concerned about. Up until very recently, most of the time when these kinds of credentials were stolen and they provided access to cloud accounts, it was used for the purposes of hosting warez or, you know, illegal content, or most commonly, mining cryptocurrencies. Actually, they would spin up a whole bunch of GPUs or virtual servers or Docker containers to mine crypto, and like, that was the most benign thing you could possibly do, because it was super easy to see that that was going on. And like, it wasn't a data breach per se.

But I think that over time, and we've already started to see it, the actors are figuring out that they can do a lot more valuable things with the access these credentials provide into cloud accounts. So I think this is again an area where the industry, I think, is a bit flat-footed. So yeah.

There's a whole ecosystem around initial access sellers, right? So these guys who find this could just turn around and sell this access to initial access brokers. There's a whole system; they don't even necessarily need to go any further with this. Once they discover that, they can turn around and monetize this pretty quickly.

And then that could be farmed out to all sorts of other bad actors. The other thing that I wanted to call out from my notes on this article, I kind of took a little bit of exception with. So, quoting from the article, they're talking about these Git config files, such as .git/config or whatnot, and "typically have repository paths, branches, remotes, sometimes even authentication information, such as"

"access tokens, passwords. Developers might include these secrets in private repositories for convenience, to make cloning or API interaction easier without interactively performing authentication each time." Got it.

Okay, here's where I start to really disagree. Quote: "This is not risky, as long as the repository is appropriately isolated from public access." I completely disagree.

I got that too, yeah.

These things have a pesky little habit of suddenly becoming public, or, you know, there's a whole thing about, oh, I don't know, insiders accidentally leaking things or intentionally leaking things, or bad actors getting footholds on one machine and moving laterally. Um, in general, and this is a lot easier said than done, I think you need to treat these secrets as radioactive. You really don't want them in your code.

You really want to be able to have some sort of system to call them securely as needed, on demand, and have some sort of reference in your code that goes out to whatever system you're using and grabs it and uses it as needed, on demand. But just relying on these files to store secrets, I think, is really asking for trouble, because more often than not, somebody makes a mistake and they get published, and then there's really very little way to ever roll that back. Now you're rotating

keys and other things. You said it extremely well. This is not something that we should be assuming is fine as long as you have a practice of preventing this from ending up in your public HTML folder, right? Yeah, like, that's not good enough. These are attractive nuisances, like that.

They're going to become a problem at some point if you do expose them. I would also say you should be looking at the opportunity to minimize the length of time those credentials are valid. Sure.

Because, you know, for example, if these credentials are used for the purposes of your CI/CD pipeline, they may not need to be valid for more than a couple of hours. No, no, no. Six years.

Fifteen years is the recommended lifetime for those secrets.

Doesn't... yes, you probably rotate...

You probably rotate them about the same time you change your underwear, I think, for most developers anyway. Sorry. So I don't... Sunday, getting snarky. The other thing I would say is I would love to know more about exactly how these tools are being used.

And ideally, scan my own stuff, my own, you know, public attack surface, the same way the bad guys are, and find this stuff quicker than they can. Because typically they can find stuff fast; like, I think about this exact one, but I've seen other cases, and our friend Bob was even telling us about one where somebody accidentally published a private something on GitHub out to a public group, and it was found by the bad guys within hours. It's very fast.

So yeah.

I mean, you've got to be careful about that. But I think it behooves us to do the same types of scans and look the same way the bad actors look, to try to find that stuff.

Absolutely. By the way, there's nothing to say you couldn't have a cron job, or whatever kind of periodic job, running on your web servers that just finds and seeks and destroys these files on a continuous basis, perhaps connected to your HR system so that they, you know, take care of the guilty party.

Then you accidentally delete all the web content, and then the website goes down.

But your secrets are safe.

Right? Can't leak if you're not up.

That's right. Exactly right. Our next story also comes from Bleeping Computer, and the title here is "Microsoft SharePoint RCE bug exploited to breach corporate network."

So the story here is, back in July, Microsoft released, as part of their Patch Tuesday, a fix for a not spectacularly severe SharePoint vulnerability, at a CVSS of 7.2. But the new thing, the new news, is that CISA, the cybersecurity agency in the US, put it on its Known Exploited Vulnerabilities list. And that is apparently the result of a breach that Rapid7, who this article is written about, investigated and responded to, that found that this vulnerability was actually the cause of what appears to be a fairly severe system compromise. So one of the things I was a little surprised about was that, A, people are exposing SharePoint to the internet; like, I thought that was something that died out in the nineties.

