Can someone explain how companies keep getting hacked?

Honestly, I'm a little lost as to how they aren't properly storing or at least air-gapping/internal intranet-ing a lot of things.



They don't give a fuck.

I work at a rehab and the sysadmin is a complete tard.
>Windows 98 on some computers
>Windows 7 on all others
>i can access any higher-ups account by cd../, listing all other accounts on network
>passwords/emails left at every computer
This rehab is going to face a serious security incident. I don't even know how to tell them without looking autistic.

you need to be autistic to get things right

no ur just dumb

getting hacked has minimal downsides, go to Target and ask their customers if they even care or know about it.

If you have to use an air-gap or separate network to secure systems, it's only a matter of time before they will be exposed to malicious activity.

Look up zero-trust.

Typically: user stupidity.
Scenario 1:
>user receives an email with a "document attachment"
>user downloads and tries to open it
>malware now running on machine, spreads to other machines on the network
Scenario 2:
>sysadmin receives a phishing email
>they fall for it, enter their credentials
>access to infrastructure now granted

What does airgap mean?

inside job most likely kikes

Scenario 3:
>janitor has been fucking with computers since he was 9
>has access to entire physical building
>finds servers/network setup
>fucks shit up

Physical security is definitely necessary, but I'd bet it's a much smaller part of the puzzle.


The question is whether there are any entities that are out to protect their users without any ulterior motives.

Data is too valuable now for anyone to just let it go to waste

I honestly can't understand why we don't have actual rules stipulating basic security principles such as, "it's no longer acceptable in 2019 to use Windows 95 in any form"

>but I'd bet it's a much smaller part of the puzzle.
Then you'd lose money, champ.

I think this is right desu.

Because it's cheaper to hire a PR firm to help you keep your customers complacent instead of actually hiring and paying for real security audits and shit.

Paying multiple people a full-time $120K+/year salary plus another $50k+ in bonuses/benefits a year is a LOT more expensive than paying for PR cleanup every 3-5 years if/when a hack gets publicized.

Until nobody trusts you or wants to share their data; then you literally don't have a business

Rarely happens if you're large enough of an entity.

Which are the primary hacking targets.

Rarely would someone bother hacking a tiny business that has less than $1M a year in cash flow.

Remember, too big to fail. Equifax proved that.

I don't know why we all haven't moved to something like datawallet at this point. Once the big companies get our data/transform it (in a second), they no longer care what happens to it really (other than it not going to their competitors).

They don't get "hacked" in the 90s sense. They just have security holes usually exploited by someone who works there and has access to the servers.

Very rarely is anything cracked, sniffed, or SQL injected these days.

it's intentional
prove me wrong
protip:
[spoilers]you can't[/spoilers]
protip

it's just the cost of operation.

It's cheaper to deal with the fallout of a hacking incident than it is to pay for a proper security team full time.

You don't have to know what it means. Just use it to sound smart. That's what professional IT is all about. Duh.

Because it's just wrong. Who cares about using Windows 95 when it's people using current software improperly that poses the biggest threat. Besides, it's a free country, people can use whatever they want.

Windows 95... now that was an operating system.

Any apps that give users total control over who sees their data? Preferably ones that don't impede performance. Kek, long shot I know

most security breaches are from inside, not outside. It's also the reason why we don't hear in the news something like
>infamous hacker known as Jow Forums was caught for the security breach of company x
they need to keep it quiet, because if it got out that anything and everything you upload anywhere on the internet is basically accessible by the people working there, trust would be lost

Yep, may not even be viable to set up a for-profit organisation that in effect shreds customers' data. They would be doing god's work though

Brave do this though yeah?

Not as far as I know. NT 4 was more popular in enterprise anyway, and more secure.

>Tell management about critical flaws on their systems
>weeks later get fired or harassed until you leave.
Quite often management at companies react badly to being told something is wrong. There's little incentive for employees to point it out.

It's a Google clone. Very easily crackable for any spooks that want to meddle

>It's on our internal network, no one can touch it.

I have set up several servers and webshops for companies.
And I am pretty sure that none of them have been updated since I created them.
And the passwords they use are all hilariously bad.

