EP 9: Learn More Pt 1 (23:32)

You're listening to the Cyber Secured Podcast, helping you become safer in every way. Now your hosts, Matt and Attila.

Attila: Well, welcome to the Cyber Secured Podcast. My name is Attila.

Matt: My name is Matt.

Attila: Mr. Matt, today is not your Matt Monday. Today is a Thursday. This would be a good time to talk about your new, interesting learning experience, right?

Matt: No, absolutely. Another coworker and I went to a cybersecurity class that was sponsored by a company on the mainland. They sent out their main guy, the Chief Nerd.

Attila: Chief Nerd, yep. I love the Chief Nerds.

Matt: CNO—Chief Nerd Officer.

Matt: Some of the stuff they were teaching, I was already familiar with and had used in the field. Some was new. I've mentioned before that I broke into some scam call centers and used similar tools. But their computers were so low-resource—like one or two gigabytes of RAM—that I'd often crash them. At this class, we had access to data centers and real resources. It was a lot of fun, and even after years of experience, there was so much new to learn. I definitely want to set up a bigger lab environment for us, because 45 people sharing one isn't ideal.

Attila: Yeah, we have a small cyber range here, but it’s limited.

Attila: The reason we do these podcasts is to share wisdom. No one has all the answers. And if someone says they do, beware—because it means they have no more room for growth.

Attila: Good job going out there, Matt.

Attila: What was your biggest takeaway?

Matt: The biggest takeaway? One of the things we’ve talked about on this podcast before—SIEMs.

Unknown Speaker: Like The Sims? Little diamonds over your head?

Matt: No, no. SIEM: Security Information and Event Management.

Matt: It manages and alerts you to security issues. Everything electrical generates logs—those logs either stay local or get sent off for analysis.

Attila: We’ve talked about SIEM before.

Attila: You need two things: gather the logs, and someone has to watch them (SOC—Security Operations Center). Then take action. Found, fixed, remediated.

Matt: Exactly.

Matt: We deploy this for multiple clients. Sometimes we get simple alerts; sometimes priority one alarms that wake us up at 3AM—true story, happened 48 hours ago.

Attila: It happens a lot.

Attila: And you have to have a workflow for handling those alerts.

Matt: One of the instructor’s biggest points:

Matt: Microsoft Windows, especially Domain Controllers, ship unsecured by default.

Matt: It’s a minimum viable product—safety rails are off. It’s up to you to secure it: disable old, insecure protocols and transport methods.

Attila: Like riding a bike without a helmet. Here’s the bike—go.

Matt: Worse—no brakes, no chain guard.

Matt: The goal is just to get you moving fast; security is optional.

Attila: Not everyone even knows what an AD Controller is. Active Directory—it's the gatekeeper for all usernames and passwords in a network.

Matt: Exactly.

Matt: It lets admins push out company-wide policies—like screen timeouts, password lengths, app restrictions. Makes IT management scalable.

Attila: It controls who gets what printers, file access, password complexity...

Matt: And Windows has to keep compatibility all the way back to 90s standards, so a lot of old insecure stuff remains.

Attila: The "ancient 90s," as my kid calls it.

Matt: There are still built-in standards where, if a bad guy gets on the network, they can easily sniff out passwords.

Matt: SIEM helps track this.

Attila: Because your SIEM gathers logs from AD servers to find unusual activities.

Matt: Exactly.

Matt: Like seeing a user added to an admin group.

Matt: In our class, we exploited bad group configurations to escalate a regular user into Domain Admin—and compromised the domain.

Attila: Walk me through that.

Matt: It’s all about misconfigurations or no configurations.

Matt: LDAP lets anyone—even a low-level user—query your Domain Controller for user lists, groups, and settings.

Matt: That's dangerous.

Matt: His advice: kill LDAP. Kill RDP too—Remote Desktop Protocol is another constant attack vector.

Attila: It took 20 years for people to realize RDP was insecure.

Matt: You can find RDP servers on Shodan search right now—public, unprotected.

Matt: And Windows allows remote shutdowns from the login screen!

Attila: We've reported lots of those over the years.

Matt: The crazy part that blew my mind:

Matt: By default, Windows Domain Controllers have important audit logs turned OFF.

Matt: No audit logs = your SIEM won't catch critical breaches.

Attila: Wait—Windows security logs are off?

Matt: Not all logs—specific categories inside the security logs.

Matt: You can turn them on, but many orgs don’t know they need to.

Attila: If you don’t have logs, SIEM can't alert you.

Matt: Simple.

Matt: Exactly.

Matt: But turning on everything can overwhelm the server. So you need careful, selective logging.

Matt: Storage is cheap, but still, people fill up drives irresponsibly.

Attila: Did he talk about web server logs?

Matt: No, this class was very Windows-focused.

Matt: They also discussed firewall recommendations—steer away from Fortigate, move to Palo Alto or Checkpoint firewalls.

Attila: Fortigate is used everywhere, especially by big ISPs.

Matt: Yeah, but it's riddled with vulnerabilities.

Matt: Checkpoint and Palo Alto are much better.

Attila: Checkpoint’s old logo was a crayon drawing from the founder's kid!

Attila: Fun fact.

Matt: Yeah, but if it works, it works.

Matt: At the end of the day, the biggest security risk is people—bad habits, misconfigurations, convenience over caution.

Attila: Is it forgetting steps or just humans being fallible?

Matt: Both.

Matt: Microsoft doesn't turn security features on by default because users complain.

Matt: UAC (User Access Control) was hated, so it got weakened.

Attila: Mac requires biometrics or passwords every time—Windows doesn’t.

Matt: Exactly.

Matt: It's about balancing security and convenience.

Matt: And the best takeaway: audit your setup monthly. Use checklists. Validate everything.

Attila: We'll post resources in our Cyber Secured Group at cybersecured.ai.

Matt: Cybersecured.ai—great resource.

Matt: And by the way, .ai is actually for Anguilla, a British Overseas Territory. It just got adopted by tech companies!

Attila: Fun fact!

Attila: Well, let’s wrap up.

Attila: We’ll continue this discussion in Part 2.

Matt: I’m Matt.

Attila: I’m Attila.

Attila: Aloha and thanks for listening!
