Tryzzub posted: bet he knows how to code in html

He can whip up something in Microsoft FrontPage in no time.
May 19, 2021 03:22
Sickening posted: Crossposting because some of you need this in your lives.

I'm a dumb baaby, but I don't understand their distaste for least privilege administration

quote: These practices limit the opportunity for a technically skilled employee to identify anomalies — a key sign that someone may have breached security and be roaming around preparing to launch the next big cyber attack.

Is a theoretical network engineer going to be knowledgeable enough about everything going on in the company IT stack to be able to distinguish between an innocuous cron job doing something sanctioned at 3am versus hackerman doing stuff? Possibly if you're at my company of less than 200 people, and everybody in IT is effectively doing everything and the tech footprint is very small; probably not if you expand the IT footprint and the amount of employees you have to care for. I could be wrong though, I haven't worked for a company larger than 300 people yet.
May 19, 2021 04:50
Defenestrategy posted: I'm a dumb baaby, but I don't understand their distaste for least privilege administration

they want to go back to the days of cowboy sysadmins holding companies hostage to their whims

and he may be referring back to the days when 'Network and Systems Engineer/Administrator' was a thing, because it was possible for one person to know an entire company's systems. because the systems were very simple.

oh, and he seems horrified by the concept of teamwork. if I need to know why the network is being lovely, I ask a neteng
May 19, 2021 05:08
Seems to me to be an old man yelling at the clouds. The problem as he sees it with modern hacks is people not doing it the way he learnt, rather than the threat landscape being vastly different. Also, poor security is the fault of the people on the tools (so a badly configured or missing product), rather than a failure of process or culture.
May 19, 2021 06:23
I love his implicit assumption that people at the engineer level are given any discretion when it comes to security policy. "But if we enforce MFA, the CIO gets mad because of all of the notifications so he just starts mashing 'Accept' on all of them."
May 19, 2021 11:24
Those are some glaringly hot takes from someone who describes CISSP and CISA as "impressive credentials". In a 200-300 person company, I can't imagine the mythical jack-of-all-trades knowing (or caring) enough about security or the inner workings of systems they are tangentially responsible for to investigate or detect a breach or security event. Those are always the people who are overworked, with no time to specialize deeply into anything because of constant fires, busy piling up tech debt for when the company finally hires a security person who is probably also forced to wear every hat. That security person may end up being able to write "impressive 100-page missives justifying a proposed new password policy", which means they already lost because the company has a culture that requires exceptional justification to implement bare minimum security practices rather than doing any meaningful security engineering improvements.
May 19, 2021 11:31
That is painful to read and that man should never be allowed near even a Desktop Support shop, let alone a Security Program
May 19, 2021 13:11
Just give the end users admin access. They're already on their endpoints, who better to investigate a compromise than the person at the source??
May 19, 2021 13:15
I’d just play it like Dwarf Fortress your first few runs and try to fail fast and fail often
May 19, 2021 13:40
god I love 100-level IT professors that have been in academia for the last 20+ years and smugly call out anyone not using 1995-era network practices as "complete idiots"
May 19, 2021 13:48
You gotta fire every doctor and nurse who had a patient die, then start bringing hospital admin staff and EMTs into the OR in order to give them holistic control over the process of open heart surgery so we can figure out why people are dying. What if Jamie in accounting notices a strange lesion that the Chief neurosurgeon missed? Until people stop dying we cannot accept any excuse for the sorry state of medicine and nursing.
May 19, 2021 13:53
quote: All of them embrace the latest "industry best practices."

lmao
May 19, 2021 15:56
Shuu posted: Those are some glaringly hot takes from someone who describes CISSP and CISA as "impressive credentials".