When I did my internship at a non-profit they made me admin in the first week, because nobody knew how to computer.

I worked for the gubberment and I had access to all kinds of files. When I mentioned it to the bosses they said: well, we've all sworn an oath here. So there is nothing to worry about. But I was never asked to swear an oath at all.

Also, most hacks are simply done through
a) phishing via email
b) reusing passwords found online

They hire Chinese, Chinese walk out with data.

Also this. Pajeet coding using the book-on-lap method. And treacherous Chinks.

Agreed, Jow Forums jannies are underage and retarded.
Fuck jannies.


>datawallet

What are you talking about?

"Never attribute to malice what can be attributed to stupidity"
This is probably the most important thing that you learn in InfoSec. Most attacks require ill intent, but they are always made possible by sheer incompetence.

The bigger an organization gets, the harder it becomes to keep track of data. If you don't know how data travels or where it is stored, you can't secure it. Simple as that. It can be an idiot from accounting who clicks on a phishing email, a port left open by an obsolete application on an exposed server which has not been decommissioned, a poorly coded website or application which gets exploited, a janitor who gets bribed to connect a device into an Ethernet port with no port security/authentication, or somebody from HR who uses his/her LinkedIn account, chock full of CVs, on a public computer. If I were to look at the incidents that I've seen in the last year, I can probably come up with like 50 events where data was leaked by mistake or intentionally.

Perfect security only exists if you shut everything down. Otherwise, the outer shell starts to crack and leak little by little, until somebody notices. Risk management and InfoSec try to keep track of those cracks and patch them up as best they can, at least in theory. When you talk about large corporations, probabilities are so high that it's not a question of "if", it's a question of "when".

even if they keep their systems secure there is still the risk of zero day vulns

people can use whatever they want, but it's all our data being leaked

I can't wait until companies are forced to work with companies like datawallet where the individual actually controls/permissions their data

It's some small crypto project trying to wall off all your data from any prying eyes. I wouldn't worry too much about it, it probably won't amount to anything

I'm not an IT guy at our company, but judging by the emails I get this seems to be pretty much the way they do it.

It exists, it’s called the CIS top 20 security controls. Companies either follow them halfassedly or not at all. While simple in theory, some are difficult to implement in large organizations.

Explain. I missed out on all that crypto tomfoolery

>user is hired by company X
>the sysadmin offers user a few choices for the OS
>user goes ahead and installs his favorite, a non-conforming OS
>security updates cannot be managed remotely on his OS, so user is now a black box within the company network
>user catches a new virus because his Office replacement, email client, browser and OS are out of date
>company network is screwed

It's a wallet that holds all your data so that buzzards can't feed on your thoughts. Good idea, but it was wrecked from ICO to today

It's not connected to the internet or any other outside network. Pretty unrealistic and unnecessary in most cases. OP just through it out to look smart.

So how do you secure a network so millions of records don't get hacked?

many admins are being paid a minimal amount, so they put in minimal effort because they don't give a fuck if the company burns down

And how did it go in 2017 when all the madness was happening?

It got obliterated in 2018, that's all I know.

The idea is one of the absolute best in all of crypto but it was mismanaged.

test

I feel this is the million dollar question everyone is asking, if anyone knows, might be worth selling to a big company

>too big to fail
*cough* Enron *cough* Lehman Brothers *cough*

Yeah, the exceptions, one of which, Enron only got fucked because it was rich cunts fucking other rich cunts out of their money.

Unironically because of legacy C/C++

They guessed the password to the admin account is "P@55word".

>zero-trust
I just looked it up. I thought this was how everyone did everything. Are you telling me this is some ground-breaking method or some shit?

Inject harmless virus. Be hero and save the day. They listen to you now.

>move fast and break things :^)
>oh fugg we got hagged :-O

>security is easy
eh

Sounds like a real stupid idea

This, companies only care about growth, which means marketing above everything else. That's how they get investor bucks.

>just through it out to look smart
>through
Well you did a fine job of looking dumb

pastebin.com/raw/0SNSvyjJ

Something like this. The company he's talking about is an infosec company