this post was submitted on 15 Jul 2024
543 points (96.3% liked)

Cybersecurity - Memes

1964 readers

Only the hottest memes in Cybersecurity

founded 1 year ago

If a single click on a phishing email can ruin the entire company, the blame doesn't lie with that individual.

top 22 comments
[–] [email protected] 95 points 3 months ago (2 children)

There are very few one click total compromises out there.

Most of the time, clicking the link leads to a phishing page that harvests credentials, or prompts a download of a zip or pdf which carries the actual malware exploit/payload.

[–] [email protected] 40 points 3 months ago

True, in many cases there is a whole chain of vulnerabilities and misconfigurations, and everything starts with one phishing mail. For example:

  • successful phishing
  • VPN without 2FA, allowing the attacker access to company services
  • internal services with vulnerabilities, allowing the attacker to compromise a server
  • permission misconfiguration, allowing lateral movement

That was the point of this meme. It is not phishing alone that gets the company in trouble; it's mostly a series of misconfigurations.

I think that in cyber security, we have to assume that phishing will be successful sometimes - and be prepared when it happens.

[–] [email protected] 4 points 3 months ago

Yep and then whatever is trying to execute should be limited by user permissions, app whitelists, EDR / MDR, and a pile of other defenses.

[–] [email protected] 61 points 3 months ago (3 children)

That individual ABSOLUTELY has a piece of the blame.

[–] [email protected] 30 points 3 months ago* (last edited 3 months ago)

In my time as a cybersecurity professional, my approach has always been to blame the system, not the person.

If they clicked on a phishing link: 1) that email should never have reached their inbox, 2) that link should never have loaded, and 3) our awareness training is not up to snuff.
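The first two layers named above (the email should never have reached the inbox, the link should never have loaded) as an added example that is not part of the original thread: a Python mail-gateway triage sketch. It reads the SPF/DKIM/DMARC verdicts from the `Authentication-Results` header, then flags sender and link domains that are lookalikes of the company's own domain. The two messages, `TRUSTED_DOMAINS`, the 0.8 similarity threshold and the reject/quarantine/deliver policy are all constructed assumptions for the example.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first spoofs "example.com"
# with the digit-one lookalike "examp1e.com" in both the sender and the link.
PHISH_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=examp1e.com;
 dkim=none;
 dmarc=fail (p=REJECT) header.from=examp1e.com
From: IT Helpdesk <helpdesk@examp1e.com>
To: alice@example.com
Subject: Password expiry notice
Content-Type: text/plain; charset=utf-8

Your password expires today. Sign in at https://sso.examp1e.com/login to keep access.
"""

CLEAN_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass (p=REJECT) header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Maintenance window
Content-Type: text/plain; charset=utf-8

SSO at https://sso.example.com/login will be down on Sunday 02:00-03:00.
"""

# Assumption: the company's real registrable domain(s).
TRUSTED_DOMAINS = {"example.com"}
LOOKALIKE_THRESHOLD = 0.8  # assumption; tune against your own false-positive data


def parse_auth_results(msg):
    """Pull spf/dkim/dmarc results out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header)
        if m:
            results[method] = m.group(1).lower()
    return results


def registrable_domain(host):
    """Crude registrable-domain cut (last two labels); a real gateway uses the PSL."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(domain, trusted):
    """True when domain is not trusted but is confusingly close to a trusted one."""
    if domain in trusted:
        return False
    return any(SequenceMatcher(None, domain, t).ratio() >= LOOKALIKE_THRESHOLD for t in trusted)


def score_message(raw, trusted=TRUSTED_DOMAINS):
    """Return {'verdict': ..., 'findings': [...]} for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    findings = []
    if auth.get("dmarc") == "fail":
        findings.append("dmarc_fail")
    if auth.get("spf") != "pass":
        findings.append("spf_not_pass")
    if auth.get("dkim") != "pass":
        findings.append("dkim_not_pass")

    sender_domain = registrable_domain(parseaddr(str(msg["From"]))[1].split("@")[-1])
    if is_lookalike(sender_domain, trusted):
        findings.append(f"from_lookalike:{sender_domain}")

    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = re.sub(r"^https?://", "", url).split("/")[0]
        link_domain = registrable_domain(host)
        if is_lookalike(link_domain, trusted):
            findings.append(f"lookalike_link:{link_domain}")

    # Policy (assumption): a DMARC fail on a p=REJECT domain is rejected outright,
    # anything else suspicious is quarantined for review, clean mail is delivered.
    if "dmarc_fail" in findings:
        verdict = "reject"
    elif findings:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, score_message(raw))
```

The point of the lookalike check is that authentication alone passes a message the attacker sends from a domain they legitimately own; DMARC protects your domain from being spoofed, not your users from `examp1e.com`. Both checks together are what "that email should never have reached their inbox" means in practice.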

[–] [email protected] 29 points 3 months ago (1 children)

We have test-phishing mails sent by our IT-Sec team on a regular basis. There's usually an obvious one and a better-made one. In the first round, 10% clicked the obvious one and 99% the good one.

We had a lot of training after that.

Last year the numbers went down to 5% and 80%.

If your security concept relies on both of these numbers being zero, you're an incompetent hack trying to shift the blame onto end users instead of doing your job.

[–] [email protected] 13 points 3 months ago

Thank you, that was my point! Shifting the blame onto the user doesn't help anyone.

[–] [email protected] 5 points 3 months ago (1 children)

Clicking a link isn't supposed to have side effects, if it does someone else fucked up.

[–] [email protected] 2 points 3 months ago

Welcome to corporate phishing emails, then, where the page that loads scolds you for being an idiot and submits your name to the boss for automated remedial phishing training, which must be completed lest it also tells HR...

[–] [email protected] 40 points 3 months ago (1 children)

"As an engineer, I reserve the right to click on the fake phishing emails from IT, just to see what they do."

My boss: "...god dammit."

[–] [email protected] 6 points 3 months ago

This is me lol, I have a sandbox machine on a firewalled subnet running Tails that I use to open spam emails.

[–] [email protected] 22 points 3 months ago (2 children)

While I somewhat agree, there are things even the best spam filters can't filter, and zero-day CVEs that sysadmins can't fix.

On the other hand, the company should be confident in their backups, which in most cases should allow for a continuation of their activities.

[–] [email protected] 8 points 3 months ago

You're forgetting all the hardening in the middle to prevent the privilege escalation that would enable mass deployment of ransomware.

[–] [email protected] 7 points 3 months ago

Adversaries are well prepared. Go restore your cold archive from tape, petabytes worth, see how long it'll take you. See how much data you missed before the last snapshot.

Ransomware is no joke and nobody is actually prepared for it.

[–] [email protected] 20 points 3 months ago (1 children)

As a system admin I can sympathize, but honestly I don't see any resolution that will fix this in the short or long term. You just have to accept that the reality of computing is that if you interact with external data in a way that runs unfriendly code, you can/probably will compromise your system. It's just a consequence of making rocks smart.

[–] [email protected] 4 points 3 months ago* (last edited 3 months ago) (1 children)

Yes, but not every user needs access to every system all the time, and there should be alerts set up for logins outside of working hours or outside of expected devices and IPs. There should be behavior-based alerts, for example: why is the HR lady opening PS?

There are many things that can be done to secure the systems post-compromise.
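The post-compromise alerting described above (off-hours logins, unexpected devices and IPs, and an HR user launching PowerShell) as an added example that is not from the original thread: a small Python rule set run over constructed auth and process events. The event lines, the working-hours window, the device and role baselines and the internal network ranges are all assumptions made up for the example; a real deployment would pull them from the identity provider and asset inventory.

```python
import ipaddress
from datetime import datetime

# Constructed sample telemetry (not real logs): login events from the IdP/VPN
# and process-creation events from the endpoint agent, ISO-8601 local time.
EVENTS = [
    {"ts": "2024-07-15T09:12:00", "type": "login", "user": "alice",
     "src_ip": "10.0.5.23", "device": "LT-ALICE-01"},
    {"ts": "2024-07-15T03:41:00", "type": "login", "user": "alice",
     "src_ip": "185.220.101.4", "device": "UNKNOWN-PC"},
    {"ts": "2024-07-15T10:05:00", "type": "process", "user": "bob",
     "host": "HR-WS-07", "image": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2024-07-15T10:06:00", "type": "process", "user": "carol",
     "host": "IT-WS-02", "image": "powershell.exe", "parent": "explorer.exe"},
    {"ts": "2024-07-15T11:00:00", "type": "login", "user": "bob",
     "src_ip": "10.0.7.8", "device": "HR-WS-07"},
]

# Baselines (assumptions for this example).
WORK_HOURS = (7, 19)                      # alert on logins outside 07:00-19:00
KNOWN_DEVICES = {"alice": {"LT-ALICE-01"}, "bob": {"HR-WS-07"}, "carol": {"IT-WS-02"}}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ROLE = {"alice": "finance", "bob": "hr", "carol": "it"}
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def login_rules(ev):
    """Rules for authentication events: time, device and source network."""
    hits = []
    hour = datetime.fromisoformat(ev["ts"]).hour
    if not WORK_HOURS[0] <= hour < WORK_HOURS[1]:
        hits.append("off_hours_login")
    if ev["device"] not in KNOWN_DEVICES.get(ev["user"], set()):
        hits.append("unknown_device")
    if not is_internal(ev["src_ip"]):
        hits.append("external_source_ip")
    return hits


def process_rules(ev):
    """Rules for process events: who runs admin tooling, and what spawned it."""
    hits = []
    if ev["image"] in ADMIN_TOOLS and ROLE.get(ev["user"]) != "it":
        hits.append("admin_tool_by_non_it_user")
    if ev["image"] in ADMIN_TOOLS and ev["parent"] in OFFICE_PARENTS:
        hits.append("office_app_spawned_shell")
    return hits


def evaluate(events):
    """Return one alert dict per rule hit, so the SOC can triage by rule and user."""
    alerts = []
    for ev in events:
        rules = login_rules(ev) if ev["type"] == "login" else process_rules(ev)
        for rule in rules:
            alerts.append({"rule": rule, "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(a)
```

Note that the 03:41 login from an unknown device on a non-corporate address trips three independent rules, and Bob's Word-spawned PowerShell trips two; stacking weak signals per user is what makes the "HR lady opening PS" case stand out from Carol in IT doing the same thing from Explorer, which trips nothing.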

[–] [email protected] 1 points 3 months ago

Oh, of course. But that's for compromises utilizing tool chains and exploits you're aware of. Zero day exploits are commonplace nowadays and often utilize complex tool chains to avoid detection or circumvent security posture. It's all a matter of how sophisticated the attack is and it all becomes a lot easier to do if you've got user level run permissions due to some user clicking a phishing email and tossing their creds in it or launching a random pdf with an embedded payload.

[–] [email protected] 7 points 3 months ago

Very nice og meme format.

[–] [email protected] 4 points 3 months ago

I'm so excited to see unpopular opinion puffin! 😁🎊🎉✨

[–] [email protected] 2 points 3 months ago (1 children)
[–] [email protected] 4 points 3 months ago

That's a good start, yes. Combine strong authentication with the permissions that people really need.

[–] [email protected] 1 points 3 months ago

Maybe not financially or legally, but image-wise it can. Depending on the company and the people involved, a company can 100% lose a lot image-wise and, in consequence, money-wise.