It's come back, man, like parachute pants.

Okay. Then, B, you would have a Microsoft product connected to the internet that is running some code that is vulnerable. So those were the...

You're not patching rapidly.

Did you have a patch rapidly? Yeah. Now, particularly because this is apparently a relatively large organization who could afford to pay Rapid7 to respond.

So I'm assuming this is not, like, a flower shop, or, I think obviously they don't say who the victim is, but, you know, look, I don't know how we can say it; we've talked about it a whole lot in the past. It's super important, A, to limit your exposure.

I don't know how to say it anymore. I was being flippant, maybe, but like, this is one of those things that should not be exposed on the internet. Sorry, it's just not.

I think this comes down a lot to attack surface management, understanding what you have and understanding, you know, what's likely to get nailed easily and fast in an automated fashion, and making sure that you patch that incredibly quickly. But I know you're right. It feels like we're just sort of saying the same thing over and over and over again.

There is one thing that I do want to talk about that I thought is worthy of discussion. And when you read this article, they talk about the way this breach, the sequence in which this breach happened, right? There was an RCE bug. The bad actor used the publicly available exploit,

which should have caused you to patch, okay, to upload a web shell. And then it was kind of game on. They created some scheduled jobs.

They did some account discovery. They did some credential harvesting using things like Mimikatz, which, I can't believe it's 2024 and I'm still talking about Mimikatz. But here's the thing that bothers me, right? And maybe it should not bother me, right?

I'm struggling because I'm angry. Let it out.

Let it out. Safe space. No one will hear. It'll be fine.

Why on God's green earth would you connect an externally exposed Windows web server of any kind to your internal Active Directory? Okay.

Because it's easier. One minute.

I know, it's also easier for the bad guys to just, like, roam around your network. Like, this is the way these, you know, advanced threats happen. This kind of thing is extraordinarily hard to do in a Linux environment, not because Linux is necessarily so much more secure,

and I know that there are people who will argue that point, but it's because there isn't that trust relationship between all of the different components. And by the way, I am not saying that it doesn't make sense. Like, from an operational standpoint, it makes a lot of sense. The fact that I can disable an ID, like, when one of my people leaves, I can disable an ID in Active Directory, and they are no longer able to log into anything, anywhere, including my external web servers. Like, that's a very powerful thing.

Without a remote code exploit.

Yes, without a remote code exploit. So I get that point. But I think at some level we have to think more about better segmentation, and this concept of least privilege. It just feels like what's old is new again.

you know, again, worry.

That was 2025, people.

Yeah, true. You can run AD much more securely than this was deploying it. It was set up like AD... current instances of AD, and I'm not going to get called out on that anymore. There are ways to mitigate all these problems.

So, I mean, Microsoft is just struggling to shoulder this; like, there are ways to do this much more safely, with the concept of defense in depth, tiered layers and segmentation, one-way trusts, and all sorts of ways that you could leverage this. Just nobody sets them up. When I say nobody, a lot of unsophisticated, low-IT-capability companies don't set them up that way.

And there could be lots of reasons for that. I mean, they may not have the staff. They may not have the knowledge. We don't know who this is, or the staff could just be overwhelmed.

They could have someone... this could have been a server they forgot was out there and had no idea was even still running. Who knows, right? I've seen that before. You know, the other thing that was interesting about the attack.

So, so good. No, no good.

What I think the bad actors did to hide their intrusion was load a conflicting AV tool to shut down the existing AV tool. And like, that's brilliant, either way.

But that should be raising every alarm bell in your security stack at that point.

So one of the things that I found is very common, organizations, specifically with antivirus,

but I think it's also, even if you look at some of the more advanced, you know, EDR, XDR stuff, they look at things that tripped the sensor, right? Like, with antivirus, my observation is, you know, people do have logging; they're logging and alerting if a virus was found. And by the way, that's if it goes quiet, right? Right.

And by the way, there are even organizations who will say, well, you know, like, antivirus detected it and quarantined it, so, like, no harm, no foul; they don't even look at it. It's just something that operates, because there's this assumption that, like, if antivirus caught it, then the bad thing didn't happen. And if it didn't catch it, then antivirus is blind to it anyway.

