In episode 1043 of Steve Gibson and Leo Laporte's "Security Now," I was startled from my comfortable listening by the following statement by Steve. Discussing the hopelessness of getting employees to consistently avoid clicking on links that lead to sites that serve malware, Steve said: Wait a minute -- don't they already do that? Does this mean that protecting against clicking on bad links with the kinds of software that we discuss on Wilders is not standard practice at companies and government agencies?? What else could Steve mean? Adding to my surprise and shock is that Leo didn't raise any objection to what Steve said, as if it were a simple, unremarkable fact. Is it really that bad out there?? Do we who use OSArmor, BlackFog, CyberLock and the like actually enjoy better protection than the banks, hospitals and public waterworks that we rely on? I must be missing something.
What it means is that even the best, most secure, most advanced security solution possible is easily thwarted if the user opens the door and invites the bad guy in. And sadly, especially now with AI, the bad guys are creating links, emails, ads, popups, etc. that are nearly impossible to detect, even by the most seasoned professionals. This has been made even worse by all the corporate hacks and breaches over the last 5 to 10 years where so many of us have had our personal data stolen. Much of that data is now in the hands of the bad guys and their AI machines and is being used to create even more authentic-looking but malicious links, emails, ads, popups, etc., many of which are actually targeted specifically at the recipients. So the problem is the human factor. Even though the user (a mere human) has been told, and taught, and told again and again NOT to click on unsolicited links, emails, ads, popups, etc., people still do - in large part because they do appear so legitimate. Not really - at least not in theory. There are two factors here. First and foremost, if you are a member of Wilders and reading this thread, odds are you are much more "security aware" and disciplined in the field of computer security than most bank tellers, hospital workers, and utility workers who do banking, health care and public utility jobs for their livings. And the second factor is that, by far, most of the security breaches at banks, hospitals, etc. are the direct result of those in charge of network security FAILING TO DO THEIR JOBS!!! For example, the HUGE Equifax breach a few years ago, where over 140 million users' personal data was stolen, happened because IT admins and upper-level management were negligent - IMO, criminally negligent, because they essentially allowed the breach to happen. How? Why?
Because the developers of their network software had already identified the vulnerability in their own in-house/white hat testing, developed the "critical" patch AND had distributed that patch to Equifax nearly 6 months before the breach occurred! But the system administrators at Equifax sat on it. Never installed it. They failed to do their jobs! And so did the C-level execs who never impressed upon their network admin and security people to do their jobs on a timely basis. Okay, there's a third point here. NO ONE is ever held accountable! System admins don't get fired. C-level execs don't get fired. No one goes to jail when criminal negligence happens. NO ONE is held accountable. If these lazy people know they won't get into trouble, what incentive do they have to do their jobs? In the case of the Equifax breach, only one low-level manager spent a couple of days in jail - but not because the breach happened. He went to jail for insider trading, for selling all his Equifax stock when he learned of the breach days before it was reported and publicly announced. Surely the Equifax breach was one of the most egregious. But it is still rather typical of how they often occur. That is, due to negligence on the part of those responsible for preventing such breaches. And the scary part is, really, nothing has changed! Those responsible still are not doing their jobs and applying available patches in a timely manner, nor are they or upper management being held accountable.
I haven't cared about GRC for decades. I am conscious of various security software; I trialed a lot of them. None survived. At work we have Defender, Cisco and Zscaler, and of course a proxy which blocks several sites. For me, I have experienced no issues in the last two decades without any antivirus or firewall. Major issues are browser or mail (both clients). But it has no benefit to limit an OS (here: Windows) in its basics with e.g. OSArmor etc. Blinded by the light. As for all the articles, most of them try to sell some software, or tell lies/myths. They want your hard-earned money. Stay clean, or recover from issues!
I don't know about CyberLock or BlackFog, but static rule-based tools like OSArmor do not scale well in big enterprises.
The best point in a post full of good points! (To be clear: I'm not being argumentative in what follows, just shocked and curious to learn more.) I think what surprised me when I heard Steve Gibson was that it sounded like these large organizations don't use security software that will backstop negligent link-clicking. None of us is perfect and anyone can fall for some cleverly designed email, so when the inevitable finally happens -- isn't that what layered protection is for, to identify unknown software; detect suspicious behavior; inspect the sites that malicious links lead to, and so on? Even dutiful regular patching with new updates won't protect against zero-day attacks. But again, isn't that what layered protection is for? Definitely we can't expect every bank teller and government clerk to be as security-conscious as Wilders participants, but surely we could expect the IT department to be, such that it implements layered security. Or not really? I can think of one alternative explanation that doesn't involve incompetence or criminal negligence. Could it be simply that professional hackers are so good that they will defeat even a well-designed defense? Given that no single protective measure will provide 100% protection, maybe what's happening is that protection is indeed deployed but what we hear about is the 0.000001 attack that manages to get past the three layers of 99% protection.
This is intriguing. If you have discussed this idea before, I'd love to read more about it: on some forums, people would freak out to read a statement like that.
I only worked in one large company and not in the security or IT team, so my view may not be representative. There are protections, but they are far from perfect. When I click a link in Outlook or Teams or other apps, something installed within the OS replaces it with a link to a reputation service. There is logging and monitoring, so if a user executes any program, a log event is sent to centralized storage where security teams and software can analyze it. Of course there is the (so-called) next-gen AV beginning with the letter C that crashed and stopped many Windows systems from booting on a global scale last year. More importantly, access to internal services is role-based: you need to request a role and your manager (or service manager, depending on the role) needs to approve it, or your request should be rejected if your job does not need it. In the R&D part of the company there is also network segmentation by rules on firewalls/routers/managed switches (IP, port, VLAN etc.). So yeah, there are protections but they are far from perfect. In large organizations security is done by products that can be used at scale - no time for precise, custom-tweaked OSArmor rules for each and every employee.
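The click-time link rewriting and the centralized click log that the post above describes, sketched as an added Python example. This is an illustration written for this thread, not the poster's employer's tooling or any vendor's product: the redirector host safelinks.example.invalid, the contents of HOST_BLOCKLIST and the sample email body are all constructed here. Two details worth noticing in the code: the blocklist is matched against the target host and every parent domain, and the wrapped URL is percent-decoded exactly once, because decoding it a second time would let a link smuggle through its own encoding.

```python
"""Click-time URL rewriting with a reputation check and an audit log.

Constructed illustration: the redirector, the blocklist and the sample
email are made up for this example and do not describe any real product.
"""
import json
import re
from urllib.parse import quote, urlparse, parse_qs

# Hypothetical redirector; every outbound http(s) link in mail is rewritten
# to point here, so the decision is made at click time, not delivery time.
REDIRECTOR = "https://safelinks.example.invalid/click"

# Constructed reputation data: hosts known to serve phishing or malware.
# A match on the target host or any parent domain blocks the click.
HOST_BLOCKLIST = {"bank-login-verify.example", "cdn.badstuff.example"}

# Minimal href matcher for the constructed HTML below. A real mail gateway
# parses MIME and HTML properly instead of using a regex.
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)

# Constructed sample message: one phishing link, one legitimate intranet link.
SAMPLE_EMAIL = (
    '<p>Please <a href="https://www.bank-login-verify.example/secure?id=42">'
    'verify your account</a> or read the '
    '<a href="https://intranet.corp.example/policy.html">policy</a>.</p>'
)


def rewrite_links(html_body):
    """Replace every http(s) href with a redirector URL that carries the
    original target as a fully percent-encoded query parameter."""
    def _wrap(match):
        original = match.group(1)
        return 'href="%s?url=%s"' % (REDIRECTOR, quote(original, safe=""))
    return HREF_RE.sub(_wrap, html_body)


def host_is_blocked(host):
    """True if the host or any of its parent domains is on the blocklist."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in HOST_BLOCKLIST for i in range(len(labels)))


def resolve_click(rewritten_url, user, log):
    """Simulate the redirector handling a click: recover the original URL,
    check the target host's reputation, append an audit event to the shared
    log (stand-in for the centralized store the security team queries) and
    return (verdict, original_url)."""
    parsed = urlparse(rewritten_url)
    if "%s://%s%s" % (parsed.scheme, parsed.netloc, parsed.path) != REDIRECTOR:
        raise ValueError("not a redirector URL: %s" % rewritten_url)
    # parse_qs percent-decodes once; do not decode again, or a crafted link
    # could hide its real host behind double encoding.
    original = parse_qs(parsed.query)["url"][0]
    target_host = urlparse(original).hostname or ""
    verdict = "block" if host_is_blocked(target_host) else "allow"
    log.append(json.dumps({"user": user, "host": target_host,
                           "verdict": verdict, "url": original}))
    return verdict, original


def demo():
    """Rewrite the sample email, then click every link as user 'jdoe'.
    Returns (list of (verdict, original_url), list of JSON log events)."""
    log = []
    rewritten = rewrite_links(SAMPLE_EMAIL)
    results = [resolve_click(url, "jdoe", log) for url in HREF_RE.findall(rewritten)]
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for (verdict, url), event in zip(results, log):
        print(verdict.upper(), url)
        print("  log:", event)
```

Run it and the phishing link is blocked because its host www.bank-login-verify.example sits under a blocklisted parent domain, while the intranet link is allowed; both clicks leave a log event with the user, host and verdict, which is the trail a security team would search after an incident.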
I don't see how that is possible. How is software to determine which user is being negligent and which is not? And it would mean the software would have to be actively monitoring essentially every keypress and mouse click every employee makes - including their log-in credentials. Layered protection? No. It is not about layers but what each layer does. Having layered protection in no way ensures 100% effectiveness and, for that reason, gives a false sense of security, because the assumption is made that regardless of what is thrown at the system, one of the layers will catch it. That is a bad assumption. And frankly, there is nothing to suggest (except marketing hype) that a single, quality layer is not just as good as multiple layers. This is particularly true since just about every security software program out there already is layered by using several techniques to identify and block known malicious code and several techniques to identify and block unknown malicious code AS WELL AS several techniques to identify "suspicious behavior". This would be easy if security software were foolproof - 100% effective at blocking malware. But that will never happen. When operating systems and corporate applications have tens of millions of lines of code, there will always be new vulnerabilities being discovered. If the bad guys discover them, they attempt to exploit them. If the good guys discover them, well, that then relies on the system administrators doing their jobs - and we see how well that works. Don't forget (1) the bad guys have access to all these security programs, (2) many of the bad guys are extremely well funded (some state-sponsored) and (3) many of the bad guys are just as knowledgeable as the good guys.
Thank you for that, it too helped me understand the situation better. I did want to clarify something I wrote: Here's a simple example of what I meant. Our home isn't a corporate environment, but hopefully the analogy will still work: 1) I click on a link to download some random program on the Web that turns out to be malicious. My AV detects the download and quarantines the program. 2) My wife gets an unsolicited email from what claims to be her bank, containing a link to a phishing site. She clicks on the link, and Quad9 DNS or Heimdal DarkLayer Guard prevents the connection. In both of these cases it doesn't matter which user was negligent or what else they were doing, only that a malicious link was clicked on.
Yes, but in your home network, like essentially all home networks, it was separate programs that blocked the malware. On your computer, it was your AV. On the wife's it was probably her browser's anti-phishing feature (as any good one has) backed up by her AV. It likely was not Quad9 or Heimdal as it was blocked before they could intervene. That is not the same as some software running on a corporate network.