[TiMSport]

This most recent event involving Colonial Pipeline (based here in Alpharetta, GA) is the latest example but it's very concerning to say the least. With so much of our critical infrastructures dependent upon IT systems and their vulnerabilities. This case involves a ransomware group known as DarkSide, but there are plenty out there. It does seem that some experts are suggesting this particular group wasn't aiming to cause chaos as much as it was just trying to get money. I hope authorities can get to the bottom of this and nail these bastards no matter what.

With that being said, we really need to be prepared for this kind of thing as it's just going to happen more and more. We've all read the stories about corporations and even local municipalities getting shut down and being victimized by these so-called ransomware groups. I just wonder how many of them are in China or Russia. Perhaps even N. Korea. Of course they may very well be right here in our back yard as well. Scary thought.

[Buug959]

You may find this article interesting TiMSport It seems that DarkSide is avoiding any IT system that the language is set to Russian.

https://www.bbc.com/news/business-57050690

[zx10guy]

This crap is going to continue until there are fines and penalties (which may be as extreme as jail time) for critical industries to put money into INFOSEC. No one is talking about this. I've been harping about this for a long time both in various online forums and with my job as a technology advisor for various clients. These rules need to be similar to HIPAA, PCI, and FedRAMP.

Talking about beefing up security is not going to do a damn thing as putting money into security doesn't reflect in the balance sheets or ROI of executives. But what will is if they don't upgrade their systems to established minimum guidelines that those making decisions on implementation and budgeting get fined personally or thrown in jail. I bet you this whole thing will turn around within in a few months. I don't need to go that far back to bring up a classic example of the failure of how things are being done by bringing up Equifax. The idiots in management knew they had vulnerabilities in their systems and chose not to patch their systems.

[TheWatchGuy]

as long as they keep hacking nudes, I'll allow it

[4Hockey4]

Quote:

Originally Posted by LemansE90335xi

You may find this article interesting TiMSport It seems that DarkSide is avoiding any IT system that the language is set to Russian.

https://www.bbc.com/news/business-57050690

scary stuff, but more importantly thank you for getting your information from an actual news site, not our current propaganda entertainment stations.

[vreihen16]

Colonial Pipeline's IT architects should be unemployed on the spot if their control infrastructure was accessible for any type of remote exploit via the public Internet! This is a no-brainer, and the feds have been publishing warnings to utilities and others that all of their infrastructure needs to be air-gapped to prevent this very thing from happening.....

[TiMSport]

Quote:

Originally Posted by zx10guy

This crap is going to continue until there are fines and penalties (which may be as extreme as jail time) for critical industries to put money into INFOSEC. No one is talking about this. I've been harping about this for a long time both in various online forums and with my job as a technology advisor for various clients. These rules need to be similar to HIPAA, PCI, and FedRAMP.

Talking about beefing up security is not going to do a damn thing as putting money into security doesn't reflect in the balance sheets or ROI of executives. But what will is if they don't upgrade their systems to established minimum guidelines that those making decisions on implementation and budgeting get fined personally or thrown in jail. I bet you this whole thing will turn around within in a few months. I don't need to go that far back to bring up a classic example of the failure of how things are being done by bringing up Equifax. The idiots in management knew they had vulnerabilities in their systems and chose not to patch their systems.

F'n Equifax! Don't remind me of that. Argh. I agree there needs to be accountability and punishment for not securing critical infrastructures.

[TiMSport]

Quote:

Originally Posted by TheWatchGuy

as long as they keep hacking nudes, I'll allow it

LOL. Yeah keep up the good work with hacking celeb iPhones and continue "The Fappening" trend.

BTW, I saw your signature and was wondering what kind of hacked nudes you're hoping for...

[jmack]

Quote:

Originally Posted by zx10guy

This crap is going to continue until there are fines and penalties (which may be as extreme as jail time) for critical industries to put money into INFOSEC. No one is talking about this. I've been harping about this for a long time both in various online forums and with my job as a technology advisor for various clients. These rules need to be similar to HIPAA, PCI, and FedRAMP.

Talking about beefing up security is not going to do a damn thing as putting money into security doesn't reflect in the balance sheets or ROI of executives. But what will is if they don't upgrade their systems to established minimum guidelines that those making decisions on implementation and budgeting get fined personally or thrown in jail. I bet you this whole thing will turn around within in a few months. I don't need to go that far back to bring up a classic example of the failure of how things are being done by bringing up Equifax. The idiots in management knew they had vulnerabilities in their systems and chose not to patch their systems.

There are critical infrastructure regulations similar to HIPAA and PCI, it's called NERC CIP. But I absolutely agree that executives need to be held personally responsible for violations like this.

[unluky]

We have no fingers to point here........

Great watch if you've never seen it!

https://www.imdb.com/title/tt5446858/

[EME_Bounce]

The problem is, as a career field, IT is a dumpster fire that should be avoided at all costs. It intersects poor, ignorant management, skilled sales babes and smugly incompetent "IT" people put in charge of critical infrastructure. Hiring is generally done by certification and those doing the hiring couldn't determine if someone was competent if they tried.

