EP 4: Firewalls under Fire

Matt: Beep beep boop boop thing again.

Attila: Beep beep boop boop thing again.

You're listening to the Cyber Secured Podcast, helping you become safer in every way.

Now, your hosts, Matt and Attila.

Attila: Well, welcome back to the Cyber Secured Podcast.

Attila: I'm your host Attila and.

Matt: This is Matt, the well-fed Matt.

Matt: This is post-lunch Matt.

Attila: Post-lunch, we've both had lunch.

Attila: I am having coffee though, so that seems to kind of wake me up and allow us to talk about important things.

Attila: We do have an important topic because in the news, I'm not sure if you've heard.

Attila: Matt, have you heard all about the Fortinet?

Attila: No.

Attila: Breaches, all kinds of stuff.

Matt: So.

Matt: It seems like they're having a lot of breaches all the time.

Attila: It's been ongoing.

Attila: And in fact, the FBI has issued numerous alerts urging system administrators to make sure to patch Fortinet firewalls.

Attila: And Fortinet firewalls are probably a brand you may not have heard of.

Attila: Maybe Palo Alto.

Attila: Have you heard of that brand of firewall?

Matt: I think most people are more familiar with like Netgear, Orbi, Linksys.

Matt: You know, stuff you see at Costco.

Attila: Like the Costco, Linksys kind of stuff?

Matt: Yeah, stuff you buy and you bring home.

Attila: Well, unfortunately, we have to deal with more than just, you know, Linksys firewalls.

Attila: In the real world, the world that runs everything else.

Attila: So if you go to Costco or if you go to a bank or if you go to Walmart or an insurance company, any of those places, they're running real commercial-grade equipment.

Attila: This is where the brands Cisco, Palo Alto, Fortinet, these are the big brands that are out there that are running our world.

Attila: And those firewalls are having critical vulnerabilities and exploits.

Attila: And those vulnerabilities are being taken advantage of by the bad guys.

Attila: They're intercepting VPN traffic.

Attila: They're able to gain access into the firewall and inspect packets to send malicious payloads right through the firewall undetected.

Attila: These are really bad things.

Attila: And the manufacturers, when they discover that this occurs, they send out a patch.

Attila: And it's up to the system administrators to install the patch.

Attila: And let me guess, all of us system administrators have so much extra time on our hands that we love doing long arduous patches in the middle of the night, right?

Matt: That's half my job.

Matt: I just sit around and wait for patches.

Attila: Wait for patches.

Attila: It's like watching grass grow.

Attila: And so it is a part of the system administrator's job, but there is something called patch lag.

Attila: And that kind of lag is what can lead to big problems happening.

Attila: And so in today's episode, we wanted to talk about managed firewalls, what these things are, and what's coming down the pipe.

Matt: Maybe what's the difference between a Costco firewall and a firewall that is managed and costs a lot more money?

Attila: Well, that's a great place to start, Matt.

Attila: Why don't you tell me, what is the difference between a cool Costco firewall with all its antennas sticking up that promises me that I will do better on my home gaming versus a very beige, boring metal box with lights on it?

Matt: Well, I don't know what level of technical expertise our listeners have out there.

Matt: So I'll start with the really basic.

Matt: Anybody can connect directly up to the internet.

Matt: They can plug their computer into the modem from Spectrum or whoever your internet provider is, and you can be right on the internet.

Matt: But the recommendation is that you are behind a firewall.

Matt: Reason being, to really oversimplify, being on the internet would be like going for a stroll out in the middle of the highway.

Matt: You got cars whizzing by you, all kinds of dangerous fumes and things happening out there, let alone anybody can run by you and hit you over the head and take you for a ride themselves.

Matt: Like I said, this is a very oversimplified explanation.

Attila: Well, you know, firewall has a bit of a history behind it, too.

Attila: So, you know, if you think about it, fire wall, a wall that prevents a fire.

Attila: And can you think of the world's oldest firewall?

Matt: No.

Attila: Great Wall of China.

Attila: Prevented fires.

