this post was submitted on 05 Oct 2023
464 points (100.0% liked)

196
all 20 comments
[–] [email protected] 103 points 2 years ago* (last edited 2 years ago) (1 children)

if an end user can serve as an entry point to the entire domain for ransomware, the end user hasn't failed, IT has.

[–] [email protected] 73 points 2 years ago (2 children)

Upper management: "GIVE ADMIN PRIVILEGES TO ALL ACCOUNTS TO STREAMLINE THINGS. I DON'T CARE IF IT'S INSECURE, DO IT!"

[–] [email protected] 30 points 2 years ago* (last edited 2 years ago) (1 children)
[–] [email protected] 8 points 2 years ago* (last edited 2 years ago)

[Fired for noncompliance]

Sad truth of IT. Being ordered around by tech-illiterate bosses who refuse to listen. And they often don't even seem to value their employees, thinking they're easily replaced (they aren't).

[–] [email protected] 21 points 2 years ago* (last edited 2 years ago)

But sire, our employees will be in potential violation of SOC 2 compliance should we be audit— "JUST DO IT!"

[–] [email protected] 59 points 2 years ago (5 children)

Today I got an email from management, something along the lines of "you didn't click the link in this email we sent as a required questionnaire about phishing, some people reported it as phishing: a reminder, all emails from [email protected] are not phishing."

There was no previous email.

I checked the message details and it said "THIS IS A PHISHING TEST BY external company"

It was a phishing test disguised as an urgent reminder to answer a phishing questionnaire, replying to a nonexistent email. I can't wait until Monday when they round up everyone who clicked the link.

[–] [email protected] 16 points 2 years ago (2 children)

This is a good one. We get standard phishing tests which make no sense. It is usually a person I don't know, from a company I haven't heard of asking me to edit/review a file they share. People who design these tests should know that people do NOT jump into the opportunity of editing/reviewing files or receiving tasks. I imagine real phishing attacks must be smarter than this.

[–] newIdentity 5 points 2 years ago

Not necessarily. They only need one person to run the file.

[–] [email protected] 4 points 2 years ago

I work for a small-ish but fast-growing municipality, and we're getting increasingly well-targeted actual attacks. Instead of posing as "The IT department" they're posing as my boss or the City Manager by name.

This week they even started name-dropping the conference most of the directors were actually attending as an excuse why we wouldn't be able to reach out and talk to them before the "request" was due.

[–] [email protected] 10 points 2 years ago

Wow damn that'd trick whole swaths of our org 🤦. Sad how many people we still get with the super obvious "Free $5 on Venmo" phishing tests...

[–] newIdentity 9 points 2 years ago

That's actually pretty smart.

[–] [email protected] 4 points 2 years ago

They did something similar at our university, I wonder how many fell for it. They never told us.

[–] [email protected] 24 points 2 years ago

Usually a company needs a ransomware attack or some other digital tragedy before they learn the importance of security.

Sometimes they need a few incidents, and need to be reminded when upper management deprioritizes IT security.

[–] [email protected] 20 points 2 years ago* (last edited 2 years ago)

Nothing like running ransomware on a government computer causing a huge leak on a government-run health database, exposing everyone to a potential security risk.

Case in point: https://gulfnews.com/world/asia/philippines/philippines-hackers-reveal-hospital-bills-health-data-after-failed-ransomware-demand-1.1696339629351

[–] [email protected] 15 points 2 years ago (1 children)

And this is why I decided to not do IT.

[–] newIdentity 18 points 2 years ago

She probably doesn't do IT and that's the problem.

[–] [email protected] 3 points 2 years ago (1 children)

I don't mind, that's not the support department's job, probably more like infosec or DevOps or something.

[–] [email protected] 3 points 2 years ago

laughs in small company

[–] [email protected] 2 points 2 years ago

Mr.Robot.jpg