Virtually all cybersecurity breaches both by volume and by severity are via trivially preventable problems (reused passwords, failing to update, failure to use minimum standards), not anything particularly sophisticated - ThreadSky

pwnallthethings.bsky.social • 110 days ago

Virtually all cybersecurity breaches both by volume and by severity are via trivially preventable problems (reused passwords, failing to update, failure to use minimum standards), not anything particularly sophisticated

Reposted from Patricia Sauthoff 司徒雛菊

What is common knowledge in your field, but shocks outsiders?

Alchemy is about medicine and science way more than it is about magic.

Comments

stephen.oysterarchery.com•110 days ago

When I started working for a security company, I was astonished to learn how much security was “don’t be an idiot”

beckya.bsky.social•108 days ago

I find that quite plausible

farhanible.bsky.social•110 days ago

It’s a scale/volume problem. There are a lot of those tiny preventable things. And it gets more complicated with exceptions because in reality you can’t patch a hundred machines with accuracy 100% of the time.

alexcp.bsky.social•110 days ago

That is correct, but those are problems that are very hard to manage at scale, so this is why it keeps happening the same ways over and over again.

pwnallthethings.bsky.social•110 days ago

exactly. And a lot of new code is written every day

viss.hax.lol•110 days ago

and then theres this stuff: https://www.propublica.org/article/microsoft-white-house-offer-cybersecurity-biden-nadella

pwnallthethings.bsky.social•110 days ago

I've been a stuck record on this since, idk, 3400 BCE when writing was invented or whenever, but "stop trying to legislate technical requirements. Enable large civil judgments in the event of breaches with mandatory insurance if necessary"

viss.hax.lol•110 days ago

the lobbyists have the numbers - both in the budget, and dudes in suits who say 'bro' too many times in 60 seconds for anything they say to ever be taken seriously

boblord.bsky.social•110 days ago

And why do we blame the customers for not keeping up with the fire hose of security updates rather than the software manufacturers who could eliminate entire classes coding error? The list of top classes of defect are the same year after year, decade after decade.

daedricnonsense.bsky.social•110 days ago

So, in sports phrasing, unforced errors?

rstgermain.bsky.social•110 days ago

It’s frustrating talking with clients who say their next gen product would prevent everything BUT fail to rotate passwords and all of their priv service accounts have passwords listed on a breach website.

forevernever.bsky.social•110 days ago

A COO at one of my old companies refused to use PGP for email. It didn't lead to a breach... but that right there is how it happens.

sutur.cyberdelia.party•110 days ago

but... but... but... their breach message said it was a sophisticated attack pulled off by a nation state actor. and they said they take security seriously. _surely_ they aren't lying about all of this 😬

tbapple.bsky.social•109 days ago

Our neighboring county, Suffolk NY, was hit by a debilitating ransomware because months early a deputy IT commissioner had secretly hidden bitcoin mining machines in the building. He was caught but had already let in the breach that months later would be exploited by an internal phishing email.

maxmitroi.bsky.social•110 days ago

what is common knowledge in your field, but shocks outsiders?

An application server or a web server is never a physical device. It is a piece of software that you can have installed on your laptop.

ncweaver.skerry-tech.com•110 days ago

It really frustrates me when cybersecurity advice isn't ordered with the lead things being
1: Keep things up to date
2: Use a password mananger
3: Use a security key
4: Keep everything backed up

alttag.bsky.social•109 days ago

For cloud breaches, the biggest issues are from configuration problems, such as someone neglecting to mark a resource as private.

eloquentvogon.bsky.social•110 days ago

Shhhh they won't pay me if they know that

skiskamp.bsky.social•110 days ago

Obligatory xkcd:

https://xkcd.com/2176/

evankb.bsky.social•110 days ago

But...

dragonnexus.bsky.social•110 days ago

I imagine the reaction to most hacking attempts is "Huh. That worked."

blue-eyedsamurai01.bsky.social•110 days ago

Bluetooth printers being intercepted by 3rd party blah blah blah

metabluesky.bsky.social•110 days ago

griddygentilly.bsky.social•110 days ago

Yet many companies, including the one I work for, spend millions on tools that make employees' jobs incredibly difficult and often outright break stuff just so they can claim they are protected against the most sophisticated attacks

sardarji.bsky.social•110 days ago

Customers want service providers to certify security processes. This swells IT budgets so they can buy security infrastructure. Infrastructure providers create a climate of fear among customers by hyping potential threats, even corner cases.

It's a closed loop system.

sixnein.bsky.social•110 days ago

I convinced my company that the best approach is to attack employees. We sent out fake emails to our employees. If they fall for it, they get training.

virtualkat10.bsky.social•110 days ago

Same at my place. But now I suspect everything unexpected is a phishing test….

alttag.bsky.social•109 days ago

Seems it would be better to invest in systems less susceptible to phishing, including SSO and 2FA.

Antagonizing users won’t get you the gains you want.

sixnein.bsky.social•109 days ago

This form of training also helps them out in their own personal lives.

alttag.bsky.social•109 days ago

Only if one believes this sort of “training” is effective and sticky.

Evidence for that assumption is mixed.

https://link.springer.com/article/10.1186/s13673-020-00237-7

Simulated phishing isn’t consistently more effective than other training methods, but is likely to reduce trust in the IT org and the parent institution.

mwwaters.bsky.social•110 days ago

Which I think is part of the issue. Passkeys have some kludges to work out, but a sufficient corporate system would not be phishable through most employees.

