OneDrive’s Sneaky Sync Prompt

Welcome to this week’s episode of Cyber Whack-a-Mole, where we tackle Microsoft OneDrive’s new personal sync prompt before it pops up with a data leak surprise!

Microsoft is rolling out a new OneDrive feature around May 2025 called “Prompt to add a personal account to OneDrive Sync” for business users (Microsoft 365 Roadmap ID 490064). Designed for convenience, it allows users to sync their personal OneDrive accounts alongside work accounts with a single click. Sounds handy, right? But here’s the catch: it’s enabled by default, and without proper controls, it could lead to sensitive corporate data being synced to personal, unmanaged accounts.

Why This Matters

Mixing personal and work data on the same device introduces risks, including:

  • Data Leakage – Sensitive corporate files could be unintentionally or maliciously moved to personal OneDrive accounts, which lack organizational oversight.
  • Compliance Issues – Industries like healthcare, finance, and legal, bound by regulations such as GDPR, HIPAA, or SOX, face potential compliance violations if data leaves the managed environment.
  • Security Gaps – Personal accounts typically lack the same security controls (encryption, DLP policies, or audit logs) as corporate accounts, creating a weak link.

The good news? These risks are manageable with proactive measures. Let’s dive into how to keep your organization secure without breaking a sweat.

How to Fix the Issue: Practical Solutions

Below are three key steps to mitigate the risks posed by this feature, followed by additional options for comprehensive protection.

Disclaimer: Plan and Audit to Avoid Disruptions

How to Protect Your Data 🕵️‍♂️🔨💾

Before implementing any of these changes, carefully plan and perform an audit to prevent organization-wide disruptions:

  • Audit Current State – Use tools like Intune, Group Policy reporting (gpresult), or PowerShell scripts to assess which devices have personal OneDrive accounts synced or OneDrive for Business in use. This helps identify potential impacts of disabling syncing or access.
  • Test Changes – Apply policies in a pilot group (a small department) to evaluate effects on workflows, especially for users relying on OneDrive for Business.
  • Plan Communication – Coordinate with stakeholders to inform users of changes, particularly if disabling OneDrive access or syncing broadly.
  • Backup Critical Data – Ensure no critical business data is stored solely in personal OneDrive accounts before removing access.
  • Consult Compliance Teams – For regulated industries, verify that changes align with GDPR, HIPAA, or other requirements.

By planning ahead, you can mitigate risks without disrupting productivity or compliance.

1. Disable the Feature with DisablePersonalSync 🚫

The most effective way to block personal account syncing is to enable the DisablePersonalSync policy via Group Policy or Microsoft Intune. This prevents users from setting up new personal syncs and stops existing ones, displaying a message that syncing has stopped (though synced files remain on the device and must be removed separately).

Group Policy

  • Open Group Policy Management Console (gpmc.msc).
  • Create or edit a GPO linked to the domain root or an OU containing all users.
  • Navigate to User Configuration > Administrative Templates > OneDrive > Prevent users from syncing personal OneDrive accounts and set it to Enabled.
  • This sets the registry key: HKCU\SOFTWARE\Policies\Microsoft\OneDrive\DisablePersonalSync=dword:00000001.

Intune

  • In the Microsoft Intune Admin Center, create a Configuration Profile (Platform: Windows 10/11, Profile Type: Settings Catalog).
    • Add the setting: OneDrive > Prevent users from syncing personal OneDrive accounts (User) and set it to Enabled.
    • Assign to “All Users” or a group containing all tenant users for tenant-wide enforcement.

Reference: Microsoft Learn – Use Group Policy to control OneDrive sync settings

2. Audit Existing Syncs 📋

Before or after applying the policy, check for devices with active personal OneDrive syncs to close any existing gaps.

  • Use device management tools (Intune compliance reports or scripts) to identify personal OneDrive folders (typically under C:\Users\[Username]\OneDrive).
  • Remove synced personal files from devices, either manually or via automated scripts, ensuring compliance with your organization’s policies.
  • Consider using Microsoft Purview to audit OneDrive access events for signs of personal account activity.

3. Educate Your Team 📢

Communicate the policy change to users to avoid confusion and reinforce data security best practices.

  • Send an internal email or post on your company’s communication platform explaining why personal syncing is disabled.
  • Highlight the importance of keeping work and personal data separate, especially for compliance-heavy industries.
  • Provide a point of contact (such as IT helpdesk) for questions or support.

Additional Options for Enhanced Control

For organizations seeking broader or server-side controls, consider these tenant-level approaches, but note their trade-offs:

Disable Personal Site Creation (SharePoint Admin Center)

  • In the SharePoint Admin Center, go to More Features > User Profiles > Manage User Permissions.
  • Remove the “Create Personal Site” permission to prevent new OneDrive site creation, effectively blocking syncing for users without existing sites.

Limitation – Doesn’t affect existing OneDrive sites; use PowerShell to lock them if needed.
ReferenceManage user profiles in SharePoint

Restrict OneDrive Access by Security Group (PowerShell)

Use PowerShell to limit OneDrive access to specific security groups:

  • Connect-SPOService -Url https://-admin.sharepoint.com Set-SPOTenant -RestrictOneDriveAccessToSecurityGroupOnly $true Set-SPOTenant -OneDriveAccessRestrictedSecurityGroups “GroupID”
  • This prevents users outside the specified groups from accessing OneDrive, indirectly blocking personal syncing.

