May 16, 2025 at 12:00 am
Comments posted to this topic are about the item Are Data Breaches Inevitable?
May 16, 2025 at 6:26 am
Where there is honey it will attract wasps. There are many types of wasp:
* Inexperienced, mostly young and independent, playing with the free stuff that is out there and working out new ways to use it. Hopefully company defenses are good enough to keep these wasps out.
* Semi-professional, willing to invest a few hundred $ on tools over a year or two, but agnostic on who they hit. A company needs to get its cyber defenses well organised to keep these wasps out.
* Professional gangs, willing to invest $10k on tools, who have drive-by constantly running, but also look for targets in countries they feel are operating against their own. They have programmers who can exploit zero-day bugs and craft phishing scams. Most companies will struggle to keep these people out, and need to be lucky as well as organised. This is where getting compliance right and having defense in depth becomes vital.
* State actors, willing to spend maybe $100k to hit a specific target, either via in-house teams or increasingly by commissioning a gang to do the work to allow plausible deniability. Attack methods will include bribery and injecting staff into company employment. These attacks are almost impossible for a company to defend against. The best that can be done is good compliance and damage limitation, and hope that our state actors have not had their jobs cut and get to their state actors before theirs get to our company.
The more useful a company becomes as a target, the more likely it will be targeted. Data breaches will happen, but the damage caused will depend greatly on how organised a company is to survive what happens.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
May 16, 2025 at 8:42 am
I have a couple of friends who are in cyber-security. I used to imagine that hacking was done by technical geniuses operating at a level of capability far beyond mere mortals.
My friends said that, while these people exist, they are in the minority. The majority of hackers are technically competent but no more so than you or I.
The Marks & Spencer hack was done by social engineering. This is a human thing and all humans are fallible. When I went through the annual security awareness training one of the techniques hackers use is to send a message with an urgent call to action that looks like it comes from a senior figure in the organisation.
There is an organisational failure that can make companies more susceptible to these sorts of attacks. If you are maxed out on your workload then it is far easier to miss a subtly crafted phishing attack. If urgent calls to action are your norm then what differentiates the legitimate from the scam?
May 16, 2025 at 6:43 pm
One of our Project Managers also processes all of the Purchase Orders for all of the tools the IT department uses. In a security meeting in July they joked that if Security wanted to catch more people in the tests, Security would use the PM's email in late December/early January and everyone would click any PDF sent. We all had a good laugh.
I clicked on that PDF this January because I forgot the conversation until I got the "You're Busted" pop-up. I was expecting a PO! I should have looked just a little closer; it was so obvious, ugh! Word got around pretty quick and numbers were still low, but had the PM really been compromised, the whole place would have crumbled. Lucky they are smart and talented, so I am not worried about them compromising themselves.
Point is, I consider myself security savvy and someone was able to craft a scam I would click on.
I think small companies that pay for training to make smart people smarter may go forever uncompromised, especially if they know each other's voices over the telephone. Larger companies looking to hire, "any idiot to fill a chair," are going to get crushed.
And then consider that a thousand person company can easily have 1% of its people having an off day and 10 people getting compromised.
Also, some email scanning software (defensive) can't handle the relatively new process of signing up a person from your public directory for ALL the industry publications plus some extras (like Depends, which made me laugh), then pretending to be Help Desk calling to help them with their unprecedented email load.
As long as 1) the bad people are innovative and one step ahead of the tools, 2) reasonable people can have off days, 3) social engineering drops defenses, 4) not everyone in the company knows the speech and typing patterns of everybody else, then yes, inevitable sounds reasonable. It doesn't even matter if you are using all the best practice settings.
The brief period of time where the hackers have access to quantum computers and CEOs and CFOs don't want to, or simply fiscally can't, justify the cost of new architecture as part of their defense... just wow! Inevitable indeed.
May 16, 2025 at 9:35 pm
We've had test emails from the CEO and others that were designed to catch people not paying attention. A few of those a year seems to get more people to pay more attention.
May 18, 2025 at 1:32 pm
I have a couple of friends who are in cyber-security. I used to imagine that hacking was done by technical geniuses operating at a level of capability far beyond mere mortals.
My friends said that, while these people exist, they are in the minority. The majority of hackers are technically competent but no more so than you or I.
The Marks & Spencer hack was done by social engineering. This is a human thing and all humans are fallible. When I went through the annual security awareness training one of the techniques hackers use is to send a message with an urgent call to action that looks like it comes from a senior figure in the organisation.
There is an organisational failure that can make companies more susceptible to these sorts of attacks. If you are maxed out on your workload then it is far easier to miss a subtly crafted phishing attack. If urgent calls to action are your norm then what differentiates the legitimate from the scam?
David, your last question is very pertinent. There's an upper-level manager at work who only sends out panicky emails demanding that everyone who receives the email instantly drop what they're doing and attend to whatever it is she wants you to do. It is impossible to distinguish a spam message that didn't come from her from any of the dozens of "we're all gonna die" messages she routinely sends out.
Kindest Regards, Rod
Connect with me on LinkedIn.