
bloody bloody cryptolocker bloody

Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.

  1. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    4,095
    Location:
    Sydney
    I got an EOFY deal and it included some other nice stuff like Large File Send and Signature management which is neat.

    Their product is very swish, all steps of the migration were super smooth and they were amazingly helpful. Very impressed.

    It's roughly 30k for the year for 800 seats for us. We were using Symantec mail gateways on prem before, which were less than great, and the less on-premise crap I have to deal with the better :)
     
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,383
    Location:
    Brisbane
    Can you PM me your Account Rep?
     
  3. BlueRaven

    BlueRaven Brute force & optimism

    Joined:
    Jul 29, 2010
    Messages:
    5,283
    Location:
    2076
    Damn, good deal. What endpoint security are you using?
    Do you handle BYOD or lock them down?

    Context: I've been asked by a friend to help implement security, collaboration and backup strategies for her small enterprise, which has the potential to quite rapidly become a medium enterprise so I'd like to plan for the future with regard to email-based threats (she's in real estate, the whole industry runs on it), while also providing solid cross-platform security for local attacks. Looks like it will be a mix of iOS, MacOS and Windows devices... fun!
     
    Last edited: Jul 13, 2016
  4. shredder

    shredder Member

    Joined:
    Dec 26, 2001
    Messages:
    13,969
    Location:
    New Zealand
    Valid points elvis. In and of itself, it might not work. It would need to be part of a wider culture.

    Without overarching standards, each company does its own thing. Unfortunately this means any company taking a harder approach is going to be 'giving' its employees to other less fussy firms. Thusly no one takes a harder approach.
     
  5. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,855
    Location:
    Brisbane
    Precisely. Our company, for example, very much puts the demands and tantrums of users first. IT security and policy comes a distant second to placating staff.

    And while that's great and wonderful for staff empowerment, it's resulted in some terrible things happening over the years that were utterly avoidable.

    It's at the heart of our culture, however, due to our client base, which is extremely demanding. The notice and turnaround times we get from our customers are tiny. I mentioned in another thread somewhere that we can provision workstations to staff from bare metal in around 30 minutes. We got there because that was what was demanded of us. I see other businesses give an SLA of next business day, or even 2-3 days on new workstation rollouts. For us, from the moment the hardware lands on site, we have 30 minutes to get it working and on the floor.

    That's just one example. Extend that culture across all aspects of IT, and you can see where problems start to arise when business level demands trump even security best practice.

    For us, an "email security" course is pointless. Our business staff are running on nervous energy most of the time, fearful to ignore any communication from clients for fear of their anger and retaliation. As such, people click very dumb things in emails, because they're afraid of what happens if they don't. That's a huge problem for us, and not one that's trivially solved.
     
    Last edited: Jul 14, 2016
  6. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    4,095
    Location:
    Sydney
    Sure, I'll send you some details.

    We are using Trend, I'm just finalising a deal to have it managed by a security company. I learnt a long time ago to get security experts to manage/configure etc. I can do basic policies but those guys know the best way to set it all up and will monitor it and do health checks regularly etc.

    BYOD: currently we don't really have even a lot of laptops. The company is in a bit of transition, but there are not a lot of remote users etc., and BYOD is not a big thing here yet, except for people accessing their mail on their iPhone etc., which is not an issue for us :p
     
  7. daehenoc

    daehenoc Member

    Joined:
    Nov 4, 2005
    Messages:
    2,855
    Location:
    Mt Gravatt E, BNE, QLD
    You mean ... 2-3 days? (You probably pack a bigger knife than the penguins...) Sorry, couldn't resist...
     
  8. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,855
    Location:
    Brisbane
    Hahaha yeah. :lol:

    Fixed. Cheers.
     
  9. KDog

    KDog Member

    Joined:
    Jan 9, 2002
    Messages:
    270
    Location:
    ACT
    You sound pretty lucky if IT is ranked second!!!!

    Approx correct ranking: OH&S, Compliance, Security, IT, Business, Engineering, anything a chief/executive wants.

    Usual ranking: Anything a C/Exec wants, sales.................................................................................../end.
     
    Last edited: Jul 14, 2016
  10. hawks667

    hawks667 Member

    Joined:
    Jun 28, 2001
    Messages:
    1,498
    Location:
    Kilsyth
    Just got the subpoena email, me thinks it's cryptolocker or some other nasty...
     
  11. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,531
    Location:
    Brisbane
    Hence my suggestion of running a phishing campaign against staff and running info sessions leading with how badly they fucked themselves initially. It works for gaining attention, trust me; I've even had finance people come up and ask for better training because they receive so many invoices and they *have* to check them.

    Good for finding bad internal behaviour and teaching staff, but it's gotta be done right. Also staff need to care, and if the org generically doesn't give two fucks about it then so be it.

    I always find pointing out to management that cryptolocker existing means that people will be opening up RATs etc. helps the argument a bit.
     
  12. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,855
    Location:
    Brisbane
    Most businesses hate their IT departments already. All that would do is worsen the "us versus them" mentality.

    Yup. And the downside is that, as a result, you can't prove "potential" to these people.

    Sales show up on the bottom line. Preventing disaster does not. Training and education goes under that "potential" umbrella, which you can't demonstrate in your profit and loss, and thus has no value compared to sales.
     
  13. FromPaul

    FromPaul Member

    Joined:
    Oct 14, 2006
    Messages:
    1,184
    Location:
    Sydney
    Our UK office did the phishing email with the help of their marketing dept. Everyone who clicked the link had a talking to; everyone who forwarded it to IT got a paid-for lunch at a one-star Michelin restaurant. The reason the restaurant was so good was the budget didn't get split very far :)
     
  14. FromPaul

    FromPaul Member

    Joined:
    Oct 14, 2006
    Messages:
    1,184
    Location:
    Sydney
    I guess it depends if you consider your entire staff as being the first line of defence to help save you from your systems' lack of preparedness, or if you consider your systems the first line of defence to save you from your staff's lack of knowledge....

    When they consolidated a number of their apps into Amazon and were able to get rid of 5 share drives it helped a lot. The entire processing team didn't need a share drive, and that pretty much stopped the rot.
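    The post above describes share drives as the place where cryptolocker "rot" spreads, and removing them as the fix. Where a share has to stay, the complementary control is to watch the share's audit trail for the signature of an encryptor at work: one account renaming many files to a new extension in a very short window. The following is an added example, not code from anyone in this thread; the key=value audit line layout and the sample log are constructed for the example (real file-server audit formats such as Windows event 4663 or Samba full_audit differ, so the parser would need adjusting).

```python
"""Flag accounts performing bursts of extension-changing renames on a file share.

Constructed example: the log format below is an assumption for this demo, not
any product's real audit format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample audit lines. "carol" behaves like an encryptor: five renames
# to a new extension within three seconds, plus a ransom-note style write.
# "alice" and "bob" perform ordinary renames and should not be flagged.
SAMPLE_LOG = r"""
2016-07-14T09:00:01 user=alice op=READ path=\\fs01\finance\q2.xlsx
2016-07-14T09:00:04 user=bob op=WRITE path=\\fs01\finance\budget.docx
2016-07-14T09:00:09 user=alice op=RENAME path=\\fs01\finance\draft.docx new=\\fs01\finance\final.docx
2016-07-14T09:00:30 user=alice op=RENAME path=\\fs01\finance\report.doc new=\\fs01\finance\report.docx
2016-07-14T09:01:00 user=carol op=RENAME path=\\fs01\finance\inv001.pdf new=\\fs01\finance\inv001.pdf.encrypted
2016-07-14T09:01:01 user=carol op=RENAME path=\\fs01\finance\inv002.pdf new=\\fs01\finance\inv002.pdf.encrypted
2016-07-14T09:01:01 user=carol op=RENAME path=\\fs01\finance\inv003.pdf new=\\fs01\finance\inv003.pdf.encrypted
2016-07-14T09:01:02 user=carol op=RENAME path=\\fs01\finance\inv004.pdf new=\\fs01\finance\inv004.pdf.encrypted
2016-07-14T09:01:03 user=carol op=WRITE path=\\fs01\finance\HOW_TO_DECRYPT.txt
2016-07-14T09:01:03 user=carol op=RENAME path=\\fs01\finance\inv005.pdf new=\\fs01\finance\inv005.pdf.encrypted
2016-07-14T09:05:00 user=bob op=RENAME path=\\fs01\finance\old.xlsx new=\\fs01\finance\archive.xlsx
"""

# One audit line: ISO timestamp, then key=value fields; "new=" only appears on RENAME.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def ext_of(path: str) -> str:
    """Return the lower-cased final extension of a UNC path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_rename_bursts(
    lines: Iterable[str], window_seconds: int = 60, threshold: int = 5
) -> Dict[str, dict]:
    """Return {user: {"peak": n, "extensions": [...]}} for every user who changed
    the extension of at least `threshold` files inside any `window_seconds` span.

    Renames that keep the extension (draft.docx -> final.docx) are ignored, so
    normal editing activity does not count towards the threshold.
    """
    stamps: Dict[str, List[datetime]] = defaultdict(list)
    new_exts: Dict[str, set] = defaultdict(set)

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None or m["op"] != "RENAME":
            continue  # unknown layout or not a rename: nothing to score
        if ext_of(m["path"]) == ext_of(m["new"]):
            continue  # ordinary rename, extension unchanged
        stamps[m["user"]].append(datetime.fromisoformat(m["ts"]))
        new_exts[m["user"]].add(ext_of(m["new"]))

    flagged: Dict[str, dict] = {}
    for user, times in stamps.items():
        times.sort()
        window: deque = deque()
        peak = 0
        for t in times:  # sliding window over this user's suspicious renames
            window.append(t)
            while t - window[0] > timedelta(seconds=window_seconds):
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[user] = {"peak": peak, "extensions": sorted(new_exts[user])}
    return flagged


if __name__ == "__main__":
    for user, info in detect_rename_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {user} renamed {info['peak']} files to {info['extensions']} within a minute")
```

    On the constructed log this flags only carol. The threshold and window are deliberately small so the demo triggers; on a production share they should be tuned against a baseline of normal rename activity, and the alert is most useful when wired to something that can revoke the account's share access quickly, since by the time a human reads it the encryptor has moved on to the next folder.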
     
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,855
    Location:
    Brisbane
    $100 says everyone that got a talking to now hates IT even more, and if you re-test the same group of people in 12 months' time, the results will be identical.

    Another $100 says your entire marketing team would have fallen for the trap if they weren't in on it.
     
  16. FromPaul

    FromPaul Member

    Joined:
    Oct 14, 2006
    Messages:
    1,184
    Location:
    Sydney
    Oh, they hate us already. We get a lot of SOX stuff and keep having to update the policy, so everyone has to reread the policy and verify back...

    It's not as bad as the ergonomics training they made us do last month, that was really bad.
     
  17. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,855
    Location:
    Brisbane
    Precisely my point. Running sting operations on your staff to make them look like fools isn't doing your poor relationship with the business any favours.

    Yes, people need educating. No, making them feel sheepish and stupid (even if they are) isn't the answer.
     
  18. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,610
    What is?

    Without phishing your own users, how can you gauge how effective any preemptive training is? Or where resources should be focused.

    If the training (of which a phishing campaign can be part) makes the trainees feel stupid, then it's either poorly designed training, or poorly designed trainees.
     
  19. daehenoc

    daehenoc Member

    Joined:
    Nov 4, 2005
    Messages:
    2,855
    Location:
    Mt Gravatt E, BNE, QLD
    The answer is a raft of measures that has to be promoted from the top and accepted from the bottom to the top. Technical things (WAF/fw/AV/trust|not-trust/hardening/access.control/SOE/MOE/etc) combined with education that users fully understand and that they can see the benefits of, is the answer.

    However, people don't engage with training, boards/CTO/bosses don't understand or promote IT Security sufficiently, it's impossible to state "We spent a million dollars on this security widget and it saved us a billion in payouts/ransom/rebuilding our entire IT environment" and the playing field is horribly skewed towards the attackers (they only need one way in/one user/one zero day/one weak password/one bad configuration/etc) when we have to defend against everything, anywhere, anytime (THE GOODIES!).

    Security vendors keep throwing $TECHNOLOGY at the problem, and we keep spending $BIGBUCKS on the shiny, but the root causes are not addressed. Users keep responding to the 0.00001% of a spam run so the bad guys collect money/clicks/underpants/whatever. Cybersecurity people/sysadmins/manufacturers are able to (by design or laziness) create insecure products and configurations by default, due to market forces (get that product out now! it reports to a server in China? don't care, get it to market to beat our competitors!). There are tons of ways for script kiddies/black hats/(dis)organized crime to discover ways of stealing or extorting information/money from users/businesses (hello cryptolocker and back to the OP).

    I can't see it getting better. The underlying problem is sex. People keep on having sex and making more people, this grows the global population and brings more people on the Internet. So no more sex! Yeah, that probably won't work.

    TL;DR

    Edit: hm, must be Friday, that turned into a bit of a rant
     
    Last edited: Jul 15, 2016
  20. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,383
    Location:
    Brisbane
    [IMG]
     
