this post was submitted on 05 Oct 2023
474 points (99.0% liked)

all 20 comments
[–] hypnicjerk 112 points 1 year ago* (last edited 1 year ago) (1 children)

if an end user can serve as an entry point to the entire domain for ransomware, the end user hasn't failed, IT has.

[–] Sheeple 74 points 1 year ago (2 children)

Upper management: "GIVE ADMIN PRIVILEGES TO ALL ACCOUNTS TO STREAMLINE THINGS. I DON'T CARE IF IT'S INSECURE DO IT!"

[–] [email protected] 30 points 1 year ago* (last edited 1 year ago) (1 children)
[–] Sheeple 9 points 1 year ago* (last edited 1 year ago)

[Fired for noncompliance]

Sad truth of IT. Being ordered around by tech illiterate bosses who refuse to listen. And they often don't even seem to value their employees, thinking they're easily replaced (they aren't)

[–] [email protected] 21 points 1 year ago* (last edited 1 year ago)

But sire, our employees will be in potential violation of SOC 2 compliance should we be audit—- “JUST DO IT!”

[–] [email protected] 60 points 1 year ago (5 children)

Today I got an email from management, something along the lines of "you didn't click the link in this email we sent as a required questionnaire about phishing, some people reported it as phishing: a reminder, all emails from [email protected] are not phishing"

There was no previous email

I checked the message details and it said "THIS IS A PHISHING TEST BY external company"

It was a phishing test disguised as an urgent reminder to answer a phishing questionnaire, replying to a nonexistent email. I can't wait until Monday when they round up everyone who clicked the link

[–] [email protected] 16 points 1 year ago (2 children)

This is a good one. We get standard phishing tests which make no sense. It is usually a person I don't know, from a company I haven't heard of asking me to edit/review a file they share. People who design these tests should know that people do NOT jump into the opportunity of editing/reviewing files or receiving tasks. I imagine real phishing attacks must be smarter than this.

[–] [email protected] 5 points 1 year ago

Not necessarily. They only need one person to run the file

[–] chiliedogg 4 points 1 year ago

I work for a small-ish but fast-growing municipality, and we're getting increasingly well-targeted actual attacks. Instead of posing as "The IT department" they're posing as my boss or the City Manager by name.

This week they even started name-dropping the conference most of the directors were actually attending as an excuse why we wouldn't be able to reach out and talk to them before the "request" was due.

[–] [email protected] 10 points 1 year ago

Wow damn that'd trick whole swaths of our org 🤦. Sad how many people we still get with the super obvious "Free $5 on Venmo" phishing tests...

[–] [email protected] 9 points 1 year ago

That's actually pretty smart.

[–] [email protected] 4 points 1 year ago

They did something similar at our university, I wonder how many fell for it. They never told us

[–] [email protected] 24 points 1 year ago

Usually a company needs a ransomware attack or some other digital tragedy before they learn the importance of security.

Sometimes they need a few incidents, and need to be reminded when upper management deprioritizes IT security.

[–] [email protected] 20 points 1 year ago* (last edited 1 year ago)

Nothing like running ransomware on a government computer, causing a huge leak on a government-run health database and exposing everyone to a potential security risk.

Case in point: https://gulfnews.com/world/asia/philippines/philippines-hackers-reveal-hospital-bills-health-data-after-failed-ransomware-demand-1.1696339629351

[–] [email protected] 15 points 1 year ago (1 children)

And this is why I decided to not do IT.

[–] [email protected] 18 points 1 year ago

She probably doesn't do IT and that's the problem.

[–] gmtom 3 points 1 year ago (1 children)

I don't mind, that's not the support department's job, probably more like Info sec or dev ops or something.

[–] [email protected] 3 points 1 year ago

laughs in small company

[–] [email protected] 2 points 1 year ago

Mr.Robot.jpg