WEBVTT 1 00:00:00.080 --> 00:00:03.480 Welcome to another deep dive, and this time we're tackling 2 00:00:03.520 --> 00:00:08.720 something that's been making headlines way too often. Ransomware. You know, 3 00:00:08.720 --> 00:00:11.240 I'm a little nervous about this one because we're diving 4 00:00:11.279 --> 00:00:15.759 deep into Windows Ransomware Detection and Protection. That's a whole 5 00:00:15.800 --> 00:00:19.199 book by Matt Davidson and Niddish Nund And let me 6 00:00:19.280 --> 00:00:23.800 tell you, just skimming through these excerpts, it's pretty intense. 7 00:00:23.879 --> 00:00:26.359 Yeah, it's a real wake of call. These authors. They 8 00:00:26.359 --> 00:00:30.960 don't sugarcoat anything. They've seen how devastating ransomware can be firsthand. 9 00:00:31.079 --> 00:00:33.119 You know, I used to think ransomware was just about 10 00:00:33.159 --> 00:00:36.200 like some loan hacker and a basement, locking up your 11 00:00:36.200 --> 00:00:37.719 files and demanding money. 12 00:00:37.560 --> 00:00:38.920 Right, almost like a Hollywood movie. 13 00:00:39.000 --> 00:00:41.280 Yeah, But this book, it pays a much bigger picture. Right. 14 00:00:41.359 --> 00:00:45.280 We're talking financial losses, operational downtime, and the possibility of 15 00:00:45.320 --> 00:00:47.240 companies going bankrupt after an attack. 16 00:00:47.439 --> 00:00:50.479 It's scary stuff. And what's even more alarming is how 17 00:00:50.560 --> 00:00:54.840 ransomware itself has evolved. It's not just about encrypting data anymore. 18 00:00:55.119 --> 00:00:58.359 Attackers are stealing it too, using the threat of leaking 19 00:00:58.399 --> 00:01:01.359 sensitive information to us. You're victims into paying up. 20 00:01:01.560 --> 00:01:04.319 Oh, Yeah, like that case with JBS Foods. They mentioned 21 00:01:04.319 --> 00:01:06.959 in the book, the Sodinokuburvil group hit them with a 22 00:01:07.000 --> 00:01:10.439 massive ransomware attack and just walked away with eleven million dollars. 23 00:01:10.519 --> 00:01:11.560 That's a lot of stakes. 24 00:01:11.640 --> 00:01:14.760 That's the point, right. Attacks are becoming increasingly targeted. They're 25 00:01:14.799 --> 00:01:18.079 even hitting critical infrastructure. It's not just your personal files 26 00:01:18.079 --> 00:01:22.840 at risk anymore. It's about disrupting essential services. So understanding 27 00:01:22.840 --> 00:01:25.000 how these attacks happen that's crucial. 28 00:01:25.079 --> 00:01:28.840 Okay. So the book uses this term attack vectors, which 29 00:01:28.920 --> 00:01:32.359 I gotta say sounds a little intimidating. What are those exactly? 30 00:01:32.400 --> 00:01:34.280 Okay? So think of it like breaking into a house. 31 00:01:34.599 --> 00:01:37.680 You could pick a lock, find a hidden key, or 32 00:01:37.719 --> 00:01:41.280 even smash a window. Each of those methods, those would 33 00:01:41.280 --> 00:01:44.640 be an attack vector, a path that an attacker uses 34 00:01:44.680 --> 00:01:46.840 to gain access to your systems. Got it? 35 00:01:46.920 --> 00:01:49.840 Okay? So what are the most common entry points for 36 00:01:49.959 --> 00:01:51.200 these ransomware attacks. 37 00:01:51.400 --> 00:01:55.239 It often starts with something deceptively simple, like compromise credentials 38 00:01:55.519 --> 00:01:57.640 or phishing emails. You know those emails that trick you 39 00:01:57.640 --> 00:02:00.000 into clicking a bad link or opening it in face 40 00:02:00.079 --> 00:02:00.640 to attachment. 41 00:02:00.799 --> 00:02:03.799 Oh yeah, I know those all too well. I almost 42 00:02:03.840 --> 00:02:05.719 fell for one a few weeks ago. It looked exactly 43 00:02:05.760 --> 00:02:07.519 like an email from my bank exactly. 44 00:02:07.879 --> 00:02:11.120 That's why awareness is so crucial. Phishing attacks are getting 45 00:02:11.120 --> 00:02:15.599 incredibly sophisticated. Once attackers gain that initial access, they start 46 00:02:15.680 --> 00:02:20.159 moving through your network like digital ninjas, looking for vulnerabilities 47 00:02:20.159 --> 00:02:24.759 to exploit. They try to establish a persistent presence. Think 48 00:02:24.800 --> 00:02:27.439 of it like setting up back doors, and then finally 49 00:02:27.479 --> 00:02:30.800 they execute the payload, which is the actual ransomware that 50 00:02:30.879 --> 00:02:31.759 encrypts your data. 51 00:02:31.879 --> 00:02:35.439 It's almost like a military operation with different phases and objectives. 