At last. Been saying this for years.
22 publicly visible posts • joined 26 Apr 2019
It's time to track people's smartphones to ensure they self-isolate during this global pandemic, says WHO boffin
Azure admins' cold sweat likely caused by 'isolated' power problems that browned out West Central USA region
BOFH: Here he comes, all wide-eyed with the boundless optimism of youth. He is me, 30 years ago... what to do?
I read the responses with interest
In most instances I have learned that stress is caused by trying to change something that we are not empowered to change, leading to frustration. Simply inform the management team in writing / e-mail.
Then it's a case of bean counters vs auditors/shareholders.
When we get promoted to executives then we can take on the stress, accompanied by an appropriate level of pay.
A familiar story.
But, 50% of the job is not IT related, IT knowledge just allows us to better understand the business problems and monitor for risk.
50% of the job is critical thinking and providing information and guidance to the business to allow it to make decisions that hopefully result in business successes
Yes, we often feel that the business is not doing the right thing (from our view), but the business is much bigger than one department (IT).
New starters in the industry will consider they have a full knowledge base; unfortunately their knowledge base will be 90% theory based on generic academic views of how things should be done (the difference between best endeavour and reasonable business endeavour based on risk analysis).
Us "time served" IT pros need to enhance and shape new starters' knowledge, so as to avoid the pain and business losses experienced by time served IT pros.
Over the years I have tried to detach from the emotional aspects and just provide information and guidance based on facts; if the business chooses not to act upon the information, I assume there is a good reason.
Flaws punched holes in Azure cloud, Apple patches pretty much everything, Eurocops cuff Maltese hackers, etc
Maybe it would be of more value if the percentage of incidents that resulted in high business loss was presented. It's all about risk: does a hack equal a large loss to the business, or just an acceptable level of risk attributed to working in a highly connected world?
As said previously, if you have limited visibility into abnormal activity you are unlikely to see a breach. I suspect in many instances organised crime and nation states have better visibility of an organisation's posture than the C level of the org.
The cloud does offer access controls to prevent "rogue" developers. All production changes should go through change management established through a governance framework informed by risk.
I see many on-prem / hosted datacentres where they think they have good visibility. This tends to be limited to the O/S and net, with minimal understanding of app versioning or ownership.
Really need to have full visibility.
I guess the visibility is proportional to the size and complexity, just as risk is.
I unfortunately recognise your comments around "throw it over the fence". I still have the mental scars :)
I suspect most of the orgs have limited visibility (a major factor in risk management) on-premises as well; all we are seeing is an extension of poor risk management practices into cloud.
Maybe we should focus on fixing broken business processes and actually implement a robust risk framework to cover all assets regardless of which piece of wire or "serverless" CPU they are attached to.
Remember: a cloud provider only provides security if you pay extra for it. Cloud is a business and, unlike the datacentre hosting providers of old, they have no real incentive to do stuff for free.
Your business = Your Risk.
Of course, AI can also replace end users, so we'll all be out of a job. The only people in work would be process architects feeding AI developers.
No system user/operator end points just a shared customer interface.
Hope governments have a plan to replace all the work options for people, many people find purpose in work.
I see a very depressing future ahead.
Need to revisit the questions: Can we? AND should we?
2001: Linux is cancer, says Microsoft. 2019: Hey friends, ah, can we join the official linux-distros mailing list, plz?
Always makes me smile when these vulnerabilities that have obviously been around for years are suddenly a problem :) Or are we expecting another list of leaks from certain intelligence agencies? As far as I can remember, TCP flow control and network protocols/file systems have always had these features.
Thanks Reg for keeping us informed.
Microsoft: Yo dawg, we heard you liked Windows password expiry policies. So we expired your expiry policy
The point is that the attacker would need to take an additional action to generate the correct password, disrupting the process. Significant if the attacker has purchased the passwords / hashes and therefore would need to go back to point of extraction. Changing one character anywhere in the password would not be as easy to guess.
Re: Words of Satan
Maybe he pretends to be nasty so that you remember what he says. Normally being nasty is the only way anyone takes anything seriously (until the business is on its knees, then everyone wants to know what the security officer has to say). Security pros do not expect to be liked but are expected to secure the business.