So, like, it's just something you run in the corner and let it do its thing. And I think that's a very obviously bad way to go about it. Like, especially when you have a web server or SharePoint server on the internet, yeah, if your antivirus trips, triggers something like that, there should be an investigation. What happened? Something happened that caused that, although...

To be honest, in my experience lately, nine times out of... all the time, it's a false positive. But that's a whole different

conversation. Well, so that, yes, it is... I think it's a bit different.

Still need to investigate, still understand why. You get a whole thing about alert fatigue. But in this case, it looks like by running this competitive AV software, it just killed the existing AV software somewhere. Now, you've got local rights.

I'm assuming at this point, if you've done a remote code exploit, you're probably going to get admin rights, probably, and sure, you can shut this down. Yes.

I mean, you could probably, if you're pulling logs off this system to a centralized system and you're alerting on those, if you are clever, you could do something along the lines of watching for whatever log event might happen. But that's only based on, you know, that you know about that IOC and you're already looking for it, and this is novel.

My suspicion is that they were trying to hide. By the way, they apparently went for several weeks without being detected. So I think they knew what they were dealing with, for sure. But what I think they were trying to accomplish with installing that other antivirus was that the company's main antivirus agent just crashed.

And so, even if they were looking at logs, they would probably have seen that the agent crashed. And that might not... they may not... it just looks like McAfee crashing.

Right? And did that even generate a log? Yeah, yeah, it's a lot of... I'm armchair quarterbacking with 20/20 hindsight, right?

But, right, it is interesting. So the other...

Going back to something you said earlier, right? Yeah, one of the challenges, and I've had several discussions recently about this, is that the way many organizations operate their Active Directory is the result of decisions they made back in the nineties.

Oh yeah, absolutely. And they're stuck with that legacy. And it's way too much time, energy, and work to update and fix it unless it's post-breach. A hundred percent.

Yeah, and it's interesting. It's such a fascinating concept, and like, it's one of those things, like, I find it fascinating, but it doesn't actually amount to a hill of beans, as they say. But like, the fact that it isn't until after you have the breach that your organization has the appetite to spend the money and go through the downtime of re-engineering things; like, there is not an appetite, generally speaking, to do that beforehand.

And so it's almost like, in government, and I haven't heard this term in a long time, but in government they used to have this "shovel-ready project" concept, right? Like, where you wanted to have a slate of things that needed to be done and ready to go and all planned out and costed out and whatnot, so that if money landed on your desk, you had it. And it's almost like, I hate saying that, right? But you have to have something like that ready to go in case you get breached, because otherwise you're going to be making all of those plans and decisions on a war footing.

Yeah, how do you... I agree with everything. I think the challenge is, people wondering why companies don't do this. I would say the majority of companies look at that sort of activity of rebuilding our AD system, with all the costs involved and all the downtime and all the disruption, as a very low-value activity, because they rate the likelihood of a breach as low. Impact may be high, and likelihood is low, and they have a limited amount of resources in time and energy and people. And that is not a good use of capital or resources or time for most businesses.

That's a very low return on investment for a maybe occurrence. Now, post-breach, it's a whole different equation.

Right? Everybody's, "Just do something, just fix it. We can never let this happen again."

And therefore that likelihood... that equation has gone away. And everybody's calculus changes about what is a good use of energy and time and resources. But most of these businesses are running thin, or at least with no more than they absolutely need.

So they don't have slack, typically, in their departments to go pursuing rebuilding AD for a maybe scenario that their CISO is scaring them with, versus deploying a new bit of technology that's going to make eight percent more on the next deal. And that's, I think, how a lot of businesses look at this. And I think you're right. If it's not broke, don't fix it.

So that's why you get all these magic box salesmen coming in saying, "Slide my managed box on top of your problems and I'll stop it from happening," because that's an easier solve, a one-time capital outlay, or maybe a SaaS subscription, to reduce the risk without actually fixing the problem. Sorry.

So I think you're right on all points, but I'm left with a general sense of unease about our ability to assess likelihoods and maybe impacts, because, I mean, obviously, after it happens, you have certainty; there's no question, because it happened, and now you can quantify the impact as well. But I think we live in a different world; like, the world today for IT in organizations is just different than it used to be.