Limitation: Impacts OneDrive for Business broadly, not just personal syncing.
Reference: Microsoft Learn: Configure OneDrive access restrictions

Hide the Sync Button (PowerShell)

Limitation: Only affects the web interface; doesn’t stop syncs via the OneDrive client if DisablePersonalSync isn’t applied.
Reference: Microsoft Learn: Hide the sync button

Stay Ahead, Not Alarmed

This isn’t about panic—it’s about staying one step ahead of potential risks. If you’re an IT admin, take a moment to review your OneDrive policies to ensure your organization is protected. The DisablePersonalSync policy, applied tenant-wide via Intune’s Settings Catalog or Group Policy, is a straightforward way to lock things down. For extra peace of mind, audit existing syncs and explore server-side controls if needed.

You can also find this post on LinkedIn.

#DerettiTalks #Cybersecurity #Microsoft365 #OneDrive #Compliance #DataSecurity #EnterpriseSecurity #CyberWhackAMole #ITSecurity #CloudSecurity #DataProtection #TechNews #InformationSecurity #ITManagement #BusinessTech

The Cognitive Firewall

A Guide to Filtering the Noise and Staying Human in an Overloaded World

Why I Built This

The modern world is drowning in information but starving for clarity.

The real cost of emotional distraction and cognitive overload is not just bad information; it’s your time, energy, and life.

Many people cling to their outrage or distractions as a healing mechanism, and I get it. Anger is often easier than pain, and distraction is easier than introspection. But as time passes, the question becomes: What are we really doing with our lives?

There was a time when I’d flip through cable news while cooking dinner, only to notice that each channel was spinning the same story in a different emotional direction. I wasn’t being informed. I was being steered. And so were millions of others.

Each network tugged at emotions, shaping opinions and how people felt. It was less about informing and more about steering. That was my tipping point. I canceled cable and stepped away, calling it my first step to building The Cognitive Firewall.

But the problem wasn’t just TV. It was everywhere: headlines that provoke instead of informing, outrage-fueled social media cycles, and echo chambers disguised as facts. As the noise rose, so did my need for clarity.

Clarity is resistance. Awareness is strength. Time is life.

With little kids, aging parents, a wife who needs me, and multiple priorities, my time is precious. I need clarity — fast.

This guide isn’t a silver bullet. It reflects how I try to stay informed without being overwhelmed, seek truth without being hijacked by emotion, and reclaim time and intention in a noisy world.

This guide is not about changing minds but reclaiming your own.

Core Principles

  • Efficiency over Exhaustion
  • Clarity over Noise
  • Emotion is a Signal, not a Compass
  • Tolerance over Tribalism
  • Time Is Life

Basic Firewalling

This guide is shaped by my limited time and broader interests.

  • If it’s stealing my peace, it’s costing too much.
  • I don’t need (to know) everything—just the right things.
  • Loud headlines often hide quiet truths.
  • Feel it, but don’t be led by it.
  • Listen without needing to convert.

The Filtering Process (Quick Run)

  1. Headline Triage
  2. Signal vs. Noise
  3. Source Stacking
  4. Emotional Checkpoint
  5. Synthesis

This is for you if…

  • You feel overwhelmed by today’s information landscape.
  • You’re tired of emotional manipulation disguised as news.
  • You want to stay informed without being consumed.
  • You believe in living with intention, not just reacting.

This guide isn’t for those clinging to comfort. It’s for those willing to ask, “Have I been misled?” and who want to reclaim their time, clarity, and peace of mind.

It’s also for those who want to help others navigate the information storm—not with judgment but with awareness and empathy.

Final Words

We were never meant to be just cogs in a machine. Technology was meant to connect us, not divide us. But the constant stream of outrage, distraction, and tribal noise pulls us apart, and I use my Cognitive Firewall to push it back.

If this resonated with you, feel free to share, adapt, or build upon it. The goal isn’t perfection—it’s progress.

Let’s protect our clarity, preserve our time, and keep our minds our own.

You can also find this post on LinkedIn: The Cognitive Firewall↗

Rethinking Vendor Trust – Broadcom’s Blow to Fair Trade and IT Stability

Imagine purchasing a product with the understanding that you can maintain and service it for years to come. Now imagine that the company that sold you the product changes the rules, telling you that you can only keep using it if you pay for a more expensive and ongoing service you didn’t agree to when you bought it. This is what Broadcom has done to businesses using VMware software.

This issue isn’t just about IT—it’s about fairness, trust, and the precedent it sets. If Broadcom can retroactively change the rules for its software, what’s stopping similar tactics for consumer products, apps, or even services we use every day? The possible impact can be far and wide, as it opens the door for companies to devalue what you’ve already paid for and force you into costlier arrangements.

This move is more than a cost shift—it’s a disruption to trust in enterprise agreements, operational stability, and future IT investments, and fundamentally alters the value proposition upon which many organizations based their purchasing decisions.

Broadcom’s decision to discontinue Support and Subscription Services (SNS) for VMware perpetual licenses is a clear example of unfair trade practices. If companies can retroactively alter licensing agreements, customers are left vulnerable to coercive practices that devalue their investments, creating financial uncertainty and operational risk.

For years, perpetual licensing offered businesses a predictable, stable investment in critical IT infrastructure. Businesses purchased these licenses with the understanding that SNS would remain available to maintain functionality and security. Broadcom has now retroactively devalued this model, forcing companies to subscribe to services that may not align with their budgets or operational needs.

The termination of perpetual license support by Broadcom is a wake-up call for businesses financial planning and raises serious concerns about the honorability of this posture.

We must hold vendors accountable to honor their commitments and preserve the integrity of investments, and Broadcom’s actions deserve scrutiny, not just for the IT industry but also for what this could mean for consumer rights in the future.

For organizations relying on VMware products, this change leads to unexpected costs, compliance issues, and potential disruptions. It also raises a more profound question: how do we ensure that our vendors remain trustworthy and honor long-term commitments?