There are still recovery mechanisms, which have been abused, but that’s a smaller surface area.

griddygentilly.bsky.social•110 days ago

Oh yeah, we also do the phishing tests with training for failures. But that hasn't stopped us from also buying multiple software and hardware solutions that do nothing but make everyone in IT miserable

sixnein.bsky.social•110 days ago

We're so locked down that I have to request admin even on test servers via ticket for a 12 hour window.

griddygentilly.bsky.social•110 days ago

I can check out admin passwords for a server at any time but they are only good for up to two hours and they reset as soon as I check it back in. This even applies to internal test servers

sixnein.bsky.social•110 days ago

The test servers is what annoys me because it delays anything that involves touching the web server configs. You can't for example mess with IIS without admin.

rjordan3.bsky.social•110 days ago

You must do a lot of training.

logophobe.bsky.social•110 days ago

Problem with these ime is that they don't actually work terribly well. My last company did phishing simulations, training, on and on for 2 full years, all to lower the simulation failure rate from 40% to about 33%

rweir.bsky.social•110 days ago

If you’re worried about phishing then 1) you have to not send out real emails that look like garbage and 2) buy buckets of yubikeys for every office so you’re technically unphishable rather than complaining that users “use” “email” “at” “work”. Anything less is just posing.

hellsop.ninehells.com•110 days ago

(counterpoint: if you have to whitelist your fake email to get it past the normal protections, to even reach employee inboxes, redteam takes the training.)

pwnallthethings.bsky.social•110 days ago

my strong opinion on this is that phishing emails are to train your blue-team and your red-team, not to train your employees

sixnein.bsky.social•110 days ago

I think the weakest link into systems are our users. I'd be a fan of even dropping USB sticks in the parking lot that behaves the same way. Big chemical company got burnt with that. People take it inside and plug it in to see what is on it.

pwnallthethings.bsky.social•110 days ago

When "USBs in parking lots" first became a thing, Windows (XP) would autorun files on that USB when it was plugged in. Windows Vista+ doesn't do that.

Technology solutions can (and do) mitigate or eliminate several categories of social engineering risks

solidphil.bsky.social•110 days ago

OMG I used to piss people off doing that. Big fun.

mlbiam.dev•110 days ago

That attitude won't sell my great new security product!

jjgass.bsky.social•107 days ago

I’ve always assumed this to be true given how little time the nerd in a cop/thriller movie or TV show has to type before announcing, “I’m in.”

martijngrooten.bsky.social•110 days ago

"Cybersecurity is a society science with a small technical component".

blackwjulie.bsky.social•110 days ago

I hate being forced to now use 14 character complex passwords, and having to renew them every 90 days, but at this point, it is completely necessary. I look askance at websites that use anything less.

gnufan.bsky.social•110 days ago

Password rotation is generally regarded as trying to transfer security work from IT to the end users. The users pick weaker passwords, and usually end up with a number or date on the end of an earlier password.

kulkan.bsky.social•109 days ago

and clicking on links.. I miss the 80s when we just had boot sector viruses.

bensmash.rocks•110 days ago

click here to update your payroll information

n0s0ul.bsky.social•110 days ago

The human vector is so much easier to exploit.
"Act like you own the place"
Or, when someone tries to stop you, with a commanding tone, say "That's a stupid question"
That kinda thing.

mrr3b00t.bsky.social•110 days ago

briecodes.bsky.social•110 days ago

I attended a great webinar on passwordless auth the other day and now I'm a big fan. FIDO indicates that 80ish percent of breaches are password related. That's wild!

agent51.bsky.social•110 days ago

And “non-trivial” exploits are pretty trivial fixes with basic best coding practices. Most companies are unwilling to invest any serious amount of money into infosec because it’s viewed as sunk cost. Companies need to be help accountable for their criminal level of negligence!

carpinsandiego.com•110 days ago

Cybersecurity out there raking in billions on keeping out chinese and russian hackers from getting into your system then Bill from accounting clicks a link. Ooops. 99% of the time.

narakuhanku.bsky.social•110 days ago

99.99% lol, fucking wild. Not only do they click the link, they log in to a fake portal from it, because it needed to authorize their credentials because of sensitive information. They failed to see the address of "jamordie.acd.asds.com" in the browser tab 🤦

narakuhanku.bsky.social•110 days ago

... And then you see these long ass email signatures from companies telling the person sending the email not to click a link from responders because it may be a phishing attempt lol. Like, my guy, who fucked up so bad that your company makes you look stupid with every email you reply to??? 😂😂🤦

robmallicoat.bsky.social•107 days ago

Prolly close to the same number of homes that are broken into or burglarized. Simple stuff, not implemented.😱

layer8.bsky.social•110 days ago

When I did my research fellowship, I aimed to quantify if the rise in frequency and severity of breaches resulted from attacker efficacy, defender dysfunction, or policymaker shortsightedness

My own bias left me with the latter as the presumed blame…

layer8.bsky.social•110 days ago

Indeed. Analysis of 10+ years of breaches from the UK NCSC proved otherwise (~25K incidents). Lightbulb moment for me like oh, wow, yikes 🥲

sixnein.bsky.social•110 days ago

I think most articles should say scammers gained access instead of hackers gained access.

Comments

Posting Rules

Reply