And I just feel like, in general, the business leaders are thinking about IT risk like it were 2005; like, you know, you just have to be the unlucky one that some bad actor is going to target. And that's really not the right way to think about it anymore. It's operated at such an industrial scale.

You know, you've got entire crime markets of actors trying to find initial access points and then sell them into a deeper market of bad actors. So I just... it would be interesting to know, like, what percentage of organizations as a whole have had some kind of bad thing, and at what rate is that increasing?

Yeah, and not to be cynical, how many of them are like, "Well, we've got cybersecurity, so we just shift that liability."

Yeah, anyway.

This is the good news hour.

Yeah, yeah, jeez. The next story comes from The Hacker News, and the title here is "5 most common malware techniques in 2024." So the caution on this is that it's all about a company called ANY.RUN that runs sandboxing software, a sandboxing service, which is interesting, but kind of secondary in my mind. No, I thought I was...

We're not pimping for them. No idea how well they work.

I actually, I don't.

Yes.

I don't. But I thought their observations about what malware is actually doing were worth talking about. The other... I also wanted to talk about something for a second, which I think is perhaps a little problematic. You know, like, I think both of the last two articles we talked about were in the context of a company doing something, and I feel like all, or not all, but much of the news we have about security stuff comes as a result of some cybersecurity supplier who's in that particular market writing... I don't want to call it a puff piece, because I think that's not entirely fair, right? But like, a lot of what we get is pushed through the filter of "our company is trying to make money off of the thing that happened." So that's just... anyway.

Whatever, no, I'm with you. It's something worth wondering on. Why I think, not to blow our own horns here, but one thing that I find useful about shows like ours is we're not driven by any particular viewpoint from a vendor who's trying to sell a solution, whose view of the world is through their solution, right? They define the problem, the problem they can solve, and now they are out touting that problem and how they can solve it.

And, you know, for lack of a better term, a lot of when we educate the industry and the workforce in the industry via vendors, we're getting a biased view whether we like it or not, no matter how well-intentioned, no matter, like, even some of the best, most respected publications out there, like the Verizon data breach report and some other stuff like that, that I could call on, like, very well respected, a lot of great data.

It's still cynically driven by an interest in selling or marketing their services to the market, right? And, you know, there are other sources of information: books that are not written by a particular organization, I think, is a good one that we don't talk about, and podcasts like ours that try not to editorialize around a given sponsor. Now, sponsorship is a necessary evil. These shows aren't cheap, and that's something that you and I have never done on this show, but we might on other venues, possibly.

Hinted, um, and...

But that is always a challenge, right? How do you get good, non-biased, valuable, useful information that isn't just shaded by a vendor's view? And look, I will admit, when I was in sales engineering, I even had situations where I was asked to write articles for publications like this that were very much about educating the marketplace.

But boy, was it shaded with the abilities of the tool I was pimping and nobody else's. And it's a very real aspect of the industry.

Yeah. I used to work for a manager, and I'm sorry for the diversion here, but I used to work for a manager whose perspective on an education budget was that we really didn't need it, because we didn't need to spend the money on training, because there were plenty of suppliers or vendors out there who would provide education for free. And I think, you know, to some extent that is true.

But exactly like you said, you're getting a very biased view. You're not necessarily understanding the actual problem. You're understanding the problem through the lens of that vendor's product or offering,

which means they're going to advertise their strengths and minimize or ignore their weaknesses,

and you're not going to discover the edge of their capability until it bites you.

Maybe, yeah. All right. So getting into... enough with the cynical Jerry hour here, I think.

All six of our listeners appreciated it.

The first of the techniques that they're seeing is disabling Windows event logging. By the way, this isn't necessarily just a blanket disabling of event logging completely. One of the particular pieces of malware they talk about actually enables remote access through the remote access service, and it actually disables the logging of the remote access service.

So, like, logging in general is still working, but they've disabled, through the registry, logging for that particular process or application, which I think is important to understand. Because, you know, where I used to work, we set up logging as super important, and having some assurance about your ability to monitor logs

is very important. And so you do sophisticated things like looking for quiet sensors. Yes. Where you can see, like, okay, I have a system in my inventory and I haven't received a log from it in three days.

