
General InfoSec discussion

Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.

  1. chook

    chook Member

    Joined:
    Apr 9, 2002
    Messages:
    2,147
    My other favourite one is that failure to plan on your part does not constitute an emergency on my part.

    (Unless you are paying me to consult for you, then emergency away).
     
  2. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,030
    Location:
    Brisbane
    Mine are. My ISP was chosen specifically for their "don't be a prick" attitude to customer service, including not over-provisioning links and having a call centre on AU soil. They give me graphs of their CVC bandwidth, and I noticed overnight they purchased an additional 20% bandwidth on my POI.

    My ISP is not Telstra/Optus, and there's a reason I avoided both (filed under "Audit your digital supply chain"). Telstra are the Microsoft of Australian Internet, and people who use them with no due diligence checking outside of "everyone else uses them" are welcome to the pain and suffering they cause.

    All the cloud services I'm using right now are holding up perfectly fine. Open source VPN DC/office links aren't capping out on licensing because there is none. Open source firewalls have jumped from 2% load to 8% load.

    Literally everything I've been preaching for the last decade is in and working and dealing with every strain being thrown at it, with overhead to spare. All the BCP stuff I've been in charge of is working as planned.

    I hear a lot aren't. Sounds like grading day arrived, and lots of people got Fs on their final assessment.
     
    Last edited: Mar 25, 2020
    scrantic and GumbyNoTalent like this.
  3. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,624
    Location:
    Brisbane
    I'm secretly giving myself a high five at the moment.

    3 years ago I was pushing hard for DirectAccess as we had the infrastructure in place. The IT director overlord in the U.S. always shot it down, so we were forced to only have under 5 select staff on their Cisco VPN platform and everyone else used Citrix, which is housed in the U.S., and latency apparently isn't a real thing.

    Director got fired, his replacement was someone I worked with closely, so one of the 1st topics raised was DA / Always On VPN. We implemented it, with multiple PoPs globally, and used Azure Traffic Manager to route to the nearest PoP. It was still in late beta testing when this kicked off but was 80 - 90% complete; we quickly moved from user-based to device-based VPN as well.

    Now we have hundreds of users on it and it is seamless. Without it our regional offices outside the U.S would be in all sorts of trouble.

    Our next issue is tackling local accounts and MFA, as they would have VPN access too, but that is something we are addressing.
     
    Gargamel and elvis like this.
  4. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,920
    In your BCP, do you mandate employees use this company for their home internet? The link to the DC isn't a problem... users home internet connectivity is starting to be (depending on where they are).
     
  5. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,030
    Location:
    Brisbane
    You really have to question why. What's their agenda to constantly deny forward planning tech?

    Say I'm some bloated corporate CIO, and some motivated bikkie comes to me and says "hey, what about always-on VPN?". I'd be all "great idea, didn't even have to push some unmotivated chump, go for it!".

    Sounds like a wise business move.

    More and more jobs I see going mandate that the employee has their own vehicle, drivers license, phone and Internet. This is not new. At the absolute minimum, staff are offered WFH on the proviso that they provide the Internet link and their home isn't a death trap.

    Every job I've had this century assumed I had home Internet. The last time a workplace offered to pay for my home Internet was the previous century.

    Beyond that, part of my "hire smarter people" mantra is ensuring I hire staff who know how to use a computer and home Internet. Saves lots of problems downstream if you get that right at interview time.
     
    Last edited: Mar 25, 2020
  6. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,920
    These are far from normal times.
    Plenty of existing WFH staff, who have been working just fine on their Dodo connections, are now struggling. This wasn't anticipated in the BCP.
     
  7. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,030
    Location:
    Brisbane
    Adequate BCP is far from normal. And that was fact 6 months ago, before the current times.

    Any place with a paper thin, "ticking boxes" BCP when times were perfectly precedented rolled the dice on their risk matrix. But nobody at the casino plans on rolling snake eyes, and that's just what a million businesses did this week.