Potential Legal Venues and Claims

  • Breach of Trust and Contractual Expectations
  • Potential Legal and Ethical Violations
  • Breach of Implied Covenant of Good Faith and Fair Dealing
  • Misrepresentation or Fraudulent Inducement
  • Unfair Trade Practices and Customer Coercion
  • Operational Risks to Critical Systems
  • Class Action Lawsuits
  • Breach of Warranty
  • Antitrust Claims

AT&T Services, Inc. v. Broadcom Inc.

AT&T Services, Inc. v. Broadcom Inc. (as successor to VMware, Inc.) and VMware, Inc.
654490/2024 – New York County Supreme Court

Verified Complaint filed in the New York Supreme Court. The complaint alleges breach of contract, breach of the implied covenant of good faith and fair dealing, and seeks declaratory and injunctive relief.

654490_2024_AT_T_SERVICES_INC_v_BROADCOM_INC_et_al_COMPLAINT_2Download

Broadcom’s decision has led to a notable case involveing AT&T, which filed a lawsuit against Broadcom in August 2024. AT&T alleged that Broadcom breached their contract by refusing to renew support services for previously purchased perpetual VMware software licenses unless AT&T agreed to purchase additional bundled subscription services.

AT&T’s lawsuit emphasized the critical role of VMware’s software in its operations, supporting approximately 75,000 virtual machines across 8,600 servers. The telecommunications giant argued that losing support could lead to operational disruptions, potentially affecting services provided to millions of customers, including first responders and national security communications.

In response, Broadcom contended that AT&T was not entitled to renew support services, citing an “End of Availability” provision that allows VMware to retire products and services upon notice. Broadcom also argued that AT&T had been aware of VMware’s transition to a subscription model and had sufficient time to adapt accordingly.

The dispute was closely monitored by the industry, as it highlighted the challenges and customer dissatisfaction arising from Broadcom’s shift in licensing strategy.

In October 2024, Broadcom and AT&T reached a settlement, the terms of which were not publicly disclosed.

Broadcom’s move away from perpetual licenses has prompted scrutiny from other customers and industry observers, raising questions about the company’s commitment to honoring existing agreements and the impact on customer relationships.

While the AT&T lawsuit is a prominent example, it reflects broader concerns within the IT ecosystem.

A Call to Action

This issue extends beyond a single vendor or product—it challenges the foundational trust between technology providers and their customers. Broadcom’s actions warrant scrutiny not only for their immediate impact but for the precedent they set in devaluing perpetual license models.

Organizations, regulators, and policymakers must evaluate this shift carefully to ensure fair treatment, protect operational continuity, and maintain competition in the enterprise IT market.

We must act to prevent a dangerous precedent that places businesses at the mercy of vendor-driven licensing changes, protecting the long-term integrity of enterprise technology investments.

Take Action: Sign the Petition Now!

We’re calling on Broadcom to reinstate SNS for perpetual licenses and honor their original agreements. Together, we can send a clear message that businesses and professionals will not tolerate unfair practices.

Your voice matters. By signing this petition, you’ll help bring attention to this issue and push for accountability from one of the industry’s largest players. With enough support, we can ensure this critical issue reaches the desks of industry leaders, regulators, and policymakers.

📢 Sign the Petition on Change.org Now!

Every signature counts. Share the petition with your network and join us in the fight for fairness in IT licensing!

Regulatory Complaints Options

Letter to Regulatory Agencies

Subject: Urgent Concern regarding Broadcom’s Discontinuation of Perpetual License Support and Its Implications for Fair Trade Practices

[Date]

[Recipient Name/Title]
[Agency/Committee/Organization Name]
[Address]
[City, State, ZIP]

Dear [Recipient Name/To Whom It May Concern],

I am writing to formally raise concerns regarding Broadcom’s decision to discontinue Support and Subscription Services (SNS) for VMware perpetual license holders, which has forced customers to transition to a subscription-based model. This decision, in my view, raises serious questions about the fairness, legality, and ethical implications of such a fundamental shift in licensing practices.

Background

For many years, VMware’s perpetual licensing model has been a cornerstone of IT infrastructure, allowing organizations to make substantial upfront investments with the assurance of renewable SNS to maintain security, compliance, and operational stability. With Broadcom’s acquisition of VMware, perpetual SNS has been terminated, effectively retroactively devaluing these licenses and creating significant operational and financial risks for customers.

Concerns

  1. Breach of Trust and Contractual Expectations
    VMware perpetual licenses were marketed with the understanding that SNS would remain available to maintain functionality and security. Broadcom’s decision to unilaterally discontinue SNS fundamentally changes the value proposition of these licenses, impacting organizations that rely on them for critical operations.
  2. Unfair Trade Practices and Coercive Behavior
    The elimination of SNS leaves customers with no choice but to adopt subscription models that may not align with their needs or budgets. This shift raises questions about anti-competitive practices, particularly tying arrangements and forced transitions to services that customers did not initially agree to purchase.
  3. Impact on Critical Infrastructure
    Many organizations depend on VMware products for mission-critical operations. Broadcom’s decision jeopardizes the stability and security of these systems, increasing the risk of disruptions, compliance violations, and financial losses.
  4. Potential Legal Violations
    Broadcom’s actions may violate federal and state laws, including:
    • Antitrust laws: Forcing customers into subscription limits and imposing undue financial burdens.
    • Consumer protection laws: Perpetual licenses sold with the implied promise of ongoing SNS are now rendered less functional without proper financial accommodation or transitional options.