Well, what's going on? And, you know, sometimes the network cable got unplugged, sometimes it's a blue screen, sometimes... there's lots of different reasons that might happen. But in this instance, you know, it's surgically disabling the logs that would indicate their activity. And so, you know, just assuming that bad actors are going to completely disable logging, and that you would catch that through that kind of quiet-sensor monitoring strategy, is not a safe bet anymore.

Right? By the way, it has to be said, this quiet-sensor technique doesn't work for, like, mobile devices and laptops and such,

but for servers, true.

Maybe useful to know. Hey, I normally get a log velocity of 28 meg per hour on this server, and it's now dropped to zero. Then you might want to look.

Good point. PowerShell exploitation is next. Obviously, this has been a problem for a long time. And I would say I think the next one is the command shell.

I'll just kind of handle them both together. You know, the malware tends to use applications or stuff that exists on the operating system as a means of bypassing or reducing the likelihood of raising alarm. And so if you use something like PowerShell or the command shell, you would expect to see those things running on a system. Now, obviously, PowerShell, you can do monitoring, and there's lots of stuff that has been written about how to monitor PowerShell.

That's definitely worth it, but not everybody does. And so if all you're looking for is anomalous processes, and you expect to see cmd.exe and powershell.exe, you're not going to have a sense of alarm. That's what the attackers here are relying on.

I think the term in my head often is "living off the land," by using tools that exist on the system that you own.

And then the next one is modification of registry keys. I've seen this used in some really creative ways, by the way, like when a remote system connects to a terminal server and that remote system's local file system is mapped into the terminal server, and if that terminal server is being controlled by a bad actor, that bad actor can actually add things into the startup programs, which then creates registry keys.

And so they can maintain persistence. But in general, this is a very common mechanism for persistence. And I think most of your XDR, EDR tools, and even a lot of antivirus, have the ability to monitor and protect against this stuff.

But again, like, if somebody installs another agent that gets around it... And then I thought the next one, the last one, was interesting in the context of a sandbox. So again, the company that wrote this provides a sandbox-type service.

It's time-based evasion. So basically they are saying, you run your questionable executables in the sandbox and see if it does anything, like all the stuff that we just talked about before, for evidence of malicious behavior. And what they're saying is, well, like, sophisticated malware will just wait a few hours, yeah, because your sandbox is going to time out after a while.

It's not going to keep running forever. And so if you wait more than a few minutes to execute, it's going to happen after the sandbox monitoring concludes. And so that's also interesting. It's intuitive; I actually hadn't heard of this being used in the wild. So interesting.

Yeah, you know, I remember the early days of, like, FireEye was one of the first big sandbox tools that came out, and there were all sorts of interesting techniques back at the time, things like, yeah, what if we advance the clock? We'll run faster so that we can figure this out, solve for this. And who knows how many of those things actually caught anything in the real world.

There were just clever techniques that were tried by some smart engineers. But there's all sorts of various ideas around this, because again, this is the tradeoff: your sandbox can't run forever and things still need to get done. So how long do you hold the file before you let it through, finish uploading and whatever? So it's an interesting

problem. The next article is from The Register, and the title here is "Sysadmins shocked as Windows Server 2025 installs itself after update labelling error." Like, after the CrowdStrike thing, this one just boggles my mind.

To be fair, I've had some trouble really verifying this one. Like, it seems to have had a very limited impact, and there's some ambiguity on that. But I'd just say there are some yellow flags on the story in my mind. But okay, if it's accurate, wow. So the security

company Heimdal identified, or I think it was discussed on Reddit, which is probably one of the yellow flags, I suppose, that they came in to work and found that some of their Windows Server 2022 systems had been updated to 2025 in an unexpected manner.

And the allegation, after some investigation by Heimdal, is that this was a result of, it's not clear to me exactly in what context this was, the Windows Server 2025 upgrade being labeled as a patch, basically. And so it was, by all appearances, through some patch management system, again assuming this is actually real, it looked like a patch that you were supposed to be provisioning.

But in fact, what it actually was, was Windows Server 2025. So Microsoft apparently has not responded, and neither has Heimdal, to requests for additional information. So I have not heard any follow-up on the story. But it's again coming after the CrowdStrike issue; this one just hit a nerve with me, I guess.

The trust we place in the auto-update systems.