Attila: European castles, they used moats as their own version of firewalls.

Matt: I've never actually looked up the etymology of firewalls.

Attila: Well, you know, think about it, still using construction today to limit the spread of fire.

Attila: And, you know, back when Henry Ford was building those Model T's, there was a firewall, literally, because the engines would catch on fire because they didn't have quality.

Matt: Well, that's the thing that's in our car.

Matt: I've had to install wiring between my engine block where the battery is at and then the firewall to go into my radio.

Matt: That's what it's listed as in the manuals.

Attila: And you have to seal it really well, otherwise the fire can get through and kill you.

Attila: We don't want that.

Matt: Right.

Matt: Yeah, so essentially a firewall slash router, they're usually one and the same.

Matt: They protect you from the stuff that's out on the internet.

Matt: And the way they do that, very simply, again, to really oversimplify, is the difference between you've got maybe like a street address and then you've got the highway.

Matt: And the street address has like individual numbers.

Matt: And within the firewall, let's say that's your home, you've got your individual rooms and stuff, where you've got different things going on, that would be like your computers or IoT devices.

Matt: But the real difference that determines the pricing of a firewall is, it's basically kind of a traffic cop too, is how much data it can handle, how much processing it can handle.

Matt: If it's actually going to be looking at some of the data, like from your Xbox, and then prioritizing that so your Xbox has less lag, that's going to be more expensive Nighthawk router from Costco.

Matt: Versus our industry corporate firewalls and routers that actually have things that are watching for malicious traffic.

Matt: There's things on the network called packets, and so industry standard firewalls will do packet inspection.

Matt: And so that's usually what will determine the difference.

Matt: There's a lot of other features that could be included in firewall and what it does with the traffic.

Matt: And then all of that usually comes at the cost of some kind of processing resource.

Matt: So if you have a small office and you're analyzing all that traffic, you can get away with a smaller firewall.

Matt: But if you've got two floors of people in cubicles doing things, your internet is going to slow to a crawl, not because you have slow internet, but because the firewall can't keep up.

Attila: Yeah, I mean, everything has purpose built, right?

Attila: Like you think about it, if you go to a restaurant and you look at a frying pan at the back of the restaurant, that frying pan is probably a few hundred dollars.

Attila: Now, an average person in their kitchen is not going to have a $500 frying pan because they use it maybe once a day, right?

Attila: But in a kitchen, they're using the frying pan all day every day.

Attila: It's got to be a commercial-grade fire plan, you know, frying pan.

Attila: And it needs to be able to stay hot and whatever, and not warp and fall apart.

Attila: And so in the same way, firewalls are built in the same way.

Attila: And, you know, think about it, like if you go to a Costco, and they got a firewall, obviously they got to have a firewall there, right?

Attila: You know, what happens if, I don't know, one of the firewalls suddenly shorts out?

Attila: Boom, gone, right?

Attila: They have a spare firewall there.

Attila: That's called high availability, right?

Attila: You have a second firewall that can take over in the event of a failure of the first one.

Attila: So you have some redundancy, kind of like here, you have two lungs, right?

Attila: If you get punctured in one lung, you can still keep breathing, right?

Attila: You want that to keep happening.

Attila: So firewalls have high availability.

Attila: Like you said, they have traffic monitoring capabilities.

Attila: And some of the new firewalls are really interesting because, you know, for years, everyone's been talking about AI lately, but for years, that's been around on firewalls forever because you needed some sort of engine that could ingest all those packets and make sense of them and find out if there's a problem, some sort of intrusion, otherwise known as an intrusion detection system, IDS.

Attila: IDS, a feature on a firewall, is pretty cool because it can find out if there is an issue and let you know about it before it ruins your network.

Attila: Now, AI has been used for that for years, but lately, there's even fancier AI stuff happening in firewalls.

Attila: That's pretty exciting stuff.

Attila: I know you were talking about that earlier.

Matt: We were.

Matt: Yeah, there's a couple manufacturers out there that have been working on doing large language processing of the traffic that happens on firewalls.

