Impotence
Nov 8, 2010
Lipstick Apathy
The modern answer is to use a vendor that isn't from on-prem history; the enterprise answer is to use your corporate MITM proxy / NAT gateway to effectively overwrite DNS and hosts-file the cloud hostname into one hardcoded IP, and when it breaks, have someone update it.

Why yes I have had to tell people to not do this with cloudfront and eks and load balancers and ...


Subjunctive
Sep 12, 2006

✨sparkle and shine✨

You write a custom DNS recursive resolver that truncates the A return set to 32 and point the lovely LB at it. How hard could it be?

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.
We have some cases where we use Squid proxy with a restricted set of allowed domains. The Squid listens on multiple ports with different restrictions, and a server is allowed to connect to a specific instance.

AlternateAccount
Apr 25, 2005
FYGM
Derp wrong thread

AlternateAccount fucked around with this message at 16:44 on Jun 3, 2021

droll
Jan 9, 2020

by Azathoth
So it seems like browser extensions, and the end users' ability to install any of them without local admin on the OS needing to be invoked, is a pretty big deal? It doesn't seem to be a hot topic / common knowledge issue in my circles, but they were never security-centric to begin with. "Our end users aren't local admins, we're safe except for zero days but we patch them fast" is the mantra. Don't browser extensions work around that?

Impotence
Nov 8, 2010
Lipstick Apathy
you can block them with GPO

RFC2324
Jun 7, 2012

http 418

There is a gpo for all the major browsers/they all respect it?

The Fool
Oct 16, 2003


Yeah. For chrome you need to install the enterprise version, and you’ll need to get the admx files for each one, but it all works for the most part.

Firefox admx: https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows

Chrome admx: https://support.google.com/chrome/a/answer/187202/set-chrome-browser-policies-on-managed-pcs?hl=en#zippy=%2Cwindows

droll
Jan 9, 2020

by Azathoth
More of a comment on how 'security minded' IT leaders haven't been talking about it in my sphere.

AlternateAccount
Apr 25, 2005
FYGM

droll posted:

More of a comment on how 'security minded' IT leaders haven't been talking about it in my sphere.

Yep, our people got the wakeup finally when some kind of relatively widely installed "coupon toolbar" was causing some instability with an Accounting SaaS product. Took forever to figure out, and then was a big WAIT A MINUTE.

stevewm
May 10, 2005

The Fool posted:

Yeah. For chrome you need to install the enterprise version, and you’ll need to get the admx files for each one, but it all works for the most part.

Firefox admx: https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows

Chrome admx: https://support.google.com/chrome/a/answer/187202/set-chrome-browser-policies-on-managed-pcs?hl=en#zippy=%2Cwindows

We use the Chrome GPOs and it works great. Extensions are set to whitelist only. Users can install them from the Chrome Store, but only the ones on the whitelist. You can also force-install extensions via the same GPOs if you want.
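As an added illustration (not code from the thread, from Google, or from stevewm), this is what the allowlist-only Chrome extension GPO described above boils down to once Group Policy has written it to the machine: the registry keys the Chrome ADMX templates populate under HKLM\SOFTWARE\Policies\Google\Chrome. The policy names ExtensionInstallBlocklist, ExtensionInstallAllowlist and ExtensionInstallForcelist are Chrome's own (older templates spell them Blacklist/Whitelist); the extension IDs are placeholders, and writing the keys directly is only for a lab machine, since a real deployment lets the GPO do it.

```powershell
# Added example: allowlist-only Chrome extension policy written directly to the
# HKLM policy keys that the Chrome ADMX templates populate. Run elevated on a
# test machine; in production the GPO writes these keys for you.
# Extension IDs below are placeholders; real IDs are 32 lowercase a-p letters.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Allowlisted extension IDs (placeholders; replace with your approved IDs).
$Allowed = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',   # placeholder: e.g. the corporate password manager
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'    # placeholder: e.g. an internal tool
)
# Extensions pushed to every profile; list entries are "<id>;<update url>",
# and the Chrome Web Store update URL is the one Google documents.
$Forced = @(
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb;https://clients2.google.com/service/update2/crx'
)

function Set-PolicyList {
    param([string]$Name, [string[]]$Values)
    $path = Join-Path $ChromePolicy $Name
    # Recreate the key so stale entries from earlier runs do not linger.
    if (Test-Path $path) { Remove-Item $path -Recurse -Force }
    New-Item -Path $path -Force | Out-Null
    # Chrome list policies are REG_SZ values named "1", "2", ... under the key.
    for ($i = 0; $i -lt $Values.Count; $i++) {
        New-ItemProperty -Path $path -Name ($i + 1) -Value $Values[$i] `
            -PropertyType String -Force | Out-Null
    }
}

# Deny everything not explicitly allowed: '*' in the blocklist; an allowlist
# entry overrides the wildcard, so users can still install approved IDs from the store.
Set-PolicyList -Name 'ExtensionInstallBlocklist' -Values @('*')
Set-PolicyList -Name 'ExtensionInstallAllowlist' -Values $Allowed
Set-PolicyList -Name 'ExtensionInstallForcelist' -Values $Forced

# Read back what Chrome will see; compare against chrome://policy on the test machine.
function Get-PolicyList {
    param([string]$Name)
    $props = Get-ItemProperty -Path (Join-Path $ChromePolicy $Name)
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}
'Blocklist: ' + ((Get-PolicyList 'ExtensionInstallBlocklist') -join ', ')
'Allowlist: ' + ((Get-PolicyList 'ExtensionInstallAllowlist') -join ', ')
'Forcelist: ' + ((Get-PolicyList 'ExtensionInstallForcelist') -join ', ')
```

After the keys are in place, the Reload policies button on chrome://policy shows whether Chrome picked them up; an extension ID that is neither allowlisted nor force-installed then fails to install from the store, which is the check worth running before rolling the GPO out.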

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

AlternateAccount posted:

Yep, our people got the wakeup finally when some kind of relatively widely installed "coupon toolbar" was causing some instability with an Accounting SaaS product. Took forever to figure out, and then was a big WAIT A MINUTE.

There was a time that Skype registered a Firefox extension automatically when you installed Skype on Windows, and it would lead to multi-minute startup times for some of the afflicted. We blocklisted it from Firefox and sent Skype a polite version of "lol fix your poo poo" and eventually they did, mostly.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
https://twitter.com/kwestin/status/1400551484547158016?s=20

Diva Cupcake
Aug 15, 2005

So what are the reasonable ways a government can combat this?

Sanctions on host countries? Can't see that having too much of an effect.
Providing support and/or guidance to businesses on improving defenses? lol
Clamp down on cryptocurrencies? Is that a reasonable response? Probably not but at least a few politicians will think so.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Diva Cupcake posted:

So what are the reasonable ways a government can combat this?

Sanctions on host countries? Can't see that having too much of an effect.
Providing support and/or guidance to businesses on improving defenses? lol
Clamp down on cryptocurrencies? Is that a reasonable response? Probably not but at least a few politicians will think so.

Hit the nail on the head: There's not

Not paying the ransom is basically the "Too big to fail" problem all over again, are you really willing to let a major company collapse? Not likely in the US despite DOJ claims.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Diva Cupcake posted:

So what are the reasonable ways a government can combat this?

Sanctions on host countries? Can't see that having too much of an effect.

Depends on the country. Someplace like Russia that wants to actively thumb their nose and can't really be hurt by even more sanctions won't really be affected, but some tiny country could possibly be "persuaded" to "step up" their law enforcement efforts in lieu of influential leaders becoming barred from the global financial system.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Volmarias posted:

Depends on the country. Someplace like Russia that wants to actively thumb their nose and can't really be hurt by even more sanctions won't really be affected, but some tiny country could possibly be "persuaded" to "step up" their law enforcement efforts in lieu of influential leaders becoming barred from the global financial system.

I think the long and short is: If you are a ransomware actor, you are moving to Russia.

Oct
Jul 19, 2007

CommieGIR posted:

Not paying the ransom is basically the "Too big to fail" problem all over again, are you really willing to let a major company collapse? Not likely in the US despite DOJ claims.

Yeah I will agree as well, there is no silver bullet. I tend to argue based on my experience that not-paying is a major component of the solution but it is not that simple. Cyber liability insurers are more problematic, as they have turned into the "solution" by reimbursing ransom payments. This incentivizes the attackers of course, since they're getting paid and they know insurers have deep pockets, and I've had clients straight up say their plan for ransomware is to just pay and let insurance deal with it. Insurance claims aren't necessarily just the cost of the ransom itself either. Some policies may cover lost revenues due to downtime, incident response fees, legal fees, data breach related fees, etc.

Some insurers are making changes here, so maybe we will see trends start to shift a bit. But a lot of this seems to boil down to "paying the insurance premium is cheaper than investing in security". The OFAC sanctions from last year matter a little as well, as insurers aren't fans of reimbursing payments to sanctioned entities.

Beyond that, the other thing I notice is that while the big "whale" victims get headlines and have massive ransoms, there is still a lot more of this impacting very small organizations. Many may not have any insurance, but also have no meaningful security budget (such as the one-person IT/Infosec team). Even if the ransom demanded of them is a fraction of what you saw with Garmin or whoever else, they're incredibly soft targets and there are lots of them to hit, so it adds up to a lot of money. These people have no budget for security, and even if you have the best access to open-source tools there's nobody watching controls 24/7. Even with the big human-operated ransomware attacks the sophistication is kind of middling. Frequently there are tons of alerts firing on various controls, but nobody's paying attention or responding promptly... who gives a poo poo if you've got some poo poo-hot market leading product when it's not even deployed correctly or monitored.

Diva Cupcake
Aug 15, 2005

Groups from Russia, China, N Korea, etc see effectively no repercussions even if they’re identified as long as their targets are Western countries.

Defenestrategy
Oct 24, 2010

Diva Cupcake posted:

So what are the reasonable ways a government can combat this?

Sanctions on host countries? Can't see that having too much of an effect.
Providing support and/or guidance to businesses on improving defenses? lol
Clamp down on cryptocurrencies? Is that a reasonable response? Probably not but at least a few politicians will think so.


Tie tax breaks to cybersec practices and government auditing. If you want any tax breaks, companies posting revenue in excess of $somearbitrarynumber must obtain CMMC certification level 1, and the certification level increases as your revenue increases.

Probably won't be extremely effective, but it will make companies pay x% more attention to it than they otherwise would.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Defenestrategy posted:

Tie tax breaks to cybersec practices and government auditing.

Step 1 to any of these plans is gonna look a whole lot like the USG setting out actual requirements for cybersec for a lot more industrial and commercial sectors instead of the "well if you really want to do something here are some suggestions that maybe you could look at, you know, if you wanted to" guidance that they've currently got for pretty much anything that isn't finance or health-care related.

Tie those in to insurance providers to allow them to reject claims if companies weren't following the guidance and you'd get a lot of companies to at least take basic steps.

I know government regulation is not and cannot be a silver bullet or in many cases even "largely effective," but it's well past time that we let "too big to fail" companies of national significance keep skating on with zero expectations for security and then acting all surprised when they inevitably get popped.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Defenestrategy posted:

Tie tax breaks to cybersec practices and government auditing. If you want any tax breaks, companies posting revenue in excess of $somearbitrarynumber must obtain CMMC certification level 1, and the certification level increases as your revenue increases.

Probably won't be extremely effective, but it will make companies pay x% more attention to it than they otherwise would.

This is how you end up with antivirus clients on database servers for "compliance"

Mustache Ride
Sep 11, 2001



I vote retaliatory hacking. Let's black ice everyone.

Absurd Alhazred
Mar 27, 2010

by Athanatos
Time to Battlestar Galactica infrastructure. Airgaps or bust.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Mustache Ride posted:

I vote retaliatory hacking. Let's black ice everyone.

Pretend that I said something about giving them a trapped file that's actually Langford's Basilisk and linking to :goatsecx:

Arivia
Mar 17, 2011

Absurd Alhazred posted:

Time to Battlestar Galactica infrastructure. Airgaps or bust.

they had to network the computers in the long run anyway!

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Defenestrategy posted:

Tie tax breaks to cybersec practices and government auditing. If you want any tax breaks, companies posting revenue in excess of $somearbitrarynumber must obtain CMMC certification level 1, and the certification level increases as your revenue increases.

Probably won't be extremely effective, but it will make companies pay x% more attention to it than they otherwise would.

Welcome to another Check Box like PCI.

Absurd Alhazred
Mar 27, 2010

by Athanatos

Arivia posted:

they had to network the computers in the long run anyway!

Right. "Had to". :awesomelon:

Klyith
Aug 3, 2007

GBS Pledge Week

Diva Cupcake posted:

Clamp down on cryptocurrencies? Is that a reasonable response? Probably not but at least a few politicians will think so.

Clamping down on cryptocurrency as in "cryptocurrency traders, brokers, & exchanges have to follow the loving laws" is pretty dang reasonable, and would help a lot.

It's not like ransomware was technically impossible before 2013. It was a thing some people tried and had extremely limited success with, because the financial part was too dangerous. At any point in the last 8 years, some basic loving enforcement of on-the-books laws could have made a whole lot of problems go away.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

CommieGIR posted:

Welcome to another Check Box like PCI.

Some boxes need to be checked.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

The Iron Rose posted:

Some boxes need to be checked.

It's more HOW the boxes are checked. Most PCI audits are not very thorough.

Defenestrategy
Oct 24, 2010

CommieGIR posted:

It's more HOW the boxes are checked. Most PCI audits are not very thorough.


I am shocked, SHOCKED, that the Payment Card Industry Security standards established by PCISSC, which was established and staffed by current employees of VISA, Mastercard, Amex, Discover, and JCB would possibly overlook mistakes and whoopsies by various Payment Card Industry members, such as VISA et al. Shocked.

I'd think that businesses would at least pay some amount of lip service if the government comes around every so often, assuming the business in question can't afford a few congressmen.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Mustache Ride posted:

I vote retaliatory hacking. Let's black ice everyone.

if black hat hacking involved more ICE then networks would probably be a lot more secure tbf

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

CommieGIR posted:

It's more HOW the boxes are checked. Most PCI audits are not very thorough.

Agreed, but for most industries right now there aren't even basic, surface level boxes to be checked. There's an enormous amount of low-hanging security fruit that's not being picked simply because no one has sat a given industry down and said "alright look motherfuckers, stop putting your SCADA systems on the open internet" and similar. Even "not very thorough" audits would help with stuff like that. You'd hope that any reasonably major company wouldn't be doing that already, and yet we see time and time again that there are enormous segments out there whose entire relationship with security is "lol wut? that might cost money. no."

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

DrDork posted:

Agreed, but for most industries right now there aren't even basic, surface level boxes to be checked. There's an enormous amount of low-hanging security fruit that's not being picked simply because no one has sat a given industry down and said "alright look motherfuckers, stop putting your SCADA systems on the open internet" and similar. Even "not very thorough" audits would help with stuff like that. You'd hope that any reasonably major company wouldn't be doing that already, and yet we see time and time again that there are enormous segments out there whose entire relationship with security is "lol wut? that might cost money. no."

100% agreed as well. Which is why so many view Cybersecurity Insurance as better than building an actual Infosec program.

When your management is filled with people who are just MBAs, who view everything as a cost center even when that cost center is literally the foundation of their company in the digital age, anything like Infosec and IT in general is just a wasteful spend.

https://twitter.com/jamieantisocial/status/1400824184490672130?s=20

CommieGIR fucked around with this message at 15:53 on Jun 4, 2021

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

CommieGIR posted:

When your management is filled with people who are just MBAs, who view everything as a cost center even when that cost center is literally the foundation of their company in the digital age, anything like Infosec and IT in general is just a wasteful spend.

Painfully accurate. Some I've seen be more receptive if you can put it in terms of security breach = loss of customer trust / reputation = loss of customers = considerable drop in income, and therefore some reasonable amount of spend on security is worth it.

Others are, as you say, pretty firm on just throwing a line-item on the budget for insurance and figuring it's fine.

But yeah, MBA and related people whose mantra is that the only legitimate path for a business is the one that most perfectly maximizes profits, regardless of anything else, are a huge cause of all sorts of stupid socially consequential problems like this. Launch them all into the sun and we'd all be better off, even if it would mean the stock prices didn't rise that extra 0.5% this year.

Darchangel
Feb 12, 2009

Tell him about the blower!


CommieGIR posted:

100% agreed as well. Which is why so many view Cybersecurity Insurance as better than building an actual Infosec program.

When your management is filled with people who are just MBAs, who view everything as a cost center even when that cost center is literally the foundation of their company in the digital age, anything like Infosec and IT in general is just a wasteful spend.

https://twitter.com/jamieantisocial/status/1400824184490672130?s=20

At a certain point, though, wouldn't the cybersecurity insurance companies enforce at least some sort of basic security practices as a prereq for providing coverage? Kind of like how life insurance wants a medical/lifestyle history to determine coverage and pricing.

Darchangel fucked around with this message at 16:02 on Jun 4, 2021

Darchangel
Feb 12, 2009

Tell him about the blower!


DrDork posted:

But yeah, MBA and related people whose mantra is that the only legitimate path for a business is the one that most perfectly maximizes profits, regardless of anything else, are a huge cause of all sorts of stupid socially consequential problems like this. Launch them all into the sun and we'd all be better off, even if it would mean the stock prices didn't rise that extra 0.5% this year.

They're also the dingleberries that decided JIT for *everything* was the way to go, and nothing could ever go wrong with supply infrastructure. There's no way, for example, that there could be a once-in-a-century global pandemic affecting production literally everywhere, or a giant cargo ship could get wedged into a vital shipping canal. Absolutely no need to stockpile anything, ever.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

Darchangel posted:

They're also the dingleberries that decided JIT for *everything* was the way to go, and nothing could ever go wrong with supply infrastructure. There's no way, for example, that there could be a once-in-a-century global pandemic affecting production literally everywhere, or a giant cargo ship could get wedged into a vital shipping canal. Absolutely no need to stockpile anything, ever.

I'm sure someone did a case study at some point (or will, now) that shows that even with the lost/reduced revenue from such singular events, the company still makes more money over the long run with JIT and just letting the world burn every so often.

These are the same types of people who explicitly view "social responsibility" as an entirely unnecessary cost center, to be engaged with if and ONLY if doing so will produce enough positive PR to pay for whatever minimal spend has been done on it.


CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Darchangel posted:

At a certain point, though, wouldn't the cybersecurity insurance companies enforce at least some sort of basic security practices as a prereq for providing coverage? Kind of like how life insurance wants a medical/lifestyle history to determine coverage and pricing.

They are starting to, because they are realizing they are being taken for a ride. Rather deliciously ironic it took them this long to realize.
