Mr. horse

How screwed is my work.


Posted · Original PosterOP

So the higher ups at my work mandate some rather odd and bad policies that they will not change. I do everything I can to work around these blunders and insane policies, but some higher ups are rather stubborn.

 

Same admin password.

All users are given full admin rights on their workstations, which have the same admin username/password as the network and servers.

All WiFi passwords are extremely simple and follow a recurring pattern.

Very crappy AV on domain systems and only free AV on non domain systems.

Very little is allowed to be done in group policy to lock systems down.

Guests (like sales agents and stuff) are given a full admin account to use. With admin rights to everything both on the workstation and network.

Unsecured servers and networks are shared with CC systems. Network equipment is turned off or unplugged to run PCI tests at one site. 😣 We pass at all but one site, but there are still many holes that the PCI test allows or does not pick up on. I really wish I could fix that last site to at least be PCI compliant, but they will not let me.

 

What do you think? At least I have job security, haha. I should quit.

 


I have dyslexia, so my posts will have spelling and grammar errors. I try my best, but I will still make mistakes.


Maybe you need a random "infection" on one machine to randomly delete a load of data from the network. Restorable from a backup of course, and when you "remove" the "infection", you point out that it was done by "malware" that used a keylogger to obtain passwords and tried them on the servers until it got in and started buggering stuff up.

 

If they don't understand simple security measures, I doubt they would question a non-existent infection deleting files.

Posted · Original PosterOP
14 minutes ago, Curious Pineapple said:

Maybe you need a random "infection" on one machine to randomly delete a load of data from the network. Restorable from a backup of course, and when you "remove" the "infection", you point out that it was done by "malware" that used a keylogger to obtain passwords and tried them on the servers until it got in and started buggering stuff up.

 

If they don't understand simple security measures, I doubt they would question a non-existent infection deleting files.

That happens quite often. We do have a really nice backup system, so these kinds of events don't really affect us.

We've been hit by many keyloggers in the past, but they do not care. The only things that are secure are a few remote worksites where I was given free rein to set up the place how it should be. They never have problems, and I wonder why.

 

They were using Windows 95 up until 2009 on most workstations, and we used to have a strict IE-only policy. But given how IE11 does not really cut it any more, I was able to talk them into using Firefox ESR.

Chrome is a no-go; they think it either brings in malware or is malware.

 




You know, it's a good thing you're a good and decent employee without malice; otherwise I would find an internet cafe on the other side of the country, gather as many proxies as I could manage and just ransom the fuck out of them, and whether or not they pay, just sell the data to a newspaper to create another data breach scandal anyway.

 

But like I said, you're a good, decent employee and I wouldn't dream of ever suggesting such a malicious plan of action, of course. In any case, best to start looking at the job market without quitting your current job, and be honest with other companies about why you're considering leaving: they'll for sure be happy with your integrity as a person, especially because you definitively resisted the temptation to screw them as I described above.


On 5/17/2019 at 1:02 PM, Mr. horse said:

only free AV on non domain systems.

Depending on what free AV they use, this could be a TOS violation, because most free software is for personal use and not commercial use. So at the very least a lawsuit, maybe even criminal charges depending on where you're located in the world.


You ever notice that many establishments have a sign that says "No Shirt, No Shoes, No Service"? They never say anything about pants... You know what that implies. You don't have to wear pants.


When a problem occurs, you get the blame. They might even criminally charge you. Enjoy.


Sudo make me a sandwich 

On 5/17/2019 at 1:09 PM, Curious Pineapple said:

Maybe you need a random "infection" on one machine to randomly delete a load of data from the network. Restorable from a backup of course, and when you "remove" the "infection", you point out that it was done by "malware" that used a keylogger to obtain passwords and tried them on the servers until it got in and started buggering stuff up.

 

If they don't understand simple security measures, I doubt they would question a non-existent infection deleting files.

Assuming you're joking... but just in case:

 

Do not do this: this is a federal crime in the United States and is illegal in most countries.



I'd put down everything fucked up in a document and send it to someone far above, quick, ASAP.