Request for Action

I respectfully urge your office to investigate the following:

  • Whether Broadcom’s actions constitute anti-competitive behavior or violate unfair trade practices laws.
  • The legal and ethical implications of retroactively devaluing perpetual licenses without providing viable alternatives for SNS.
  • The broader impact on organizations relying on VMware products, particularly in critical sectors like healthcare, telecommunications, and public safety.

Additionally, I request that Broadcom be required to:

  • Offer transitional support options for perpetual license holders.
  • Provide transparency regarding the financial and operational impact of this policy change on its customers.

Conclusion

Broadcom’s decision sets a dangerous precedent in the IT industry, undermining trust in perpetual licensing models and threatening operational stability for organizations worldwide. I urge your office to take swift and decisive action to address these concerns and ensure fair treatment of affected customers.

Please do not hesitate to contact me if further information or documentation is needed. I am available to discuss this matter at your earliest convenience.

Thank you for your attention to this important issue.

Sincerely,
[Your Full Name]
[Your Title]
[Your Organization]
[Contact Information]

Key Contacts to Consider

To effectively address our concerns, we can engage with specific congressional committees and representatives who oversee consumer protection matters.

Here are key contacts to consider:

Senate Judiciary Subcommittee on Competition Policy, Antitrust, and Consumer Rights

Senator Amy Klobuchar (D-MN)

As Chair, Senator Klobuchar leads the subcommittee responsible for overseeing antitrust enforcement and competition policy.

Senator Mike Lee (R-UT)

Senator Lee is the Ranking Member and leading Republican on the subcommittee, focusing on antitrust issues.

House Judiciary Subcommittee on the Administrative State, Regulatory Reform, and Antitrust

Representative Thomas Massie (R-KY)

Rep. Massie leads the subcommittee overseeing antitrust matters and regulatory reforms.

Representative David Cicilline (D-RI)

Rep. Cicilline serves as the senior Democrat on the subcommittee, with a focus on antitrust issues.

House Energy and Commerce Subcommittee on Innovation, Data, and Commerce

Representative Gus Bilirakis (R-FL)

Rep. Bilirakis leads the subcommittee overseeing consumer protection and commerce issues.

Representative Jan Schakowsky (D-IL)

Rep. Schakowsky serves as the senior Democrat on the subcommittee, focusing on consumer protection.

Federal Trade Commission (FTC) – Office of Congressional Relations

The FTC enforces federal antitrust and consumer protection laws and monitors unfair business practices, including tying arrangements, anti-competitive behavior, and customer coercion.

U.S. Department of Justice (DOJ) – Antitrust Division

The DOJ investigates potential violations of antitrust laws, including anti-competitive mergers and business practices.

Advocacy and Other Industry Groups

Public Knowledge
  • Why: Public Knowledge is a consumer advocacy group that focuses on promoting competition and fair digital markets.
  • Website: Public Knowledge Contact Page
Electronic Frontier Foundation (EFF)
  • Why: EFF advocates for digital rights, fair technology policies, and corporate accountability.
Information Technology Industry Council (ITI):
  • Why: ITI advocates for fair trade practices and policies that promote innovation and competition.
  • Contact: ITI Contact Page
CompTIA Public Advocacy

Engagement Steps

  1. Compile detailed information about how Broadcom’s policy change adversely affects your organization and the broader market.
  2. Write a concise letter outlining your concerns, referencing potential antitrust and consumer protection issues; use the letter above as a template.
  3. Contact the above-listed officials and agencies, providing your documentation and requesting an investigation or policy review.
  4. Maintain communication to track the progress of your concerns and offer additional information if needed.

National See Something Say Something Day: Your Role in Community Safety

🛡️ September 25 is approaching, marking the National ‘See Something, Say Something’ Awareness Day, an important reminder that security is a collective responsibility we all share. #HumanFirewall #BeyondCyber

👁️ The “If You See Something, Say Something®” campaign, launched by the U.S. Department of Homeland Security, empowers individuals to help protect their communities by reporting suspicious activities.

Together, we can make a difference. If you see something that does not feel right, say something — it could help prevent the next attack.

🚨 Why It Matters: Reporting suspicious behavior can help prevent potentially harmful situations, including terrorist incidents. A seemingly small or insignificant observation might be a key piece of a much larger puzzle. Your vigilance could be the difference in preventing a tragedy. It’s a simple idea, but it’s powerful: We all have a role in keeping our communities safe.

🧩But what exactly constitutes suspicious activity? Let’s break it down.

What Is Suspicious Activity?

Suspicious activity refers to any observed behavior that may indicate a threat to public safety or involve criminal activity, including potential terrorism. Here are some examples:

  • Expressed or Implied Threats: Making statements that threaten harm to people, facilities, or infrastructure.
  • Unauthorized Intrusion: Attempting to breach restricted areas or impersonating authorized personnel.
  • Unusual Material Storage: Storing large quantities of items like chemicals, weapons, or cell phones without a clear purpose.
  • Surveillance: Showing unusual interest in facilities, personnel, or security protocols by taking photos or videos covertly.
  • Cyber Attacks: Disrupting or compromising an organization’s IT systems in an attempt to cause harm.
  • Testing Security: Probing or testing a facility’s security systems to assess their strengths or weaknesses.

These activities are concerning not because of who a person is, but because of their actions. The security community and organizations urge everyone to report suspicious behavior—not based on someone’s appearance but on their actions.

Reporting suspicious behavior could potentially stop the next terrorist incident. Even a seemingly unimportant observation may be a piece of a larger puzzle.

What to Do if You See Suspicious Activity

It’s critical to report activities that feel off or seem unusual, especially when they suggest planning or preparation for harmful actions. Examples include someone breaking into a restricted area or gathering information about a facility’s security measures.

