In this episode of the Security Swarm Podcast, the dynamic duo Andy Syrewicze and Paul Schnackenburg discuss the software quality problem in the cybersecurity and technology industry, as highlighted by Jen Easterly, the director of CISA. They delve into the risks associated with software selection, the role of industry analysts, the importance of software stability and security over innovation, and the need for developers to focus on secure coding practices. One area Andy and Paul focus on is the risk associated with software selection, highlighting the importance of evaluating factors such as the software's origin, reputation, and security features when making decisions. Andy and Paul also discuss the role of industry analysts like Gartner and Forrester, and how their focus on innovation and feature sets may not always align with the critical need for stability, security, and reliable support.

Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!

Key Takeaways:
- The cybersecurity industry has a software quality problem, not just a security problem.
- Selecting software requires careful risk assessment, considering factors like the software's origin, reputation, and security features.
- Industry analysts often focus on innovation and features rather than software stability and security.
- The technology industry should reward software that is stable, secure, and operates as intended, not just the latest innovative features.
- Developers need to be trained in secure coding practices, as many graduates lack this knowledge.
- Understanding how threat actors could exploit vulnerabilities is crucial for developers to write secure code.
- The software landscape is constantly evolving, and the threat landscape is changing, requiring ongoing education and adaptation.
- Supply chain risks, such as pre-installed malware on refurbished devices, highlight the need for comprehensive security measures.

Timestamps:
(06:04) Assessing Software Risks
(16:50) The Analyst Approach
(21:11) Rewarding Stability and Security
(27:16) Secure Coding Practices in Academia
(32:59) Developers Understanding Threat Actors
(34:33) Supply Chain Risks
(37:32) Valuing Stability and Security over Innovation

Episode Resources:
Paul's Article
Andy and Eric's Episode on Vendor Risk

--

Proactively protect your organization's email from the growing threat of software vulnerabilities and malicious attacks. 365 Total Protection provides comprehensive security for Microsoft 365, safeguarding your business with advanced threat detection, spam filtering, and email encryption. Ensure your software is secure and your data is protected with Hornetsecurity's industry-leading 365 Total Protection.

Defend your organization against sophisticated cyber threats with Hornetsecurity's Advanced Threat Protection, powered by cutting-edge technology. Our advanced system analyzes email content and attachments to detect and block even the most evasive malware and phishing attempts. Stay one step ahead of threat actors and protect your business with Hornetsecurity's Advanced Threat Protection.
--------
39:08
Security of the Windows Boot Process
In this episode, Andy and Paul, the dynamic duo of the Security Swarm Podcast, delve into the often-overlooked security of the Windows boot process, revealing how recent leaks have compromised its integrity. Join Andy Syrewicze and Paul Schnackenburg as they break down how the boot process has evolved from the BIOS days to today's sophisticated UEFI system. They explore features like Trusted Boot and Secure Boot, which are designed to stop rootkits and other malware from hijacking the system. But things aren't as secure as they seem. Recent leaks of platform keys, including the infamous "PKFail" incident, have exposed vulnerabilities that threaten the whole system. Listen on to discover how these vulnerabilities are being exploited by attackers, the potential risks they pose to your system, and what you can do to safeguard your devices.

Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!

Key Takeaways:
- The Windows boot process is more complex than you think: It includes multiple phases, from basic hardware checks to kernel initialization and anti-malware checks, all before you even see the login screen.
- Secure Boot and Measured Boot aim to protect against rootkits and bootkits: These security features check for trusted components and fingerprint the boot process to detect unauthorized changes.
- PKFail exposes a major vulnerability: A leaked test key used across 800 motherboard models allows attackers to bypass Secure Boot and load malicious software during the boot process as if it were legitimate.
- Firmware vulnerabilities are widespread: The boot process isn't the only place where attackers can hide malware. Network cards, storage devices, and other components with firmware can also be compromised.
- Rootkits and bootkits are persistent and difficult to remove: They can survive operating system reinstallation and are incredibly difficult to detect and remove, making them highly effective for attackers.
- Updating firmware is crucial: You need to keep your firmware updated just like you update your operating system and software to protect yourself from vulnerabilities.
- Beware of the dangers of compromised hardware: While less common than other attacks, these vulnerabilities should be addressed seriously. If you suspect a machine is infected, it's often best to discard it entirely.

