[HN Gopher] The Original APT: Advanced Persistent Teenagers
___________________________________________________________________
The Original APT: Advanced Persistent Teenagers
Author : todsacerdoti
Score : 54 points
Date : 2022-04-06 18:05 UTC (1 days ago)
(HTM) web link (krebsonsecurity.com)
| flerchin wrote:
| Damages seem to have been pretty minimal. Yeah there's a lot of
| "This could have been worse" but defense in depth seems to have
| worked. Okta seems to have taken the worst of it, and that was
| mostly in terms of reputational damage.
| vegetablepotpie wrote:
| The way to fix this is that corporate IT needs to have more
| authority with the rest of the company.
|
| It's easy to blame the user when they get a phone call from IT
| that says their account has been hacked and they need to reset
| their password. Except it's not IT and the password reset tool is
| not the company's.
|
| The reason this happens is that the business side of the company
| always hampers security. You could have the best IT security
| training in the world that says not to share your password and do
| not click external links in an email. But that means nothing when
| you have Susan, the admin of your department manager, send out an
| email with a link to a survey outside your corporate domain with
| instructions, bright red in comic sans, we are using a new survey
| tool, all employees are required to complete the survey.
|
| So some things that should be red flags look acceptable. The
| people in charge consistently break their own rules that they
| impose on others. Companies set up conditions where the only
| thing preventing a breach is their employees' ability to guess
| what feels like a phishing scheme, and what doesn't.
|
| IT security needs to identify and sanction activities in the
| business that train users to produce bad outcomes.
| ipnon wrote:
| I once worked at a place that secretly red teamed its
| employees with phishing emails. I diligently reported them all
| in public channels, unaware I was being duped, and received no
| response or promise to block the domains. Eventually I was fed
| up by the inaction, and inspected the payload in an isolated VM
| with execution disabled. I thought I was doing them a favor,
| but just the act of clicking on the link subjected me to 3
| days of mandatory phishing training. The saltiness left over
| from that incident could pickle an entire nation's agricultural
| output.
| briandoesdev wrote:
| I ran internal phishing email exercises where I used to work.
| We never let users know when it was an exercise vs a real-world
| event; they always got the same automated response that it
| was being looked into and that was all. I guess luckily for
| our users no one ever received any training or punishment for
| "falling" for our emails. We used to do it mainly for click
| rate tracking.
| not2b wrote:
| My company does phishing email exercises, and they've added
| a "report phishing" button to Outlook you're supposed to
| hit, either for the fake messages or any real phish
| attempts you get, or worse, fall for.
|
| The difficulty is that the company has outsourced many
| functions, meaning that there are external companies I
| often haven't heard of sending messages we have to interact
| with. Worse, one of those vendors has a very spammy-looking
| style and has even misspelled our company's name before in
| their mails.
| uuyi wrote:
| Totally agree. But the thing is that costs money and the real
| desire is to tick the compliance checklist at the lowest cost.
| So they throw out some software assurance tech, force staff
| through a click-through phishing training program once a year
| and lowball ISO 27001 and SOC 2 certs.
|
| Ass covered. Security and defence in depth? Hell no. They can
| employ the apologetics department dung beetles to roll that
| turd away quickly after the fact.
| BeFlatXIII wrote:
| See also: DEI and anti-harassment training
| AtlasBarfed wrote:
| At any given time, a company is actively working against the
| interests of 90% of its employees: trying to cut salary, reduce
| benefits, stack rank, or squeeze their schedules.
|
| IT departments are among the worst of underfunding, exploitation,
| stressing. Because fundamentally the cool management guys see IT
| as a bunch of nerds to bully. But the problem is IT holds all the
| keys to the castle.
|
| Until this long-standing fundamental bias of management is fixed,
| companies will be security sieves.
|
| Unfortunately, what will be done is punitive to the employees:
| more red tape with no allowance for time, victim blaming, and
| ass-covering.
___________________________________________________________________
(page generated 2022-04-07 23:02 UTC)