Remember: Race, gender, religion, or appearance are not indicators of suspicious behavior. Focus on the activity itself and report the behavior to local authorities or the appropriate channels.

Join the Effort on September 25

Let’s commit to staying aware and prepared on #SeeSayDay and throughout the year. Recognize the signs, report them, and play your part in maintaining the safety of our families, friends, and communities.

🔗 For more resources and guidance on what to look for, watch the awesome informative videos created by the New Jersey Office of Homeland Security and Preparedness (NJOHSP).

NJOHSP “See Something, Say Something” School Challenge 

NJOHSP PSA – “See Something, Say Something”

#SeeSayDay #CommunitySafety #CyberSecurity #PublicSafety #SecurityAwareness #ITSecurity #SeeSomethingSaySomething

https://www.dhs.gov/see-something-say-something

Navigating the Fallout: Lessons from the CrowdStrike Outage for the Future of Cybersecurity and Digital Resilience

The global computer outage on July 19, 2024, caused by a faulty software update from CrowdStrike, underlines the vulnerability of complex technological systems and the importance of robust incident response plans. The incident disrupted multiple industries worldwide, shedding light on the fragility of interconnected systems. The update introduced a critical error, crashing nearly 9 million Windows computers and impacting various sectors, emphasizing the potential for a single point of failure to escalate into a global crisis. This event underscores the significance of rigorous testing of updates, comprehensive incident response plans, and continuous improvement in security measures to combat the invisible threat of cyber warfare.

Summary

The global computer outage of July 19, 2024, serves as a reminder of the weaknesses inherent in our complex technological ecosystems. This incident, triggered by a faulty software update released by CrowdStrike, reverberated across multiple industries, causing widespread disruptions and highlighting the critical need for robust incident response plans, continuous improvement, and vigilance – a blunt reminder that strategic preparedness and rapid incident response are more crucial than ever in our age of ever-evolving cyber threats.

The Incident Unveils

It was 0147 EDT, overnight and into Friday.

The unusual stillness for a bustling Thursday evening and the paradox of the tech world came into play—the approaching weekend against the eerie thoughts of updates being released into production systems. 

As I was about to call it a night, the silence was shattered by the shrill ring of systems alerts and monitoring dashboard lights changing status, followed by ringing phones. The almost full moon cast a silvery glow over the misty mountain, starkly contrasting the chaos unfolding in the tech world.

This Friday would be unlike any other in our IT history. Our interconnected world was on the brink of an event that would underscore our systems’ fragility and highlight our false sense of security—a reminder of the delicate balance we maintain in our digital lives.

Incident Overview

For the ones unsure, CrowdStrike is a cybersecurity company with a significant market presence and serves various industries globally. One of their main products, Falcon, provides endpoint protection through real-time threat detection, prevention, and response, using advanced Artificial Intelligence and Machine Learning to identify and mitigate security threats.

A software update from CrowdStrike containing a critical error caused nearly 9 million Windows computers to crash worldwide, leading to widespread system failures and affecting numerous industries globally, including nearly 700,000 direct enterprise customer relationships between CrowdStrike and Microsoft.

The fragility of our interconnected systems was demonstrated when airlines faced delays and cancellations, financial institutions experienced disruptions in online banking and ATM services, and media companies saw interruptions in broadcasting.

This incident not only disrupted day-to-day operations but also highlighted the potential for a single point of failure to cascade into a global crisis.

A Technical Overview

CrowdStrike updates are installed automatically into production environments to ensure that the systems are protected with the latest security measures against emerging threats. This practice helps maintain high security but can lead to widespread outages if an update contains a flaw, as seen in the recent outage.

The faulty software update from CrowdStrike introduced a critical error in the .sys channel file, which is integral to system operations and contains a logic bug that disrupts the normal functioning of the Windows system. Security tools like CrowdStrike’s Falcon use these files to monitor system behaviors at a granular level, providing real-time protection against threats and protecting system activities at a deep level.

These .sys files act as drivers or kernel modules, facilitating communication between the operating system and hardware components, operating at a low level, or providing necessary services to the computer system, often interacting directly with the hardware or core system functionalities to manage resources, perform input and output operations, and ensure system stability.

An Insight into the Invisible Enemy

As we experienced firsthand, the impact of critical systems outages can be as disruptive and devastating as traditional warfare. An invisible enemy, such as a bug or a malicious code, can disrupt nations and large operations worldwide with resources at a fraction of the cost of conventional warfare methods. For instance, deploying a cyberattack is significantly inexpensive and less conspicuous than an electromagnetic pulse (EMP) attack, which would escalate tensions and likely provoke retaliation on a larger scale.

The interconnectedness of modern IT systems means that a failure in one component can have cascading effects, impacting numerous sectors simultaneously. The ability to disrupt critical infrastructure, financial systems, and communication networks can cripple a nation’s economy and security without firing a single shot.

The CrowdStrike fiasco illustrates the power and efficiency of digital warfare, which has rendered me many sleepless nights as the contrast between the invisible threats posed by software and the visible, traditional means of waging war.

Unlike physical attacks that require significant infrastructure, personnel, and logistics, cyberattacks can be executed remotely with little risk to the attacker. The stealth and anonymity provided by the internet allow nefarious actors to launch attacks that are difficult to trace and attribute, thus avoiding immediate retaliation.

This scenario underscores the importance of viewing cybersecurity not just as a technical issue, but as a matter of national security, highlighting the need for robust and comprehensive incident response plans, and the continuous improvement of security measures to protect against the invisible enemy that can strike without warning.