52 00:02:35.560 --> 00:02:37.120 That's a good way to think about it, and this 53 00:02:37.159 --> 00:02:39.680 book it does a great job of explaining those phases 54 00:02:39.719 --> 00:02:42.680 in detail, especially when it comes to Windows environments. 55 00:02:42.840 --> 00:02:46.039 Right, So, what are some of the specific vulnerabilities that 56 00:02:46.080 --> 00:02:48.080 attackers target in Windows? 57 00:02:48.240 --> 00:02:50.240 There are a lot, but this book highlights a few 58 00:02:50.280 --> 00:02:57.080 key areas, things like Citrix, ADC, Microsoft Exchange, fortin Net, POLSEVPN, 59 00:02:57.599 --> 00:03:00.599 even Sonic Wall. These are all systems is that if 60 00:03:00.639 --> 00:03:04.319 they're not properly configured, can provide an opening for attackers. 61 00:03:04.439 --> 00:03:06.439 So it's not just about having these systems in place, 62 00:03:06.479 --> 00:03:09.039 it's about making sure they're properly secured. 63 00:03:08.879 --> 00:03:12.159 Exactly, and The problem is these vulnerabilities are constantly evolving. 64 00:03:12.240 --> 00:03:15.719 Attackers are always finding new ways to exploit weaknesses in 65 00:03:15.759 --> 00:03:19.080 software and hardware. That's why staying informed about the latest 66 00:03:19.120 --> 00:03:20.560 vulnerabilities is so important. 67 00:03:20.680 --> 00:03:22.599 So where do we even start with all of this? 68 00:03:22.800 --> 00:03:24.280 It feels like a never ending battle. 69 00:03:24.919 --> 00:03:27.800 It can feel that way, But there's a fundamental shift 70 00:03:27.879 --> 00:03:31.000 in how we think about security that can really help, 71 00:03:31.360 --> 00:03:34.080 and this book dives right into it. The concept of 72 00:03:34.159 --> 00:03:34.919 zero trust. 73 00:03:35.479 --> 00:03:38.159 Zero trust. That sounds pretty intense. 74 00:03:38.199 --> 00:03:40.360 It is a big change. It's about moving away from 75 00:03:40.360 --> 00:03:43.479 that old way of thinking where we assumed everything inside 76 00:03:43.479 --> 00:03:47.879 our network was safe. Instead, zero trust says we should 77 00:03:48.000 --> 00:03:51.319 verify every user and device every single time. 78 00:03:51.159 --> 00:03:53.879 So no more trusting just because something is inside our 79 00:03:53.919 --> 00:03:54.680 network perimeter. 80 00:03:54.840 --> 00:03:57.360 Exactly. It's like having a security checkpoint at every door 81 00:03:57.400 --> 00:03:59.479 in your house instead of just relying on a lock 82 00:03:59.520 --> 00:04:00.159 on the front door. 83 00:04:00.280 --> 00:04:02.520 Okay, I like that analogy. But how do we actually 84 00:04:02.560 --> 00:04:05.199 put zero trust into practice? It seems like a pretty 85 00:04:05.199 --> 00:04:06.759 abstract concept. 86 00:04:06.360 --> 00:04:09.439 It's not just theory. This book breaks it down into 87 00:04:09.520 --> 00:04:12.680 five key pillars that you can actually apply in a 88 00:04:12.800 --> 00:04:13.879 real world setting. 89 00:04:14.080 --> 00:04:16.920 Okay, let's hear those five pillars first. 90 00:04:17.000 --> 00:04:20.319 There's identity, making sure we know exactly who was accessing 91 00:04:20.360 --> 00:04:24.079 our systems and that their credentials are secure. Then there's 92 00:04:24.160 --> 00:04:27.720 device ensuring that only trusted and compliant devices are allowed in. 93 00:04:28.480 --> 00:04:30.759 So it's not enough to just have a username and password. 94 00:04:30.839 --> 00:04:33.439 The device itself needs to be secure exactly. 95 00:04:33.879 --> 00:04:37.439 And then we have the network environment pillar, which is 96 00:04:37.480 --> 00:04:40.560 all about segmenting our networks to limit the spread of 97 00:04:40.560 --> 00:04:43.720 an attack. Think of it like compartmentalizing a ship. If 98 00:04:43.800 --> 00:04:46.439 one compartment is breached, the entire ship doesn't. 99 00:04:46.160 --> 00:04:48.360 Sink, right, It's about containing the damage. 