jre
Sep 2, 2011

To the cloud ?



go3 posted:

and in non-business environments?

online friend posted:

don't browse the internet like a moron, use adblockers and don't open shady emails

and don't download shady poo poo from wehavefiles4u.ru


RISCy Business
Jun 17, 2015

Fun Shoe
seriously, i haven't run AV in years and haven't had a single issue

utilize common sense unless you are incapable of doing so, in which case you should contact your ISP and have them disconnect your service immediately before they have to call you and tell you that your IP is DoSing some random website in china

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
don't browse the internet like a moron.

christ we can't even convince people to stop getting blackout drunk while pregnant.

RISCy Business
Jun 17, 2015

Fun Shoe

go3 posted:

don't browse the internet like a moron.

christ we can't even convince people to stop getting blackout drunk while pregnant.

so you advocate using a piece of software that, in the modern age, is little more than a feel-good bandaid rather than a legitimate line of defense against malware, instead of focusing on user education and making basic poo poo like a good adblocker readily available and easy to discover?

jre
Sep 2, 2011

To the cloud ?



go3 posted:

don't browse the internet like a moron.

christ we can't even convince people to stop getting blackout drunk while pregnant.

True, but paid-for antivirus isn't going to do anything for these folk either

Thanks Ants
May 21, 2004

#essereFerrari


So is the point basically that an environment with average users where endpoints can't be locked down with AppLocker should just be prepared to recover from backups a lot? I heard that AV is poo poo loads of times in the other thread but is there literally nothing that can be done if the user is an idiot and training is also not an option? Is OpenDNS Umbrella a load of crap as well?

thebigcow
Jan 3, 2001

Bully!

anthonypants posted:

People will write off Lenovo altogether because they included a root SSL cert on every computer, but if an antivirus installs a remotely-exploitable rootkit or keylogger, well, that's just the cost of doing business.

That, and firmware that silently modifies Windows. https://www.google.com/#q=lenovo+firmware+backdoor

RISCy Business
Jun 17, 2015

Fun Shoe

Thanks Ants posted:

Is OpenDNS Umbrella a load of crap as well?

literally never heard of this but it sounds like magic snake-oil bullshit geared towards executives who want to meet arbitrary guidelines for security that they set themselves so i'm gonna say yes


Thanks Ants posted:

So is the point basically that an environment with average users where endpoints can't be locked down with AppLocker should just be prepared to recover from backups a lot?

keep regular backups, keep them offsite, have a disaster recovery plan and plans for restoring workstations/laptops/etc


Thanks Ants posted:

literally nothing that can be done if the user is an idiot and training is also not an option?

when and where is training not an option? if you're in a business environment, roll out good, modern browsers with basic security/privacy stuff (ublock origin, httpseverywhere, etc) preinstalled. make it so that they need local admin to install poo poo, and only give them local admin if they have a track record of being someone who isn't a literal loving retard. this is exactly how my last company did it: Active Directory established user permissions and rights, but you needed local admin to install stuff, or have IT install it for you.

if you're building a PC for your mom or dad, do the exact same loving thing. set up automatic updates to run when they won't be using the computer, say 3 AM their time. keep their poo poo backed up and sync it somewhere remote, like a VPS running FreeNAS or something similar. keep a good backup rotation policy so the drive doesn't fill up.

it's really loving simple to keep yourself safe without AV.

jre
Sep 2, 2011

To the cloud ?



Thanks Ants posted:

So is the point basically that an environment with average users where endpoints can't be locked down with AppLocker should just be prepared to recover from backups a lot? I heard that AV is poo poo loads of times in the other thread but is there literally nothing that can be done if the user is an idiot and training is also not an option? Is OpenDNS Umbrella a load of crap as well?

If you can't train folk to stop doing stupid poo poo, and can't lock the computer down to stop them doing stupid poo poo then the computer is going to get wrecked, and possibly everything on your shared drives as well.
I don't know why this is surprising to anyone :shrug:

RISCy Business
Jun 17, 2015

Fun Shoe
none of the poo poo that anyone is suggesting is too hard or requires a decade of high-level sysadmin experience to do. it's all really simple, basic poo poo that can be done in a weekend at most, and probably for less than the cost of your AV. if you still insist on using AV it's because you're lazy and you'd rather install something that you think is keeping you safe instead of taking steps to actually secure your poo poo.

we're not telling you this poo poo because it makes us feel smarter or superior or whatever, it's because you're simply wrong, and you keep parroting the same poo poo you've been hearing for years even after someone calls you out and says "well, actually, that's not true, and here's why:"

RISCy Business fucked around with this message at 22:00 on May 5, 2016

Thanks Ants
May 21, 2004

#essereFerrari


Well re: the training I have been looking into the KnowBe4 stuff since it's come up around here before and generally been praised, but that was also shot down because of the (admittedly dumb) name they give to their training course. I don't have the time to deliver training to people and frankly I wouldn't be any good at it since dodgy attachments in an email from someone I have never spoken to before look really dodgy anyway. I imagine getting myself into the mindset where I can understand why people blindly download Invoice_002.zip and then open the .js file inside it would be impossible so it would be hard to deliver training and not come across like a complete dick when people started struggling.

And it's a new enough field that getting someone in to train people on it could literally be some total charlatan and a waste of money. My backups are good but there is going to always be an element of CEOs wanting to solve problems with buying stuff so that staff don't need to feel responsible for computer security. I'm not saying AV is it, at all, and it's only installed on systems I manage because we have a client that insists on it.

online friend posted:

literally never heard of this but it sounds like magic snake-oil bullshit geared towards executives who want to meet arbitrary guidelines for security that they set themselves so i'm gonna say yes

I assume any AV element is similar to having antivirus running on a firewall, presumably they use the same engines that the commercial AV vendors use which explains why nothing is gained by it being there?

Thanks Ants fucked around with this message at 22:03 on May 5, 2016

RISCy Business
Jun 17, 2015

Fun Shoe

Thanks Ants posted:

Well re: the training I have been looking into the KnowBe4 stuff since it's come up around here before and generally been praised, but that was also shot down because of the (admittedly dumb) name they give to their training course. I don't have the time to deliver training to people and frankly I wouldn't be any good at it since dodgy attachments in an email from someone I have never spoken to before look really dodgy anyway. I imagine getting myself into the mindset where I can understand why people blindly download Invoice_002.zip and then open the .js file inside it would be impossible so it would be hard to deliver training and not come across like a complete dick when people started struggling.

And it's a new enough field that getting someone in to train people on it could literally be some total charlatan and a waste of money. My backups are good but there is going to always be an element of CEOs wanting to solve problems with buying stuff so that staff don't need to feel responsible for computer security. I'm not saying AV is it, at all, and it's only installed on systems I manage because we have a client that insists on it.

you don't need to pay someone else for security training. it basically boils down to a few simple things:

  • don't download shady poo poo
  • if you get an email that looks sketchy, delete it. if it came from someone you know or work with (or looks like it did, spoofing is real), reach out to them to see if it was legit. they can send it again if it was.
  • verify who you're talking to when you get a phone call. i got a call a month or so ago about potentially fraudulent transactions from my bank from a number i didn't recognize. i hung up and called the branch that i do my banking through instead.
  • if it looks too good to be true, it more than likely is. free visa gift card for giving your address, name and phone number? probably a scam.
  • if in doubt, go to a manager, supervisor, or IT person.

slap that poo poo in a powerpoint.

i'm not saying you won't have some fuckups, but that's why you have your backup and restoration plans. plan for the absolute worst possible scenarios you can imagine. for example, we had a customer at one job who used an application of ours for something that was mission critical. every single release, we would put the source and everything necessary for them to host the application inside their network on a disc, and send it to a company (like iron mountain) to be stored so that if we ever just disappeared off the face of the earth, their business would continue as normal.

RISCy Business fucked around with this message at 22:08 on May 5, 2016

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

jre posted:

Windows 7 ? 4 eva

Also in some environments (PCI) you need to be able to provide regular reports on when virus updates were installed to prove you are keeping things up to date and third party tools make this easier.

For that you'd use MSE because of course you would.

I'm not following that, Windows Updates logs when updates are installed, and MSE/Defender definition and executable updates (depending on OS version) are specifically called out in those logs. How can that be harder to track?

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
you'd think there would be a market for some sort of program that stopped old people from opening potentially malicious attachments

lampey
Mar 27, 2012

Thanks Ants posted:

Is OpenDNS Umbrella a load of crap as well?

OpenDNS prevents known botnet traffic, some phishing sites, malvertising for us. The value add is all of the other services, roaming clients, web reporting and filtering, MSP friendly admin. It reduced our time spent cleaning up malware and adware measurably. But it will depend on what type of customers you have. If you spend any time at all dealing with the aftermath of people clicking on links they shouldn't, this will help, but it is just one part of a layered approach.

KoRMaK
Jul 31, 2012



Windows Security Essentials?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

online friend posted:

you don't need to pay someone else for security training

Sort of disagree. There have been cases where I've taken certain training because it relates to my job and I wouldn't be able to learn the important aspects of it without having taken some external training. My job deals with a lot of industrial control systems (aka "SCADA") and as a result of that I've taken actual training on them just so I can understand how everything is supposed to function. I am nowhere near an expert on ICS but I can at least understand what is going on now and how poo poo can really go sideways compared to two years ago when I started working at this place.

If you're looking for training, SANS is not a terrible option especially if you're just starting out.

Thanks Ants
May 21, 2004

#essereFerrari


So related to this, how do you handle environments that are moving to BYOD with very little IT control over endpoints? Everybody connects via a VDI session? Do you try and manage the devices anyway but via MDM rather than GPO? Or is it a case of letting people do what they want but the only way they can work on shared files is through OneDrive / SharePoint / Google Drive / Box / whatever?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Thanks Ants posted:

So related to this, how do you handle environments that are moving to BYOD with very little IT control over endpoints? Everybody connects via a VDI session? Do you try and manage the devices anyway but via MDM rather than GPO? Or is it a case of letting people do what they want but the only way they can work on shared files is through OneDrive / SharePoint / Google Drive / Box / whatever?

BYOD with a policy where MDM must be applied if you want to use your own device.

RISCy Business
Jun 17, 2015

Fun Shoe

OSI bean dip posted:

Sort of disagree. There have been cases where I've taken certain training because it relates to my job and I wouldn't be able to learn the important aspects of it without having taken some external training. My job deals with a lot of industrial control systems (aka "SCADA") and as a result of that I've taken actual training on them just so I can understand how everything is supposed to function. I am nowhere near an expert on ICS but I can at least understand what is going on now compared to two years ago when I started working at this place.

If you're looking for training, SANS is not a terrible option especially if you're just starting out.

i should clarify, then: you don't necessarily need to pay someone for security training, but it depends on your users. for example, my last company was mostly developers/ops people/tech nerds, so security training for them would more than likely be a waste of money. for the 60 year old woman answering the phones, it would probably help her.

you have to evaluate your users and figure out who really needs the training.

basically: what does your threat model look like as it relates to the human beings in your office? who's more likely to disclose something they shouldn't, or open something that they shouldn't have?

RISCy Business
Jun 17, 2015

Fun Shoe

Thanks Ants posted:

So related to this, how do you handle environments that are moving to BYOD with very little IT control over endpoints? Everybody connects via a VDI session? Do you try and manage the devices anyway but via MDM rather than GPO? Or is it a case of letting people do what they want but the only way they can work on shared files is through OneDrive / SharePoint / Google Drive / Box / whatever?

i've seen good things out of using a separate WAP that can't communicate with anything internal: it can access email and whatnot if necessary, but it wouldn't be able to SSH into one of the prod servers. provide two ethernet cables max per workstation, one for the phone network only and the other for a workstation or laptop. it's not perfect, but it works.

i think the way most places i've worked at approach BYOD with the mindset of "if you're using your own device, you are NOT conducting any sort of business with it"

RISCy Business fucked around with this message at 22:15 on May 5, 2016

Thanks Ants
May 21, 2004

#essereFerrari


lampey posted:

OpenDNS prevents known botnet traffic, some phishing sites, malvertising for us. The value add is all of the other services, roaming clients, web reporting and filtering, MSP friendly admin. It reduced our time spent cleaning up malware and adware measurably. But it will depend on what type of customers you have. If you spend any time at all dealing with the aftermath of people clicking on links they shouldn't, this will help, but it is just one part of a layered approach.

They're pretty secretive about it on the website, but they do say you just change your DNS records. Does this gently caress things up for clients that are in the office needing to access internal resources since they don't get the internal DNS servers any more, or is there an agent that deals with swapping the servers out?

If the thinking behind AV is that it's a waste of money and is so poorly written that it is likely to present a larger attack surface, then I guess something that isn't installed on your machine can at worst be a waste of money.

Ghostlight
Sep 25, 2009

maybe for one second you can pause; try to step into another person's perspective, and understand that a watermelon is cursing me



The best part is when management inevitably skips the training because they're too important to attend then starts filing tickets for you to get stuff off OneDrive for them that you can't just tell them to gently caress off with because they're on the remuneration committee.


The majority of our users refuse to even learn how to join a Skype meeting.

Inspector_666
Oct 7, 2003

benny with the good hair

online friend posted:

i think the way most places i've worked at approach BYOD with the mindset of "if you're using your own device, you are NOT conducting any sort of business with it"

Doesn't that defeat the entire purpose of BYOD though?

jre
Sep 2, 2011

To the cloud ?



fishmech posted:

For that you'd use MSE because of course you would.

I'm not following that, Windows Updates logs when updates are installed, and MSE/Defender definition and executable updates (depending on OS version) are specifically called out in those logs. How can that be harder to track?

If you have a requirement to produce a report showing when definition updates were installed (which lots of regs require now :smithicide:), doing this with the free microsoft tools is loving painful by design.

Thanks Ants
May 21, 2004

#essereFerrari


online friend posted:

i've seen good things out of using a separate WAP that can't communicate with anything internal- it can access email and whatnot if necessary, but it wouldn't be able to SSH into one of the prod servers. provide two ethernet cables max per workstation, one for the phone network only and the other for a workstation or laptop. it's not perfect, but it works.

i think the way most places i've worked at approach BYOD with the mindset of "if you're using your own device, you are NOT conducting any sort of business with it"

Any reason for the physical separation over separate SSIDs and/or user profiles based on authentication method and VLANs? Is it a compliance thing?

RISCy Business
Jun 17, 2015

Fun Shoe

Ghostlight posted:

Skype meeting.

goondolences

Inspector_666 posted:

Doesn't that defeat the entire purpose of BYOD though?

i'm still not entirely sold on the concept of BYOD from a security standpoint, so if it were up to me that's exactly how it'd be. i'd rather have an asset that i can control than one that is only in the office from Monday-Friday from 9AM to 5PM, but that's just me, and i am by no means saying that i'm an expert on the subject.

RISCy Business
Jun 17, 2015

Fun Shoe

Thanks Ants posted:

Any reason for the physical separation over separate SSIDs and/or user profiles based on authentication method and VLANs? Is it a compliance thing?

i assume it's a peace of mind thing. for example, our actual work network with our dev resources and servers and whatnot was only accessible over ethernet, even for laptops. VPN was available, but needed AD credentials to log in. for some reason webmail was available from the public internet, though? :confused: not even the company intranet was available over wireless. each workstation got two ethernet cables, one that only accessed the phone network and one that could access the internet and our internal resources. but we also handled a lot of PII, so there's that.

Inspector_666
Oct 7, 2003

benny with the good hair

online friend posted:

i'm still not entirely sold on the concept of BYOD from a security standpoint, so if it were up to me that's exactly how it'd be. i'd rather have an asset that i can control than one that is only in the office from Monday-Friday from 9AM to 5PM, but that's just me, and i am by no means saying that i'm an expert on the subject.

I think BYOD is a pretty dumb idea unless it's "BYOD (that you use to connect to a secure VDI-type of thing)" so we're probably in agreement on that.

online friend posted:

i assume it's a peace of mind thing. for example, our actual work network with our dev resources and servers and whatnot was only accessible over ethernet, even for laptops. VPN was available, but needed AD credentials to log in. for some reason webmail was available from the public internet, though? :confused: not even the company intranet was available over wireless. each workstation got two ethernet cables, one that only accessed the phone network and one that could access the internet and our internal resources. but we also handled a lot of PII, so there's that.

Physically separate voice networks are still really common due to a mix of not using networking equipment that can easily handle voice VLANs, the way that VOIP providers provide equipment, and the "redundancy" of having both networks not running through the same switches/routers. It really kind of sucks from an admin/support perspective though, especially when the wires are poorly marked!

Inspector_666 fucked around with this message at 22:24 on May 5, 2016

Thanks Ants
May 21, 2004

#essereFerrari


online friend posted:

i'm still not entirely sold on the concept of BYOD from a security standpoint, so if it were up to me that's exactly how it'd be. i'd rather have an asset that i can control than one that is only in the office from Monday-Friday from 9AM to 5PM, but that's just me, and i am by no means saying that i'm an expert on the subject.

I think this is probably the source of the friction between the cross-posting in the two threads. It's great if you're in a position to be able to set that policy, but where there has to be a compromise struck people would like to do as best as they can to try and maintain some level of security. Although this discussion seems productive so far.

I don't like BYOD either because it makes everything more difficult, but sometimes you have to deal with it.

BOOTY-ADE
Aug 30, 2006

BIG KOOL TELLIN' Y'ALL TO KEEP IT TIGHT

online friend posted:

a really lovely one

don't browse the internet like a moron, use adblockers and don't open shady emails

and don't download shady poo poo from wehavefiles4u.ru

That's great and all when people listen, but like 90% of your user base will inevitably be people who use their PCs for the very basic functions (printing, Office, internet) and won't necessarily know what to avoid. Pair that with sneaky loving ads that disguise themselves as legitimate downloads/programs and it's easy to understand the confusion. As for emails, it's a mixed bag because a lot of spoof messages look legit and users won't think twice if someone in Finance sends them an invoice as a PDF, ZIP, or Word/Excel sheet, especially when it's part of their job and happens every day.

Basically, you can NEVER assume anything about anyone's level of intelligence or common sense, not even based on the type of job they do. Makes you look stupider than the people you're trying to support, and you turn into the arrogant, ignorant rear end in a top hat that nobody wants to deal with who gets fired for mouthing off because you didn't want to teach someone something really basic and easy.

RISCy Business
Jun 17, 2015

Fun Shoe

Inspector_666 posted:

I think BYOD is a pretty dumb idea unless it's "BYOD (that you use to connect to a secure VDI-type of thing)" so we're probably in agreement on that.

i bring my phone to work obviously but i just use 4g.

RISCy Business
Jun 17, 2015

Fun Shoe

Thanks Ants posted:

I think this is probably the source of the friction between the cross-posting in the two threads. It's great if you're in a position to be able to set that policy, but where there has to be a compromise struck people would like to do as best as they can to try and maintain some level of security. Although this discussion seems productive so far.

I don't like BYOD either because it makes everything more difficult, but sometimes you have to deal with it.

again, this is my opinion and does not necessarily reflect anyone else's.


Ozz81 posted:

a lot of spoof messages look legit

this is exactly what DKIM, SPF and DMARC are for.

Inspector_666
Oct 7, 2003

benny with the good hair

online friend posted:

i bring my phone to work obviously but i just use 4g.

Well I think there's a difference between "We want a guest wifi network" which is a trivial request and "BYOD: We want people who bring whatever they want to work and then do everything they would need to do from a company-provided/managed laptop" where you're pretty much turning your IT staff into an MSP.

Thanks Ants
May 21, 2004

#essereFerrari


Inspector_666 posted:

I think BYOD is a pretty dumb idea unless it's "BYOD (that you use to connect to a secure VDI-type of thing)" so we're probably in agreement on that.


Physically separate voice networks are still really common due to a mix of not using networking equipment that can easily handle voice VLANs, the way that VOIP providers provide equipment, and the "redundancy" of having both networks not running through the same switches/routers. It really kind of sucks from an admin/support perspective though, especially when the wires are poorly marked!

VDI has its own fairly large usability impact, though, unless things are getting better at passing through touch input etc. It's also got all the expense of supporting a bunch of different client devices and the expense of VDI. I think BYOD is great for "your phone has access to your emails" but for everything else people can have a company laptop.

Squatch Ambassador
Nov 12, 2008

What? Never seen a shaved Squatch before?

online friend posted:

Make it so that they need local admin to install poo poo, and only give them local admin if they have a track record of being someone who isn't a literal loving retard. this is exactly how my last company did it- ActiveDirectory established user permissions and rights, but you needed local admin to install stuff, or have IT install it for you.

We also have this. It's also completely undermined by our other policy that anyone gets local admin or any software they want installed so long as their supervisor approves it. Luckily the new CIO is slowly but surely getting rid of stupid things like that.

"Our network has a lot of backdoors, but you'd have to access the network in the first place to exploit any of them." - What I was told by one of our lead app dev people when I questioned his instructions to disable TLS in Java on machines where everyone has local admin.

Thanks Ants
May 21, 2004

#essereFerrari


online friend posted:

this is exactly what DKIM, SPF and DMARC are for.

Can confirm DMARC and its prerequisites as a thing worth doing. Pair it up with something like DMARC analyser / dmarcian and just log initially - you'll likely discover a bunch of :yaycloud: services that you use that are sending emails 'incorrectly' and can work with the vendor to get it fixed. Fixing it might look like adding stuff to your SPF record and a DKIM record in your DNS. Once the policy is changed to reject then Google Apps will automatically apply that to your own inbound messages and outright drop spoofed email (the classic "quick wire this supplier $100k" from the not-CEO). Office 365 needs to be told to drop those messages, but it's simple:

https://blogs.technet.microsoft.com/eopinsights/2015/09/18/block-spoofing-in-office-365/

We turned the policy on and saw thousands of Vietnamese/Russian/Chinese etc. IPs spoofing our email domain, after moving to reject the numbers gradually dropped off as people stopped bothering to try.
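The DMARC mechanism that online friend points to and the log-first-then-reject rollout that Thanks Ants describes, as an added Python example (not code from this thread or from any vendor). It parses a DMARC TXT record, checks SPF/DKIM identifier alignment against the From domain, and shows how the same messages are handled at the p=none, p=quarantine and p=reject stages. Assumptions: the organizational domain is approximated as the last two DNS labels (real implementations use the Public Suffix List), and all records and message results are constructed samples.

```python
"""Evaluate a message's DMARC result and the disposition a receiver applies.

Added example (not code from the thread or any vendor). It mirrors the
rollout described above: publish p=none and read the aggregate reports,
fix senders that fail alignment, then move to quarantine and reject.
Assumptions: the organizational domain is approximated as the last two DNS
labels (real implementations use the Public Suffix List); all records and
message results below are constructed samples.
"""
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none; rua=mailto:a@b'."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    # Defaults from RFC 7489: relaxed alignment for both identifiers.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiving MTA learned before applying DMARC."""
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # RFC5321.MailFrom (envelope sender) domain
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the signature that verified ("" if none)


def dmarc_evaluate(record: dict, msg: AuthResults) -> dict:
    """DMARC passes if either SPF or DKIM passes AND aligns with the From domain."""
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.from_domain, record["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    # Failure: the published policy decides. p=none only generates reports.
    policy = record["p"].lower()
    disposition = policy if policy in ("quarantine", "reject") else "none"
    return {"dmarc": "fail", "disposition": disposition}


# The three stages of the rollout, as constructed sample records.
ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
]

# Constructed sample messages, all claiming to be From: someone@example.com.
# A spoofed "wire this supplier" mail: envelope sender forged, SPF fails, no DKIM.
SPOOFED_CEO = AuthResults("example.com", "fail", "example.com", "none", "")
# A cloud service relaying company mail before it was fixed: SPF passes for the
# vendor's own bounce domain (not aligned) and nothing is DKIM-signed.
UNFIXED_SAAS = AuthResults("example.com", "pass", "bounce.saas-example.net", "none", "")
# The same service after the fix: it now signs with the company's DKIM key.
FIXED_SAAS = AuthResults("example.com", "pass", "bounce.saas-example.net", "pass", "example.com")


def rollout_dispositions(msg: AuthResults) -> list:
    """Disposition of one message at each rollout stage, in ROLLOUT order."""
    return [dmarc_evaluate(parse_dmarc(r), msg)["disposition"] for r in ROLLOUT]


if __name__ == "__main__":
    for name, msg in [("spoofed CEO", SPOOFED_CEO), ("unfixed SaaS", UNFIXED_SAAS),
                      ("fixed SaaS", FIXED_SAAS)]:
        print("%-12s -> none/quarantine/reject stages: %s"
              % (name, rollout_dispositions(msg)))
```

Under p=none every message is still delivered, which is why logging first matters: the unfixed service only becomes visible through the aggregate reports sent to the rua address, and moving to reject before fixing it would drop legitimate mail along with the spoofs.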

Arsten
Feb 18, 2003

Inspector_666 posted:

Well I think there's a difference between "We want a guest wifi network" which is a trivial request and "BYOD: We want people who bring whatever they want to work and then do everything they would need to do from a company-provided/managed laptop" where you're pretty much turning your IT staff into an MSP.


Thanks Ants posted:

I don't like BYOD either because it makes everything more difficult, but sometimes you have to deal with it.

The best way I've seen to manage BYOD is to distribute corporate VMs. The only thing on the host you are responsible for is VMware Player running. Everything else is not your problem. Then have full control over the VM.

Thanks Ants
May 21, 2004

#essereFerrari


Inspector_666 posted:

Physically separate voice networks is still really common due to a mix of not using networking equipment that can easily handle voice VLANs, the way that VOIP providers provide equipment, and the "redundancy" of having both networks not running through the same switches/routers. It really kind of sucks from an admin/support perspective though, especially when the wires are poorly marked!

I see it loads where a company has outsourced everything to the point where nobody is working together and there's barely even any actual leadership in the technology side of the business. Phone providers want their own switches because they don't want to have to work with the existing data network people, or the data network people just flat-out refuse to work with the concept of having to support multiple service types. When you have a voice VLAN and decent phones then everything works nicely, but it requires a level of co-operation that only happens with internal teams or really good management of outsourced operations.