Strategic Insights

The CrowdStrike incident offers several strategic insights into the vulnerabilities of complex systems. First, it highlights the necessity of rigorous testing and validation of updates before deployment. A single faulty update can have far-reaching consequences, disrupting multiple sectors simultaneously.

Second, the incident underscores the need for comprehensive incident response plans. Organizations must conduct regular vulnerability assessments, implement advanced threat detection tools, and ensure continuous monitoring of their systems. Effective communication protocols are also essential to inform stakeholders and manage the crisis transparently.

My account as an Incident Response Leader

What I’m about to share underscores the critical importance of a robust incident response plan and the necessity of continuously enhancing security measures.

However, I must emphasize that, through the exceptional efforts of our world-class IT team (Application, Infrastructure, and Security), whose dedication I had the privilege of witnessing firsthand, we achieved close to total restoration of systems across multiple data centers and continents before CrowdStrike’s released a statement about the incident – even before many users had their first cup of coffee for the day. This remarkable achievement proves the extraordinary caliber of Haystack’s IT group’s understanding of the landscape and commitment to excellence. The team’s relentless efforts and hands-on approach transformed the recovery into an exemplary model of efficiency and excellence.

On that fateful night, as I prepared to call it a night and started investigating and assessing the cause of my systems going offline across data centers globally, I revisited the “Planning Considerations for Cyber Incidents” guide from my previous experiences with the Cybersecurity and Infrastructure Security Agency (CISA), an arm of the US Department of Homeland Security.

The CISA guide provides a structured framework for assessing the situation, activating the incident response team, and implementing effective containment and recovery strategies. By using the procedures in the CISA document as a guideline, in conjunction with my team’s Business Continuity, Disaster Recovery, and Incident Response plans, we were able to execute a coordinated and effective response in a structured manner.

Once the incident response protocol was initiated, we were tasked with restoring access and reestablishing timely availability for the affected platforms. We found the pattern within the system outage, identified and organized the affected systems, and initiated a detailed analysis to identify the root cause. We coordinated with internal teams and external stakeholders; we communicated regularly to inform everyone of our progress and manage expectations accordingly.

Our focus on system restoration involved rolling back faulty systems, composing a structured recovery procedure based on rigorous testing, outlining team members’ responsibilities, and distributing the vetted recovery steps with the group. We followed post-restoration, comprehensive validation, and user acceptance testing to ensure all systems were fully operational.

What Nefarious Actors Can Learn from This

While CrowdStrike has stated that the incident was not a cyberattack, the scenario described aligns with known patterns of nation-state supply chain attacks aimed at long-term espionage. These attacks require advanced capabilities and are designed to remain undetected while extracting valuable data over extended periods.

Nefarious actors, including rogue nations, state-sponsored hackers, and organized cybercriminal groups, can glean several insights from the CrowdStrike outage, as far as creating a sense of instability and uncertainty, making it easier to execute larger-scale attacks when defenses are perceived as unreliable while eroding trust in security controls and providers.

During such events, attackers can observe how quickly and effectively organizations respond and recover, gaining an understanding of the strengths and weaknesses of incident response plans. This knowledge allows them to craft more effective attacks in the future.

The incident also underscores the potential impact of targeting critical infrastructure components. By compromising security tools like CrowdStrike, attackers can create a ripple effect, disrupting multiple industries and sectors. This is particularly attractive for state-sponsored actors aiming to cause widespread disruption.

Strategic Recommendations

In light of the outage caused by CrowdStrike’s system update, organizations can focus on enhancing their incident response and cybersecurity measures. Here are some specific recommendations:

  • Schedule and conduct a cybersecurity incident response simulation within the next quarter. Use real-world scenarios to test current plans’ effectiveness and identify improvement areas.
  • Cybersecurity should be included as a regular agenda item in board meetings. Review the organization’s security posture, recent incidents, and ongoing improvement initiatives.
  • Create a flexible, modular, scalable security architecture that allows centralized policy orchestration but decentralized enforcement. This will help protect all endpoints and systems more effectively.
  • Perform a comprehensive risk assessment of all third-party vendors and partners. Ensure they adhere to strict cybersecurity standards and have robust incident response plans.
  • Implement a zero-trust security model, which assumes that threats can come from outside and inside the network. This involves continuous verification of user identities, strict access controls, and real-time monitoring of all network activities.
  • Leverage artificial intelligence and machine learning to detect anomalies and potential threats in real-time. These technologies can analyze vast amounts of data and identify patterns that might indicate a cyberattack, enabling quicker and more effective responses.

Practical Advice for Individuals and Businesses

In addition to organizational recommendations, individuals and small businesses can also take steps to enhance their cybersecurity posture:

Cybersecurity Steps

  • Implement regular data backup procedures to ensure that critical information can be recovered in case of a cyberattack.
  • Post-incident analysis and continuous improvement are vital for enhancing resilience against future threats.
  • Conducting thorough post-mortem reviews helps identify gaps in the response process and provides valuable insights for refining incident response plans.
  • Training staff based on lessons learned from incidents ensures the organization is better prepared for future crises.
  • Install and maintain robust firewall and antivirus software to protect against common threats.
  • Conduct regular cybersecurity training sessions for employees to raise awareness and ensure they understand best practices.

Cyber Hygiene Tips

  • Ensure that all devices and software are regularly updated to patch known vulnerabilities.
  • Use strong, unique passwords for different accounts and enable multi-factor authentication (MFA) wherever possible.
  • Be cautious of phishing emails and links. Verify the source before clicking on any links or downloading attachments.

By recognizing these items, we can better prepare for the evolving landscape of cyber warfare, ensuring that our systems are resilient and capable of withstanding the sophisticated threats posed by those who seek to exploit them or vendor negligence.

