Blue Security
Andy Jaw & Adam Brewer
Category: Technology
A podcast for information security defenders (blue team) on best practices, tools, and implementation for enterprise security.
Mobile Threats
In this episode, Andy and Adam discuss the growing threat posed by mobile devices. They highlight the recent mass password reset and account lockout of Apple IDs and the potential for a mobile wormable event. They walk through the conditions a mobile wormable attack would need, including the development of zero-click exploits, the abuse of contact lists for further spread, and the lack of clear mitigations from telecommunications and mobile device companies. They also discuss the limitations of Lockdown Mode and the importance of endpoint protection for mobile devices.
Takeaways
- Mobile devices have become ubiquitous in corporate environments and are vital for both security and operations.
- The conditions necessary for a mobile wormable attack are already in place, including the development of zero-click exploits and the abuse of contact lists for further spread.
- Lockdown Mode and mobile threat detection (MTD) solutions can provide some risk mitigation for mobile devices, but they have limitations and limited visibility.
- Endpoint protection for mobile devices, including mobile device management (MDM) and MTD, should be part of an organization's risk mitigation strategy.
- Enterprises should consider implementing baseline security measures for mobile devices, such as a minimum six-digit passcode and keeping the operating system up to date.
-----------------------------------------------------------
YouTube Video Link: https://youtu.be/lxWveot8AF4
-----------------------------------------------------------
Documentation:
https://www.macrumors.com/2024/04/27/apple-id-accounts-logging-out-users/
https://go.recordedfuture.com/hubfs/reports/CTA-2024-0416.pdf
https://www.wired.com/story/apple-lockdown-mode-hands-on/
-----------------------------------------------------------
Contact Us:
Website: https://bluesecuritypod.com
Twitter: https://twitter.com/bluesecuritypod
Linkedin: https://www.linkedin.com/company/bluesecpod
Youtube: https://www.youtube.com/c/BlueSecurityPodcast
-----------------------------------------------------------
Andy Jaw
Twitter: https://twitter.com/ajawzero
LinkedIn: https://www.linkedin.com/in/andyjaw/
VDI and Shared Responsibility Model
In this episode, Andy and Adam discuss the importance of VDI (Virtual Desktop Infrastructure) in security and enterprise architecture. They highlight the security benefits of VDI, such as separating end user environments from the underlying physical hardware, centralized management of baseline images and patches, and the ability to keep sensitive data in the data center. They also explore the shared responsibility model in cloud computing, where the cloud provider is responsible for the security of the infrastructure, but the end users are responsible for protecting their data and assets stored in the cloud.
Takeaways
- VDI provides security benefits by separating end user environments from the underlying physical hardware and centralizing management of baseline images and patches.
- The shared responsibility model in cloud computing means that while the cloud provider is responsible for the security of the infrastructure, the end users are responsible for protecting their data and assets stored in the cloud.
- Understanding the shared responsibility model is crucial for security practitioners to ensure they are defending their organization's data effectively.
- Minimizing the use of IaaS and on-premises models in favor of PaaS and SaaS models can reduce the organization's security responsibilities and provide better security.
- It's important to know what you're responsible for in terms of data protection and security when using cloud services.
-----------------------------------------------------------
YouTube Video Link: https://youtu.be/wdguHOGjs2Q
-----------------------------------------------------------
Documentation:
https://x.com/itguysocal/status/1769052129111707877?s=46&t=wVpJpdH7u2mDZZDEtx3bMg
https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility
https://aws.amazon.com/compliance/shared-responsibility-model/
https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate
Entra Follow-up, Helpdesk Security, Certifications
In this episode, Andy and Adam clarify some points from the previous episode and discuss two main topics: mitigating social engineering attacks on IT help desks and the value of certifications in cybersecurity. They provide practical tips for securing IT help desks, such as requiring callbacks, video verifications, and supervisor verification. They also share their thoughts on certifications, highlighting the importance of experience and continuous learning over the number of certifications. They recommend certifications from AWS and Microsoft for beginners and discuss the relevance of TCP/IP knowledge in today's cybersecurity landscape.
Takeaways
- Mitigate social engineering attacks on IT help desks by implementing measures such as requiring callbacks, video verifications, and supervisor verification.
- Certifications in cybersecurity can be valuable for beginners and for demonstrating knowledge and skills to employers, but they should not be the sole focus. Experience and continuous learning are more important.