My company is FedRAMP and we have a single Security and Compliance person for the whole org. Last time I saw him he was running around screaming about the FedRAMP password requirements that I have heard my coworkers threaten people over (one dude made a statement of how anyone who used more than alphanumerics for root/database password was his enemy as he 'fixed' a complex password he didn't like). We are pretty hosed.
May 19, 2021 16:20
RFC2324 posted: one dude made a statement of how anyone who used more than alphanumerics for root/database password was his enemy as he 'fixed' a complex password he didn't like

RIP your company I guess
May 19, 2021 16:34
Volmarias posted:
Yuuuuup. I am working to get things in a position to go after that, but right now it's a culture where the cowboys are celebrated for getting poo poo done, not poo poo on for making everyone else work harder with their bizarre 'just make it work' solutions
May 19, 2021 16:44
Every day that passes that I can't get my colleagues on the internet to understand that wanting a decade of infosec experience for cloud security roles is often inviting the wrong employee for the job makes me want to stab people more and more.
May 19, 2021 16:54
Wanted: 5 years experience implementing version 8 of the CIS controls.
May 19, 2021 17:14
We require a decade experience with OpenSUSE LEAP 15.3 in order to plan our upcoming migration
May 19, 2021 17:17
quote: What can businesses and industries do right now?
May 19, 2021 17:17
Cultures of fear always work out well, right?
May 19, 2021 17:25
1 year of experience 10 times.
May 19, 2021 17:26
It's so painfully bad. This is a man that has NEVER had to implement an IR/DR policy and stand behind it, or pitch a Governance/Policy that would've prevented a breach but management refuses to back. Also apparently works under the "Total Security" belief, versus the "Being compromised is inevitable" belief, which is the reality of security.

CommieGIR fucked around with this message at 17:29 on May 19, 2021
May 19, 2021 17:26
This is some alt-med bullshit down to using "holistic" unironically.
May 19, 2021 17:27
When Tumblr went no-porn, a group of people with no software experience beyond a front-end bootcamp decided to found a new, user-supported social network, called Pillowfort. A lot of the fic community have actual tech experience and tried to tell them what they were doing wrong in security, but they knew better, even when there were demonstrations that you could embed a logoff command into a link. Earlier this year Pillowfort went offline after a hack. Now they're back, with this message:

quote: Pillowfort is back! We missed you so much.

Uh, welcome to the oughties, I guess?
May 19, 2021 17:45
HYPOTHETICAL SCENARIO:
What are some sensible precautions someone caught in this TOTALLY HYPOTHETICAL situation might take to prevent total destruction?
May 19, 2021 17:50
lol, just walk away
May 19, 2021 17:55
Sickening posted: https://thehill.com/opinion/technology/553891-our-cybersecurity-industry-best-practices-keep-allowing-breaches

I once was fortunate enough to work for a company as it quickly grew past the point where the "everyone in IT has all the keys to the kingdom" model ceased to be feasible. Yes, the newer least-privilege setup felt a lot more confining. Even frustrating sometimes. But a small-org arrangement with omnipotent sysadmins just doesn't scale past a certain point. I recall a late-night conversation in the ops center about how any one of us, if we so chose, could bring the entire company to its knees. We even had a dark-humor brainstorming session about the most effective ways to do maximum damage. And as the company grew, the dollar amount that could go up in flames from this kind of attack became nothing short of staggering. So as we transitioned to a separation-of-powers model, we may have griped a bit among ourselves, but we completely understood the necessity.
May 19, 2021 17:56
VagueRant posted: What are some sensible precautions someone caught in this TOTALLY HYPOTHETICAL situation might take to prevent total destruction?

Find a new job?

Powered Descent posted: I once was fortunate enough to work for a company as it quickly grew past the point where the "everyone in IT has all the keys to the kingdom" model ceased to be feasible.

Had this at the beginning of last year, but it felt freeing to be like "sorry y'all, I don't own [system] and I don't have admin powers to fix it, please submit a ticket and the [system] owner will get back to you." instead of being put on the spot to fix everything, because I'm one of the more visible IT personnel.

Defenestrategy fucked around with this message at 17:58 on May 19, 2021
May 19, 2021 17:56
I’m gonna guess that he’s not using an ssh key for authentication either
May 19, 2021 17:56
SMEGMA_MAIL posted: I'm gonna guess that he's not using an ssh key for authentication either
May 19, 2021 18:00
VagueRant posted: HYPOTHETICAL SCENARIO:

This TOTALLY HYPOTHETICAL employee in security needs to write an email to the proper head(s) stating this setup is ignoring audit standards.

edit: best way to get an answer is to leave the email open ended so the heads need to give you some kind of answer. then the employee needs to print it out and take it home to cover their rear end. A read notification is not good enough because the head can just say they usually click every email to clear their inbox and don't know about being able to mark all emails read.