Our personal data is a goldmine for cybercriminals. Vigilance in safeguarding our data is paramount.

#CybersecurityAwarenessMonth🎉🔒

In this third part of #DerettiTalks 🤖 #CyberAwareness

💡Our personal data is a goldmine for cybercriminals. Vigilance in safeguarding our data is paramount.

🔒#PrivacyMatters – Privacy can be viewed from a philosophical perspective as an essential element of personal autonomy; this concept highlights each person’s capacity to make decisions about their life free from outside interference. This same idea was pioneered by the luminaries of social contract theory, such as John Locke and Jean-Jacques Rousseau, who argued that all individuals possess certain inalienable rights bestowed upon them naturally, which cannot be taken away or infringed upon by any government or individual – among these natural rights, is THE RIGHT TO PRIVACY.

👨‍👩‍👧‍👦 #DigitalFootprint – Our families are in the cyber crosshairs. Educating all family members on online dangers is crucial, ensuring our children and sensitive information remain shielded. To protect ourselves and our loved ones from these hazards, security protocols must be strengthened at both personal and organizational levels, while educating family members about internet safety is also essential.

🛡️ #OnlineSafety – To safeguard against cyber threats effectively, we should deploy multiple layers of defense: two-factor authentication, software updates, avoiding public Wi-Fi networks when carrying out sensitive activities, and using strong passwords that aren’t shared with anyone else.

🌐 #DigitalHarmony – With each measure taken towards fortifying cybersecurity defenses, we preserve individual data and help build a secure digital world where innovation meets privacy requirements. By becoming proactive participants rather than passive bystanders, we create greater resilience to face tomorrow’s challenges head-on!

🔄 #DigitalResilience – Each action taken toward securing personal and family data leads us to a more secure and trustworthy digital world. Let’s uphold cybersecurity, individually and collectively, to ensure a safer space for innovation and social connection.

📊Cybersecurity breaches are on the rise; unfortunately, their consequences can be devastating. As highlighted in IBM’s 2021 Cost of a Data Breach Report, organizations take an average of 287 days to identify and contain such incidents – leaving millions exposed to potential identity theft, fraud, or invasion of privacy.

🗣 “The price of freedom is eternal vigilance.” – John Philpot Curran

#InfoSec
#DerettiTech
Electronic Frontier Foundation (EFF)
Ranking Digital Rights
Privacy International
Electronic Privacy Information Center
SANS Institute

United We Defend: Empowering the #HumanFirewall in Cybersecurity

#CybersecurityAwarenessMonth 🎉🔒

In this second part of #DerettiTalks#CyberAwareness

💡United We Defend: Empowering the #HumanFirewall in Cybersecurity

👥 The role of cybersecurity is a collective effort, transcending individual and organizational boundaries, where each of us plays a pivotal role.

🛡️As we usher into a future where digital and physical realms are seamlessly integrated, our vigilance, knowledge, and adherence to cybersecurity protocols will define our nation’s safety, security, and prosperity. #SecurityForAll

💸 Today’s interconnected world demands robust cybersecurity, and with cybercrime expected to cost $6 trillion globally this year, proactive measures must be taken. Companies and individuals alike are vulnerable to attack; thus, strong passwords, updated software, and regular education 📚 are essential tools for thwarting threats.

🔐At the core of effective defense is #SecurityAwareness.

😱 #HumanError accounts for 85% of reported data breaches in 2020 alone. Thus, organizations must implement comprehensive training programs that address current risks, empowering teams to recognize and mitigate potential dangers successfully.

🌐Knowledge truly is power when it comes to fighting cybercrime! #HumanFactor#SecurityTraining

🏛️ #NationalSecurityInFocus – Governments play a pivotal role in spearheading initiatives that counter-current cyber threats and anticipate future challenges. National defense is no longer confined to physical borders; the cyber frontier is a critical battleground where future wars will be fought. Safeguarding critical infrastructure, sensitive data, and public services is a mandate that underscores the synergy between cybersecurity and national well-being.

⚔️”We shall defend our island, whatever the cost may be.” – Winston Churchill

#InfoSec
#DerettiTech
Microsoft Security
Katie Arrington
National Counterintelligence and Security Center

Cyber Security Awareness Month

🛡️ Welcome to October – it’s the #CyberSecurityAwarenessMonth. The most thrilling month of all for those of us immersed in the ever-evolving world of digital security!

🎯My goal this month is to illuminate the pivotal role cybersecurity plays in our interconnected lives and businesses. Each week, I’ll delve into diverse yet interconnected topics, providing insights and actionable strategies to help bring awareness and enhance our digital security posture. #DerettiTalks#SecurityAwareness

🔒Let’s get ready to take our knowledge of cyber defense up a notch! Together, we can create an environment where security intersects innovation seamlessly while promoting awareness among fellow citizens around us. Your participation is key here, so don’t hesitate – join me during Cybersecurity Awareness Month for plenty of learning experiences ahead! #CyberUnity

🌐I will be delving into various topics ranging from essential principles such as data protection to more advanced concepts while I dive deep into real-world applications by examining phishing tactics, ransomware threats, cloud computing safety measures, and IoT developments – providing actionable insights and robust solutions. 

🚀As we embark on this journey together, I am eager to uncover and understand how cybersecurity plays an integral part in our interconnected lives and businesses. #DigitalSafety

🤝Together, let’s elevate our understanding, fortify our defenses, and foster a digital ecosystem where security and innovation thrive symbiotically. #DerettiTalks 🤖 #CyberAwareness

A Philosophical Take on the Right to Privacy

I have always advocated for the concept of privacy as an inviolable and unassailable freedom.