Matt: Cisco, namely, is one of them.

Matt: I've never actually seen a demo, but I have heard that they're in the works of doing that.

Matt: I think that's actually already in production.

Matt: The other one that we've been looking at, and it's part of what we deploy, is UniFi.

Matt: Their enterprise firewalls have a thing they call Next AI.

Matt: And I think it's still in the developmental phase right now, because the features that they rolled out are still, they're pretty advanced, but it's limited.

Matt: It doesn't do everything, but I think they're probably going to change that in the next version to come out.

Matt: What's really cool is that it can analyze traffic automatically for you, determine if what it sees is malicious, and then notify you about that.

Attila: Well, let's be honest, when you say the word AI, I mean, it's all new.

Attila: It's all pretty much one step out of beta.

Attila: But one thing that I thought was really cool about that new UniFi feature is that it could do...

Attila: So when you go to a website on your network, it's got a little lock.

Attila: And that little lock means it's encrypted, secured, right?

Attila: So you go to a banking website, type in your username and password, that's all been encrypted end to end.

Attila: But the problem is that what if you're entering your banking username and password not on a banking site?

Attila: What if it's a phishing site and they tricked you?

Attila: How do you stop that kind of stuff?

Attila: And with these new firewalls, there's some cool new features, right?

Attila: How's that work, Matt?

Matt: Well, I don't think they're quite at that level yet.

Matt: They're not actually analyzing people going to fake banking websites.

Matt: It's more about someone is going to Google and typing in, how do I export all this data in my work network offsite?

Attila: How do I screw my employer?

Matt: Basically, yeah.

Matt: That kind of stuff.

Matt: How do I build a bomb?

Matt: These are really exaggerated examples, but stuff more like that.

Matt: But I do see down the line, they would probably have those features that would detect when you go to a malicious encrypted site that is pretending to be your bank.

Attila: But how does your firewall see that encrypted traffic?

Matt: So yeah, right now, most firewalls would not see that traffic.

Matt: They would see encrypted data.

Matt: And that's the point of when you go to amazon.com and you put in your credit card information, you don't want that information floating around in packets in the clear for anybody to just inspect and see so they can steal your credit card.

Matt: So that's what the HTTPS on your web address stands for.

Matt: But the way that a firewall would be able to see that is they would put a certificate on your system that would basically kind of be in the middle of that traffic.

Matt: Like it's already in the middle of that traffic, but that way you can inspect the traffic before sending it off to Amazon or to Google or to whatever site that you're visiting.

Attila: So that certificate would be like that stamp of approval.

Attila: So that way, like when that packet comes from your computer through the firewall, the firewall is like, oh, I got permission to read this packet.

Attila: What's in there?

Attila: Oh, look, someone's searching on Google for something bad.

Attila: We should let the system administrator know.

Attila: Wouldn't that be nice?

Matt: And this is like going down the rabbit hole and the technicalities of the stuff.

Matt: But in advance, that certificate would be installed on the computer and be accepted as legitimate.

Matt: Because otherwise, you would end up getting what a lot of people will see if they go to a site that has a cert that has not been certified, which is, this is a self-created, self-signed cert.

Matt: And this may be a malicious site trying to steal your data.

Matt: You may or may not have ever seen that.

Matt: When we deal with setting up new printers, new phones that have SSL installed, we see that all the time because those have not been signed.

Matt: They're self-signed.

Matt: But yeah.

Attila: So why do we care about reading encrypted traffic other than to detect malicious employee behavior?

Attila: Like what?

Attila: Are there any bad guys who use this?

Matt: Yeah.

Matt: So the other side of it, we were talking about this a few weeks ago.

Matt: I've been really putting some time into learning the different implementations of C2 servers.

Matt: C2 are command and control.

Attila: Hence the two.

Matt: Hence the two.

Matt: Yeah.

Matt: So basically, that would be like, you open up a malicious PDF on your computer, and when it's what we say malicious, it deployed secretly in the background, this thing that connected your computer to a control system out in the Internet, out in the ether, and it's completely invisible.