100 00:04:48.439 --> 00:04:51.560 Now for the application pillar, which focuses on securing the 101 00:04:51.600 --> 00:04:56.199 applications themselves, ensuring they're not vulnerable to attack. And finally, 102 00:04:56.240 --> 00:05:00.040 there's data, protecting the most valuable asset of all. This 103 00:05:00.160 --> 00:05:03.920 involves encrypting sensitive information and controlling who has access. 104 00:05:04.040 --> 00:05:06.439 It's like a multi layered defense system with checks and 105 00:05:06.480 --> 00:05:08.160 balances at every level exactly. 106 00:05:08.480 --> 00:05:11.600 And this book argues that zero trust it's essential in 107 00:05:11.600 --> 00:05:15.519 today's threat landscape, especially as we deal with increasingly sophisticated 108 00:05:15.560 --> 00:05:16.560 ransomware attacks. 109 00:05:16.800 --> 00:05:20.199 Yeah, makes sense, So how does zero trust actually translate 110 00:05:20.199 --> 00:05:23.759 into practical steps, especially for Windows users? 111 00:05:23.800 --> 00:05:26.600 Well, for starters, Windows has a feature called attax surface 112 00:05:26.680 --> 00:05:30.759 Reduction rules or ASR rules. These rules are built into 113 00:05:30.800 --> 00:05:34.399 Windows ten and later editions, and they are a fantastic 114 00:05:34.439 --> 00:05:36.800 way to harden your endpoints against attacks. 115 00:05:37.040 --> 00:05:39.360 Okay, I'm intrigued. Give me an example of what these 116 00:05:39.439 --> 00:05:41.040 ASR rules can actually do. 117 00:05:41.240 --> 00:05:43.759 They can control which applications are allowed to run on 118 00:05:43.800 --> 00:05:48.480 your system, restrict access to sensitive folders, and even protect 119 00:05:48.480 --> 00:05:51.519 against exploits that attackers might use to gain control. 120 00:05:51.800 --> 00:05:53.959 It sounds like they're putting up roadblocks at every turn. 121 00:05:54.120 --> 00:05:56.600 They are, and the best part is they're built right 122 00:05:56.639 --> 00:05:59.959 into Windows. This book goes into detail about setting up 123 00:06:00.040 --> 00:06:04.040 ASR rules using Endpoint Manager, which is a powerful tool 124 00:06:04.079 --> 00:06:06.600 for managing security settings across your organization. 125 00:06:06.839 --> 00:06:10.439 So they're not just for like tech savvy users. Anyone 126 00:06:10.600 --> 00:06:12.079 can implement these protections. 127 00:06:12.079 --> 00:06:15.560 That's the goal, make security accessible and effective for everyone. 128 00:06:15.800 --> 00:06:18.600 I like it. The book also mentioned some additional protections 129 00:06:18.680 --> 00:06:22.240 like Microsoft Defender, Application Guard and Credential Guard. What are 130 00:06:22.240 --> 00:06:22.879 those all about? 131 00:06:23.040 --> 00:06:26.079 Those are designed to protect against attacks that specifically target 132 00:06:26.079 --> 00:06:30.920 your credentials. Application Guard it basically isolates untrusted websites and 133 00:06:31.040 --> 00:06:35.040 files in a secure container like a virtual sandbox, so 134 00:06:35.199 --> 00:06:37.959 even if they contain malicious code, they can't harm your 135 00:06:38.000 --> 00:06:38.639 main system. 136 00:06:38.800 --> 00:06:41.000 It's like giving them a safe space to play without 137 00:06:41.079 --> 00:06:43.040 causing any real damage exactly. 138 00:06:43.480 --> 00:06:47.160 And Credential Guard takes a similar approach, but focuses on 139 00:06:47.199 --> 00:06:51.680 protecting your log in credentials. It uses virtualization based security 140 00:06:51.720 --> 00:06:55.519 to prevent attackers from stealing passwords and other sensitive information 141 00:06:56.079 --> 00:06:57.839 even if they manage to get onto your device. 142 00:06:58.160 --> 00:07:00.240 So even if they breach the perimeter, they can't get 143 00:07:00.240 --> 00:07:01.800 their hands on the keys to the kingdom. 144 00:07:02.000 --> 00:07:04.160 That's the idea. It adds another layer of protection. 145 00:07:04.319 --> 00:07:06.759 Okay, this is all starting to come together. We've got 146 00:07:06.759 --> 00:07:09.720 our perimeter defenses with zero trust, and now we're layering 147 00:07:09.759 --> 00:07:14.040 on additional protections like ASR rules and credential Guard. What 148 00:07:14.079 --> 00:07:16.360 else should we have on our radar when it comes 149 00:07:16.360 --> 00:07:18.240 to protecting our Windows end points? 