Yeah, well, that is exactly what went through my mind when I read this. Like, we have enough trouble as it is getting people in organizations on board with auto-updates. Well, look at our earlier

story about the SharePoint server that had auto-updates turned on when it got popped, right? So we're actually arguing with ourselves on this show. True, but you know, I mean, that just argues for a planned, methodical rollout with key environments and test environments and prod environments. But again, these are difficult, not trivial, to set up and run properly. Sorry, I interrupted your point

with my diversion. So far as I can tell, nothing bad happened other than that some organizations ended up with unlicensed Windows Server 2025 installs that they now have to go and deal with. But you know, this is one of those things where you want to do a pretty methodical and planned-out test and deployment, which obviously didn't happen in these instances. So I guess again, my concern is the impact on trust in automatic patching. Like, I think we are at an inflection point where we have to start relying more and more on auto

updates

and things like this, again, if it's real, move us in the wrong direction.

In my view, it gives IT teams ammunition to go to their boss and say, we don't want to turn this on. Here's an example of why: this could happen to us. Exactly, and they're not wrong. But also, the reason why I'm a little hesitant on this article is we haven't seen widespread reports of this.

This article came out four days ago in real time against the day we're recording. I just, I don't know, this is such a huge mistake. Not saying it's not possible, but I'm saying why are we only hearing about it from one company? And it could very well be completely legit.

And it's just that one company got caught up in one situation, but this feels like something we would see more of. And honestly, I did a few quick searches and I saw a lot of chatter on Reddit. Who knows? But okay, let's just take it as completely legit at face value. Yeah, this is a problem for us, because we are pushing people to patch as soon as they can, because we know the window between patch and exploitation is very short right now, and we don't want to build in all these "just in case" scenarios that IT teams want to test against, which I don't blame them for because of examples like this. So this really does help give credence to "we shouldn't auto patch very rapidly," but it hurts the "bad guys will abuse you

if you don't" argument. Yeah.

There's a lot of discussion in the thread linked from the article.

Somebody get Steve Ballmer on the phone.

Our last story is related to something we've talked a lot about: the concept of cyber due diligence for suppliers. We've talked, we've made

A super fun topic at parties.

Oh, it's absolutely like, if somebody comes up to you and says, what do you do, and you say, like, I'm in cyber risk management, supplier risk management.

You're the center of attention.

Yeah, yeah. Bring out the beer hat and everything. So we've talked in the past about how frustrating this can be, and I think we've made fun of, ad nauseam, the concept of spreadsheet-based questionnaires, and how, frankly, in some of the roles that I've had in the past, we had problem suppliers.

We had suppliers that got rather severely compromised. And also, it's always a learning experience. So I would look at, what were the signs? Like, how did that happen without us knowing that that was likely to happen? Fortunately, we had our own protections and it never really hurt us, or only minimally hurt our customers.

But did you ever see a common indicator that you could have asked about and found ahead of time, that would have warned you sufficiently?

Or was it? So yeah, it was interesting. In all instances it was that they were running old, out-of-support firewalls. Every single one.

It was really becoming quite bizarre after a while. No patch

management of network infrastructure.

Really? Yes. But here's the thing. Obviously, like, I never went and asked questions directly, like, what version is your firewall? You trust

You trust what they put on the sheet, right? Yeah, they probably all answered with "we have a robust patch management

program" that does exactly, exactly, and you really don't have a lot of opportunity to get deeper into the weeds. Now I think this is perhaps one of the potential benefits of, like, the SecurityScorecard or BitSight kind of assessments of your suppliers, but even that's not perfect, far from it. You know, in effect, as you know, if you're any kind of a service provider whose customers are running things like this, it's a maddening experience, because you're getting just crap results back. And so the credibility that you place on these reports goes down pretty far, and they're very noisy in general, because it's hard to figure out which IP addresses are... it's not an exact science to attribute systems to companies.

Especially in the cloud

environment. Yeah, yeah, especially in the cloud.

I cannot tell you the number of times I dealt with a SecurityScorecard-type report that was alleging something that was in our IP space, all the time. And I don't even know, like, at one point did an LB grab it? I have no idea how it would ever get associated with our environment. But it's maddening if you don't stay on top of that, by the way, because what they are saying is just out there and people just believe it. So you spend a lot of time correcting their

bad info. And it's almost like a protection racket too, because if you don't subscribe to their service, you don't know necessarily what they're telling your customers about you. Until you

get a report from a customer.