Matt: That's the point.

Matt: They want to be able to have control, be invisible, and then be able to do things on your network, to be able to get into your payroll systems or into your storage system so that they can encrypt things and run ransomware, do whatever bad things that bad guys want to do.

Matt: So that all happens usually through encrypted traffic, so they can hide what they're doing.

Matt: It happens intermittently, and it will happen to some random servers out there or a website that's been hijacked.

Matt: And because it's encrypted, the firewall can't see that.

Matt: And because they're not actively running anything on the network to move laterally and connect to other computers, the intrusion detection system also doesn't see anything.

Matt: So that's part of the excitement that we have around having a system that's monitoring that encrypted traffic, because it would possibly see that stuff, that C2 command and control handshake, and see the stuff that's going on there.

Matt: Even though it's intermittent, it would be intercepted, it would be analyzed and reported on.

Attila: How would a command and control piece of software end up on a computer at all?

Matt: A lot of different ways.

Matt: And that's part of what the bad guys and Red Team, Cyber Security experts are always looking for is vulnerabilities.

Matt: So, you know, let's say I walk into a dealership and...

Attila: What kind of dealership?

Matt: This is a high-end dealership.

Matt: This is a luxury brand.

Attila: Like luxury car dealership.

Matt: Luxury car dealership.

Matt: So I know they have money.

Matt: And I know they're connected to, you know, higher up servers that are connected to other servers, that are connected to the larger brand.

Matt: And I want to be able to get into their stuff and be able to steal their money.

Matt: So, you know, I walk into their dealership.

Matt: I'm dressed nicely.

Matt: I've never been there before.

Matt: I've never been in the state.

Matt: Nobody knows who I am.

Matt: I'm just, you know, pretending to be someone else.

Matt: And I bring with me a little device that's always scanning the network, scanning the Wi-Fi, grabbing handshakes.

Attila: I think you have one right here.

Matt: I actually have one on my desk that I built about a week ago.

Attila: We're looking at it.

Attila: You can't see it, though.

Matt: Where did I put it?

Matt: I think it's hiding and hacking it.

Matt: There it is.

Attila: Yeah.

Matt: And so, you know, it's grabbing handshakes.

Matt: It's doing all this beep, beep, boop, boop stuff.

Matt: And I take it home and I grab what it finds and I crack it.

Matt: So now I have the password to their Wi-Fi.

Matt: And let's say they're not using the best setup for their encryption, for their Wi-Fi.

Matt: I go back with another device that has that cracked handshake, that cracked password for the Wi-Fi, and it connects.

Matt: So I have a device on their network now.

Matt: So while I'm on their network, I discover, hey, I have full view of all this admin stuff, all these servers.

Matt: And so now I can spend my time to get into stuff and to capture packets on the network to see what's going back and forth.

Matt: And eventually, I find my way onto a system, and I deploy a C2 connection.

Matt: Once I deploy that C2 connection, I can grab my little box that I deployed there and take it with me, because I don't want someone to find it.

Matt: I don't want the network admins to spot it on the network and figure out what's going on.

Matt: I want it to be as inconspicuous as possible.

Matt: And so now I have a C2 connection on other servers, and maybe I've spent the time to spread to a few more systems, just so I can have a persistent connection to the network.

Matt: Now, if they have a very advanced firewall, it might see me moving from one system to another.

Matt: This is where firewalls come in play and are really important, especially in a corporate environment.

Matt: But if the firewall isn't patched, and I know that, as in the case of Fortinet, and in the case of Palo Alto, which has also had some recent vulnerabilities that have been documented online, I can also go after those devices.

Matt: The thing that is supposed to protect you, is supposed to protect all the workers on that network.

Matt: I can go after that.

Matt: And trust me, there are ways to set up C2 servers and systems for that device as well, because firewalls are really nothing but another computer.

Matt: It's a different operating system.

Matt: It's usually a version of Linux.

Matt: Sometimes it's a customized version of Linux.