150 00:07:18.560 --> 00:07:21.680 DNS filtering is another important piece of the puzzle. It's 151 00:07:21.720 --> 00:07:24.519 like having a security guard at the entrance to your network, 152 00:07:24.920 --> 00:07:27.120 checking everyone's ID before they're allowed in. 153 00:07:27.439 --> 00:07:30.120 But how does that work? Exactly? I mean, isn't the 154 00:07:30.120 --> 00:07:31.560 Internet just a bunch of websites? 155 00:07:31.800 --> 00:07:35.040 It is, but every website has a unique address like 156 00:07:35.040 --> 00:07:39.199 a phone number called a DNS name, and DNS filtering 157 00:07:39.519 --> 00:07:44.399 basically blocks access to known malicious websites by checking those 158 00:07:44.480 --> 00:07:46.720 names against the list of bad actors, So. 159 00:07:46.639 --> 00:07:50.399 It stops you from accidentally stumbling onto a dangerous website. 160 00:07:50.079 --> 00:07:53.199 Precisely, and it can block a lot of malicious traffic 161 00:07:53.279 --> 00:07:56.560 before it even reaches your computer. This book highlights the 162 00:07:56.600 --> 00:07:59.199 fact that over two hundred thousand new domains are registered 163 00:07:59.240 --> 00:08:02.720 every month, and most of them are malicious, so having 164 00:08:02.759 --> 00:08:05.360 that extra layer of protection can make a big difference. 165 00:08:05.480 --> 00:08:07.480 It's amazing how much is going on behind the scenes 166 00:08:07.480 --> 00:08:09.319 that we don't even realize it is. 167 00:08:09.680 --> 00:08:12.279 And there's another powerful tool built into Windows that we 168 00:08:12.319 --> 00:08:14.560 need to talk about, securing PowerShell. 169 00:08:14.879 --> 00:08:17.480 PowerShell that sounds familiar, but I'm not exactly sure what 170 00:08:17.519 --> 00:08:17.800 it is. 171 00:08:18.000 --> 00:08:21.319 It's a powerful scripting language that's built into Windows that 172 00:08:21.439 --> 00:08:25.360 administrators use to automate tasks and manage systems, but unfortunately, 173 00:08:25.399 --> 00:08:27.600 attackers can use it for malicious purposes too. 174 00:08:27.759 --> 00:08:30.560 Oh no, another double edged sword, you got it. 175 00:08:30.839 --> 00:08:34.879 That's why securing PowerShell is so crucial, and this book 176 00:08:34.919 --> 00:08:36.720 gives some practical advice on how to do that. 177 00:08:36.840 --> 00:08:40.039 Okay, I'm all ears, what are the key things we 178 00:08:40.080 --> 00:08:43.799 should be doing to protect ourselves. When it comes to PowerShell. 179 00:08:43.519 --> 00:08:47.399 Enabling logging is a must. It helps track suspicious PowerShell 180 00:08:47.440 --> 00:08:50.559 activity so you can investigate if something fishy is going on. 181 00:08:50.919 --> 00:08:53.679 You can even use a security information and event management 182 00:08:53.720 --> 00:08:57.679 system or see them like Microsoft Sentinel to monitor those 183 00:08:57.720 --> 00:08:59.639 logs and alert you to potential threats. 184 00:08:59.799 --> 00:09:03.120 So it's like having a security camera recording all PowerShell 185 00:09:03.159 --> 00:09:05.279 activity just in case you need to review the footage 186 00:09:05.360 --> 00:09:06.279 later exactly. 187 00:09:06.639 --> 00:09:09.240 And speaking of reviewing footage, there's another protocol we should 188 00:09:09.240 --> 00:09:12.200 talk about, securing the SMB protocol SMB. 189 00:09:12.879 --> 00:09:14.879 That one rings a bell, but refresh my memory. 190 00:09:15.039 --> 00:09:17.919 SMB is used for file sharing in Windows networks. It's 191 00:09:17.960 --> 00:09:20.480 how you access files on a shared drive, for example. 192 00:09:21.039 --> 00:09:25.360 But older versions of SMB, especially SMBv one, are outdated 193 00:09:25.440 --> 00:09:26.879 and vulnerable to attack. 194 00:09:27.039 --> 00:09:29.080 So what do we do about that? Just disable it 195 00:09:29.120 --> 00:09:30.559 altogether if possible. 196 00:09:30.639 --> 00:09:34.320 Yes, this book has specific constructions on how to disable 197 00:09:34.480 --> 00:09:38.399 SMBv one on different versions of Windows. It's a relatively 198 00:09:38.440 --> 00:09:42.240 simple step that can significantly improve your security posture. 