Dave Bittner
You're listening to the CyberWire network, powered by N2K. Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control: stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. Microsoft issues emergency updates for Windows Server. Apple releases emergency security updates to patch two zero-days. CISA averts a CVE program disruption. Researchers uncover Windows versions of the Brickstorm backdoor. Atlassian and Cisco patch several high severity vulnerabilities. An Oklahoma cybersecurity CEO is charged with hacking a local hospital. A Fortune 500 financial firm reports an insider data breach. Researchers unmask IP addresses behind the Medusa ransomware group. CISA issues a warning following an Oracle data breach. On our Industry Voices segment, we're joined by Rob Allen, chief product officer at ThreatLocker, to discuss a layered approach to zero trust. And former CISA director Chris Krebs steps down from his role at SentinelOne. It's Thursday, April 17, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great to have you with us. Microsoft has issued emergency updates for Windows Server to fix a bug that prevented Windows containers from starting when using Hyper-V Isolation. The problem happened when system file versions between the container and host didn't match. This mismatch caused startup failures. The fix ensures containers now access the correct files from the host, improving stability and compatibility.
These updates are not available via Windows Update and must be manually downloaded from the Microsoft Update Catalog. Microsoft also shared instructions for applying the fix using the DISM tools on live systems or installation media. Apple has released emergency security updates to patch two zero-day vulnerabilities actively exploited in targeted iPhone attacks. The bugs affect iOS, macOS, iPadOS, tvOS, and visionOS. One flaw allows remote code execution via malicious audio files, while the other bypasses pointer authentication, a key memory protection. Apple says the attack was extremely sophisticated but offered no further details. A wide range of devices are impacted. Despite being targeted attacks, all users are urged to update. This brings Apple's 2025 zero-day count to five. CISA has extended MITRE's contract to manage the CVE and CWE programs by 11 months, averting a disruption to the global vulnerability tracking system. The extension followed concerns raised after MITRE disclosed the U.S. government wouldn't renew the contract, set to expire on April 16. MITRE has managed the program for 25 years, offering critical support to cybersecurity operations worldwide. The abrupt funding uncertainty stemmed from broader cuts that led MITRE to lay off hundreds of staff. In response, CISA identified emergency funding to keep operations running. Meanwhile, the CVE Foundation was formed to transition CVE oversight away from sole US government control. New initiatives like the Global CVE System and the EU's vulnerability database aim to diversify and decentralize global vulnerability management going forward. Research from NVISO uncovers Windows versions of the Brickstorm backdoor linked to the Chinese APT UNC5221, behind the MITRE attack in early 2024. These variants, active since at least 2022, target European organizations and offer stealthy file manipulation and network tunneling using DNS over HTTPS, written in Go.
They use scheduled tasks for persistence and rely on stolen credentials to abuse RDP and SMB. The malware hides its infrastructure using public cloud services and evades detection through encrypted, multiplexed C&C connections. Atlassian and Cisco released patches for high severity vulnerabilities this week, some of which could lead to remote code execution. Atlassian addressed long standing flaws in Bamboo, Confluence and Jira, including denial of service bugs and XML external entity issues. Cisco patched security defects in Webex App, Secure Network Analytics and Nexus Dashboard. One Webex flaw could allow remote code execution via a crafted meeting invite. Neither company reported active exploitation of the vulnerabilities, but users are urged to update promptly. Jeffrey Bowie, CEO of a cybersecurity firm in Edmond, Oklahoma, has been charged with hacking St. Anthony Hospital, where authorities say he installed malware to secretly take and send screenshots every 20 minutes. Surveillance footage showed Bowie roaming hospital halls on August 6th of last year, trying doors before accessing a staff-only computer. He claimed he had a family member in surgery when confronted. Former employer Alias Cybersecurity said they let Bowie go years ago over ethics concerns. Alias CEO Donovan Farrow expressed disappointment, calling the act a stain on the cybersecurity field. The hospital confirmed no patient data was compromised. Bowie was arrested after a forensic review uncovered the malware; attempts to reach his company failed. Ethical hacking is common in the industry, but this case appears to have crossed legal and ethical lines. Ameriprise Financial has notified over 4,600 customers that their personal data was improperly shared by a former advisor who left for LPL Financial between 2018 and 2020. The company discovered the breach in January.
The ex-employee shared more customer information than allowed during the transition, including names, addresses, emails and phone numbers. Ameriprise hasn't detailed if more sensitive data was leaked, but is offering free credit monitoring to those affected. The firm, a Fortune 500 company founded in 1894 and formerly part of American Express, reported $17 billion in revenue last year. Ameriprise says it has since implemented new measures to prevent similar incidents. While this breach wasn't the result of hacking, it underscores how internal lapses can still jeopardize customer privacy. Researchers have unmasked the real IP address behind the Medusa ransomware group, a notorious operation long hidden on the Tor network. Covsec security experts exploited a severe vulnerability in Medusa's blog platform used to post stolen data, bypassing Tor's anonymity protections using a server side request forgery attack. They ran a simple command that revealed the server's public IP, hosted via Selectel in Russia. The server runs Ubuntu and exposes insecure services, including OpenSSH with password login. Medusa Locker, active since 2019, has targeted healthcare, education and manufacturing sectors with double extortion tactics. This rare technical breakthrough into a Tor hidden ransomware group offers unprecedented visibility into its infrastructure, demonstrating how poor server security can undermine even the most elusive cybercriminal operations. Federal cybersecurity officials have issued a warning following a data breach involving Oracle, where hackers accessed credentials from legacy systems. Oracle privately notified customers in January but didn't publicly confirm the breach. The company claimed Oracle Cloud Infrastructure wasn't impacted, though hackers accessed usernames from two outdated servers. The breach became public when a hacker offered stolen data from Oracle Cloud's SSO and LDAP systems for sale online.
Cybersecurity firms confirmed 6 million records were stolen, affecting over 140,000 tenants. The data included encrypted passwords, keys and other sensitive information. The hacker allegedly solicited help to decrypt the data and extorted Oracle customers. CISA urged organizations to reset passwords, monitor logs, review code, and report incidents. Oracle has not commented on the federal advisory. Coming up after the break, my conversation with Rob Allen from ThreatLocker. We're discussing a layered approach to zero trust. And former CISA director Chris Krebs steps down from his role at SentinelOne. Stay with us. Bad actors don't break in, they log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing: your data. Varonis' AI-powered data security platform secures your data at scale across IaaS, SaaS and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com. What's the common denominator in security incidents, escalations and lateral movement? When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do. Rob Allen is Chief Product Officer at ThreatLocker. And on today's sponsored Industry Voices segment, we discuss a layered approach to zero trust.
Rob Allen
It's more about a layered approach to security in general than specifically the zero trust. And by layered approach, broadly speaking, what we mean is using different strategies or different approaches simultaneously. So an example would be we speak to a lot of organizations who've got layers, but they tend to be similar layers. So they might, for example, have AV and EDR and XDR and basically everything that ends with DR, and they think they're well protected. But fundamentally they are dependent on detection. They are dependent on something being recognized as being bad. And the problem is that nobody knows all of the bad things, because if they did, there would be no such thing as ransomware. When we talk about layers, what we talk about is different types of layers. So yes, detection is good, detection is important. You should have detection. But you should ideally combine detection with controls, which is fundamentally what ThreatLocker is about. It's about controlling what can run and what can't run, controlling what things can do, controlling the network. It's a different type of approach to detection, but it works very well alongside detection and it gives you true layered security.
Dave Bittner
Are there common misconceptions out there? I mean, when people decide, hey, we're gonna go buy ourselves some zero trust, are there any myths?
Rob Allen
That's probably the biggest misconception is to think that you can go out and buy yourself some zero trust. Because realistically, zero trust is not a single product. It is a way of looking at things. It's an approach, it's a strategy. So you can't just go out and buy yourself some zero trust. So that's probably the biggest misconception. I mean, the other biggest misconception is it's going to be difficult, it's going to be hard, it's going to get in the way, it's going to affect our business. It doesn't need to. One of the things we pride ourselves on is that we make this strategy, this approach achievable, attainable to even, you know, everything from small and medium businesses up to massive enterprises.
Dave Bittner
What about the name itself? I mean, does zero trust actually mean no trust at all?
Rob Allen
That's a really loaded question. It means constantly limiting, constantly verifying. I mean, it means allowing people to do what they need to do, but no more. I mean, probably my favorite way of looking at it is to assume breach. So basically assume that they're already in. They're on your network right now, they've got full, you know, administrative privileges on one of your DCs. What can they do now in the normal run of things? And without zero trust, the answer is probably going to be quite a lot. Whereas if you take that assumption, if you assume, okay, they're in right now, what can they do? Fundamentally, everything that we do makes sense. So, you know, blocking unknown software from running, you know, stopping PowerShell from reaching out to the Internet, that kind of stuff, it's going to make their lives significantly more difficult.
Dave Bittner
Why is zero trust important at this moment? You know, where we find ourselves, the kinds of threat actors that we're facing here? What makes it an appropriate part of the toolbox?
Rob Allen
Well, there's a few different aspects to this. I mean, first and foremost, one thing that not just we see, but, I mean, everybody pretty much sees, is the misuse of otherwise good applications. So, effectively, what's called living off the land. I mean, as an example, AnyDesk is a remote access tool of choice of many ransomware gangs today. I mean, they, in a lot of cases, they'll use a thing called rclone for exfiltrating data. Now, rclone and AnyDesk are not bad applications in themselves. They're not malicious, they're not malware. So most detection is not going to pick them up or block them. I mean, another example would be WinRAR or 7zip. I mean, WinRAR and 7zip both have all of the characteristics of ransomware, meaning you can encrypt data with them, you can delete data with them, you can exfiltrate, you can copy data with them. Again, are they bad, inherently bad applications? No, they're not. But can they be misused if a threat actor is in your environment and has access to them? Absolutely. So that again brings us back to why limiting things and controlling things and blocking things that are not, strictly speaking, necessary is so important.
Dave Bittner
Yeah, I think most businesses are on board with the notion of assessing risk, aligning risk, those sorts of things. How does zero trust play into that? As organizations assess their risk, as they look at their appetite for risk, how do you dial in zero trust into that?
Rob Allen
Well, obviously it very much reduces it. I mean, I've had conversations, I've spoken to insurance companies and had fairly in-depth conversations about, for example, things like cyber insurance and their appetite for giving cyber insurance to companies. And I mean, it's getting harder and harder to get things like cyber insurance today. And it's because, I mean, I think one example they gave me was that in, I think it was about two years ago in France, the entire cybersecurity, sorry, the entire cyber insurance premium, so the number that they made or that they got paid for cyber insurance premiums, was wiped out by one cyber insurance breach. So what they had to pay out on one breach eclipsed everything they got in that year. So it's not difficult to understand why they consider risk to be so important. It's not difficult to understand why they're hesitant about giving things like cyber insurance to anyone and everyone. And I did speak to them about, look, what can people do to make it easier, to effectively reduce the risk? And again, they basically said zero trust is very much something that they will take into consideration. It may be the difference between a company getting cyber insurance and not getting cyber insurance. It might be the difference between a, you know, a $10,000 premium and a hundred thousand dollar premium. So it certainly helps. And again, that's not just my opinion. That is from speaking to those who would know.
Dave Bittner
Yeah, I mean, it's an interesting, you know, analogy. I guess it's kind of like if you own a building and having the insurance folks walking around to make sure that you have sprinklers and fire extinguishers. Right. It's sort of, it's a table stake sort of thing these days. I suppose.
Rob Allen
Yeah, no, absolutely, absolutely. Realistically, anything you can do to limit your exposure, anything you can do to reduce your risk is a good thing.
Dave Bittner
What about the regulatory regimes that folks are under these days? I mean, we see that CISA, for example, they have their zero trust maturity model. It seems like the feds are really on board with this.
Rob Allen
Yeah, I mean, the executive order from a few years ago, I think it was 2021 actually, where they basically mandated zero trust for anything to do with the federal government, was a real eye opener and something that people looked at and went, oh, but you know, maybe this is something we should be looking at too. One really interesting example from our own perspective as to how sort of governments and legislations can focus people's minds is, across the entire globe, our second biggest market is Australia and has been for some time now. We've never done any marketing in Australia. We don't do events in Australia, we don't do advertising in Australia. Well, we do now, but we never did for a long time. But the reason Australia is our second biggest market is they've got a set of recommendations called the Essential Eight. And the Essential Eight is, they've effectively narrowed down all of the things you should do to keep yourself secure as an organization to eight general recommendations. And the situation is, if you get hit in Australia, if you have a data breach in Australia, then your fine is going to be an order of magnitude bigger if you haven't followed or don't adhere to the Essential Eight. Now, as I said, from our perspective it's great because it means we've got lots of customers who need to implement allow listing. But again, it just shows how government can assist and guide organizations in doing what is best for them.
Dave Bittner
How do organizations avoid checkbox compliance though? I mean if you've got regulatory pressure for this, obviously you want to check that box. But that's not all you want to do. You want to go beyond that, right?
Rob Allen
Absolutely. Look, there is always, always, always more that you can do. I mean, we did a webinar a half an hour ago and one of the people on it, basically one of the questions was about running ThreatLocker on servers, and one of the people said, I have ThreatLocker on my servers. It's great. It helps me sleep at night. Now, while that very much makes me happy, and it's probably the best thing any customer can say to me, that you help me sleep at night, because it tells us that we're doing a really good job, at the same time in the back of my mind I was wondering, are you doing everything you could be doing to protect yourself? Yes, you're running ThreatLocker on it, so you're blocking unknown software from running. But have you, for example, locked down your network? So are you controlling what can connect to that server? My guess would be maybe they're not. There are always going to be other things that you can do. There are always going to be more steps that you can take. And again, it comes back to fundamentally zero trust not being a destination, more being a journey. You will always be able to do more and you should always strive to do more.
Dave Bittner
You mentioned that person running ThreatLocker on their servers. What about cloud environments? What are some of the specific challenges that folks face there?
Rob Allen
Well, look, things like token theft are a constant, constant concern. Obviously business email compromise, that kind of stuff has been going on for years. I mean, it's one of the, the things that we've tried to deal with more recently is we've released a, or recently released a new product which is cloud control. So effectively using Microsoft, and Microsoft do have some quite good tools built into Azure, but using Microsoft's conditional access in a slightly more dynamic way. So rather than just locking your cloud resource down to an IP address, we basically made an agent. It's installed on people's phones, it checks in, it gives the IP addresses and those IP addresses are uploaded to Office 365 automatically. So that's one of the things that we've done to try and make securing cloud infrastructure easier and again, attainable for organizations.
Dave Bittner
Well, you know, you mentioned at the outset that one of the misconceptions that people have is that this is difficult. What are your recommendations for organizations who are looking to get started here so they don't feel overwhelmed?
Rob Allen
Well, I mean, I suppose the first recommendation I'd suggest is to start somewhere. I mean, probably the biggest thing that we have to battle against is people's sense of, I suppose, being overwhelmed, or we don't know where to start or what are we going to do? I mean, probably step one is, what is the problem? What does it look like within my environment? You know, what remote access tools am I running on my computers? You know, is there anything there right now that needs to concern me? And you'd be amazed at how many organizations just have no idea what's running on their machines. It's one of the first things that we do: we do effectively a full audit. So we'll see all of the software, we'll see all of the remote access tools you're running, we'll see all of the potential ways for data to be exfiltrated, and then you can start making decisions about, are these things needed or not? So I can see TeamViewer is installed on 25% of our computers. We don't use TeamViewer. Now, look, we all know how it happens, which is at some point in the far distant past, some third party has said, well look, I need TeamViewer to get into your machine. Can you install it please? But the problem is it gets installed and then it gets forgotten about. So it sits there forever as a potential way into the network. I mean, I know this is a terrible way to describe it, as favorite, but one of my, in inverted commas, favorite cyber attacks over the last number of years was on a water treatment facility here in Florida. And it was described in the media as an advanced cyber attack. And somebody got in and basically started playing with the levels of chemicals in this water treatment facility. Now, as I said, it's a terrible thing to describe as favorite, but the fact is it was basically done, this advanced cyber attack, via somebody having TeamViewer installed on a machine in this water treatment facility.
Dave Bittner
That's Rob Allen, Chief Product Officer at ThreatLocker. Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for a thousand dollars off. And finally, Chris Krebs, a respected voice in cybersecurity and former CISA director, has stepped down from his role as SentinelOne's chief intelligence and public policy officer. This decision follows the revocation of his security clearance and a presidential order to review CISA's conduct during his tenure. In a heartfelt message, Krebs made it clear the resignation was his alone, saying this is my fight, not the company's. Committed to defending democracy, free speech and the rule of law, Krebs said the challenge ahead requires his full focus. Recognized for his integrity, Krebs led CISA from its founding in 2018 until 2020, when he was dismissed after publicly affirming the 2020 election's security. After leaving government, he co-founded the Krebs Stamos Group, which was later acquired by SentinelOne. As he steps away from SentinelOne, we commend his continued commitment to truth and integrity and wish him well on the road ahead. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tre Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Looking for a career where innovation meets impact? Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today at vanguardjobs.com.
Release Date: April 17, 2025
Host: Dave Bittner
Publisher: N2K Networks
In the April 17, 2025, episode of CyberWire Daily, host Dave Bittner delivers an in-depth analysis of the latest cybersecurity developments, encompassing emergency patches, significant breaches, and expert insights into evolving security strategies. This summary encapsulates the key discussions, expert interviews, and critical updates presented in the episode.
Microsoft has released urgent updates to address a bug affecting Windows Server. The bug prevented Windows containers from starting when using Hyper-V Isolation. The issue stemmed from mismatched system file versions between the container and the host, leading to startup failures. The newly deployed fix ensures containers correctly access host files, thereby improving stability and compatibility. Notably, these updates are not available through the standard Windows Update mechanism and must be manually obtained from the Microsoft Update Catalog. Microsoft has provided detailed instructions for applying the fix using DISM tools on live systems or installation media.
Apple has released emergency security patches to mitigate two zero-day vulnerabilities actively exploited in targeted iPhone attacks. These flaws impact a broad range of Apple devices, including iPhones (iOS), Macs (macOS), iPads (iPadOS), Apple TVs (tvOS), and Vision Pro devices (visionOS). One of the vulnerabilities permits remote code execution via malicious audio files, while the other circumvents pointer authentication, a critical memory protection mechanism. Apple characterized the attack as "extremely sophisticated" but did not disclose further specifics. Despite the targeted nature of these attacks, all users are strongly advised to update their devices promptly. This update brings Apple's zero-day vulnerability count for 2025 to five.
The Cybersecurity and Infrastructure Security Agency (CISA) has extended MITRE’s contract for managing the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs by 11 months. This extension prevents a potential disruption to the global vulnerability tracking system amidst concerns that arose when MITRE's contract was set to expire on April 16. MITRE has overseen these critical programs for 25 years, providing essential support to cybersecurity operations worldwide. The extension follows MITRE's announcement of staff layoffs due to broader budget cuts. Additionally, the CVE Foundation has been established to transition CVE oversight away from exclusive U.S. government control, introducing initiatives like the Global CVE System and the EU's vulnerability database to diversify global vulnerability management.
Research conducted by NVISO has identified Windows variants of the Brickstorm backdoor, associated with the Chinese Advanced Persistent Threat (APT) group UNC5221, the group behind the MITRE intrusion in early 2024. Active since at least 2022, these variants primarily target European organizations, employing stealthy file manipulation and network tunneling over DNS over HTTPS, and are written in Go. The malware maintains persistence via scheduled tasks and relies on stolen credentials to abuse Remote Desktop Protocol (RDP) and Server Message Block (SMB) for lateral movement. Additionally, the malware obscures its infrastructure by utilizing public cloud services and evades detection through encrypted, multiplexed command and control (C2) connections.
Both Atlassian and Cisco have released patches addressing multiple high-severity vulnerabilities, some of which could lead to remote code execution. Atlassian's updates cover longstanding flaws in Bamboo, Confluence, and Jira, including denial of service (DoS) bugs and XML external entity (XXE) issues. Cisco's patches address security defects in Webex App, Secure Network Analytics, and Nexus Dashboard, with one Webex vulnerability allowing remote code execution through a crafted meeting invite. Although neither company has reported active exploitation of these vulnerabilities, users are strongly encouraged to apply the updates promptly.
Jeffrey Bowie, CEO of a cybersecurity firm based in Edmond, Oklahoma, has been charged with infiltrating St. Anthony Hospital. Authorities allege that Bowie installed malware to covertly capture and transmit screenshots every 20 minutes. Surveillance footage from August 6th of the previous year depicted Bowie accessing restricted areas and attempting to gain entry to a staff-only computer. Upon confrontation, Bowie claimed he had a family member undergoing surgery. Alias Cybersecurity, Bowie's former employer, stated that he was terminated years earlier due to ethical concerns. Alias CEO Donovan Farrow expressed disappointment, describing Bowie’s actions as a "stain on the cybersecurity field." The hospital confirmed that no patient data was compromised. Bowie was apprehended after a forensic investigation revealed unsuccessful attempts to communicate with his company via the deployed malware. This incident highlights the fine line between ethical hacking and illegal activities within the cybersecurity industry.
Ameriprise Financial, a Fortune 500 company with $17 billion in revenue last year, has notified over 4,600 customers that their personal data was improperly shared by a former advisor who transitioned to LPL Financial between 2018 and 2020. The breach, discovered in January, involved the ex-employee sharing customer information beyond permitted limits during the transition, including names, addresses, emails, and phone numbers. While Ameriprise has not disclosed whether more sensitive data was exposed, it is offering free credit monitoring to affected customers. The company has implemented new measures to prevent similar incidents, underscoring the potential risks posed by internal lapses even in the absence of external hacking attempts.
Security experts at Covsec have successfully identified the real IP addresses of the Medusa Ransomware Group, a notorious operation previously concealed within the Tor network. Leveraging a severe vulnerability in Medusa's blog platform used for posting stolen data, Covsec exploited a server-side request forgery (SSRF) attack to reveal the server's public IP address. The compromised server, hosted by Selectel in Russia, runs Ubuntu and exposes insecure services, including OpenSSH with password authentication enabled. Active since 2019, Medusa Locker targets sectors such as healthcare, education, and manufacturing, employing double extortion tactics. This breakthrough demonstrates how inadequate server security can compromise even the most clandestine cybercriminal operations, providing unprecedented visibility into the group's infrastructure.
CISA has issued an advisory after Oracle experienced a breach in which attackers obtained credentials from legacy systems. Oracle told customers privately in January, but the incident became public when a threat actor began selling data online that was taken from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. Security firms have validated roughly six million records affecting more than 140,000 tenants; the data includes encrypted passwords, keys, and other sensitive material. The actor reportedly sought help decrypting the credentials and attempted to extort Oracle customers. CISA advises organizations to reset affected passwords, monitor authentication logs for anomalous activity, review source code and configuration for hard-coded credentials, and report suspicious activity. Oracle has not publicly commented on the advisory. The practical caveat is that encrypted or hashed credentials should be treated as compromised, not as safe: an attacker who holds them can keep working on them offline for as long as they remain valid.
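The "review code" step is the one teams tend to skip, because it means grepping every repository, deployment script, and config file for credentials that were embedded instead of injected at runtime. The scanner below is an added example written for this page, not CISA's tooling and not Oracle's: it runs a small set of heuristic patterns over constructed sample files, skips values that are clearly environment-variable references, and reports masked findings so the report itself does not leak the secrets. File names, contents, and the pattern set are assumptions; the AWS key shown is the documented example key, not a real one.

```python
"""Scan source and config text for hard-coded credentials.

Added example, not from the page, CISA, or Oracle. The sample files are
constructed; the patterns are a starting set, not a complete one.
"""
import re

# Each pattern captures the sensitive value as group "v" where there is one.
PATTERNS = {
    # key = "value"  /  key: value, where key looks like a credential name
    "assignment": re.compile(
        r"""(?i)(?:pass(?:w(?:or)?d)?|secret|api[_-]?key|token)\s*[:=]\s*['"]?(?P<v>[^'"\s]{4,})"""),
    # scheme://user:password@host
    "url_userinfo": re.compile(r"""(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<v>[^/\s@]+)@"""),
    # AWS access key ID format
    "aws_access_key": re.compile(r"\b(?P<v>AKIA[0-9A-Z]{16})\b"),
    # PEM private key material checked into a repo
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that reference runtime injection rather than embedding a secret.
INJECTED = re.compile(r"(?i)^(?:os\.environ|os\.getenv|getenv\(|\$\{?[A-Z_]|<[A-Z_ -]+>|\{\{)")

# Constructed sample files (path -> contents).
SAMPLE_FILES = {
    "config/ldap.properties": (
        "ldap.url=ldap://svc-sync:Summer2020!@ldap.corp.example:389\n"
        "bindPassword=Summer2020!\n"),
    "deploy/settings.py": (
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'   # injected: should not be flagged
        'SSO_CLIENT_SECRET = "q8J2kL0pZrT4"\n'),      # embedded: should be flagged
    "scripts/backup.sh": (
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "# Java keystore used by the sync job\n"
        "KEYSTORE_PASS='changeit'\n"),                # vendor default, still a finding
    "keys/em.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n",
}


def mask(value):
    """Keep two characters for triage, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"


def scan_text(path, text):
    """Return [(path, line_number, kind, masked_value)] for one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.groupdict().get("v")
            if value is not None and INJECTED.match(value):
                continue
            findings.append((path, lineno, kind, mask(value) if value else m.group(0)))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping; in practice feed it from os.walk."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for path, lineno, kind, shown in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}: {shown}")
```

Expect noise from a regex scanner of this kind (variables named `token_count`, test fixtures, documentation); the point is to produce a short list a human can clear quickly, then rotate anything confirmed and move it to a secrets manager or environment injection.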
In the Industry Voices segment, Dave Bittner interviews Rob Allen, Chief Product Officer at ThreatLocker, to discuss the importance of a layered approach to zero trust in modern cybersecurity strategies.
[12:53] Rob Allen: "It's more about a layered approach to security in general than specifically the zero trust. And by layered approach, broadly speaking, what we mean is using different strategies or different approaches simultaneously."
Rob Allen emphasizes that while many organizations implement similar security layers—such as antivirus (AV), endpoint detection and response (EDR), and extended detection and response (XDR)—these often rely heavily on detection mechanisms. However, because attackers constantly evolve, relying solely on detection is insufficient. Instead, Allen advocates for incorporating control layers that proactively manage what can and cannot run within an organization’s environment.
[14:19] Rob Allen: "That's probably the biggest misconception is to think that you can go out and buy yourself some zero trust. Because realistically, zero trust is not a single product. It is a way of looking at things. It is an approach, it's a strategy."
Allen debunks common misconceptions about zero trust, clarifying that it is not a product but a comprehensive strategy aimed at continuously verifying and limiting access based on the principle of "assume breach." This mindset ensures that even if an attacker gains entry, their ability to navigate and exploit the network is severely restricted.
[15:07] Rob Allen: "Probably the biggest misconception is to think that you can go out and buy yourself some zero trust. [...] Another misconception is it's going to be difficult, it's going to be hard, it's going to get in the way, it's going to affect our business. It doesn't need to."
He reassures organizations that implementing zero trust does not have to hinder business operations. On the contrary, a properly executed zero trust framework can enhance security without disrupting workflows.
[16:13] Rob Allen: "Well, there's a few different aspects to this. [...] organizations can use common applications maliciously, what's called living off the land."
Allen further explains why zero trust matters against threat actors who abuse legitimate, already-installed applications for malicious ends (living off the land). By controlling which applications may run and what they are allowed to do, organizations limit that abuse even after an attacker has gained initial access.
[17:41] Rob Allen: "Well, obviously it very much reduces it. [...] zero trust is very much something that they will take into consideration. It may be the difference between a company getting cyber insurance and not getting cyber insurance."
He highlights the role of zero trust in risk management and cyber insurance. Implementing zero trust can significantly reduce organizational risk, making it easier to obtain cyber insurance and potentially lowering premiums.
[19:29] Rob Allen: "Yeah, absolutely, absolutely. Realistically, anything you can do to risk, to limit your exposure, anything you can do to reduce your risk is a good thing."
Allen underscores the importance of proactive measures in cybersecurity, noting that reducing exposure and risk is universally beneficial.
[21:37] Rob Allen: "Absolutely. [...] you will always be able to do more and you should always strive to do more."
Discussing the balance between compliance and comprehensive security, Allen advises organizations to go beyond mere checkbox compliance. Implementing zero trust is an ongoing journey that requires continuous improvement and adaptation.
[22:52] Rob Allen: "Well, look, things like token theft are a constant, constant concern. [...] securing cloud infrastructure easier and attainable for organizations."
Addressing cloud environments, Allen describes ThreatLocker's new "Cloud Control" product, which hooks into Microsoft's Azure conditional access to control access to cloud resources, as a defence against token theft and business email compromise.
[24:05] Rob Allen: "Well, I mean, I suppose the first recommendation that suggests is to start somewhere. [...] you can start making decisions about are these things needed or not."
For organizations seeking to implement zero trust without feeling overwhelmed, Allen recommends starting with a comprehensive audit of existing software and remote access tools. By identifying and eliminating unnecessary applications, organizations can reduce potential entry points for attackers.
Chris Krebs, a respected figure in cybersecurity and former director of CISA, has resigned from his position as SentinelOne's Chief Intelligence and Public Policy Officer. This decision follows the revocation of his security clearance and a presidential directive to review CISA's conduct during his tenure. In a personal statement, Krebs clarified that the resignation is his own decision, emphasizing his commitment to defending democracy, free speech, and the rule of law. Recognized for his integrity, Krebs led CISA from its inception in 2018 until his dismissal in 2020, which occurred after he publicly affirmed the security of the 2020 U.S. election. Post-government, Krebs co-founded the Krebs Stamos Group, later acquired by SentinelOne. As he departs from SentinelOne, the company commends his ongoing dedication to truth and integrity.
The April 17, 2025, episode of CyberWire Daily covers emergency patches from Microsoft and Apple, the last-minute extension of MITRE's CVE contract, new research on the Brickstorm backdoor and the Medusa ransomware infrastructure, an insider case at a hospital and another at a financial firm, and CISA's guidance following the Oracle credential breach. Rob Allen's segment makes the case for a layered, control-based zero trust approach rather than detection alone, and Chris Krebs's departure from SentinelOne rounds out the episode.
For more detailed insights and updates, listeners are encouraged to subscribe to the CyberWire Daily podcast and stay informed on the latest developments in the cybersecurity landscape.