There are good people but they're usually shunned away and can't stand the idiots and go to work for the places that don't get hacked.

[EME_Bounce]

Quote:

Originally Posted by zx10guy

This crap is going to continue until there are fines and penalties (which may be as extreme as jail time) for critical industries to put money into INFOSEC. No one is talking about this. I've been harping about this for a long time both in various online forums and with my job as a technology advisor for various clients. These rules need to be similar to HIPAA, PCI, and FedRAMP.

Talking about beefing up security is not going to do a damn thing as putting money into security doesn't reflect in the balance sheets or ROI of executives. But what will is if they don't upgrade their systems to established minimum guidelines that those making decisions on implementation and budgeting get fined personally or thrown in jail. I bet you this whole thing will turn around within in a few months. I don't need to go that far back to bring up a classic example of the failure of how things are being done by bringing up Equifax. The idiots in management knew they had vulnerabilities in their systems and chose not to patch their systems.

You can make up a bunch of laws, rules, requirements, but if the person implementing them is nothing more than a button pushing monkey that doesn't understand aspects of how systems work and work together, this will always continue.

Laws/regulations/PCI/HIPPA all lag technology and are written by bureaucrats, not intelligent computer engineers. (yes, there is a HUGE difference between an IT weenie and a computer engineer). IT management is excited in nothing but reading blogs and the latest IT buzzword.

I've seen all of this first hand in commercial industry.

There are good people but for the most part it's a mess.

[Tommy-G]

We had a scary one locally, you guys may or may not have heard about. Some hacker got into the water system computer and raised the amount of LYE by 100 times. It triggered an alarm but other areas don't have the same alarm system apparently

https://www.wired.com/story/oldsmar-...-utility-hack/

[unluky]

Quote:

Originally Posted by EME_Bounce

The problem is, as a career field, IT is a dumpster fire that should be avoided at all costs. It intersects poor, ignorant management, skilled sales babes and smugly incompetent "IT" people put in charge of critical infrastructure. Hiring is generally done by certification and those doing the hiring couldn't determine if someone was competent if they tried.

There are good people but they're usually shunned away and can't stand the idiots and go to work for the places that don't get hacked.

I agree with all this. I know enough about IT to be mildly dangerous and watching my old boss interview potential IT people was embarrassing. He can barely run outlook or find a folder on the server - but he is trying to integrate these people about their IT knowledge. I was surprised many did just get up and leave.

It's be like me trying to hire Stephen Hawkins for a job he was qualified for - how in the hell would I be able to vet him?

Any real programmer has to be driven crazy by the request from their bosses - who always "know better".

[TiMSport]

Quote:

Originally Posted by unluky

We have no fingers to point here........

Great watch if you've never seen it!

https://www.imdb.com/title/tt5446858/

Didn't see it but I will now, thanks.

[BMWGUYinCO]

The problem is a combination of apathy and simple financials. I work in IT so I've seen it many times.

Companies are always reactive rather than proactive...and that's where the apathy as well as finances come in.

A good CISO will assess the vulnerabilities of the company and then propose a remediation plan. That cost will make the board swallow their tongues. So a small percentage will be allotted each year towards proactive measures and some in just maintaining services/support....until a major incident happens.

Then unfortunately, the blame has to fall on someone, - so the CISO usually has to fall on the sword and then miraculously the money is produced.

[unluky]

Quote:

Originally Posted by BMWGUYinCO

The problem is a combination of apathy and simple financials. I work in IT so I've seen it many times.

Companies are always reactive rather than proactive...and that's where the apathy as well as finances come in.

A good CISO will assess the vulnerabilities of the company and then propose a remediation plan. That cost will make the board swallow their tongues. So a small percentage will be allotted each year towards proactive measures and some in just maintaining services/support....until a major incident happens.

Then unfortunately, the blame has to fall on someone, - so the CISO usually has to fall on the sword and then miraculously the money is produced.

That is why a good CISO always......ALWAYS keeps emails. LOL

[TiMSport]

Came across this explanation of what makes a good CISO. Don't know anything about BMT but this article sounded legit.

https://www.bmc.com/blogs/ciso-chief...curity%20risks.

[vreihen16]

Quote:

Originally Posted by unluky

That is why a good CISO always......ALWAYS keeps emails. LOL

...printed on paper!!!!!

[Murf993]

Might be the rum talking but here goes. Why doesn't the command and control system for any infrastructure have a stand alone system for the expressed reason of avoiding hacking.

[vreihen16]

Quote:

Originally Posted by Murf993

Might be the rum talking but here goes. Why doesn't the command and control system for any infrastructure have a stand alone system for the expressed reason of avoiding hacking.

Even with the rum and zero professional IT experience, Murf gets the stupidity of Colonial Pipeline's IT architectural blunder!!!!!

[Murf993]

Quote:

Originally Posted by vreihen16

Even with the rum and zero professional IT experience, Murf gets the stupidity of Colonial Pipeline's IT architectural blunder!!!!!

Thank you. I mean I loved to google at work as much as the next guy but I'm thinking that you can't get hacked if you're not connected to the inter web right?

Might be the rum talking but maybe I should go into consulting.