199 00:09:42.440 --> 00:09:45.000 It's incredible how many things we need to consider to 200 00:09:45.000 --> 00:09:46.320 stay secure these days. 201 00:09:46.440 --> 00:09:48.399 It is. And there's one more concept I want to 202 00:09:48.399 --> 00:09:51.799 introduce that might surprise you ol BAILES, which stands for 203 00:09:52.000 --> 00:09:55.600 Living off the Land Binaries and Scripts LLLBS. 204 00:09:55.759 --> 00:09:57.720 Now that's a mouthful. What is that all about? 205 00:09:57.879 --> 00:10:01.080 It basically means that attackers are using legit intimate system tools, 206 00:10:01.120 --> 00:10:03.039 the ones that are already on your computer to carry 207 00:10:03.039 --> 00:10:06.120 out their attacks. They're blending in making it harder to 208 00:10:06.159 --> 00:10:07.600 detect their malicious activity. 209 00:10:07.720 --> 00:10:09.759 So they're using our own tools against us. 210 00:10:09.879 --> 00:10:12.919 Exactly. They might use something like PowerShell or a system 211 00:10:13.000 --> 00:10:17.039 utility to download malware, execute commands, or even steal data. 212 00:10:17.200 --> 00:10:20.000 It's a stealthy tactic that's becoming increasingly popular. 213 00:10:20.120 --> 00:10:23.840 That's seriously sneaky. So how do we even defend against that. 214 00:10:23.960 --> 00:10:27.320 Well, awareness is key. Knowing that this tactic exists is 215 00:10:27.360 --> 00:10:29.879 the first step. Then you can use tools like cisman 216 00:10:29.960 --> 00:10:32.759 to monitor for suspicious use of these legitimate binaries. 217 00:10:32.960 --> 00:10:34.600 Sismon tell me more. 218 00:10:34.799 --> 00:10:38.360 It's a free tool from Microsoft that monitors and logs 219 00:10:38.440 --> 00:10:42.639 system activity, including the use of system binaries. So if 220 00:10:42.679 --> 00:10:45.679 an attacker tries to use a legitimate tool for malicious purposes, 221 00:10:46.159 --> 00:10:48.120 cismin can catch it and alert you. 222 00:10:48.480 --> 00:10:50.679 So it's like having a detective on your computer or 223 00:10:50.679 --> 00:10:52.559 watching for any suspicious behavior. 224 00:10:52.639 --> 00:10:54.519 That's a great way to put it, and the beauty 225 00:10:54.519 --> 00:10:57.360 of Cisman is that it's very configurable. You can fine 226 00:10:57.440 --> 00:11:00.320 tune it to monitor specific events and alert you to 227 00:11:00.360 --> 00:11:04.759 specific threats. This book even provides some example configurations that 228 00:11:04.799 --> 00:11:05.320 you can use. 229 00:11:06.120 --> 00:11:09.440 This is all incredibly helpful information, but I have to 230 00:11:09.480 --> 00:11:11.720 admit I'm starting to feel a bit overwhelmed. There are 231 00:11:11.879 --> 00:11:13.159 so many things to consider. 232 00:11:13.360 --> 00:11:15.240 I understand it can be a lot to take in, 233 00:11:15.960 --> 00:11:17.799 but don't worry. We're going to break it all down 234 00:11:17.840 --> 00:11:21.440 into manageable steps. And remember, the goal isn't to implement 235 00:11:21.559 --> 00:11:25.200 every single security measure out there. It's about finding the 236 00:11:25.279 --> 00:11:28.039 right balance for your specific needs and resources. 237 00:11:28.320 --> 00:11:31.279 That's reassuring. So we've covered a lot about securing our 238 00:11:31.279 --> 00:11:34.639 Windows end points and understanding the tactics tackers use, But 239 00:11:34.679 --> 00:11:37.759 what about protecting our actual user identities? I mean, that 240 00:11:37.759 --> 00:11:39.679 feels like the first line of defense, right. 241 00:11:39.720 --> 00:11:42.039 You're absolutely right, and that's where we'll pick things up. 242 00:11:42.039 --> 00:11:44.120 In the next part of our deep dive. We'll delve 243 00:11:44.159 --> 00:11:48.200 into the world of multi factor authentication, strong passwords, and 244 00:11:48.279 --> 00:11:51.639 other essential strategies for protecting user identities in the age 245 00:11:51.639 --> 00:11:52.279 of ransomware. 246 00:11:52.399 --> 00:11:56.039 Okay, can't wait, all right, So let's dive into protecting 247 00:11:56.080 --> 00:11:59.519 those user identities. This feels especially crucial now that so 248 00:11:59.600 --> 00:12:02.320 much of our lives are you online. 