Which audit? The employee should choose whichever one has the most punishment if found out of compliance. Even in a development environment developers love doing bad things. If they happen to use non-cleaned credit card transactions to test processing, that's PCI. That could be a fine of 100k a month until remediated for not securing customer data because why does that developer even have that data?

Here's a nice list of the main compliances, what the compliances are concerned about, and punishments and fines if this HYPOTHETICAL company needs to deal with it. https://www.lucidchart.com/blog/understanding-types-of-compliance-audits

EVIL Gibson fucked around with this message at 18:07 on May 19, 2021
May 19, 2021 18:04
VagueRant posted: HYPOTHETICAL SCENARIO:
May 19, 2021 18:05
More serious answer: snapshots and backups out the rear end, and turn on selinux and pray he doesn't figure out setenforce 0
May 19, 2021 18:06
Martytoof posted: Just give the end users admin access. They're already on their endpoints, who better to investigate a compromise than the person at the source??

You laugh, but guess what we do? I just sort of stared for a minute when I discovered that, first day.

SMEGMA_MAIL posted: You gotta fire every doctor and nurse who had a patient die, then start bringing hospital admin staff and EMTs into the OR in order to give them holistic control over the process of open heart surgery so we can figure out why people are dying. What if Jamie in accounting notices a strange lesion that the Chief neurosurgeon missed? Until people stop dying we cannot accept any excuse for the sorry state of medicine and nursing.

That's an excellent analogy.

VagueRant posted: HYPOTHETICAL SCENARIO:

Work for a different hypothetical company.

edit: f, b
May 19, 2021 18:13
Powered Descent posted: I once was fortunate enough to work for a company as it quickly grew past the point where the "everyone in IT has all the keys to the kingdom" model ceased to be feasible. Yes, the newer least-privilege setup felt a lot more confining. Even frustrating sometimes. But a small-org arrangement with omnipotent sysadmins just doesn't scale past a certain point.

In my experience, mentioning your fun scenarios to management casually might make them think about it, and if you do it a couple of times before submitting a formal memo or risk assessment, they might even act on it eventually. Just in the hypothetical case where the IT guys don't want to let go. It might help to spice it with hackers, angry about salary employees, Russians picking up the wrong kid in kindergarten or some similar stories depending on your company.

Hypothetical company guy: if it's not your responsibility, just make sure you told someone that this is crazy, and make sure to tell them in writing. And then talk about the benefits of Amazon cloud or something, just to get a transition to anything not made of matchsticks, duct tape and gasoline.
May 19, 2021 20:03
BonHair posted: In my experience, mentioning your fun scenarios to management casually might make them think about it, and if you do it a couple of times before submitting a formal memo or risk assessment, they might even act on it eventually. Just in the hypothetical case where the IT guys don't want to let go.

I have the ability to pull root credentials in all kinds of systems, but not the ability to edit events on the department calendar that we use for scheduling maintenances. That is funny as gently caress to me.
May 19, 2021 20:25
Arsenic Lupin posted: When Tumblr went no-porn, a group of people with no software experience beyond a front-end bootcamp decided to found a new, user-supported social network, called Pillowfort. A lot of the fic community have actual tech experience and tried to tell them what they were doing wrong in security, but they knew better, even when there were demonstrations that you could embed a logoff command into a link.

They didn't fix anything
May 19, 2021 20:53
Cup Runneth Over posted: They didn't fix anything

They fixed their image problem, same thing.

they didn't fix that either
May 19, 2021 21:19
RFC2324 posted: More serious answer: snapshots and backups out the rear end, and turn on selinux and pray he doesn't figure out setenforce 0

Was going to post this. Beyond polishing your resume, there's only so much you can do. Figure out if you have any client contracts that specify penalties for destroying their entire everything via "whoops, that wasn't it"
May 19, 2021 21:39
RFC2324 posted: More serious answer: snapshots and backups out the rear end, and turn on selinux and pray he doesn't figure out setenforce 0

This. It's amazing how many modern, hugely technical companies still fail to have PROPER backups.
May 19, 2021 23:02