Timestamps:
(01:27) Overview of Boot Process
(05:39) Breakdown of the Boot Process Steps
(08:44) Secure Boot and its Features
(12:13) The PKFail Leak: Leaked Platform Key Weakens Secure Boot
(17:18) Bootkits and Rootkits - The Types of Attacks
(22:41) Digital Supply Chain Issues and the Leaked Keys
(27:42) Mitigating PKFail & Updating Firmware
(30:15) Balancing Risk Profile & Protecting Against Other Attacks
(31:39) Why Rootkits are a Major Persistence Threat

Episode Resources:
GitHub Repo of known compromised devices
Ars Technica Article regarding UEFI Malware
Intel Boot Guard News

--

Hornetsecurity's Advanced Threat Protection (ATP) can help you stay ahead of these threats. ATP provides:
- Threat intelligence: Stay informed about emerging security threats like bootkit and rootkit vulnerabilities.
- Advanced detection: Identify and block these highly sophisticated threats before they can compromise your systems.
- Real-time protection: Prevent malicious code from executing, even at the boot level.

Don't wait for a breach! Contact Hornetsecurity today to learn how Advanced Threat Protection can help you secure your boot process and protect your organization from the most persistent malware threats. Click here to schedule a free consultation with a Hornetsecurity specialist.
--------
35:17
The Psychology of Cybercrime
This episode of the Security Swarm Podcast dives deep into the psychological landscape of cybersecurity, exploring the driving forces behind different threat actors. Host Andy Syrewicze welcomes first-time guest Angelica Ortega, Founder & CEO of Novify and an active member of the cybersecurity community with a sharp focus on the psychology of cybercriminals. Together, they unravel the motivations of nation-state actors, hacktivists, and cybercriminals, highlighting the role of narcissism, risk-taking behavior, and ideological beliefs. Angelica shares personal experiences with pig butchering, a devastating form of romance scam, and discusses the emotional toll it took on a friend. The episode also delves into the mental health challenges facing cybersecurity professionals, including burnout and the need for psychological safety in teams. Through insightful discussions and personal anecdotes, Andy and Angelica emphasize the importance of understanding and addressing the human element in cybersecurity, both on the defensive and offensive sides. This episode sheds light on the often-overlooked psychological dimensions of cybercrime and cybersecurity, urging listeners to consider the human impact of these activities and the need for greater awareness and support for both professionals and victims.

Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!

Key Takeaways:
- Threat actors can be categorized into three main groups: nation-state actors, hacktivists, and cybercriminals, each with distinct psychological motivations.
- Narcissism and risk-taking behavior are common traits observed in cybercriminals, while hacktivists are driven by ideological beliefs, and nation-state actors are motivated by political goals.
- Cybersecurity professionals, particularly blue teams and ethical hackers, can also exhibit narcissistic tendencies due to the psychological stress and pressure of their roles.
- The rise of cryptocurrency has enabled cybercriminals to more easily obfuscate illicit payments and profits, further fueling their motivations.
- Romance scams and "pig butchering" schemes, where threat actors slowly gain the trust of victims over time, can have devastating psychological and financial consequences for the victims.
- Educating the public, especially vulnerable groups like the young and elderly, and providing psychological support for victims of cybercrime are crucial in addressing the psychological aspects of cybersecurity.
- The fear of missing out (FOMO) can be a powerful motivator for individuals to engage in risky or unwise financial decisions, which threat actors often exploit, particularly in the cryptocurrency space.

Timestamps:
(04:19) Categorization of threat actors
(07:17) Psychological traits of different threat actor groups
(09:50) Narcissism in cybersecurity professionals
(18:22) Impact of cryptocurrency on cybercrime
(25:16) Romance scams and "pig butchering" schemes
(31:36) Educating the public and providing psychological support for victims
(35:44) The role of FOMO in enabling cybercrime

Episode Resources:
Old Hornetsecurity Roundtable with some Psychology discussions

--

Your organization is vulnerable to more than just technical exploits. Hackers target the human element, leveraging emotions like fear, greed, and trust to gain access and compromise systems. Learn how to protect your employees and organization with Hornetsecurity's Security Awareness Service. Hornetsecurity's Security Awareness Service empowers your employees to be your first line of defense against sophisticated attacks. Don't wait until you've been a victim of a psychological attack. Schedule a demo today to learn about our comprehensive security solutions and protect your organization from the inside out.
--------
41:55
How Threat Actors Use Copilot
In this episode of the Security Swarm Podcast, the host Andy Syrewicze and the guest Philip Galea discuss the security implications of Microsoft's AI assistant Copilot, which is integrated into the Microsoft 365 suite. They explore how Copilot's ability to surface information from an organization's Microsoft 365 data can create significant security risks, especially for companies that lack the operational maturity to properly manage permissions and access controls. The discussion also covers Microsoft's reactive approach to security in some of its products, where default settings are often not secure enough, and the company is slow to address these issues. The host and the guest emphasize the need for organizations to take a proactive approach to security, continuously reviewing and updating their security posture to mitigate the risks posed by Copilot and other Microsoft 365 features. The episode also introduces Hornetsecurity's Tenant Manager tool, which aims to help organizations better manage and enforce their Microsoft 365 security settings, providing a centralized and automated way to ensure that their environments are configured according to best practices.

Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!