249 00:12:02.480 --> 00:12:07.000 Absolutely, and this book it stresses that multi factor authentication, 250 00:12:07.320 --> 00:12:11.679 or MFA, it's non negotiable. It's surprisingly easy to set 251 00:12:11.759 --> 00:12:14.360 up and incredibly effective at stopping attacks. 252 00:12:14.600 --> 00:12:17.320 I've heard it mentioned a lot, but honestly, I'm still 253 00:12:17.360 --> 00:12:19.519 a little fuzzy on how it actually works. Can you 254 00:12:19.759 --> 00:12:20.559 break it down for me? 255 00:12:20.759 --> 00:12:23.919 Sure? Think of it like this, MFA is like adding 256 00:12:23.960 --> 00:12:26.600 an extra lock to your front door. Even if someone 257 00:12:26.639 --> 00:12:28.679 gets their hands on your house key, they still can't 258 00:12:28.679 --> 00:12:30.080 get in without that second lock. 259 00:12:30.320 --> 00:12:34.000 So it's about having multiple layers of security for our accounts. 260 00:12:34.120 --> 00:12:36.879 Exactly. With MFA, you need to prove your identity in 261 00:12:36.919 --> 00:12:39.240 more than one way. So in addition to your passwords, 262 00:12:39.279 --> 00:12:41.120 you might need to enter a code sent to your phone, 263 00:12:41.519 --> 00:12:44.440 use a fingerprint scam, or prove a notification on a 264 00:12:44.440 --> 00:12:45.159 trusted device. 265 00:12:45.519 --> 00:12:48.039 That makes sense. So even if someone steals your password, 266 00:12:48.080 --> 00:12:50.519 they can't get in without that second factor, right. 267 00:12:50.799 --> 00:12:52.960 And what's great is that this book walks you through 268 00:12:53.039 --> 00:12:57.360 setting up MFA using Azure ad Conditional Access, which lets 269 00:12:57.399 --> 00:13:00.360 you manage it all in one central location. They also 270 00:13:00.399 --> 00:13:03.759 talk about the Windows NPS extension for Azure MFA for 271 00:13:03.840 --> 00:13:07.480 those using radius based authentication on their on premises systems. 272 00:13:08.200 --> 00:13:10.000 That's good to know, especially for folks who might be 273 00:13:10.039 --> 00:13:12.480 dealing with a mix of cloud and on premises systems. 274 00:13:12.799 --> 00:13:16.480 But what about passwords themselves? Any tips on creating those 275 00:13:16.679 --> 00:13:17.720 super strong ones? 276 00:13:18.039 --> 00:13:21.440 Here's where things get interesting. This book actually challenges those 277 00:13:21.600 --> 00:13:24.440 traditional password complexity rules that we all kind of grew 278 00:13:24.519 --> 00:13:26.200 up with, you know, the ones that force you to 279 00:13:26.279 --> 00:13:28.840 use uppercase, lowercase numbers and symbols. 280 00:13:28.879 --> 00:13:31.879 Wait, really, I thought those were like the gold standard 281 00:13:31.960 --> 00:13:33.080 for password security. 282 00:13:33.320 --> 00:13:35.960 Turns out, it's not so much about complexity as it 283 00:13:36.000 --> 00:13:39.080 is about length. The longer your password, the harder it 284 00:13:39.159 --> 00:13:41.840 is to crack. I think passphrase is easy to remember 285 00:13:41.879 --> 00:13:46.120 sentences or combinations of words. The book even suggests checking 286 00:13:46.159 --> 00:13:49.480 out the nord pass list of common passwords. It's eye 287 00:13:49.480 --> 00:13:51.879 opening to see how easily weak passwords are cracked. 288 00:13:51.960 --> 00:13:54.159 Oh, I'll definitely check that out. Knowledge is power, as 289 00:13:54.240 --> 00:13:57.799 they say, But what about managing all these long pass phrases, 290 00:13:57.879 --> 00:14:01.399 especially within an organization? Active directory is still the king 291 00:14:01.480 --> 00:14:02.360 for that right. 292 00:14:02.240 --> 00:14:05.480 Yes, and for good reason. It lets you enforce password 293 00:14:05.519 --> 00:14:09.279 policies and monitor for brute force attacks where someone tries 294 00:14:09.320 --> 00:14:13.159 to guess passwords by trying tons of combinations. This book 295 00:14:13.200 --> 00:14:15.600 explains how to do that in both active directory and 296 00:14:15.639 --> 00:14:16.360 to azure AD. 297 00:14:16.759 --> 00:14:19.200 So it's not just about having strong passwords, it's about 298 00:14:19.240 --> 00:14:21.840 having the systems in place to manage them effectively. 