The inalienable right to privacy has been a cornerstone of existential thought since the great social contract theorists, such as John Locke and Jean-Jacques Rousseau. From a philosophical standpoint, this concept encompasses individuals’ capacity for self-governance; it is an integral part of personal autonomy that allows each person the freedom to make decisions about their life without any interference from external forces.

The right to privacy has long been a matter of debate, but there is one particularly compelling argument that stands out: it’s a fundamental human entitlement bestowed by the divine. This idea has evolved over time and become enshrined in legal documents like the US Constitution and Universal Declaration Of Human Rights, which acknowledge how critical individual autonomy and secrecy are for sustaining our pride, independence, and joyfulness. In short – privacy is essential for protecting our most basic needs.

Therefore, we can see that guaranteeing everyone’s entitlement to privacy not only serves our interests but also meets our moral obligations towards others, allowing every person equal opportunities within society regardless of background or beliefs so they may pursue their desires with peace of mind knowing they will not be judged nor hindered by outside sources.

In my previous “Will Technology Ever Rule the World” podcast, I discussed that as we move further into the digital age, it is imperative that individuals take the necessary steps to protect their online privacy. From using anonymous browsing tools and virtual private networks (VPNs) to downloading relevant apps, there is an array of options available for those who desire secure communications free from unwanted surveillance or data harvesting – something once only dreamed of in science fiction tales. Though mass data collection can be seen as a convenience by some businesses and governments, its abuse threatens our right to autonomy over our own information. We must make use of powerful encryption technology and other innovative solutions if we wish to safeguard ourselves against such intrusions on our personal lives.

Although these freedoms come with great responsibility, taking advantage of such measures is an important step towards preserving your rights as a person both online and off. So why not make sure you’re doing everything in your power? After all, protecting yourself should be at the top of everyone’s priority list when navigating our high-tech age.

An Introduction to eDiscovery – Part 1 of 2

It can still be challenging to explain what eDiscovery is and what we do in this industry, even after being in it for over a decade, particularly when my work area is in the black hole of information security and infrastructure.

I’m here to attend to the inquiry of friends and other IT colleagues that requested me to write an introductory article about eDiscovery, as clearly I can’t explain it or make sense of it orally.

When I started composing this introduction, I noticed that it was turning long and boring, so I decided to break it down into two parts – so here we go.

Introduction

eDiscovery (Electronic Discovery) is the process of identifying, collecting, processing, and reviewing electronically stored information (ESI) during litigation. It is a critical component of modern-day litigation as the vast majority of information is now created and stored electronically.

Principles of eDiscovery

The principles of eDiscovery are based on the idea that all relevant information should be identified, preserved, and produced in a manner that is defensible and proportional to the needs of the case. These principles are based on the rules of civil procedure in the United States, which govern the conduct of litigation and the exchange of information between parties.

Some of the key principles of eDiscovery include:

Proportionality: Information requested and produced during eDiscovery must be proportional to the needs of the case, taking into account factors such as the amount in controversy, the importance of the issues at stake, and the parties resources.

Preservation: Parties are obligated to preserve relevant information once litigation is anticipated or initiated, and failure to do so can result in severe sanctions.

Cooperation: The parties are expected to cooperate to ensure that eDiscovery is conducted promptly, efficiently, and cost-effectively.

Transparency: The parties must be transparent in their eDiscovery efforts, providing detailed information about the sources of information, the collection methods used, and the tools used to process and review the information.

The EDRM Framework

The Electronic Discovery Reference Model (EDRM) is a widely recognized framework for the eDiscovery process. The EDRM provides a high-level overview of the steps involved in eDiscovery and is useful for organizing and managing eDiscovery efforts.

The EDRM consists of the following stages:

Information Management: The first stage of the EDRM involves identifying and managing information that may be relevant to the case.

Identification: The next stage involves identifying potentially relevant information and sources.

Preservation: The third stage involves preserving potentially relevant information to ensure it is not lost or destroyed.

Collection: The fourth stage involves collecting potentially relevant information defensibly.

Processing: The fifth stage involves processing the collected information to make it searchable and reviewable.

Review: The sixth stage involves reviewing the processed information to identify relevant documents and data.

Analysis: The seventh stage involves analyzing the reviewed information to gain insights into the case.

Production: The final stage involves producing the relevant information to the opposing party.

Famous Use and Cases

Many high-profile cases have involved eDiscovery, some of which have set legal precedents and shaped the way eDiscovery is conducted today. Here are some examples:

Enron: The Enron case was one of the largest and most complex eDiscovery efforts in history. The case involved over 3.7 million pages of documents and resulted in new eDiscovery software and technology being developed.

Apple v. Samsung: The Apple v. Samsung case is a well-known example of eDiscovery in the context of intellectual property litigation. The case involved the production of large amounts of ESI, including emails, memos, and other documents.

Zubulake v. UBS Warburg: This case is widely recognized as a landmark eDiscovery case. The court in this case established the principle that the cost of eDiscovery should be shared by the parties and that the requesting party should bear the costs of producing ESI that is not reasonably accessible.

TL;DR

  • eDiscovery is the process of identifying, collecting, processing, and reviewing electronically stored information (ESI) during the litigation process.
  • The principles of eDiscovery include proportionality, cooperation, preservation, transparency, and defensibility.
  • The goal is to identify and collect the minimum amount of data necessary to achieve the investigative objectives, while also ensuring that the data is preserved in a forensically sound manner and that the process is transparent and defensible, meaning that all steps are documented and can be supported in court if necessary.
  • Throughout the eDiscovery process, it is important to maintain transparency and communication with all parties involved. This includes ensuring that all parties are aware of the data sources, collection methods, and processing techniques used.