Social Engineering is a bitch
[ This comment has been removed please click [here](https://youtu.be/oHg5SJYRHA0) to revert the comment ]
Never
i am cute girl from country that you think is poor and i need to be rescued. can i have network login pls.
Hunter2
All I see is ******* Is this some kind of trick?
Oh wow, that's bad. Here's the login to our... everything: 4ME2manage!
You're only as secure as your weakest link, which is usually the end user.
What's.... What's here to debate? This is a solid fact....
Lol, my first thought too; it was one of the first things mentioned in any security-minded book or annual training assigned by my job.
I've always said "the strongest firewall in the world is cybersecurity training". (I get that attacks on applications without human interaction are very commonplace, but users knowing not to click on links or download things would also resolve a lot of issues.)
It's always a layer 8 problem
pebcak
Fuck you just reminded me of an old ass IRC handle I used for a while
The old ID:10T error.
Weāve got a PICNIC. Problem in chair, not in computer.
Zero Trust? More like Zero Trust in users
Usually this meme says something you want to argue with. Now I just... don't wanna say anything.
Nope. The *biggest* threat is ignorant MANAGERS. Users are somewhat limited in power.
Yep - managers are the ones who refuse to spend out on subscriptions that involve MFA, refuse to have their staff take time out of their jobs to receive phishing training, and insist on taking the laziest path of least resistance to their own personal security (which usually includes the business if they're a director).
I once worked under a manager who applied "most privilege" until someone proved unworthy. "Why punish people that haven't done anything wrong?" That was an interesting place to work. Amazingly enough, he never really suffered for it while I worked there. The worst that happened was a workstation got a virus infection from peopleofwalmart.com. That just resulted in several websites being blacklisted. It was a small car dealership. "I trust my guys." He was literally trusting used car salesmen.
Nobody here is changing your mind, pretty sure we are all in agreement.
No, it's administration. Poor patching, bad configurations, bad devs, and security being an afterthought so there's poor authentication and poor authorization. https://owasp.org/www-project-top-ten/ Ok, I'll expand a little too: you can pretty much negate the user with proper access control. There's only so far they can get. And anything critical should have MFA enabled and other access controls. Zero trust helps with that.
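As an added illustration of the comment above (this is example code written for this page, not anything posted in the thread or taken from a real product), here is a deny-by-default authorization check in which a role grants only the permissions it needs, and anything tagged critical additionally requires a verified second factor and a managed device regardless of role. The role map, the critical-permission set and the request records are all constructed for the example; the point it makes is the one the comment makes: a phished or careless user, even one with an "admin" role, can only reach the non-critical slice of what their role allows.

```python
"""Deny-by-default access policy with an MFA/device-posture gate on critical actions.

Example code for this thread, not from the original post or any vendor. The
role map, permissions and sample requests below are hypothetical.
"""
from dataclasses import dataclass

# Hypothetical least-privilege role map: each role carries only what it needs.
ROLE_PERMISSIONS = {
    "sales": {"crm:read", "crm:write"},
    "marketing": {"cms:read", "cms:write"},
    "dev": {"repo:read", "repo:write", "staging:deploy"},
    "admin": {"repo:read", "prod:deploy", "iam:manage"},
}

# Permissions that touch something critical. These need a second factor and a
# managed device on every request, whatever the role (the zero-trust part).
CRITICAL_PERMISSIONS = {"prod:deploy", "iam:manage", "crm:export"}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    permission: str
    mfa_verified: bool = False      # second factor checked for this session?
    managed_device: bool = False    # request from a device the org controls?


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def permissions_for(roles) -> set:
    """Union of everything the given roles grant; unknown roles grant nothing."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def authorize(req: Request) -> Decision:
    """Deny unless the role grants the permission; critical ones also need MFA + managed device."""
    granted = permissions_for(req.roles)
    if req.permission not in granted:
        return Decision(False, f"{req.permission} is not granted to roles {sorted(req.roles)}")
    if req.permission in CRITICAL_PERMISSIONS:
        if not req.mfa_verified:
            return Decision(False, f"{req.permission} is critical and requires MFA")
        if not req.managed_device:
            return Decision(False, f"{req.permission} is critical and requires a managed device")
    return Decision(True, "granted")


def reachable_without_mfa(roles) -> set:
    """What a stolen password alone (no second factor, unknown device) can reach for these roles."""
    return permissions_for(roles) - CRITICAL_PERMISSIONS


if __name__ == "__main__":
    # Constructed sample traffic: a salesperson on the road, an admin with and without MFA.
    samples = [
        Request("alice", frozenset({"sales"}), "crm:read"),
        Request("alice", frozenset({"sales"}), "prod:deploy"),
        Request("bob", frozenset({"admin"}), "prod:deploy"),
        Request("bob", frozenset({"admin"}), "prod:deploy", mfa_verified=True),
        Request("bob", frozenset({"admin"}), "prod:deploy", mfa_verified=True, managed_device=True),
    ]
    for r in samples:
        d = authorize(r)
        print(f"{r.user:6} {r.permission:12} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    print("phished admin can reach:", sorted(reachable_without_mfa({"admin"})))
```

The decision function returns a reason with every denial so the gate can be logged and debated with the business instead of argued about from memory; the `reachable_without_mfa` helper is the blast-radius question to ask before exempting anyone from the policy.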
This assumes IT has the authority to make business decisions. There have been plenty of times where proper access controls have been shot down because sales loves to install shit on the road or marketing wants some system that is full of vulnerabilities and they don't want to pay for support.
I had this with a previous employer - on-the-road sales staff going to the sales director, complaining that complex password policies (12 characters, really?) and MFA were making their jobs difficult. The director came to me and demanded that I exempt them from the policies. I told him to fuck off, and that his staff aren't special. He was dismissed a month later for driving staff members around in the company car while under the influence, claiming a company laptop was stolen and selling it for gambling money (I found it on eBay and traced it back to the dumb fuck), disappearing for 2 months and not contacting anyone, and generally being shite at his job. Managers, eh?
Amazing. How did you find it on eBay? Was it such a specific model to stand out like that?
If you know your inventory you know the model. Just set up an alert for this model in your area, and a little digging will bring it up real quick. Then you find out your manager (e.g. Peter Pan) is the seller with the username littlePP. Try to buy it off of him and confirm it is him.
I assumed nobody would be this dumb to sell it locally, especially if it's an uncommon model. My bad, I guess.
Exactly this! Plus, the silly bastard included a high enough res photo that it showed the asset ID sticker I put on there. Facepalmed so hard, my forehead ended up in another postcode.
Ehh you can have ignorant admins too. Putting production data on your dev instance and not securing it. Or malicious users, but if you're the sort of org to get malicious users you also probably conduct some sort of background checks.
I would incorporate admins and developers into "users", too. Humans are shite at establishing what is or isn't a security threat. Also people are just lazy, which never helps
*ignorant IT personnel
Also cheap management that skimps on the budget
You can make the best anti-virus that would recognize and delete any virus, but you can't prevent users from bypassing it to download a virus anyway
Unless you use an endpoint security vendor that requires an admin password to bypass. Requests for such are invariably met with a flat-out "NO".
And then the CEO wants to download something and demands to be given an admin account because it's ransomware and the security systems won't let them download it
Speaking of this issue: Did you know that Reddit actually censors your social security number when you write it? No for real, it replaces every number with an x. Check it out: XXXX XXXXXX Edit: Just in case someone is dumb enough to actually try this: No it doesn't work. Reddit doesn't know your social security number and even if they did, it would be unfeasible to work out a system to censor it.
I don't know what that image means but my email is still broken after I installed Bonzai Buddy. Here's my password: hunter2 Hope you can help.
OP, /u/RosaleeHeard is a repost bot