British Library Cyber Attack

Nope. HR or unions too concerned about how that data might be used against employees. Like I say, seemed crazy to me.

Had similar problems when we wanted to deploy a tool that tracked usage by users on their computers including applications and websites visited as part of preparing for an application modernisation programme.
We were sent a directive saying our card swipes would be monitored. 3y earlier they'd been used at a bonus round to prove breach of holiday allowance.
Not so long back I saw an instance where a new password strength rule was brought in. 14 or more digits, upper, lower case, no repeating characters etc. Loads of people were flummoxed by it and were complaining. Someone, who has a bit of a reputation as a know-it-all, replied saying "I just use the names of my three dogs with an exclamation mark and the year." :lol:
I think security teams can go too far at times, but I feel for them when they are dealing with this level of stupidity.
Doesn't help you have to change them every 6w
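As an added illustration of the point in the post above (this is example code, not from any poster or from the British Library): a checker for a composition rule like the one described, alongside a second check that flags the "three dogs, an exclamation mark and the year" pattern. The rule set, the word list and the sample passwords are all constructed here; "no repeating characters" is assumed to mean no character immediately repeated.

```python
import re

# Constructed rule set modelled on the policy described in the post:
# 14+ characters, at least one upper- and one lower-case letter,
# and (assumed) no character immediately repeated.
MIN_LENGTH = 14

def meets_composition_rules(pw: str) -> bool:
    """Return True if pw satisfies the composition rules above."""
    if len(pw) < MIN_LENGTH:
        return False
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        return False
    # Assumption: "no repeating characters" = no adjacent duplicate
    if any(a == b for a, b in zip(pw, pw[1:])):
        return False
    return True

# Constructed, deliberately tiny list of predictable building blocks
# (pet names, common words); a real deployment would use a breached-
# password or dictionary feed instead.
PREDICTABLE_WORDS = {"rex", "fido", "buster", "password", "summer", "welcome"}
YEAR_SUFFIX = re.compile(r"[!@#$%]?(19|20)\d{2}$")

def is_predictable(pw: str) -> list:
    """Return the reasons a rule-compliant password is still easy to guess."""
    reasons = []
    lower = pw.lower()
    if YEAR_SUFFIX.search(pw):
        reasons.append("ends in a year")
    words = [w for w in PREDICTABLE_WORDS if w in lower]
    if words:
        reasons.append("built from dictionary/pet words: " + ", ".join(sorted(words)))
    # Words, then optional symbol, then up to four digits: the classic shape
    if re.fullmatch(r"[A-Za-z]+[!@#$%]?\d{0,4}", pw):
        reasons.append("letters + optional symbol + digits pattern")
    return reasons

def evaluate(pw: str) -> dict:
    """Combine both checks: compliant with the rule, and why it is still weak."""
    return {"compliant": meets_composition_rules(pw),
            "weak_because": is_predictable(pw)}

if __name__ == "__main__":
    # Constructed samples: the dogs-plus-year password passes the rule but
    # trips every predictability check; a random passphrase passes both.
    for sample in ("RexFidoBuster!2023", "Quiet.Violet.Lamp.Rivers", "Summer2024"):
        print(sample, evaluate(sample))
```

The composition rule alone accepts the dogs-and-year password; the second check is what actually catches it, which is why a wordlist or breached-password check is the control worth adding rather than more character-class rules.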


@Ambivalent Dave
In common with other on-premise servers, this terminal server was protected by firewalls and virus software, but access was not subject to Multi-Factor Authentication (MFA).

The lack of MFA on the domain was identified and raised as a risk at this time, but the possible consequences were perhaps under-appraised



:lol::lol:
The data they copied amounts to some 600GB of files, which in real terms equates to just under half a million individual documents. Detailed analysis of this data is ongoing, which is estimated to be complete by the end of March 2024. :lol: :lol:
I worked for a company and we had a public sector client and we ran their IT. We wanted to do some phishing testing to check vulnerability and look how secure. Anyway iirc they wouldn't let us. HR concerns about making judgements on employees. Seemed crazy to me.
The community is divided on this.

On one side, phishing your own staff means people are more on their guard. They don't know what is a test, what is real, what is legitimate, so from that side it is positive. On the other side it creates hostility towards the IT department and makes security education feel like a punishment. That causes people to disengage on the security side or have a fear of reporting.

If someone clicks on a link and realises what they have done, if they feel like there is a culture of punishment then they might keep quiet and hope nobody notices. A place that is supportive is more likely to get someone saying "I have clicked on a link and I'm just not sure, can you check this out please".

The first way gives better test results but the other way gets more positive engagement when accidents do happen.
@Ambivalent Dave
In common with other on-premise servers, this terminal server was protected by firewalls and virus software, but access was not subject to Multi-Factor Authentication (MFA).

The lack of MFA on the domain was identified and raised as a risk at this time, but the possible consequences were perhaps under-appraised



:lol::lol:
The data they copied amounts to some 600GB of files, which in real terms equates to just under half a million individual documents. Detailed analysis of this data is ongoing, which is estimated to be complete by the end of March 2024. :lol: :lol:
I can imagine the conversations, because I have been in so many similar.
We need to do this, we are failing basic security standards by not having it
Yeah, but it is difficult, will take time and I can think of a number of staff who really will not like it. Can you write a paper for the next board meeting
FFS, ok (start another half day of work rewording the same thing again to look different)
Sorry, we didn't have time to look at it, I think we will at the next meeting....and so on and so on

I have been in so many similar meetings, and are you not Uni IT too? Things are far too slow, and Library related even more so.

Where I used to work, we got MFA put on the VPN because of me standing up in a meeting saying "There are hackers on our VPN right now and we have no way of keeping them out. We have 40,000 user accounts and only need one to have their password compromised to allow hackers in, and we can not tell what is legit and what is not until it is too late. Are you happy for the minutes of this meeting to reflect that you are content with that status and you will defend that to the ICO when we are compromised?". Said in quite an angry voice after we had been trying for a year to get the go ahead. I felt a bit like Bob Geldof and his famous "We need the money NOW".

It still took a few more months before we were able to start rolling it out, because it might upset this event and this other time of the year and and.....

Universities - really interesting and diverse sector to work in with lots of challenges, but bloody frustrating for the slow speed of things.