On 5/17/2019 at 1:02 PM, Mr. horse said:

So the higher ups at my work mandate some rather odd and bad policies that they will not change. I do everything I can to work around these blunders and insane policies, but some higher ups are rather stubborn.

 

Same admin password.

All users are given full admin rights on their workstations, which have the same admin username/password as the network and servers.

All WiFi passwords are extremely simple and follow a recurring pattern.

Very crappy AV on domain systems and only free AV on non domain systems.

Very little is allowed to be done in group policy to lock systems down.

Guests (like sales agents and stuff) are given a full admin account to use. With admin rights to everything both on the workstation and network.

Unsecured servers and networks are shared with CC systems. Network equipment is turned off or unplugged to run PCI tests at one site. 😣 We pass at all but one site, but there are still many holes that the PCI test allows or does not pick up on. I really wish I could fix that last site to at least be PCI compliant, but they will not let me.

 

What do you think? At least I have job security, haha. I should quit.

 

To me it depends on what kind of data they store and who their customers are. If it's bullshit data then no biggie. At my job we have the same username and password for all users on the floor. For the software we use, we all use the same creds as well, with the exception of some of those who have been there for a long time. But we don't have what I would say is critical data. The system is used to track unit repair so my company knows what to charge the customer for.

 

Now if you worked for a company that has government contracts and this was going on, I'd contact the government right away. But if you're not dealing with personal data (address, phone, SSN, CC data, etc.) then I wouldn't sweat it. If you are dealing with critical data then you need to do what @Bananasplit_00 suggested and document everything. Put it into a report to be given to the highest authority in your company. Maybe even hint that there could be legal repercussions if they don't secure the data. It's all fun and games until your customers have a class action lawsuit against you. Then it's a fucking festival.


Posted · Original PosterOP
On 5/18/2019 at 4:16 PM, wasab said:

When a problem occurs, you get the blame. They might even criminally charge you. Enjoy.

Believe it or not, no, I do not get the blame.

Our policy mandates that whoever caused the problem, or whoever's workstation is the root of the problem, is to blame.

If it's a problem on a server, firewall or router, then we shift the blame onto a crappy outside IT company that is supposed to be securing them but doesn't really do anything.

On 5/18/2019 at 3:43 PM, Donut417 said:

Depending on what free AV they use, this could be a TOS violation, because most free software is for personal use and not commercial use. So at the very least a lawsuit, maybe even criminal charges depending on where you're located in the world.

I agree. And they don't care that the same software key is used on many systems. In fact, they are unwilling to buy the number of software keys needed and usually only buy enough keys to cover 50-75% of our systems. The rest use the same keys from another system.

On 5/18/2019 at 8:09 PM, Donut417 said:

To me it depends on what kind of data they store and who their customers are. If it's bullshit data then no biggie. At my job we have the same username and password for all users on the floor. For the software we use, we all use the same creds as well, with the exception of some of those who have been there for a long time. But we don't have what I would say is critical data. The system is used to track unit repair so my company knows what to charge the customer for.

 

Now if you worked for a company that has government contracts and this was going on, I'd contact the government right away. But if you're not dealing with personal data (address, phone, SSN, CC data, etc.) then I wouldn't sweat it. If you are dealing with critical data then you need to do what @Bananasplit_00 suggested and document everything. Put it into a report to be given to the highest authority in your company. Maybe even hint that there could be legal repercussions if they don't secure the data. It's all fun and games until your customers have a class action lawsuit against you. Then it's a fucking festival.

Oh, that is where it gets interesting. We do accept credit cards but don't handle/store any of that data ourselves. I actually put my foot down and have all but one site 100% PCI compliant; the one site they will not let me make 100% compliant only fails on one thing, which wouldn't cause a breach.

We have government contracts too. But the data we handle is junk that no one would care about if it was leaked.

 

And this problem goes all the way up to the CEO. So yeah, not a whole lot I can do but quit, which is something I've been planning.


2 hours ago, Mr. horse said:

And this problem goes all the way up to the CEO. So yeah, not a whole lot I can do but quit, which is something I've been planning.

exit plan, discreetly but quick. ._.

Posted · Original PosterOP
7 hours ago, VegetableStu said:

exit plan, discreetly but quick. ._.

