A few jobs back, I was on a contract with a federal agency where it seemed that the #1 threat was internal problems with Layer 8. However, there were also constant attacks from outside in the way of email phishing. So it really depends on where you define the problem. Is it the fault of the malicious, or the fault of those who just like to click on things? Perhaps we will never know...
Good luck with the future engineer, have a restful leave!
Loop1 Systems: SolarWinds Training and Professional Services
Figuring out who the victim is makes it sound like one of those complicated cop drama shows where they try to demonstrate things are much more complicated than they seem.
Users (themselves or the machines) are also really hard to control and monitor thanks to scale and the human factor... even if they aren't the source of the attack, if we could crack that nut we could prevent exposure better.
Our current attack surface is very low. Being privy to our penetration scans, and often having to confirm said vulnerabilities, we don't worry so much about remote attacks. The focus is mainly on 0 day stuff, and the users that already have access into our infrastructure. So I would say in our environment it's the "insider" that poses more of a threat. Although that's not always the case. At a previous job it was a mixture of both.
I worry that we are a target of just about everything. I feel that many people at our company as well as many of our customers feel that the legacy model of a firewall and end-point AV is enough for security. I not only worry that we are a target but often worry that we are also a victim and just don't know about it.
A few of my top concerns regarding security are as follows...
- Inadequate patching policies
- Poor end-user security awareness
As I become more and more enthralled in the world of security I continue to be an advocate within the company for security practices. We have a few customers that have had us build very secure environments that include top notch security technology as well as very secure and strict access policies. Those environments not only held up to rigorous pen testing but have also had all of the forensic data to do a use case being able to show how the test was conducted and trace it back to its source. These environments are a lot of fun to work with and exciting to be a part of.
I believe that I am a target of the 'deflector' personality types. I enjoy creating standards for both delivered services and the processes behind them. However, there are some who don't want to do the dirty work of cleaning up the existing services or improving processes, even though we have a very strong 'lean commitment'.
My instinct to lead where leadership lacks often lands me with the cleanup work, the process improvement work and the education work. So, maybe not an intentional target of the 'deflector' personality type, but I end up being the final landing place of their work. Unfortunately, I don't delegate so well and the responsibility (and blame) stays with me. My desire to make my company the best it can be often leads me into political trouble when I call out the 'deflectors' on their wasting of company dollars and effort.
I lose both ways. Stress abounds!
To sum up the second question, everyone involved is a 'bad' guy. Myself for not being skilled enough to delegate, the 'deflector' for their lack of ownership, leadership for not identifying the deflection practice or overburden of employees, and the company for not truly following up on where their money is actually going (not just budgeted). So many places to improve, so little time.
Thanks everyone for your two cents in this discussion... it was super insightful to the problems people are facing in reality.
I put up the next discussion, which this one reminded me of: LEM Thought of the Week: Realistically, how careful can you be about admin rights and shared passwords?