Key Takeaways:
- Copilot makes it easy for nosy or malicious insiders to quickly surface sensitive information that they may not have proper access to.
- Copilot could be abused by threat actors who compromise a user account with an active Copilot license, allowing them to easily gather intelligence and move laterally within the organization.
- Microsoft's default security settings and permissions in Microsoft 365 are often too open, creating challenges for organizations to properly secure their data.
- Jailbreaking Copilot to bypass its security restrictions is an ongoing concern, as it could allow users to access restricted information.
- Solutions like sensitivity labels and disabling search on sensitive SharePoint sites have significant drawbacks and may not be practical for many organizations.
- Tools like Hornetsecurity's Permission Manager and Tenant Manager can help organizations better manage and enforce security policies across Microsoft 365.
- Continuous security awareness and training for employees are crucial to mitigate the risks posed by Copilot and other AI-powered tools.

Timestamps:
(04:37) Challenges with managing permissions and sharing in Microsoft 365
(11:20) Microsoft's history of security-related missteps and reactive responses
(16:17) Attempts to jailbreak Copilot and bypass its security restrictions
(21:08) Insider threat scenarios enabled by Copilot's data surfacing capabilities
(23:40) Threat actor scenarios and the potential impact of a compromised Copilot-enabled account
(34:16) Hornetsecurity's 365 Permission Manager and 365 Multi-Tenant Manager for MSPs solutions to help manage Microsoft 365 security

Episode Resources:
Andy and Phil's first Episode on SharePoint Permissions
365 Multi-Tenant Manager

--

As an MSP, managing security and compliance policies across multiple Microsoft 365 tenants can be a complex and time-consuming task. The new 365 Multi-Tenant Manager for MSPs from Hornetsecurity provides a centralized solution to easily configure, enforce and monitor security settings across all your clients' environments.

With 365 Multi-Tenant Manager, you can:
- Quickly create and apply security baseline policies to new and existing tenants
- Automatically remediate configuration drift to ensure continuous compliance
- Monitor policy adherence and receive alerts on risky changes
- Streamline Microsoft 365 administration and reduce your clients' security risks

Stop juggling multiple portals and start taking control of your clients' Microsoft 365 security. Try the 365 Multi-Tenant Manager for MSPs today and simplify your Microsoft 365 management. Schedule your demo today and learn more.

--

Streamline your Microsoft 365 security with 365 Permission Manager - the tool that provides visibility, control, and automated remediation of SharePoint, OneDrive, and Teams permissions. Take back control of your data and protect against insider threats and external breaches.
--------
39:50
CrowdStrike Saga Continues, CUPS Vulnerability and More
In this episode of the Security Swarm Podcast, our host Andy Syrewicze and one of our regular guests, Eric Siron, discuss the latest quarterly threat report from Hornetsecurity. They dive into data points such as the breakdown of email threats, most common malicious file types, targeted industry verticals, and brand impersonations. The conversation also covers recent security news, including Microsoft's efforts to address the aftermath of the CrowdStrike incident and a high-severity vulnerability in the Linux CUPS system. The hosts provide valuable insights and analysis, highlighting trends in the threat landscape and the evolving tactics of cybercriminals.

Do you want to join the conversation? Join us in our Security Lab LinkedIn Group!

Key Takeaways:
- Quarterly threat report data shows an increase in email threats in Q3 compared to Q2, driven by the ending of the summer vacation months.
- PDF, archive, and HTML files remain the top malicious file types used by threat actors.
- Microsoft is exploring ways to reduce security vendors' kernel-mode access after the CrowdStrike incident.
- NIST has updated password guidelines, including recommendations to remove password composition rules and avoid forced password rotations.
- A high-severity vulnerability in the Linux CUPS system allows remote code execution, highlighting the need to secure critical services.
- The importance of securing the digital supply chain and the risks of supply chain attacks.
- The challenges of convincing users to adopt secure practices, such as using password managers.

Timestamps:
(03:33) Breakdown of email threats by category
(06:58) Most common malicious file types
(11:46) Targeted industry verticals
(19:52) Impersonated brands
(22:33) Discussion of Microsoft's efforts after the CrowdStrike incident
(37:19) NIST's updated password guidelines

Episode Resources:
Hornetsecurity Monthly Threat Reports can be found here

--

Protect Your Business from Advanced Threats! Ensure your organization is safeguarded against sophisticated attacks by leveraging Hornetsecurity's Advanced Threat Protection (ATP). Stay secure and informed: discover more here!
Welcome to The Security Swarm Podcast – a weekly conversation of the most critical issues facing the world of cybersecurity today, hosted by Andy Syrewicze, Security Evangelist at Hornetsecurity.
From the malicious use of AI tools to social engineering scams, each episode hones in on a pertinent topic dissected by an industry expert and backed up by real-world data direct from our Security Lab.
The world of cybersecurity should not be taken on alone – it’s time to join the swarm.