I agree, but it's hard to quit. It's a great place to work aside from these infosec problems. My co-workers are great too.

It's just the penny-pinching higher ups that want everything tech related to be as simple and easy as possible.


1 hour ago, Mr. horse said:

It's just the penny-pinching higher ups that want everything tech related to be as simple and easy as possible.

Can you reasonably estimate the costs of a potential attack, the financial loss that will be incurred and the probability of an attack? Send it up and say that essentially they could lose their Intellectual Property (commercial works, like code, documentation etc.), and that it would hurt them in Public Relations and could harm customer trust, which could in turn harm the organisation's prospects.

 

The higher ups want profit. Show them the profit is in dire risk and that the fix is using decent security, that the cost of securing systems is less than the loss incurred in an attack.

 

This is, if you really give one. If you don't, document everything: past attacks, violations of compliance standards (if they are ISO certified or something) before you got there; make requests to fix them and document their refusal.

 

Then move (copy) the evidence of their incompetence away from their systems onto yours, so that any malicious attempts to remove it in case of an attack and an attempt to shift liability can be lifted from your shoulders (note: IANAL, this is just what comes to mind).

 

On 5/17/2019 at 10:02 AM, Mr. horse said:

Guests (like sales agents and stuff) are given a full admin account to use. With admin rights to everything both on the workstation and network. 


They really WannaCry, don't they? (only ransomware that comes to mind that can be in a sentence)

Posted · Original PosterOP
9 minutes ago, NyetARussianSpy said:

Can you reasonably estimate the costs of a potential attack, the financial loss that will be incurred and the probability of an attack? Send it up and say that essentially they could lose their Intellectual Property (commercial works, like code, documentation etc.), and that it would hurt them in Public Relations and could harm customer trust, which could in turn harm the organisation's prospects.

 

The higher ups want profit. Show them the profit is in dire risk and that the fix is using decent security, that the cost of securing systems is less than the loss incurred in an attack.

I have done that, they just don't care about things that way.

To be honest, when we have a breach or attack the loss is rather small, usually just loss of time.

We have very little in the way of intellectual property aside from typical paperwork/forms. The only real problem would be if it hit payroll/HR with a keylogger and SSNs got out. But given how things are structured, the blame would be on HR.

The same can be said for our CC systems: if they get hit it would fall on the CC processing company, as we do not handle any of the data and it's their equipment, so if you stay PCI they can't come back on us.

 

Pretty much, I've been here long enough that I find every way to work around these blunders.


4 minutes ago, Mr. horse said:

if you stay PCI they can't come back on us

 

On 5/17/2019 at 10:02 AM, Mr. horse said:

there are still many holes that the PCI test allows or does not pick up on

Sounds like something that a professional can pick up on and can shift the blame on towards the company (you picked it up and acknowledged it, so can another person tasked with indemnifying the CC company)

 

I would say pack up and GTFO, not because of their shoddy practice, but because your job is to rectify that and, for legal purposes, you may end up becoming the fall guy for whatever happens in case of litigation, despite the lack of co-ordination with upper staff. You might want to go through your contract: if there is a possibility that you could be held liable, you need a new job.

Posted · Original PosterOP
2 minutes ago, NyetARussianSpy said:

 

Sounds like something that a professional can pick up on and can shift the blame on towards the company (you picked it up and acknowledged it, so can another person tasked with indemnifying the CC company)

Very true. But they are not things that can, or at least do not, get brought up in a PCI case. I do not want to get into details, but what I can say is that if there was a breach it would be overlooked or not cared about unless they were what caused the breach. Even then, it would not be an internal IT error but an HR or external IT error.

We are 100% PCI at all but one worksite and that worksite does not take CC anymore as far as I know.


Posted · Original PosterOP
1 minute ago, NyetARussianSpy said:

@Mr. horse Well, a lot of advice here is to jump ship and I agree with that, but I don't know what happens on the inside. I can only wish Godspeed!

Agree. And it's something I've been looking into. But mostly for other reasons.

 

Oh, did I tell you guys that our phone system is from the late 80s/early 90s and it used to get hacked and used to make calls outside the US?