299 00:14:22.039 --> 00:14:24.840 Absolutely, and there are some really advanced tools out there too. 300 00:14:25.080 --> 00:14:28.840 The book highlights azure ad Identity Protection, or a DIP. 301 00:14:29.440 --> 00:14:32.559 It uses machine learning to detect risky sign ins, like 302 00:14:32.600 --> 00:14:35.720 someone logging in from an unusual location or advice they've 303 00:14:35.759 --> 00:14:36.600 never used before. 304 00:14:36.720 --> 00:14:40.399 It's like having a security guard for your logins, always 305 00:14:40.440 --> 00:14:42.879 on the lookout for anything suspicious. 306 00:14:42.519 --> 00:14:46.559 A very smart security guard. The book also suggests taking 307 00:14:46.600 --> 00:14:50.960 some additional steps, like restricting Internet access to your domain 308 00:14:50.960 --> 00:14:56.200 controllers and disabling non critical services. Every little bit helps 309 00:14:56.200 --> 00:14:57.559 to reduce your attack surface. 310 00:14:57.919 --> 00:15:00.799 Okay, so we've covered a lot about securing Windows endpoints, 311 00:15:01.159 --> 00:15:05.279 protecting user identity, which is clearly a huge deal. But 312 00:15:05.399 --> 00:15:08.440 what about email that feels like a major gateway for 313 00:15:08.480 --> 00:15:09.200 these attacks. 314 00:15:09.279 --> 00:15:12.200 You're hitting on a crucial point. Email is often that 315 00:15:12.279 --> 00:15:15.360 first line of defense, but it's also a prime target 316 00:15:15.399 --> 00:15:17.600 for phishing attacks, which is how a lot of ransomware 317 00:15:17.600 --> 00:15:18.399 infections start. 318 00:15:18.600 --> 00:15:20.720 I feel like I'm pretty good at spotting phishing emails, 319 00:15:20.759 --> 00:15:23.039 but sometimes they are just so convincing. 320 00:15:23.200 --> 00:15:25.320 That's why it's so important to understand that different types 321 00:15:25.320 --> 00:15:27.720 of phishing attacks and how to protect against them. 322 00:15:28.039 --> 00:15:30.639 Okay, what kinds of phishing emails are we talking about here? 323 00:15:30.720 --> 00:15:34.559 Well, some use malicious domains websites that are specifically designed 324 00:15:34.559 --> 00:15:38.919 to steal your information. Others spoof legitimate domains, making you 325 00:15:38.960 --> 00:15:40.759 look like the emails coming from your bank or a 326 00:15:40.759 --> 00:15:41.639 trusted colleague. 327 00:15:41.879 --> 00:15:43.600 Those are the ones that really get me. I'm always 328 00:15:43.639 --> 00:15:45.279 double checking the center address now. 329 00:15:45.399 --> 00:15:49.759 And then there are emails that contain malicious content, either 330 00:15:49.879 --> 00:15:53.799 in the body of the email itself or hidden within attachments. 331 00:15:54.200 --> 00:15:56.720 These could be links that download malware onto your computer 332 00:15:57.360 --> 00:16:00.000 or attachments that unleash the ransomware when you open them. 333 00:16:00.320 --> 00:16:04.159 Yikes, that's terrifying. So what are the best defenses against 334 00:16:04.200 --> 00:16:05.320 these sneaky attacks. 335 00:16:05.799 --> 00:16:09.720 One major step is protecting your domain, and this book 336 00:16:09.759 --> 00:16:15.039 goes into detail about three technologies that are key for this, SBF, DTM, 337 00:16:15.320 --> 00:16:19.759 and DRC. I know more acronyms, but they're really powerful tools. 338 00:16:19.919 --> 00:16:21.960 Hit me with the breakdown. What do those even stand for? 339 00:16:22.080 --> 00:16:25.519 Okay? So SBS stands for Sender Policy Framework, and it 340 00:16:25.559 --> 00:16:28.879 helps prevent email spoofing by verifying that the sender is 341 00:16:28.919 --> 00:16:32.679 actually authorized to send email from that particular domain. It's 342 00:16:32.679 --> 00:16:34.759 like a digital signature for your email domain. 343 00:16:35.039 --> 00:16:36.519 So it's a way to make sure the email is 344 00:16:36.559 --> 00:16:38.639 actually coming from who it says it's coming from. 345 00:16:38.799 --> 00:16:42.559 Right. Then there's DCAM, which stands for Domain Keys Identified Mail. 346 00:16:42.960 --> 00:16:45.600 This adds a digital signature to each email, ensuring it 347 00:16:45.639 --> 00:16:48.519 hasn't been tampered with while traveling across the Internet. Think 348 00:16:48.519 --> 00:16:50.000 of it like a seal of authenticity. 