Hacker News: HotPotato787's comments

I bet you're from the USA, so this may be hard for you to understand given your context, but as someone from LATAM, let me tell you: China can try really hard to be evil - they will have a LOT of work to be worse than the US.


That's mainly because the USA's flaws have been covered in far more detail, and has also played a bigger role in Latin America. Once those countries start to deal with China more you may find your observations were biased.


You're right, but that's not the point. Being afraid that another state will become the leading superpower and "dictate the international order" when your oligarchical country has been doing the same thing for the past ~70 years, and not in a "cuddly as Mickey Mouse" way, is HILARIOUS. The doublethink is off the charts! hahahaha.


America has been truly 'oligarchical' for approximately the past one month, whereas China has been a totalitarian state for the better part of a century.

Why not compare the Allies with the Axis next? The US was segregated, right, so... hey, same difference! /s


The US has a pretty extensive 100+ year history of imperialism, destabilization and violence in LATAM [1], which is where they are from.

[1]https://en.wikipedia.org/wiki/United_States_involvement_in_r...


Everyone knows that.

A surprising number of people don't seem to know the first thing about China. Hey, it might not help that China doesn't allow a fifth of the world to learn the history of China.

But let's talk again in four years. The way things are going in America, I may agree with you guys by then :(


How many democratically-elected democracies has China overthrown through bloody dictatorships?


CCP's dictatorship bloodily conquered China, population 1.4B, 20% of the entire planet's people.

USA has also rescued hundreds of millions of people (including China!) from bloody conquerors, as in WW II.


You're arguing with folks who just want to be angry, not listen to facts or sage observations.

(it's not like the US is innocent; we have made a huge number of terrible mistakes attempting to maintain the Pax Americana. I fully acknowledge while being fairly sure that China could and would do far, far worse than the US)


This speculation that China could do far worse is totally unfounded given that they've had plenty of time to push buttons militarily that the US and the Soviet Union had already pushed with much less military power.


What democratic government did they overthrow? Because the ROC was no more democratic than the CCP... and Taiwan didn't have real elections till the 1990s.


China is allied with Russia right now to overthrow Ukraine


If this kind of take is what I missed by never installing TikTok, I don't regret it.

Also, China did try it only a few decades ago. Murder, starvation, horrific torture, reeducation camps, brainwashed children denouncing their parents... impressively evil. Not that Tiananmen Square or Uyghur ethnic cleansing or kidnappings of expat dissidents are so much better.


It's extremely telling that you're bringing up the atrocities of the Cultural Revolution and the Great Leap Forward and being downvoted as if the US had ever done anything to that scale.

For sure this country has its own flawed history with slavery and treatment of Native Americans, but China is absolutely on its own level with Nazi Germany and Soviet Russia.


This is the mentioned article: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/...

What it says is "be careful when using federated trust relationships, because if one of your trusted environments is pwned, it will be trusted by the others". That's very obvious.

And about "disable seamless SSO", I only found this: "On-premises SSO systems: Deprecate any on-premises federation and Web Access Management infrastructure and configure applications to use Azure AD." (Seems pretty basic too, especially considering how vulnerable on-prem ADs are).

The original article seems to paint this MS page as a security advisory or vulnerability notification, while it just seems to me to be a very very basic security guideline.


I think those things the article is advising are the same things Andrew Harris wanted to advise customers to do 3 years prior, but Microsoft didn't want to, because it would make the default configuration sound insecure (it kind of was), jeopardizing government contracts, especially since various government systems would break if those config changes were made.


I get what you're saying, but from my point of view, this seems like something that doesn't need to be advised, because it is so trivial. Yes, if someone pwns my AD, then they can also pwn my cloud if I'm using some sort of federated trust. Even if I'm not, and both systems are completely separate, they just need to steal passwords from the cloud admin, which should be easy given they're already domain admins.

Maybe Andrew, being overly cautious, was assuming most government users didn't know these basic facts, and should be warned anyway? Was MS pushing back on his report because communicating something like this to users would probably sow too much confusion?

That would still be a failure on MS's part, but would make for a much more boring story. The article makes it seem like Andrew discovered an atomic bomb and MS pushed it under the rug. The reality seems much more bland.

But still, could you elaborate on the default configuration being insecure? I know next to nothing about Azure/Entra, maybe I'm missing something important.


>this seems like something that doesn't need to be advised, because it is so trivial

According to the article, that's not the reason Microsoft gave for not advising it. The reasons they gave were (1) it would make governments scared and jeopardize contracts and (2) it would let hackers know about the attack.

Also according to the article, the NYPD weren't aware of the problem until Harris warned them of it, then they quickly disabled seamless SSO:

>On a visit to the NYPD, Harris told a top IT official, Matthew Fraser, about the AD FS weakness and recommended disabling seamless SSO. Fraser was in disbelief at the severity of the issue, Harris recalled, and he agreed to disable seamless SSO.

>In an interview, Fraser confirmed the meeting.

>“This was identified as one of those areas that was prime, ripe,” Fraser said of the SAML weakness. “From there, we figured out what’s the best path to insulate and secure.”

>But still, could you elaborate on the default configuration being insecure? I know next to nothing about Azure/Entra, maybe I'm missing something important.

I'm not very familiar with Azure either. I'm getting most of this from the article. It sounds like the weakness is that by default trust federation to Microsoft 365 is enabled. Microsoft's post-Solarwinds article recommends disabling it.


It is pretty boring. Where I would blame Microsoft: there needs to be an easier way to set up AD, AAD, ADFS without having a bunch of people be domain and global admins, like out-of-the-box roles and a better GUI. Every AD deployment I’ve ever worked in is insecure due to the complexity of secure deployment. So people running it are going to be logging in as domain admin / GA to do basic crap like add a new hire.


Yes, that's what I understood too. The article seems to exaggerate some points, and this is one of them.

It's like creating an attack called "GOLDEN ADMIN". If you have admin credentials, you can log in as the admin and do anything you want! Wow!

(I know that letting attackers authenticate to anywhere without generating logs is bad, but still... I agree with the parent reply)
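An added example, not code from the thread or from Microsoft's guidance: one defensive check that follows from the point about attackers authenticating without generating logs. It correlates cloud sign-ins that presented a federated assertion with the on-prem IdP's own token-issuance log, using constructed, simplified records; the field names are hypothetical, not the real AD FS or Entra log schemas.

```python
from datetime import datetime, timedelta

# Constructed AD FS-side issuance events (hypothetical field names, not the real schema).
ADFS_ISSUANCE = [
    {"ts": "2021-03-01T09:00:05Z", "user": "alice@corp.example", "token_id": "t-100"},
    {"ts": "2021-03-01T09:15:40Z", "user": "bob@corp.example", "token_id": "t-101"},
]

# Constructed cloud-side sign-ins that presented a federated assertion.
# "lifetime_min" is the assertion's validity period in minutes.
CLOUD_SIGNINS = [
    {"ts": "2021-03-01T09:00:07Z", "user": "alice@corp.example", "token_id": "t-100",
     "lifetime_min": 60},
    {"ts": "2021-03-01T09:15:42Z", "user": "bob@corp.example", "token_id": "t-101",
     "lifetime_min": 60},
    # Never seen at the IdP and valid for a week: either the IdP was bypassed or
    # its logging was. Both need a human to look.
    {"ts": "2021-03-01T11:02:00Z", "user": "carol@corp.example", "token_id": "t-999",
     "lifetime_min": 10080},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_unattested_signins(signins, issuance, window=timedelta(minutes=5),
                            max_lifetime_min=120):
    """Return (token_id, reason) pairs for federated sign-ins that cannot be tied
    to an IdP issuance event for the same user within `window`, or whose
    assertion lifetime exceeds `max_lifetime_min`."""
    issued = {e["token_id"]: e for e in issuance}
    findings = []
    for s in signins:
        ev = issued.get(s["token_id"])
        if ev is None or ev["user"] != s["user"]:
            findings.append((s["token_id"], "no matching IdP issuance event"))
        elif not (timedelta(0) <= _parse(s["ts"]) - _parse(ev["ts"]) <= window):
            findings.append((s["token_id"], "issuance/sign-in time mismatch"))
        if s["lifetime_min"] > max_lifetime_min:
            findings.append((s["token_id"], "assertion lifetime exceeds policy"))
    return findings


if __name__ == "__main__":
    for token_id, reason in find_unattested_signins(CLOUD_SIGNINS, ADFS_ISSUANCE):
        print(f"ALERT token={token_id}: {reason}")
```

The join key and the time window are the part worth getting right in a real deployment: an assertion minted outside the IdP leaves no issuance record to join against, which is exactly the gap this check surfaces.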


> If you have a competent and fully staffed SRE Platform engineering team - you will NOT need a separate cybersecurity team.

Not all cybersecurity problems are platform problems, or even technical problems. Even if you decide to gather all AppSec/InfraSec engineers inside of SRE/SysAdmin, this creates two problems:

1 - They are now separate from the main cybersecurity team, which is solving other problems and that in turn creates all sorts of issues ranging from lack of coordination to managerial ones.

2 - This creates a HUGE lack of separation of duties (or a conflict of interest). The executor of a task should never be the auditor of a task. You cannot expect the SRE team to go out of their way to keep finding flaws in their own work and exposing them to the board so they can be forced to reprioritize and fix these flaws. The SRE can and should have security built-in as much as possible, but an external team is still required.


SRE is really a more familiar "sysadmin" from the good ole days. You know, that bearded IT guru on a basement floor, who will curse and shout at you, but will keep your company running when it comes to IT.

If you switch back to the sysadmin model, having a single sysadmin do all the SRE and security work, divided per platform, then separate security does indeed feel like extra.

You can obviously hire independent third party security auditors and do a pentest, but that thing could be done once a year. Oftentimes your financial auditors (Big 4 accounting firms) will offer IT audit and pentest in a bundle and you can get a good deal.


>yeah, but CrowdStrike or whatever antivirus you use can.

...No, it really can't. Not all of the time. It doesn't understand your business logic behind your architecture, it doesn't know how to separate normal from anomalous behaviour (yes, even if you have XtremeAI or whatever the vendor peddled to you), it cannot correlate alerts and activities in patterns not explicitly programmed and it can't generate alerts with 100% precision. In short, it's not intelligent.


That's not the job of the red team; this is blue team work (Detection Engineering or Incident Response or Security Operations, whatever they are called) - a SIEM tool monkey basically.

Again, no need for a full-time red teamer.


I don't think you know what the point of a red team is, if you did you'd understand how oxymoronic your statement is.

A part time red teamer is just a pen tester. That's not what a red team does, and adequate threat emulation isn't someone who flies in for two weeks, does some things that you can only accomplish in two weeks, then flies out to the next company to do the same things. You actually need to dig deep and research a company's individual weaknesses and that takes time. Threat actors have that kind of time to sit and observe and probe; a part time noisy pen test isn't going to get you more than the basics.

Also a blue team has to be right all the time, the attacker only has to get things right once. That's why you constantly test your assumptions with a red team and give blue someone to "train" with and improve with that isn't an actual threat actor. You don't want the first time you fight to be in the ring, you need to spar.

A lot of pen testing consultancies brand themselves as red teams, but a lot of them are just rebranding pen testing services to the ignorant.


Yeah, nice word salad, except that it doesn't happen in the real world. What you described is probably just one threat intelligence engineer that also does a bunch of other stuff like IR.


This is literally what I do, but okay.

Threat Intel informs the red team, and we'll model our ops or threat emulation exercises off of that information; we also have a few members that came over from threat intel. Last I checked, Threat Intel engineers don't write malware to simulate the malware that real threat actors targeting a company's industry use.

I think you're speaking from your limited experience at your own company. Again, you have to have a mature blue team before you're ready for a red team. Most orgs aren't ready for that, especially if you think Qualys covers your threat models. That's just vulnerability management and might catch some apps/hosts that missed the patch cycle.

If it's word salad, maybe it's because you're out of your depth and ignorant of how these programs are supposed to work.