You get a report, right.

If they tell you, you know.

Typically it's, you know, the last day of the quarter, you get an angry email from a salesperson saying, like, I've got this twelve, thirteen dollar sale that's pending, and I've got this report that says you were running an outdated version of Windows.

Says we're running

on IIS 6.0? What? They were not...

Not that that ever happened to me. But I think what we were lacking, certainly, I saw lots of different approaches to supplier management. I worked very closely with bank regulators, and they have a fairly robust-sounding approach

to the

supplier management. But I think what we've been lacking is a bit of a framework, and this story, or this is not really an article, it's a publication by NIST, the National Institute of Standards and Technology.

They released a document called the NIST Cybersecurity Supply Chain Risk Management Due Diligence Assessment Quick-Start Guide. And it has a couple of kind of high-level categories, what I would describe as a framework to think about risk management, the first of which is to kind of break your suppliers down into tiers.

And the way they recommend doing that is tier one would be, like, your direct suppliers, tier two would be the suppliers to those suppliers, and so on all the way down, turtles all the way down. And then they talk about foreign, because it's FOCI: foreign owned, foreign controlled, foreign influenced. Yeah, this, by the way, I think is becoming, in our current political climate, this might not be a global phenomenon, but certainly here in the US, looking at how different countries play into the supply chain.

So for example, right now, perhaps going to change, right? We in the US have a deep distrust of anything out of Russia. And obviously China, less so than Russia, but certainly growing; China is certainly going up the scale. But then we also have long-standing embargoes on countries like Cuba and Syria and North Korea and whatnot. And so you look at assessing your exposure up and down the supply chain. That was more associated with the next point, which is provenance, which basically,

do you know where your systems are, where your wares are coming from? And in particular, I think one of the aspects that a lot of companies don't think about is, like, after you get one step removed or two steps removed, do your suppliers all in turn rely on the same upstream supplier, which could create some kind of a risk situation for you.

Like, as an example, if all of your suppliers, all of your SaaS providers, are hosted in the same AWS data center in Virginia, like, that could be a bad thing. And so looking for those kinds of concentration risks is an example of that. Stability.

Obviously, looking at the financials. This is what a lot of people think about in terms of traditional third-party risk management: like, are they going to be in business in a year? Have they been sued? Do they have a history of data breaches, and that sort of thing.

So those are, I think, more the contemporary cyber risk management. And then they break actual cyber practices into two buckets. The first bucket they call cyber practices one, and then cyber practices two. Cyber practices one is focused on, I would call it, open source intelligence. And this is kind of going back to your question: were there indications on my suppliers? And this is the opportunity.

Like, if I had run a BitSight report and seen that these suppliers were using a ten-year-old firewall that was years past end of life and had lots of vulnerabilities, that would have been my opportunity perhaps to see that something was wrong. And so they make a host of different recommendations. And then cyber practices two is all around the relatively new executive order around secure development practices.

So there's a huge push by the government as a result of a Biden executive order several years ago around attesting to development practices. And it's mandatory for companies that want to sell their software into the U.S. government; they have to attest to it. Is that part

of FedRAMP now? Where I think

I think that is part of FedRAMP, but it's basically any time you want to sell software into the government, even if it's outside of a cloud service, you have to have this attestation in place. So this is not perfect, by the way. This is like a version, to me,

it's like a version point-one of a plan. But I can see something coming together. It is a tangible step in a direction that I think is good. It actually offers some questions to ask and makes some actionable recommendations. It's not just like the normal fluff that we've seen coming. So I actually like this, and I know I did a crappy job of explaining it, but I've not always been a big fan of things put out by NIST in this space, and I kind of like where they

are going with this. I wouldn't say it was crappy. Was that your best work? But crappy seems harsh. I mean, you know, we'll discuss it on your review this week. So, a couple of thoughts. I generally agree with your kind of view on this. I also wonder how often, let's say you assess somebody and your assessment is that they're weak or substandard or whatever you decide, like, well, I mean, how often do you think that actually stops a deal for a company? And that's

individual to

each company, really. Like, how powerful is a third-party risk management team? That is one of the questions I was curious about. The other thing I think about is, for a lot of people today, typically the answer to these types of questions was something like a SOC 2 report, where they're like, look, we've got an outside auditor who has audited us.

