Martytoof posted: If it makes you feel better, I fully expect 3/4 of the posters in this thread would be chiming in with similar stories if not for NDAs :P

Now, now, it could be worse. You could be at a company with three distinct IT departments whose systems are interconnected but which at best completely ignore each other. And, hypothetically, responsibilities would be clear as mud. Also outsourcing, with lovely contracts and no follow-up.

# Dec 18, 2020 21:00

# May 8, 2024 07:12

Potato Salad posted: Sears?

Nope, and I'm not gonna tell you where it is either, because it's frankly beyond embarrassing. It's in Europe though. Half the problem is Operational Technology (OT), which in theory is completely separated from IT, but in practice, you guess where the user accounts are. If you guessed "the IT AD", that would be correct, but also we have two ADs that operate in mostly the same environments.

# Dec 31, 2020 12:19

Ynglaur posted: I'll be honest, I don't see how a salesperson buying someone lunch is bribing them. I mean, it's lunch. If they show up with the keys to a new car, or a suitcase full of

It's definitely a bribe, just a small and less effective one. You're still more likely to do business with Dave who brought pizza than some rando from wherever. I worked in Danish government, where the rules are super strict about bribes. You can accept a sandwich if you're at a relevant event at some company, but that's about it. No Christmas chocolates either. Think about it from their perspective: they're using their budget for your lunch; presumably that's not just being nice, it's because they know it's a worthwhile investment.

# Jan 13, 2021 17:50

chin up everything sucks posted: I hate socializing with people I don't know, so I'm never taking one of those social sales lunches unless I'm required to by a boss. If they want to send snacks to my office/home, sure - but don't expect me to remember the company that sent them.

If you hate socializing, you're probably not in charge of procurement and thus irrelevant. You probably should be in charge of it because you were hired for being good at actual work, but that's another thing. Also lots of companies will get snacks with their logo on so you don't forget. It's actually also a main reason you get logos on pens, just basic "hey, this brand exists, did I check out their product recently?" stuff. I use an aggressively magenta pad of paper from one of the two Danish ISMS software companies, and I sure think of them every time I write something down.

# Jan 13, 2021 20:25

Best case, you're infecting, say, 40 people per night, let's say for two weeks before someone notices, to be very generous. That's 580 Google/Apple accounts of random people, which is worth probably less than you'd make being a waiter for a night. It's just too much effort for limited payoff, especially since the risk of getting traced is pretty high. As a targeted operation, still no, but a bit more likely.

# Jan 13, 2021 23:22

The Fool posted: I haven’t been paying close attention but I feel like they’ve gotten a little bit better since the stormfront thing

I think they just avoid the customers that would be more trouble than they're worth, like stormfront and 8chan, but don't care if they themselves don't become a secondary target.

# Jan 18, 2021 21:08

It also seems like it would be difficult to track down the actual physical person who did a thing in case of incidents with that setup? Or is that me misunderstanding?

# Jan 19, 2021 19:15

I think listening to the guy who studied how the body works is safer than listening to the guy who's selling the drug, or even the bottle made by the company selling the drug (and bribing the supposed oversight). Sort of like how you trust the security expert who found a flaw in a piece of software and not the vendor who insists it's perfectly safe.

# Jan 22, 2021 20:21

Volguus posted: I had to, once, add a feature in a web application I was working on to allow an administrator (a user with ADMIN role) to impersonate another user. Again, for troubleshooting purposes, I suppose. Now, no impersonated user's password was needed, it was just asking for the admin's password again, and the token was set to expire after 30 minutes, but man, I never felt so ... walking on thin ice before. It looked safe enough, I couldn't see any security holes, at least not obvious ones, but even today I still think sometimes "what if I missed something?".

Eh, it's a useful tool to have in certain applications. Just be sure to log every loving thing and maybe put some multifactor on it. Preferably with one factor being another person.

# Apr 28, 2021 08:44

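An added example, not code from Volguus or the thread: an admin-impersonation flow with the safeguards the reply asks for. The admin re-enters their own password, a second distinct admin must approve, the token carries both identities and expires after 30 minutes, and every attempt, granted or denied, is written to an audit log. The user directory, the in-memory stores and the rule that only USER-role accounts can be impersonated are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

IMPERSONATION_TTL = 30 * 60  # seconds; the 30-minute expiry from the post

_SALT = b"constructed-demo-salt"   # one fixed salt only to keep the demo short


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


# Constructed user directory: username -> role and password hash (assumption)
USERS = {
    "alice": {"role": "ADMIN", "pw": _hash("alice-pass")},
    "bob":   {"role": "ADMIN", "pw": _hash("bob-pass")},
    "carol": {"role": "USER",  "pw": _hash("carol-pass")},
}

AUDIT_LOG: list = []     # every attempt, granted or denied, is recorded here
TOKENS: dict = {}        # token -> who issued it, for whom, who approved, expiry


def _audit(event: str, **fields) -> None:
    AUDIT_LOG.append({"ts": time.time(), "event": event, **fields})


def verify_password(user: str, pw: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["pw"], _hash(pw))


def _is_admin(user: str, pw: str) -> bool:
    return USERS.get(user, {}).get("role") == "ADMIN" and verify_password(user, pw)


def start_impersonation(admin: str, admin_pw: str, target: str,
                        approver: str, approver_pw: str) -> str:
    """Issue a short-lived impersonation token or raise PermissionError."""
    # Re-authenticate the admin, as the original feature did ...
    if not _is_admin(admin, admin_pw):
        _audit("impersonation_denied", admin=admin, target=target, reason="admin auth")
        raise PermissionError("admin authentication failed")
    # ... then require a second, distinct admin as the "another person" factor.
    if approver == admin or not _is_admin(approver, approver_pw):
        _audit("impersonation_denied", admin=admin, target=target, reason="approver")
        raise PermissionError("second-person approval failed")
    # Assumed extra rule: only ordinary user accounts may be impersonated.
    if USERS.get(target, {}).get("role") != "USER":
        _audit("impersonation_denied", admin=admin, target=target, reason="target")
        raise PermissionError("cannot impersonate that account")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"admin": admin, "target": target, "approver": approver,
                     "exp": time.time() + IMPERSONATION_TTL}
    _audit("impersonation_started", admin=admin, target=target, approver=approver)
    return token


def resolve(token: str, action: str) -> Optional[str]:
    """Map a request's token to the effective user, logging the real admin."""
    rec = TOKENS.get(token)
    if rec is None or rec["exp"] < time.time():
        TOKENS.pop(token, None)              # expired tokens are dropped
        _audit("impersonation_rejected", action=action)
        return None
    _audit("impersonated_action", admin=rec["admin"], target=rec["target"],
           action=action)
    return rec["target"]
```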
Maneki Neko posted: We have a federal microagency as a customer and sherpaing them up on their FISMA audits from "lol ad hoc on everything" has been quite the journey. If anyone is actively enforcing anything requirements wise it hasn't ever made it to our customers' level.

I worked in two Danish government agencies. All agencies are required to be "ISO 27001 compliant", and both my places had plenty of reason to be. On paper they were both 4 on a 1-5 scale. The trouble is that it's self evaluation. So basically it's a requirement with essentially zero enforcement beyond "tell us you're doing well please". Long story short, my honest evaluation would have been a lot lower, and when talking to colleagues in other agencies off the record, they said the same thing. Very few agencies officially dip below 3, despite a lot of them having no real concept of system/service ownership. Of course, there's the state audit institution, but I'm very much not impressed with them. They're nice and could be a really good resource if the agencies treated them as a partner helping to improve security, but in all cases I know of, they're treated as an opponent that you have to dodge. Now I'm doing consulting/ISMS software designing. The customers range from "what's a risk assessment" to a few guys who really run a tight ship (at least on the governance level, we don't really do deep technical stuff). It's a lot of fun seeing the range and sherpaing/nudging organisations towards actually thinking about security.

# May 13, 2021 19:53

Powered Descent posted: I once was fortunate enough to work for a company as it quickly grew past the point where the "everyone in IT has all the keys to the kingdom" model ceased to be feasible. Yes, the newer least-privilege setup felt a lot more confining. Even frustrating sometimes. But a small-org arrangement with omnipotent sysadmins just doesn't scale past a certain point.

In my experience, mentioning your fun scenarios to management casually might make them think about it, and if you do it a couple of times before submitting a formal memo or risk assessment, they might even act on it eventually. Just in the hypothetical case where the IT guys don't want to let go. It might help to spice it with hackers, employees angry about their salary, Russians picking up the wrong kid in kindergarten or some similar stories depending on your company. Hypothetical company guy: if it's not your responsibility, just make sure you told someone that this is crazy, and make sure to tell them in writing. And then talk about the benefits of Amazon cloud or something, just to get a transition to anything not made of matchsticks, duct tape and gasoline.

# May 19, 2021 20:03

Cup Runneth Over posted: They didn't fix anything They fixed their image problem, same thing.

They didn't fix that either.

# May 19, 2021 21:19

Subjunctive posted: Oh sure, which is why "we don't have to worry about X because Team Q should be doing Y" is the form of question I try to guide people away from, towards "does Team Q actually do Y or do we need to worry about X?" This is the case even at places that generally pay for more adherence to "should", since it's not always just paying for it that is necessary.

Never forget the "if X happened, Team Q would be the prime suspects (and they wouldn't like that)" angle. Also users are the worst and they will break any guidelines eventually. So make sure they can't. Network segmentation is one tool here.

# May 27, 2021 19:25

Are you doing new custom software or just consolidating everything to fewer and less crap vendors? Because the former seems like a legacy and person dependency bomb being installed to me. Also some vendors have good poo poo that you don't need to invent from scratch.

# May 30, 2021 20:56

Cup Runneth Over posted: So... did they let those murders go ahead even though they knew they were planned?

Swedish police at least said they prevented 10 murders, so presumably not. But on the other hand, the US police might have made other choices.

# Jun 9, 2021 09:16

CommieGIR posted: Even more "Just do what NIST says", who are you paying to ensure that stuff is enforced? Internal Security Engineering teams and Security Operations teams, plus Governance teams to help push policy enforcement.

In Denmark the center for cyber security is just advisory mostly (they did put out some "technical minimum requirements" together with the agency for digitalisation), but actual implementation is up to each institution. We do have checks if they're doing stuff though! Every 6 months they have to report how good their ISO 27001 implementation is. Most agencies know how to answer "pretty good but can be improved" despite only having a policy from 2007 in a physical drawer and nothing else. It's all good!

# Jun 13, 2021 06:41

Klyith posted: Infosec best practice: don't use any software.

You clearly haven't worked anywhere with a large amount of typewritten PII/generally sensitive information in a locker outside the bathroom (because office space is expensive).

# Jun 20, 2021 16:29

Oysters Autobio posted:
I'm a trained linguist with close to zero real tech/computer knowledge (I can't program a hello world in any language for instance), and I work in infosec consulting. My advice is to look into governance stuff. In my experience, the most important thing in protecting your stuff is figuring out who is responsible for it (preferably both operationally and management wise) and then figuring out how important each bit is and why. This sounds like ground floor, and it is, but realistically that's what a lot of businesses need to figure out. I/the consulting firm I work at basically use ISO 27001 as the framework for this, and it's good. Get a copy of the standard, and try to understand the whole management system part of it. Next step is figuring out how to protect your stuff. That's where you look to ISO 27002 and, for each control, figure out who's responsible and what the minimum level should be. In this framework, you want to set up role based rules like "the system administrator should confirm that all users with admin rights have a legitimate need for them at least every month". Third step is getting it to actually work across the business, and then comes the whole spiral of improvements. Or so I've heard, most businesses don't get that far. In this kind of infosec, the most important thing is pretending to understand a lot of stuff, and being able to connect management and computer touchers (and others, like HR and physical security) in some capacity. Being able to a) pretend to be interested in why DB2 is superior to SQL and b) put on a suit and explain to the CFO why having that one guy being the only one who can operate the key system is bad, that's the kind of skill set you need.

# Jul 16, 2021 20:16

The two factors are something you know and someone at tech support

# Jul 17, 2021 07:50

Defenestrategy posted: On this note

Not quite right, but my old employer had password resets that you could only order from a colleague's account. The invoice system had something like "someone you know" though: whenever you had something you needed reimbursed, you had to pick someone to approve it. The point was obviously not security as we know it, but the same principle could be used: pick someone close by on a drop-down, and they get the app buzz (and can choose to approve if they know/like you).

# Jul 17, 2021 17:42

Sickening posted: It's been a long road of network department goals of "having a reliable, highly available network" running opposite of network security goals. It's incredibly tedious to design a network with security in mind. Why go through the extra time, manpower, complexity, and money when you just have to fight every time a new project comes down the pipe. They are actively rewarded by not having things secured. Projects are easier to implement, the networks are easier to manage, and the manpower involved is so much less expensive.

And this is why you should have an overall risk assessment of all your business processes, which includes vulnerability assessments of underlying systems and assets. If you can show management that everything is resting on a platform that's ...insecure, and highlight a couple of likely catastrophic scenarios, they will hopefully be much more inclined to actually do something. Incidentally, all the business risks should be assigned to the network guys, so they actually have a reason to care, but also some leverage to get the needed resources. And then you can go play with the unicorn and watch incompetent managers get punished for being terrible. Also no one is falling for phishing emails.

# Aug 5, 2021 20:53

Sickening posted: Aww yes, the risk assessments will surely change their minds. The guilty will be punished and the heroes will save the day.

That's why I added the unicorns. I have managed to change a few minds in management by laying the risks out clearly in front of them though. Having a very clear scenario that connects to the bottom line for each risk is key though, like "it's pretty easy to remotely connect with admin rights. If an admin accidentally or through coercion loses his password, all production will shut down and also a lot of fake bills will get paid. Also no one will trust us to keep anything safe for the next year. If you want to not have this risk, pay $X to implement 2FA". Then give it a pretty red colour to match and maybe some charts. At the very least, you'll have covered your rear end, but hopefully someone will want to avoid losses, and it gets harder to argue against when it's not about IT, but about the bottom line. The hard part is to take all the tech out of the risk assessments and replace it with management stuff.

# Aug 6, 2021 09:09

Shuu posted: How will we ever stop these highly sophisticated attacks??

It's impossible, and anyway, this specific Windows 98 machine hasn't been compromised yet and we are working on getting a replacement system, so don't worry about it. Also, did anyone see my notebook? I can't remember my password to the ERP system...

# Aug 10, 2021 19:33

GDPR seems to be doing a lot of good in terms of information security, at least in Denmark and in companies I hear about (and they have a bias towards wanting better security). But a fun different vector is the insurance companies: when they realize how much they have to pay for companies with open access to everything, they might require companies to have, say, implemented CIS controls if they want to be insured (or have a non-crazy premium).

# Aug 16, 2021 14:26

DrDork posted:
The fun thing is that it's 95% old rules here, the main addition is the fines. The typical story we see is
This is very basic and takes a huge amount of time, struggle and effort. But the end result is that Company is a lot more mature in their handling of data, and with some luck (assisted by "you need to tell people what legitimate purpose you are collecting their data for" from GDPR), they will actually only collect and save stuff they need. And maybe even consider protecting it if they identify a risk along the way. Clear responsibility helps, because quite often, the business owner assumes IT takes care of security, and vice versa, leading to no actual security. Hammering out that one or the other is responsible means they can't deflect as easily.

# Aug 16, 2021 19:20

To be fair, actual fines from GDPR have been pretty much slaps on the wrist over here too. You have to be super blatant to get the full amount. The fun thing for private citizens is the right to know what information a company has on you. It's usually a huge hassle for them to find it all, but if they don't bother, that's a very clear crime on their part. So if you are really pissed at a company, it's a godsend for pettiness. I made a bank waste a bunch of time and got them a slap on the wrist (no actual fine) from the data protection agency just by sending a couple of short emails.

# Aug 16, 2021 19:43

BrianRx posted:
In my experience, depressingly easy. I don't know about dumps, but just writing a mail from weedgoku1488@gmail.com asking for anything they have on me, John Q Uniquename, is likely to succeed. I think the best line of defense is having a common enough name that it would likely need more information to be disambiguated.

# Aug 17, 2021 16:27

Volmarias posted: And is precisely why large companies actually take this seriously, at least from what I've seen. So far.

It will be interesting to see when we have an established precedent for GDPR infractions. So far in Denmark, the fines haven't come near the maximum. I'm betting a lot of companies will pay lip service and get a sizeable fine reduction for it.

# Aug 20, 2021 19:31

I'm late to the party on jobchat, but this thread is, in my opinion, heavily weighted towards technical infosec, bordering on opsec if not outright crossing over. It's hardly surprising, since it's the computer toucher subforum, and it's all good. But anyway, I'm in a small infosec consulting/software solution company. One or two of our 10ish consultants can code their way out of paper bags. I certainly can't. But we're still growing and experiencing happy/satisfied customers. What we're doing is compliance and governance: setting up how to do CIS controls, ISO 27001, GDPR and others, including clear ownerships and responsibilities at the company. And when we have that, we set up automated controls to check up on the sysadmin or whoever was supposed to check the logs. And then also business level risk assessments and emergency preparedness plans and exercises. My point is: the governance/compliance part of infosec is like 95% people skills in reality (because if you have half a brain you can figure out roughly who should be doing backups). The hard part is to sell responsibility to the organisation and make them understand that this poo poo is important. And it's not just a consulting gig, larger companies are employing people to do this poo poo too, and it's a growth industry here in Denmark and probably the rest of Europe. And it's also coming to the rest of the world if it isn't already there. The reason I think Europe is in front is GDPR, which heavily incentivises companies to get their ducks in a row.

# Sep 3, 2021 21:14

Ynglaur posted: My personal pet peeve was how Sarbanes-Oxley's separation of duties somehow became "the person who wrote the code can't deploy it to production." That is not what separation of duties meant.

That's part of it? The point is that one person shouldn't be allowed to write code [containing Russian backdoors] and put it into production [where the backdoors will be used] without at least having some other guy saying "yeah, that's the code we want alright". It's not about you not being allowed to deploy your own code as such, it's about you not getting to both code and approve it for production. Compare to financial separation of duty: you're allowed to request a new desk, and you're allowed to go to the store to get it, but someone has to actually say it's okay and allow you to use the company credit card. And of course always do it risk-based. If it's internet-facing bank infrastructure code, maybe get two or more competent people to look over the code, and if it's a dumb intranet reminder thing for who brings cake on Thursday maybe skip the separation of duties entirely. Anyway, auditor talk: in Denmark, we have a very real problem where anyone remotely qualified as an IT auditor gets sucked into private consulting/auditing houses (way better pay and career options), leaving government auditors only the terminally incompetent, people with no experience or training and like two guys who are genuinely passionate about oversight of banks. This means that government auditing is not very good, in either the overly focused on details way or just being way too easy to talk yourself out of. Private auditing, which also happens, has an institutional problem of the auditor being paid by the audited, so everything is negotiable in reality, and the auditors know not to rock the boat too much.

# Sep 10, 2021 20:29

Absurd Alhazred posted: I mean, it's generally good practice to have at least one other person look over your code before you push it through, right?

For more than one reason, yes. But there's both the "I want to make sure I didn't gently caress up anything" aspect and the more security related aspect of "we want to make sure the coder didn't put anything bad in there". And if you were maliciously putting in stuff, you'd probably forgo asking someone to look over your code. And for that reason, you need some separation of duties type check of the code (in some cases).

# Sep 10, 2021 21:17

BlankSystemDaemon posted: Do comment, style, typo fixes and other changes of that nature require review?

Risk based approach: is the text/style part of the application separate from the important bits? Sure, you can probably do changes without supervision. Is it the same rights you need to reroute cash flow to your Swiss bank account? Yeah, do a review. Is the application managing payroll or internal news? That makes a difference as well. As alluded to earlier, absolute rules are poo poo, you need to figure out what is relevant case by case.

# Sep 11, 2021 19:24

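An added example tying together the three separation-of-duties posts above (not code from the thread): a deployment gate where the rule is "the author may not also be the approver", and the number of independent approvals depends on the component's risk tier, with cosmetic changes in a repo that keeps text/style apart from logic dropping to the lowest tier. The tiers, the component register, the `cosmetic_isolated` flag and the sample changes are all constructed.

```python
from dataclasses import dataclass, field

# Independent reviewers required before a change may reach production, per tier.
REQUIRED_APPROVALS = {"high": 2, "medium": 1, "low": 0}

# Constructed service inventory: which risk tier each component sits in.
COMPONENT_TIER = {
    "payments-core": "high",     # internet-facing bank infrastructure
    "hr-portal": "medium",       # payroll data
    "cake-rota": "low",          # intranet reminder for who brings cake
}

# Change kinds that never touch behaviour. They get the "low" rules only when
# the repo actually separates text/style from the important bits; that
# separation is signalled by an assumed per-change flag.
COSMETIC_KINDS = {"comment", "style", "typo"}


@dataclass
class Change:
    component: str
    author: str
    kind: str                        # "code" or one of COSMETIC_KINDS
    approvers: list = field(default_factory=list)
    cosmetic_isolated: bool = False  # repo enforces a docs/style vs logic split


def effective_tier(change: Change) -> str:
    """Risk tier that applies to this change; unknown components assume worst."""
    tier = COMPONENT_TIER.get(change.component, "high")
    if change.kind in COSMETIC_KINDS and change.cosmetic_isolated:
        return "low"
    return tier


def may_deploy(change: Change) -> tuple:
    """Return (allowed, reason). The author may still press the deploy button."""
    needed = REQUIRED_APPROVALS[effective_tier(change)]
    # Self-approval is what separation of duties forbids, so the author's own
    # approval is discarded; duplicates from one reviewer count once.
    independent = [a for a in dict.fromkeys(change.approvers) if a != change.author]
    if len(independent) < needed:
        return False, f"{needed} independent approval(s) required, {len(independent)} present"
    return True, "ok"
```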
CommieGIR posted: Yeah I had to explain, very slowly, how mainframes do not have anti-malware. Not yet, because nobody really targets mainframes. And I wasn't going to waste my time on a finding for something that doesn't exist.

I know this, but I don't get it. Most mainframes I've heard of do really loving serious financial stuff. Like, one (actually more than one because redundancy) handled all money transactions of the Danish state, as just part of the scope. And I think most banks have mainframes doing stuff like that. It seems like the biggest and bestest target for APT type attacks, especially since they will be internet facing to communicate with each other (I'm guessing here for the record). My understanding is that something about the framework makes malware almost impossible, but that seems unlikely in actual reality.

# Sep 11, 2021 21:55

Contact us for consulting related to decrypting, including help with prioritizing, rollout and communications.

# Sep 24, 2021 18:12

Reminds me of this guy who bought domains early and noticed that corp.com was used as a fun default in Windows: https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-sale/

# Sep 24, 2021 21:25

NPR Journalizard posted: So I got dropped in the deep end (aka the job that was told in the interview has little resemblance to the job I am now required to do) and so now I need to create and implement a data governance policy for this organisation.

When in doubt, throw it out. My advice is to take a clue from GDPR and require everyone who is collecting data to note down what data they are collecting and for what purpose. And then say that they can't have data more than 5 years old unless they have a good reason. It's an impossible sell to anyone though. Honestly, it's a tough job. Getting an overview of what data you have is basically impossible, which is why I recommend distributed responsibility to data owners. Then a broad strokes policy on how long to keep like 5 types of data (PII, sensitive PII, financial, commercial sensitive, public stuff, other - just very generically). You want to automate stuff, because no one is gonna manually label anything.

# Sep 30, 2021 06:41

Sickening posted: The skills that make you a good policy writer really don't overlap much with the skills that make you a good infosec employee. Your average infosec person is going to write poo poo policies and is going to hate themselves while doing it.

Eh, this is only true if you consider infosec a technical field. You need policymakers in your infosec team if you want to have meaningful security governance. But otherwise yeah, totally agree, technical experts write terrible policies, as do most narrow field experts. I'm looking especially at legal here. You need to look at the big picture and the target audience, and that's hard as gently caress, especially if you know all the computer/legal/financial/etc details and want to cover them all. A policy should have intentions and a few minimum requirements, and, if you don't use rule based governance, very clearly defined responsibilities. And then you have to implement the thing, and then you can look at whether the idiots in IT (or wherever) actually follow the policy at all, and if they do, if their practice is what you intended. Then begins the cycle of plan, do, check, act.

# Sep 30, 2021 07:44

NPR Journalizard posted: Yeah, the more I read, the more issues pop up and the worse this project gets.

Doesn't sound automatic enough in my experience. Users will not apply labels, even if it's literally one click on a flashing button with a chocolate reward. You want to define, for the previously mentioned broad data sets:
Then, I would probably look at systems and figure out responsibility for them. And then you can assume that all data in a given system is of the most critical type and treat the system accordingly. Afterwards you can get fancy and think about interconnected systems, different applications of data (warehouse data vs active patient files for example) and differentiation within systems. But that's later. Hint: the AD gives access to probably everything, and there's a dude with global rights.

# Sep 30, 2021 07:55

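An added example for the two data-governance replies above (not code from the thread): the broad-strokes retention policy applied mechanically, so nobody has to label anything by hand. Every system has a declared owner and data category; an unlabelled record inherits its system's category, a system with no declared category is treated as holding the most sensitive type, records older than the limit without a documented reason are flagged, and ownerless systems are flagged too. The categories, the 5-year limit from the post, the system register and the sample records are constructed.

```python
from datetime import date
from typing import Optional

FIVE_YEARS = 5 * 365   # days; the "no data older than 5 years" default from the post

# Retention per broad data type; None means no automatic limit.
RETENTION_DAYS = {
    "sensitive_pii": FIVE_YEARS, "pii": FIVE_YEARS, "financial": FIVE_YEARS,
    "commercial": FIVE_YEARS, "other": FIVE_YEARS, "public": None,
}
# Most critical first; used for systems with no declared category.
CRITICALITY = ["sensitive_pii", "pii", "financial", "commercial", "other", "public"]

# Constructed system register: who owns each system and what it holds.
SYSTEMS = {
    "patient-files": {"owner": "clinic-lead", "category": "sensitive_pii"},
    "website": {"owner": "comms", "category": "public"},
    "legacy-share": {"owner": None, "category": None},   # nobody owns it
}


def classify(system: str, label: Optional[str]) -> str:
    """A record label wins; otherwise the system's category; otherwise assume the worst."""
    if label in RETENTION_DAYS:
        return label
    declared = SYSTEMS.get(system, {}).get("category")
    return declared if declared in RETENTION_DAYS else CRITICALITY[0]


def review(records: list, today: date) -> list:
    """Findings: systems without an owner, and records past retention with no reason."""
    findings = []
    for name, meta in SYSTEMS.items():
        if not meta["owner"]:
            findings.append({"system": name, "issue": "no data owner"})
    for rec in records:
        category = classify(rec["system"], rec.get("label"))
        limit = RETENTION_DAYS[category]
        if limit is None:
            continue
        age = (today - rec["created"]).days
        if age > limit and not rec.get("retention_reason"):
            findings.append({"system": rec["system"], "id": rec["id"],
                             "category": category, "age_days": age,
                             "issue": "past retention, no documented reason"})
    return findings


SAMPLE_RECORDS = [   # constructed; "created" is the record's creation date
    {"id": 1, "system": "patient-files", "created": date(2015, 1, 10)},
    {"id": 2, "system": "patient-files", "created": date(2014, 3, 1),
     "retention_reason": "ongoing treatment"},
    {"id": 3, "system": "website", "created": date(2010, 6, 1)},
    {"id": 4, "system": "legacy-share", "created": date(2012, 9, 9)},
    {"id": 5, "system": "legacy-share", "created": date(2021, 1, 1), "label": "public"},
]
```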
evil_bunnY posted:
Not at the application level, but at the database level.

# Sep 30, 2021 14:48

Is everyone laughing at Facebook right now? I am https://twitter.com/briankrebs/status/1445077617426718725?s=19

# Oct 4, 2021 20:24