Matt: In the case of like Palo Alto, I'm not sure about Fortinet, but yeah, if I'm familiar enough, I can deploy something there as well, and then have complete control in there, and use that as a pivoting point.

Matt: That's why we want to keep things up to date.

Attila: Well, and from a Red Team perspective, I mean, when you were describing going in there and putting in a little listening device, initially, no one would know that it's in your pocket, right?

Matt: No, and the device I have on my desk, yeah, it fits on a keychain.

Attila: Yeah, so that's really small.

Attila: Then when you go back, then you can stick that anywhere.

Attila: And when I've heard of other Red Teamers being successful, you know, they put a Raspberry Pi behind a coffee machine or behind a microwave.

Matt: You can buy batteries that would be on it or plug it into a USB.

Attila: Yeah, and it can literally sit there forever.

Attila: It won't get caught, because no one knows what these things are.

Attila: It's just a little box hanging off there.

Attila: But you do bring up a good point about car dealerships.

Attila: They are subject to FTC compliance.

Attila: And the goal of FTC is really to protect the consumer, is to protect people that are in there buying high-end luxury vehicles and to try to keep them from becoming a target.

Attila: Because if you think about it, someone who's coming in to buy a $200,000, $300,000 vehicle, they probably have other assets, and they could become a high-profile target.

Attila: And that's what the bad guys are looking for.

Attila: Most people can afford a Nissan, but not everyone can afford something that ends in an I, I guess is the best way to put it.

Attila: There's a lot of those, or Y, I or Y, Ferrari, Lamborghini, whatever, those high-end kind of vehicles.

Attila: So FTC compliance is something that has been pushed to all car dealerships.

Attila: And there have been some breaches, specifically with CDK, that took out some car dealerships, and they had ransomware deployed.

Attila: And those kind of activities happen when there's patch lag.

Attila: That's a big one.

Attila: So, you know, in our riskara behavioral risk assessment, we do go through and ask these kind of questions to discover if your organization has a good patch management policy, how often do your computers reboot?

Attila: I mean, that's a great question, you know.

Attila: Sometimes people say, oh, I can't remember the last time my computer rebooted.

Attila: Well, guess what?

Attila: Patches need a reboot in order to kick in sometimes.

Attila: You got to force that through.

Attila: And same thing with firewalls.

Attila: No one wants to take down the firewall, but you can't have a firewall up 365 days a year, 24-7, without a patch.

Attila: You got to do it.

Attila: And so that, you know, that's part of why we do these podcasts, is to help you become more secure by doing basic small things that are not terribly sexy.

Attila: Patch management is probably down there with backups in terms of the sexiest things that IT people have to do.

Attila: It's the least exciting.

Matt: It leads to that unsexy H-word, which applies to a lot of aspects of our life, which is tech hygiene.

Attila: Oh, hygiene.

Matt: Hygiene.

Attila: Oh, boy.

Attila: Hygiene.

Attila: Yeah.

Attila: Well, we can't all be dirty hippies when it comes to our networks.

Attila: We have to be clean and on point and organized.

Attila: So, I encourage you to really think about your cyber hygiene.

Attila: Good word, Matt.

Attila: Hygiene.

Matt: Hygiene.

Attila: And I like the other words you used earlier, the beep-beep-boop.

Attila: Yeah.

Matt: When I get a little too verbose and give my wife way more information than she needs, that's what she tells me.

Matt: She's like, you're doing the beep-beep-boop-boop thing again.

Attila: Beep-beep-boop-boop thing again.

Attila: Well, I think we have our clip for the beginning of our show.

Attila: Yeah.

Attila: Well, I guess, you know, so if you guys need help or some other resources, you know how to reach us.

Attila: We're part of the Cypac team, and we do our best to educate the community and help those in need of keeping their systems secure.

Attila: Hopefully, don't call us after the fact, call us before the fact.

Attila: Well, I'm Attila.

Matt: I'm Matt.

Attila: Stay safe out there.

This episode was brought to you by Cypac.

To learn more about keeping your business safe from threat, crime, and disaster, visit Cypac.com.