349 00:16:50.039 --> 00:16:53.679 Okay, So SBS confirms the sender and DCAM makes sure 350 00:16:53.679 --> 00:16:56.080 the message itself hasn't been messed with. What about this 351 00:16:56.200 --> 00:16:57.080 DMRX thing. 352 00:16:57.720 --> 00:17:01.440 Dmr RC, or Domain based Message Authentic Reporting and Conformance 353 00:17:01.720 --> 00:17:04.799 builds on those other two by telling email providers what 354 00:17:04.839 --> 00:17:07.079 to do with the emails that fail those SPF and 355 00:17:07.119 --> 00:17:08.000 DCAM checks. 356 00:17:08.200 --> 00:17:10.680 So it's like setting the rules of engagement for your 357 00:17:10.720 --> 00:17:11.440 email domain. 358 00:17:11.720 --> 00:17:14.720 You got it, and thankfully, implementing these is pretty straightforward, 359 00:17:14.799 --> 00:17:17.880 especially in Office three sixty five. The book even recommends 360 00:17:18.000 --> 00:17:21.160 using mxtoolbox dot com to check if your domain's SPF, 361 00:17:21.359 --> 00:17:25.119 DKM and DBR settings are configured correctly. It's a free tool, 362 00:17:25.200 --> 00:17:26.000 so no excuses. 363 00:17:26.160 --> 00:17:28.799 That's a great tip. But what about protecting the actual 364 00:17:28.839 --> 00:17:32.119 content of emails, those links and attachments. How can we 365 00:17:32.160 --> 00:17:34.039 be sure we're not clicking on something dangerous? 366 00:17:34.519 --> 00:17:37.640 This is where Microsoft Exchange Online Protection comes into play, 367 00:17:38.160 --> 00:17:40.920 especially if you're an Office three sixty five user. It's 368 00:17:40.920 --> 00:17:44.000 like having a whole team of security experts analyzing your 369 00:17:44.039 --> 00:17:45.000 emails for threats. 370 00:17:45.079 --> 00:17:47.319 I'm listening. What kind of protection does it offer? Well? 371 00:17:47.359 --> 00:17:50.920 It includes features like safe Attachments, which scans attachments form 372 00:17:50.960 --> 00:17:53.400 malicious code before they even reach your inbox. 373 00:17:53.759 --> 00:17:56.839 It's like having a bomb squad check each attachment before 374 00:17:56.839 --> 00:17:57.880 you open it exactly. 375 00:17:58.000 --> 00:18:01.359 And then there's safe Links, which lies links in emails 376 00:18:01.519 --> 00:18:04.839 and blocks you from accessing dangerous websites. Plus, it has 377 00:18:04.960 --> 00:18:08.039 anti phishing and anti spoofing protection that use machine learning 378 00:18:08.240 --> 00:18:11.839 to identify and block suspicious emails based on things like 379 00:18:11.880 --> 00:18:14.279 the content, the sender and other factors. 380 00:18:14.359 --> 00:18:17.079 Wow, so they're really throwing everything they've got at protecting 381 00:18:17.079 --> 00:18:17.759 our inboxes. 382 00:18:17.799 --> 00:18:19.720 They are, And this book even mentions a cool new 383 00:18:19.759 --> 00:18:23.799 senter called zero hour Autoperge or ZAP, which lets you 384 00:18:23.960 --> 00:18:27.920 neutralize those malicious emails retroactively. So even if a bad 385 00:18:27.920 --> 00:18:31.119 email slips through the cracks, ZAP can find it later 386 00:18:31.359 --> 00:18:33.519 and remove it from your inbox before it can cause 387 00:18:33.559 --> 00:18:34.160 any harm. 388 00:18:34.319 --> 00:18:37.039 That's amazing. It's like having a time machine for your email, 389 00:18:37.359 --> 00:18:39.079 going back and fixing any mistakes. 390 00:18:39.160 --> 00:18:42.240 It's a pretty slick feature. And the book even tells 391 00:18:42.240 --> 00:18:45.680 you how to use PowerShell to extend safe attachments protection 392 00:18:46.000 --> 00:18:48.480 to share point in on drive, so those file sharing 393 00:18:48.480 --> 00:18:49.440 platforms are covered too. 394 00:18:49.640 --> 00:18:51.200 That's good to know. It seems like we have a 395 00:18:51.240 --> 00:18:54.599 lot of tools to secure email, but what about accessing 396 00:18:54.640 --> 00:18:58.000 all those resources behind the company firewall. What's the best 397 00:18:58.000 --> 00:19:00.559 way to do that securely? Especially with so many people 398 00:19:00.640 --> 00:19:01.920 working remotely these days. 399 00:19:02.079 --> 00:19:06.000 That's where traditional VPNs start to show their limitations. You see, 400 00:19:06.079 --> 00:19:09.279 VPNs often operate on the idea of a trusted network, 401 00:19:09.759 --> 00:19:12.240