* Posts by RJX

10 publicly visible posts • joined 8 Jul 2009

IBM Consulting is done playing around, orders immediate return to office

RJX

Blah, blah, blah. Amazon tried the same thing and had to modify their policy to tell people they may not get promoted. How old generation is that thinking, even forgetting that IBM is a corporate dinosaur?

To all of the execs and managers talking about working effectively and collaboration being the reason, how many office locations do you have? Because every time an employee in one office works with an employee in another office it's the same as working remotely. That has not hurt companies a bit.

JPMorgan exec claims bank repels '45 billion' cyberattack attempts per day

RJX

The one thing I was certain of before I retired from bank cybersecurity was that the numbers reported publicly were woefully low. For people who pooh-pooh things like port scans, let's do an analogy to your home. A port scan is the same thing as an unauthorized person walking up to your home and trying every door to see if it's unlocked and pushing on every window to see if it opens.

If you looked out the window at night and saw an endless stream of people walking up to your home and trying to get in, how well would you sleep?

Familiarity breeds contempt and that's how that article and some of the comments read. We'll be reading about your organizations over at www.databreaches.net if we have not already done so, multiple times.

Ivanti zero-day exploits explode as bevy of attackers get in on the act

RJX

Meh. Just convince management to let you do your job the right way.

We deployed the predecessor, the Juniper remote access version. Then we upgraded to the Pulse Secure version when Juniper spun them off. And now it's the Ivanti version.

We have as close to a zero percent chance of an RCE or any other compromise as there is regardless of patch status or version. How did we do that?

It's dirt-simple to require a client certificate on the connecting computer in order to even connect to the port of the remote access box. We spun up a Certificate Authority for all remote connections (remote access, API, whatever) and we require a client certificate to even connect to the port. No cert means you don't even get a banner, just a dropped connection because you can't get past the port to anything else.

As a bonus the remote access log files drop to almost nothing because even scanners and attackers won't get logged, just connections with the proper client certificate. We can still see the unauthorized connection attempts in the firewall logs but not in the Ivanti logs.

In the words of a major pen testing company (that almost anyone in the business would recognize) when they could not do a thing to us:

"NOBODY DOES THAT!"

And that's the problem. We have a few thousand client certs authorized and the rest of the 3 billion people on Planet Earth with Internet access think nothing's there even if they dial up the URL.

Suits ignored IT's warnings, so the tech team went for the neck

RJX

Haha, did the same thing to the CIO, with his approval.

All plants were connected to HQ with a lousy T1, yet he had 100 Mbps connectivity. He got tired of the complaints and said 1.5 Mbps was good enough for anyone. Since he had a DHCP reservation, we used QoS to throttle him to T1 speed. After three days he threw in the towel and approved the connectivity upgrades.

Automation is great. Until it breaks and nobody gets paid

RJX

Had automation delete the entire Accounting department. Twice. In two days. And...

Reviewing my overnight security alerts before heading into work showed that every account in the Accounting Department was deleted at 7:15 AM. Odd. I went into work and asked my team members what happened. Blank stares as they scrambled to check the alerts they ignored. The security manager chuckled when he came in and said "Apparently we don't need an Accounting department."

The sysadmins, being sysadmins, recovered the accounts from the AD Dumpster, pronounced it a "glitch" that had never happened before, so it would not happen again, and they would do nothing else to investigate.

Yup, the next morning at 7:15 AM the entire Accounting Department got deleted again.

Now everyone is taking it seriously. Now.

At a meeting that afternoon they said the mass deletion was caused by a script they wrote to sync Oracle HR with AD, a script that ran at 7:15 AM. The script erroneously assumed that if a department did not have a manager then the department did not exist. So rather than just disabling the accounts it deleted them.

Turned out the Accounting Manager had gone on medical leave so he was removed as the department manager, leaving that position blank in Oracle HR.

Everyone in the meeting thought it was good that they had found the problem and prepared to leave, because it really was no big deal, right?

Until I said "Wow, it's a good thing the CEO didn't go on medical leave, right? That script might have deleted every account in the company!"

Heads turned, faces got a shocked look, and that's when the sysadmin manager admitted that was exactly what would have happened.

---------------

Then they did a similar thing years later. They wrote a script to delete ex-employee Exchange mailboxes 90 days after the employees left the company. It worked great, until it didn't.

We were in a legal battle and there was a court order to preserve certain mailboxes for legal discovery. Some of the mailboxes were for departed senior managers. Their script dutifully deleted their mailboxes after 90 days because everyone forgot about it. Then the archive purge killed the backups some months later.

Then we were ordered to produce those mailboxes and Whoops! Their little automation script caused a massive legal problem with the court, you know, destruction of evidence...

Finally, after that disaster, senior managers ordered the sysadmins to put EVERY script they used into the Source Code system, where they needed to check scripts out to use them or to modify them. The sysadmins whined and got told that all code run on production systems was programming and now needed explicit manager approval via a Change Control ticket, so they made it worse by complaining.
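The two failures in this post (an HR sync that conflated "no manager" with "no department" and deleted rather than disabled, and a purge that ran over mailboxes under a preservation order) can be modelled side by side. The following is an added example, not RJX's script or any vendor's code; the HR rows, directory accounts, legal-hold list and the 10% blast-radius limit are all constructed.

```python
# Added example: a model of the HR-to-directory sync bug described in the
# post, beside a hardened version. All data and the 10% limit are constructed.

# Constructed HR extract: department -> manager username ("" means the field
# is blank, e.g. the manager is on leave). A department absent from this dict
# is one HR genuinely no longer knows about.
HR_DEPARTMENTS = {"Accounting": "", "Sales": "jdoe", "IT": "asmith"}

# Constructed directory: username -> department
DIRECTORY = {
    "acct1": "Accounting", "acct2": "Accounting", "acct3": "Accounting",
    "sales1": "Sales", "sales2": "Sales", "sales3": "Sales",
    "it1": "IT", "it2": "IT", "it3": "IT",
    "temp1": "Contractors",  # department dropped from HR
}

# Constructed: accounts under a preservation order must never be touched.
LEGAL_HOLD = {"acct3"}


def naive_sync(hr_departments, directory):
    """The post's bug: a blank manager field is treated the same as a
    department that does not exist, and the remedy is deletion.
    Returns the list of actions it would take."""
    actions = []
    for user, dept in directory.items():
        if not hr_departments.get(dept):  # blank manager OR missing dept
            actions.append(("delete", user))
    return actions


def safe_sync(hr_departments, directory, legal_hold=frozenset(),
              max_fraction=0.10):
    """Hardened version: never delete (disable only), report a blank manager
    as a data-quality warning instead of acting on it, skip accounts on legal
    hold, and refuse to act at all if more than max_fraction of the directory
    would change (e.g. an empty HR feed)."""
    actions, warnings = [], []
    for dept, manager in hr_departments.items():
        if manager == "":
            warnings.append(f"department {dept!r} has no manager; no action taken")
    for user, dept in directory.items():
        if dept in hr_departments:
            continue  # department is known to HR, whatever its manager field says
        if user in legal_hold:
            warnings.append(f"{user} is on legal hold; skipped")
            continue
        actions.append(("disable", user))
    if len(actions) > max_fraction * len(directory):
        raise RuntimeError(f"refusing to run: {len(actions)} of {len(directory)} "
                           "accounts would be disabled; a human must confirm")
    return actions, warnings
```

Run against the constructed data, the naive version deletes all of Accounting plus the contractor; the hardened one disables only the contractor, warns about Accounting's blank manager, and aborts outright when handed an empty HR feed.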

Security needs to learn from the aviation biz to avoid crashing

RJX

Re: Until someone has to go to jail for doing it wrong?

I spent a quarter-century in corporate aviation maintenance, avionics and electrical specifically. I then moved into IT and was absolutely appalled at the practices. I still am 20 years later.

One "threat of jail" that actually worked was Sarbanes-Oxley in the US. SarBox had the threat of jail for the CEO and CFO.

Due to our fiscal year end date we were in the very first group that had to comply. The CEO and CFO were in learning mode a lot. A lot of sloppiness was corrected because of the threat of jail. The same thing was experienced when I worked for a bank in IT security years later.

In aviation, the way cockpit voice recorders and flight data recorders got the blessing of the airline pilot union was a federal law guaranteeing that neither could be used in enforcement actions.

The ISACs in the US are good for info sharing, but sharing needs to lead to learning, and too often companies do not care until they get smacked upside the head by an incident.

Oracle to release on-prem software usage tools to prep cloud switch

RJX

Yeah, no kidding. That was the first thing to pop in my mind as I read that article. But I've experienced it myself. Managers become so enamored with a vendor that they refuse to look at alternatives. Then they retire and the new person is appalled at how much the company is paying, finds a new vendor/product, and hundreds of thousands of dollars or more are saved annually.

At one company that used AT&T forever, the telecom manager finally retired and the new person, who had experience from other companies because they had not been there for decades, was totally shocked. They started auditing the AT&T invoices and finally convinced AT&T to send in their own person to audit their own invoices. (AT&T refused to believe her audit.) There was a quarter of a million dollars in overcharges found by the AT&T person. Per year.

It's kind of like home and auto insurance companies. Once you finally get upset at the price increases and begin looking at alternatives, you discover you've been way over-paying for less coverage.

BOFH: Putting the gross in gross insubordination

RJX

Kind of hard for a satellite to track someone inside a building. You'd have to nuke the whole building from orbit.

RJX

Exactly, that's the beauty of it. Apple devices will warn you if they detect you're being tracked by an AirTag that's not yours. Android devices have a scanner app available but it must be run manually.

CompuServe signs off

RJX

Trivia: Why were no digits higher than 7 used in CS IDs?

Because the original computers used by CompuServe used octal and not hexadecimal.

Regards,

72270,650