- Certifications from AWS and Microsoft are cost-effective options for beginners in the field.
- TCP/IP knowledge, while important, may not be as relevant in today's cybersecurity landscape as other skills and knowledge areas.
- Adaptability and meeting employers where they are in terms of security practices are crucial in the field of cybersecurity.
-----------------------------------------------------------
YouTube Video Link: https://youtu.be/BHcR7bAyMlY
-----------------------------------------------------------
Documentation:
https://www.bleepingcomputer.com/news/security/us-health-dept-warns-hospitals-of-hackers-targeting-it-help-desks/
https://twitter.com/infosec_fox/status/1778404395035550105?t=wVpJpdH7u2mDZZDEtx3bMg
Managed Machines, E3 vs E5
In this episode of the Blue Security Podcast, Andy Jaw and Adam Brewer discuss two main topics: the importance of managed devices for improving security posture and the bundling of security solutions in Microsoft licensing. They highlight the shift towards requiring Intune and Azure AD joined devices for improved device management and security. They also address the question of why Microsoft doesn't include more security solutions in their basic bundles, explaining the challenges of bundling and the need to compete fairly in the security market.
Takeaways
- Managed devices, specifically Intune and Azure AD joined devices, are crucial for improving security posture.
- Hybrid join is the bare minimum for requiring managed machines, but Intune and Azure AD compliance provide continuous device health attestation and better device risk management.
- Microsoft's licensing bundles, such as E3 and E5, do not include all security solutions because it would raise prices and not all customers need or want those solutions.
- Microsoft aims to compete fairly in the security market and offers value in their licensing options, with E5 being the most comprehensive and cost-effective solution.
- Customers have the flexibility to choose third-party security solutions and integrate them with Microsoft's offerings.
-----------------------------------------------------------
YouTube Video Link: https://youtu.be/Fv5yns0olmU
-----------------------------------------------------------
Documentation:
https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid
https://techcommunity.microsoft.com/t5/manufacturing/getting-started-with-an-intune-device-management-poc/ba-p/2703678
https://www.techrepublic.com/article/microsoft-teams-unbundle-office-eu-probe/
Teams External User Phishing
This episode of the Blue Security Podcast discusses the issue of finding logs for chats between external and internal users in Microsoft Teams. The hosts explore various methods for detecting and alerting on suspicious chats, including using KQL queries, creating workbooks, and leveraging communication compliance features. They also highlight the connection between Teams, Exchange Online, and SharePoint, and the importance of protecting against malicious links and educating users about phishing threats. The episode concludes with a discussion on the significance of single sign-on configuration and the need for a holistic approach to security.
Takeaways
- Implementing KQL queries and workbooks can help detect and analyze logs for chats in Teams.
- Communication compliance features can be used to detect insider risks and inappropriate behavior in chats.
- Protecting against malicious links and educating users about phishing threats are crucial for maintaining security in Teams.
- Configuring single sign-on and requiring managed machines can enhance security and prevent credential theft.
-----------------------------------------------------------
YouTube Video Link: https://youtu.be/y4EEhkw7EpA
-----------------------------------------------------------
Documentation:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-support-teams-about?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-microsoft-teams
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide
Midnight Blizzard Update, CISO Technical Skills, BEC + Automatic Attack Disruption
This episode covers updates on the Midnight Blizzard attack, the role of CISOs and their technical expertise, the need for international standards in cyber warfare, and defending against business email compromise.
Takeaways
- Microsoft provides an update on the Midnight Blizzard attack, revealing attempts to gain unauthorized access to internal systems.
- The technical expertise of CISOs is important, but they don't need to be deeply technical. Understanding the solutions and threats, and being able to explain them, is crucial.
- Cyber warfare is a serious issue, and there is a need for international standards to define appropriate targets for attacks.
- Microsoft demonstrates how their ecosystem defends against business email compromise using automatic attack disruption.
-----------------------------------------------------------
YouTube Video Link: https://youtu.be/SQGJT2qLLms
-----------------------------------------------------------
Documentation:
https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
https://www.sec.gov/edgar/browse/?CIK=789019&owner=exclude
https://www.youtube.com/watch?v=GnEGWzfxU8c
Andy Jaw
Twitter: https://twitter.com/ajawzero
LinkedIn: https://www.linkedin.com/in/andyjaw/
Email: andy@bluesecuritypod.com
-----------------------------------------------------