    These forums document endless business decisions to rationalise away the need to prepare for disaster (along with the decision to pander to hopeless staff). And while these decisions might have resulted in doing less work over the last few years, they've resulted in a collapsing house of cards this week.

    People forget the golden triangle of InfoSec. Most go all out on "confidentiality", half-arse "integrity", and then utterly fail at "availability". All three are equally important, and if your company's inaction has landed you in a company-wide DoS, that's as much of an InfoSec fail as getting hacked or cryptolockered.
     
    Last edited: Mar 25, 2020
  8. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,016
    Location:
    Brisbane
    If you have staff who have super critical connectivity needs, this should be part of the BCP and provide them with a dongle.

    My work is encouraging using home net but a good percentage of staff have mobile sims or have been told they can get reimbursed for mobile internet costs if they need to tether.
     
    elvis likes this.
  9. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,738
    Location:
    3350
    But the mobile networks are getting smashed as well. This isn't just isolated to NBN. We've also then got the cases of staff who live 15 km from Melbourne CBD who have horrible reception.
     
  10. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,030
    Location:
    Brisbane
    Was this tested beforehand? As in, properly tested, full workload, same location, multiple users, not a 5 minute "yeah I can ping"?

    Previous place I worked at, the IT manager was remote managing video editing suites on the Gold Coast from a bullet train in Japan on a 4G connection. That was in 2018. We tested that shit every day, full production workload. And our budget was fuck all.

    At one point all our Telstra dongles went to shit. Something about issues in the area, but it was pretty widespread. No love for a month, so we dumped Telstra, switched vendors, back to full speed again.

    Audit your vendors. Have contingency plans. Test every day. Make BCP kit work for you all the time, not just in an emergency.
     
    Last edited: Mar 25, 2020
    Gargamel likes this.
  11. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,738
    Location:
    3350
    So the shine is wearing off Zoom pretty quickly. Headlines like "FBI warns of Zoom security flaws" will have C-levels in a flap.

    https://www.abc.net.au/news/2020-04...ads-soar-but-fbi-warns-security-flaw/12113802

    https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
     
  12. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    41,030
    Location:
    Brisbane
    I commented in the teleconferencing thread about that. Zoom is copping a flogging from the media, and rightly so.

    At this point it looks like all the engineering efforts went into UX rather than any competent security.

    I've warned a few places off it. Ironically they were all O365/GSuite customers anyway, so they just went back to their native video conferencing tools.
     
  13. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,016
    Location:
    Brisbane
    I made a post in the BE&C thread with another view on that from someone working at Rapid7. TL;DR: hype is bad, Zoom still not entirely ethical.

    I'll........ not use it thanks.

    I'm finding Zoom / BlueJeans surprisingly annoying to purge.
     
  14. tobes

    tobes Member

    Joined:
    Dec 23, 2001
    Messages:
    3,793
    Location:
    Melbourne
    My company is two feet fully into the Deep End of Zoom usage and there's not much I can personally do about it. But apparently our CEO has expressed dissatisfaction strongly to Zoom.
     
  15. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    13,328
    Location:
    Canberra
    Good, that'll get things fixed.
     
    IACSecurity, millsy and PabloEscobar like this.
  16. tobes

    tobes Member

    Joined:
    Dec 23, 2001
    Messages:
    3,793
    Location:
    Melbourne
    Absolutely .... not
     
  17. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    13,016
    Location:
    Brisbane
    Nothing like a CEO thinking their opinion has merit

    *laughs into the abyss*
     
  18. ewok85

    ewok85 Member

    Joined:
    Jul 4, 2002
    Messages:
    8,104
    Location:
    Tokyo, Japan
    Hardly anything new - there are no products out there that have zero security issues or similar functionality flaws. Zoom is just the new hotness and they are finally getting their time under the microscope.
     
  19. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    2,295
    However, it sounds like they have more than their fair share of security issues?
     
  20. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,920
    Sounds like they have exactly as many as you would expect of any company that built a platform with security as an afterthought.
     
    elvis likes this.