Here's their attestation of our, you know, concurrence with meeting all these different standards. Trust them. Go to this. And do you find that trust really good enough?

So I would say, you know, SOC 2 really slides into that same park, like, an ISO 27001 report, whatever; I see those as kind of fitting into that cyber practices one, right? And even so, it's not like... most of those are testing you against your policies, right?

And so, yes.

So like, okay, yeah, I've got SharePoint. I've got a vulnerable version of SharePoint on the internet. But it says that I can do that so long as the right level of management signed off on it, and I can show that the right level of management signed off on it.

Therefore, I met my policy. And so they're not performing qualitative assessments of the decisions that you're making. They're looking to see that you have reasonable processes in place and are following them.

And so I think that's the hole that I have long seen with things like SOC 2. Yes, they're great, by the way. Like, this is something that I think we struggle with as an industry, because if you think about a service provider, they don't have the ability, I mean, unless the services become breathtakingly expensive,

they don't have the ability to entertain auditors from every one of their customers. And so they have to use something like a SOC 2. It's just the way it is.

And on the other side, you know, companies that are paying, you know, five thousand dollars a year for a cloud service don't want to, like, employ a one hundred or two hundred or three hundred thousand dollar a year auditor to go and audit a five-thousand-dollar supplier, a supplier supplying a five-thousand-dollar service. That's also not very feasible. So I think we're stuck having to do something like that. But I don't think it meets the mark. I think it's an input. I think, you know,

if they

don't have it, that should raise alarm, but if they do have it, you shouldn't say, like, well, you know, everything's great, they have their SOC 2. Yeah. That's the world according to Jerry. Yes.

Yep, I think it still comes back down to how can you ask the right question and get an honest enough answer to make a valid risk decision that also doesn't change in five minutes.

Yeah, because it's not static, and it's a point in time. So I struggle with

that. Now, from a cyber supply chain risk perspective, some of the other questions, I think, are legitimate, like, you know, what is the financial stability of the company? The ability of the company to keep going as a going concern. Are they owned by some other entity that we don't trust right now, like Russia or China or whatever? I get that, but I think the cyber stuff is just a lot of, frankly, hand waving to make it look like we did something, and I don't know how effective these programs are.

Honestly, you asked a question: how often is it that a risk management function would have the ability to just stop a deal with a supplier that they find to be dangerous? And I would say, like, I have seen it. I mean, I have seen it. And, by the way, it can get ugly and sometimes does get overridden, as you might expect.

But at the same time, if something bad happens, like, that's exhibit A. Like, you know, at that point you've got nothing to hide behind. You did your due diligence and you found a concerning thing and you ignored it. And so, like, you proceeded at your own peril. Not saying that that's necessarily unreasonable to do in all instances, because, you know, if it's a company that's managing your lunch menu, like, that's probably not a big deal.

But if it's like, the company is handling the personal health information of your customers, and you find something concerning, that's probably not a good thing, because you could be in serious trouble. So I think it comes down to risk. And it relies on the leadership of the company having the right mindset when they're making these risk decisions. And, you know, some make bad decisions. And so I think that, probably more often than should happen, the decision is made to continue on using suppliers that have concerns.

Just the

way it is. Yeah, yeah. So anyway, that is the show for today. I hope this was useful to you despite my stammering.

I just get you so worked up, and just

I just, it's you. It really is you. That's fair. And yet

you knew that, and you did your due diligence, and yet you still invited me to the show and keep inviting me here.

Here I am. That's right.

You know what you're getting.

So anyway, thank you for being here. Hopefully you still like the video format. If you like us and like what you hear, please give us some love on whatever podcast app or format that you're watching this or listening to this through. You can find, by the way, links to all the stories we talk about on our website at www.defensivesecurity.org. You can find Mr. Kelly

where? I'm on X and infosec.exchange at lerg.

Good deal. And I am @jerry at infosec.exchange. And by the way, I have to say we have had quite a few new people signing up to infosec.exchange over the past probably two weeks, citing that they're coming here because

they listen to the show.

So that's pretty cool.

That is cool. Hopefully it's worth it to them, then. Yeah, they should say hello.

Don't be shy, exactly. Anyway, we will talk again soon. Thank you all very much.