Raise your hand if your CIO is making policy changes to check boxes for insurance instead of assessing how they'll affect the organization.
Posted by TheGreatestJaggi@reddit | sysadmin | 135 comments
It definitely feels like every day is a Monday now.
dubiousN@reddit
Being insured is pretty important for the organization
srbrega@reddit
Yep. We've had to use it, and it would have been catastrophic for the company had we not had coverage.
HotTakes4HotCakes@reddit
They didn't say these check boxes were requirements for coverage. It could just be their insurance charges a premium based on how many boxes they check.
srbrega@reddit
They're typically yes/no questions, or short answer questions. Such as "does your company require MFA for VPN connections?" Knowingly answering falsely could be grounds to deny coverage.
telaniscorp@reddit
A lot of companies just tick these options to satisfy the insurance, but most of them do not invest in said tools or are sloppy in implementing them.
3BlindMice1@reddit
Then the insurance company gets to dodge the bill when your company gets hacked and now you're out of a job (and possibly the industry)
bjc1960@reddit
Bingo, you don't think they're all just gonna fork over 5M without reviewing the tenant audit/sign-in logs.
jduffle@reddit
Like this... article says 5 million but later says more like 18 million total https://www.cbc.ca/news/canada/hamilton/cybersecurity-breach-1.7597713
Bradddtheimpaler@reddit
Yes, I've made very aggressive changes, quickly, to make sure I'm not lying on a box I absolutely needed to check.
hubbyofhoarder@reddit
I fill out the questionnaire that our insurance broker uses to get bids for our cyber insurance coverage. It doesn't quite work like that.
While it doesn't say so on the questionnaire, there's only one thing that is a basically non-negotiable requirement to get cyber insurance right now: MFA coverage for all accounts, including MFA for admin account usage and for any remote access. Over time, what I see as the next non-negotiable requirement is some kind of management for privileged access beyond just MFA. That can take a bunch of different forms so I won't expound on that here.
Our renewal questionnaire runs roughly 180 or so questions, and requires a bunch of very specific info to answer all questions properly. It's not just a yes/no or check box thing.
I don't love filling out the questionnaire as it's a ton of work. However it's honestly a worthy effort even if the insurance renewal wasn't part of it. The questionnaire has forced me to evaluate stuff that wasn't necessarily on my radar, and it also helps by forcing my co-workers to participate in answering some of the questions.
Sometimes gathering the answers to the questions forces assessment and improvements. Example: one of our renewal questions asked for a full list of privileged service accounts with a business justification of all privilege. The process of generating that list and the justifications led us to reduce our count of privileged service accounts by 75 percent, and to the conversion of several of them to group managed service accounts (a more secure implementation).
ZPrimed@reddit
This must vary by location because my employer doesn't have MFA for everyone despite my protests as well as the IT person's protests (I'm not technically user-facing IT in my current role)
hubbyofhoarder@reddit
How small is your company? I suspect rather small when you write "IT Person"
We were flat out told "No MFA, no insurance". We're also a 2500 person company which is critical infrastructure for my city
ZPrimed@reddit
20-some person non-profit. So yeah size probably makes a difference too.
AccountantFree5151@reddit
Not on VPN?
jon13000@reddit
Ransomware insurance policies are being denied if the check boxes aren't marked. They aren't messing around anymore.
FastRedPonyCar@reddit
Yep, and in pretty much every one of those meetings I've been in as the technical "what will this break?" consultant, usually it's "these specific people will get irritated".
Some of it was more delicate to daily operations, but rarely was there anything that just set pants on fire other than the prospect of a company getting found out that they'd been lying on their security audits.
mirrorbirdjesus@reddit
Bingo, I wish they would
DefJeff702@reddit
This. If you couldn't check those boxes, be thankful you get the opportunity to check them BEFORE a breach is not covered by your insurance.
pinkycatcher@reddit
Yah I'm sitting here thinking I would do the same thing, in no world is a CIO going to have a job by saying "Let's not meet our insurance requirements"
The fact that a sysadmin has to do work because of it sucks, and yah, it might not be the best decision, but this is a non-starter, it's going to get done. Don't rag on your CIO over this.
HotTakes4HotCakes@reddit
I think the implication is you can go with other insurance providers with less stringent requirements.
They also didn't say "requirements" anywhere. It may be a "check these boxes and get a discount" type of a deal.
pinkycatcher@reddit
I agree with you about the implication but insurance is a CFO decision, and even if there is input, I doubt it's worthwhile for the CIO to spend political capital annoying the CFO just because some sysadmins are annoyed.
corruptboomerang@reddit
But I do love doing 'what the insurance requires' despite the other glaring holes in security.
My work doesn't have any kind of network segmentation, yet my boss is going on about joint/generic accounts (they're essentially read-only accounts for relief staff). But the fact that anyone on our network could access our firewall, or security system (cameras & doors etc) is totally fine. He won't even allow Port-Security! (Or even worse, his personal account that has total admin access to everything has no password requirements and never expires, while everyone else is on 30 days.)
Doing stuff because it's in the insurance, that's cool, 100% behind that, I too like having cyber insurance. But also let's do the other basic stuff that goes without saying, let's actually do those things too.
sybrwookie@reddit
I mean, mine has tried....and then had it nicely explained to him that no, that is not going to happen because XYZ, he marks it as a known exception and the reason for that exception, and moves on with his day.
OldschoolSysadmin@reddit
"Why are you telling us to violate NIST best practices?" has worked re password rotation.
WackoMcGoose@reddit
I wonder what NIST would think of my current day job (Home Depot)'s policy of "not only is there 90 day rotation, but we blacklist certain arbitrary substrings of your password - can't use the word "hot" for example - oh and we also store every password hash you've ever used so you can never reuse a password from any point in your career, not even your very first password from ten years and three stores ago as a lot associate"......or worse, Amazon's policy of "the above minus the substring blacklist, but we store the actual previous passwords themselves for all eternity, in order to do similarity percentage checking, and every new password must be at least 25% different from every password you've ever used, not just your most recent one... oh, but we recently relented and will only force password changes once per year if you're a Level 3 employee or above. those Level 1s in the warehouse? fsck them, still 90 day changes"...
xzene@reddit
My answer to that kind of crap in the past was to switch to spelling out numbers. Most of the time I can use password123 as passwordone23, password1two3, password12three, passwordonetwo3, etc. and meet the rotation and complexity requirements most of the time.
WackoMcGoose@reddit
Valid. Depot only checks for exact matches, so it's easily tricked by the "toggle upper/lowercase of a single letter or number" trick. Amazon... was a lot trickier. If you used "correcthorsebatterystaple" at one point, it wouldn't allow "correcthorsebbbbatterystaple" (only 3/25 chars different, it was smart enough to recognize the mid-string insertion rather than count all the offset letters as "altered"), but "correctelephantbatterystaple" (8/25) would work, so you'd have to change an entire word of your passphrase if that was your password generating scheme... The part that really disquieted me about Amazon's method, it meant every old password I ever used had to have been stored as plaintext (or at most, reversibly encrypted) somewhere. If it only did similarity checks between current and new, the similarity check could be done trivially, as you obviously had to type your old password first (the server could compare the two passwords in-memory in plaintext, and then only store the hash of the new one if it passed the check)... It's impossible to check the similarity of input strings only from their hashes (which is why I'm less concerned about Depot's anti-reuse method, as exact-reuse prevention can be done just by storing all old hashes), obviously.
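The two history-check designs contrasted in the comment above, as an added illustration that is not part of the thread: exact-reuse prevention needs only salted hashes of old passwords (so a one-character case toggle slips through), while a "must differ by 25%" similarity rule needs the old passwords in plaintext. The Levenshtein-distance-over-old-length ratio and the PBKDF2 parameters are assumptions chosen to reproduce the 3/25 and 8/25 figures quoted in the comment, not Amazon's or Home Depot's actual implementation.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Stored history entry: (random salt, PBKDF2-SHA256 digest). Constructed format for this example.
HistoryEntry = Tuple[bytes, bytes]

# Assumption: iteration count for the demo; production deployments tune this higher.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted, iterated hash of one password. Only (salt, digest) is retained, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused_exactly(new_password: str, history: List[HistoryEntry]) -> bool:
    """Exact-reuse prevention ("Depot style"): re-derive the candidate under each stored
    salt and compare digests. Works from hashes alone, but catches only byte-identical
    passwords, which is why a single-letter case toggle passes this check."""
    for salt, digest in history:
        _, candidate = hash_password(new_password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions and substitutions
    turning a into b. A mid-string insertion of 3 characters therefore costs 3,
    not the length of everything that shifted behind it."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def too_similar(new_password: str, old_passwords: List[str], min_fraction: float = 0.25) -> bool:
    """Similarity rule ("Amazon style"): the new password must differ from EVERY old one
    by at least min_fraction of that old password's length (assumed denominator).
    This needs the old passwords themselves; no hash-only variant is possible."""
    for old in old_passwords:
        if levenshtein(old, new_password) / len(old) < min_fraction:
            return True
    return False


if __name__ == "__main__":
    old = "correcthorsebatterystaple"  # 25 characters, the example from the comment
    history = [hash_password(old)]
    for cand in ("correcthorsebatterystaple", "Correcthorsebatterystaple",
                 "correcthorsebbbbatterystaple", "correctelephantbatterystaple"):
        print(f"{cand:30} exact-reuse? {reused_exactly(cand, history)!s:5} "
              f"distance={levenshtein(old, cand):2} too-similar? {too_similar(cand, [old])}")
```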
xzene@reddit
Storing the plain text version is how several AD password filters work for enforcing complexity/history requirements, but of course compromising actual security in the name of checklist security seems to be the norm.
bobsmith1010@reddit
My CIO, no. Because that's how my security team operates. They don't care if it helps or hurts the business. It's just a check on the sheet. The 50 people on that team are a waste of space.
Kumorigoe@reddit
Wait till the inevitable data breach. You'll be crying for the security folks to try and save the business.
bobsmith1010@reddit
What makes you think we didn't have one? And guess who the cause of it was. Yet we all told them the flaws.
Bubby_Mang@reddit
Serious lack of perspective on this post.
Why should another company award your sales team a 200 million dollar contract if you don't have SOC compliance, for example? If your competitor does, they are likely going to eat your lunch.
The rant posts in this sub are some of the biggest crybaby whiner fests I have to scroll through.
ThatBCHGuy@reddit
Some of my past CIOs would just lie instead.
thortgot@reddit
Which is effectively burning money. Do you think cyber insurance doesn't validate their underwriting at time of claim?
ThatBCHGuy@reddit
Apparently that doesn't matter when you are Blackrock funded and they turn a blind eye, as long as you're growing.
thortgot@reddit
It doesn't matter until you actually need the insurance. You may as well simply be uninsured.
ncc74656m@reddit
The one check box I don't have complete is the "Require changed passwords after X days" policy since that's sorely outdated and bad practice. I also walked all my users through resetting their passwords to be "compliant" with my "long password policy" (since Entra doesn't let you specify password length) when we did our Entra migration. So most should now have long and unique passwords.
That said, I do try to check boxes because our insurers demand it, it's handy proof you did due diligence when things go tits up, and many security baseline items really are good practice. That said, I try to be fully educated on what a change does, and its potential impact before implementing it. If I can't be sure it won't blow up, I try to test it, and then just make the informed choice to ignore it later on.
ElectroSpore@reddit
Usually that means doing that bare minimum for security.
Normally when we get asked insurance questions we have proactively implemented it in some way or form already.
autogyrophilia@reddit
Sometimes you do get annoying conditions.
Ok, sure, MFA in the VPN that is used to access services that all use OIDC/SAML with 2FA anyway.
90 days log retention for a SaaS app that only does 60 days, do I scrape it with selenium or do I just lie?
Defconx19@reddit
MFA is required for VPN as the attacker has now gained access to your internal network, so the creds guarding your services don't matter. Everything should be shifted to ZTNA and access should only be allowed to specific resources instead of the entire network anyway. If that were the case you'd have more of a point.
thortgot@reddit
ZTNA access should be MFA as well.
Defconx19@reddit
No argument there.
autogyrophilia@reddit
That's if you make a point to differentiate external and internal network.
Back when I worked there the VPN was merely a way to avoid bots hammering in internal services, but it could have been exposed to internet.
If your internal network relies on having no adversaries to be secure, it isn't secure at all.
I'm an early adopter of ZTNA and a big proponent of it. But what ZTNA solves primarily is a simplification of fine grained network segmentation.
Sure, end to end encryption is nice, but if you need to rely on a VPN for that, that's the bigger issue.
Defconx19@reddit
I don't know what you're smoking but you might want to lay off it for a bit. Or read up on how ZTNA can allow for secure access to a singular resource that could only be replicated by client isolation/a single resource for each network.
The whole point of ZTNA is to operate as least privilege, reducing your external attack surface.
It's also not about the security stack relying on attackers not being in the network, it's the simple fact a traditional SSLVPN is going to land you on a network, and that network is ALWAYS going to have a bigger reach than a ZTNA setup to grant access to individual resources and apps.
Yeah, SSLVPN is not great. But that doesn't diminish the fact that it should leverage MFA regardless of how the assets inside of your network are secured. This isn't the 90's. MFA, while not perfect, is 1000x better than username/password alone getting brute forced into oblivion, lockout rules or not.
autogyrophilia@reddit
First, bugger off with your tone if you are going to pontificate about things you don't understand.
I don't know why you bring up SSLVPN and your inability to make user targeted policies using them (admittedly, a laborious task)
Anyway, do you know what the ZT means in ZTNA?
You can do that, without the NA. You simply do not differentiate between internal and external services. In truth, at that point you could remove the internal part of the network, but it's helpful to keep services internal for audit processes.
m1m1n0@reddit
You might be misunderstanding the OP. Let me give a couple examples. Q: Are you changing your user passwords once/twice a year? Best practice: do not force password changes based on arbitrary period of time blah blah Correct answer that gets you 1% insurance costs discount: YES
Q: Are you performing phishing simulation training for your employees? Reality: phishing simulation training trains employees to detect and report phishing simulation emails and not actual phishing emails. Correct answer that gets you 1% insurance costs discount: YES
and so on.
@u/TheGreatestJaggi: the answer is yes, it saves lots of money.
slawcat@reddit
Surely the OP realized that their one sentence post may be misunderstood.
Defconx19@reddit
Q: Are you performing phishing simulation training for your employees? Reality: phishing simulation training trains employees to detect and report phishing simulation emails and not actual phishing emails.
Shitty bargain bin phishing simulations do. The sims and trainings should mirror current and emerging threats your users will be seeing.
Huntress does a great job with this and their SAT. Others just send shit to check a compliance box.
Rolex_throwaway@reddit
The money and effort spent on phishing simulation is better spent mitigating the threat by properly managing privilege and credentials. If a phish leads to significant compromise of your organization, the phish wasn't actually the problem in the first place. Sure, training users is good once you have done everything else right, but less than 1% of shops have done everything else right. The reality of phishing simulation is that it's mostly used by incompetent IT departments to shift focus off of their bad practices and onto users.
Defconx19@reddit
Couldn't disagree more. The threat isn't only to your own organization but others as well, and the only concern isn't a mass compromise, it's any compromise. Not to mention least privilege is a matter of whose account they access. If they hit C-Suite they can get sensitive info easy. If they land in fiscal, they can target your pokers with wire fraud. Even if they are in Joe Nobody's mailbox, their ability to get more of your users goes up exponentially.
SAT and phishing awareness is dirt fucking cheap compared to any other similar solution. Users are your biggest weakness, they always will be. Attacks are getting more sophisticated as time goes on, and the ability to bypass security safeguards is more common.
State sponsored attacks from the war in Ukraine have repeatedly shown governments will, so far, not be met with a traditional military response. These attacks state entities are using are being repackaged as MaaS and RaaS.
It's a holistic approach. SAT and phishing awareness isn't snake oil if done correctly. Are some users going to take nothing away from it? Of course. But it's in EVERY security framework for a reason.
Rolex_throwaway@reddit
This is a pretty big mischaracterization of what I said. I didn't call it snake oil, I said it's what you should do after you've done everything else. I've investigated and remediated hundreds of intrusions, and I know that you haven't done everything else. I have watched organizations that use all the tools available to them successfully repel very high end actors. The reality is that less than 1% of organizations implement all of these controls, and the reason is typically lack of talent in the IT org.
And the idea users are your biggest weakness is a useless platitude that isn't true. The biggest weakness of most enterprises is far and away ineffective management of privilege. Note, I didn't make any mention of the principle of least privilege in this or my previous comment, that's one element of managing privilege. The second is internal organizational dynamics that prevent effective information security practices from being adopted.
The users are not a weakness, they are the organization. If you haven't implemented all the controls available to protect them against attack, your IT organization is the weakness.
Defconx19@reddit
If a user hands over their credentials, it doesn't matter what privilege they have; depending on the attack, the sophistication and the region the bad actor launches the attack from, that user's mailbox at minimum is compromised.
I too have remediated hundreds of compromises. And the reality is no security solution is bulletproof.
I could have the best lock in the world that is guarded by a security guard and cameras, but if I give a copy of my key to someone unknowingly I've just increased my risk dramatically.
Sure you can have BEC tools, monitor the dark web, have additional policies to lock users to joining from company devices, require hardware VPN devices or SASE, or any number of security measures or combinations. Are there other items that are more important that departments should implement? Sure. But SAT is cost effective and has a positive effect on security posture.
SAT and phishing simulation isn't pushing the burden of security onto the end users or the liability. If someone sees it as that, they're a moron. However from what I have seen in the past 3 years, the evolution of attacks also limits what SMBs can realistically afford to implement. A $2/user lift any org can make. When you start getting into other solutions, you're not talking $2/user/month anymore. Even something like an Entra ID P2 (which is a requirement for all of our customers as an example) is $9/user/month.
Is having a good security posture cheaper than recovering from a ransomware event? Of course.
I also agree IT departments do misconfigure or not have the right priorities/practices when it comes to security, but your original post all but wrote SAT off the way it reads.
People being the weakest link includes IT as well. The technology doesn't mean shit if the people deploying it don't know what they are doing. It's not just the end users.
Tricking a person is always easier than beating properly configured security tools and devices.
Doesn't matter what the org is or what tools they have or how great they're configured. Everyone has had users get compromised. Anyone who says otherwise is lying, hasn't been around for long enough, or is blind.
Rolex_throwaway@reddit
I'm not going to read all that, because your first sentence is absurdly incorrect on multiple levels. If your users are compromised by handing over their credentials, you have done your job entirely wrong. Second, saying it doesn't matter what level of privilege they have really indicates you don't know much about privilege at all.
BoltActionRifleman@reddit
Exactly, and what some people miss is if it's mirroring current trends, they're looking for basically the same thing. At a higher level, the goal is to get them to actually think before they click.
FrivolousMe@reddit
Got a link about the phishing simulations? I'm curious
vernontwinkie@reddit
Here you go. Worked a bit to find one not by a company selling their own product lol
https://people.cs.uchicago.edu/~grantho/papers/oakland2025_phishing-training.pdf
mnvoronin@reddit
Holy Dog! An actual scholarly article with (at a glance) solid methodology, large sample size and controlled for potential biases.
Bookmarked, thank you.
1kfaces@reddit
Surely such a thing cannot exist in CE 2025
BreathDeeply101@reddit
Google had an interesting opinion piece on it last year:
https://security.googleblog.com/2024/05/on-fire-drills-and-phishing-tests.html
ElectroSpore@reddit
Correct, in some way or form we comply and the answer is ether yes or no.
punkwalrus@reddit
There are two things I dislike about some of this. I had to do PCI compliance for a data center many moons ago.
The first is when the audit or requirements aren't realistic. We had one that wanted to make sure various protocols were disabled on some Linux systems. They weren't even installed services. We also had a "default deny, allow whitelist" policy, but you can't "prove port 25 isn't open" when you only have a default deny with ports 22, 80, and 443 open. They wanted a rule that blocked port 25, like, okay... then they wanted a rate limiter for DDoS attacks, and we didn't have one because our firewall already took care of that. The head of our network, who was a VERY surly person, sent them pictures of just black nothing.
And it was accepted.
The second is that frankly, it was all a lot of pencil whipping check marks because literally nobody was verifying anything. We had various layers. The main one being the PCI compliance itself from Visa, which in those days was 4 layers, I think. Personal, server, network, data center. Something like that. I might be misremembering, but we needed the 4th layer, which was a "PCI compliant data center." There were about 200 pages of stuff we had to check off, and I know a good third were out of compliance. But I was "overruled" by the CTO. Lot of self-assessments. Far too many, if you ask me.
For example, one was about recording security cameras. The system we had was WAY outdated, still on coaxial CCTV using cameras that hadn't been made in over a decade. About 20% of them didn't work, we didn't have replacements, and we couldn't get replacements because our system wasn't supported anymore. And so many sat at various angles "looking" like they were doing something, but were essentially junk. The "system" was a desktop program that worked only on Windows 98 (this was 2005-2012), an AGP video card and external concentrator, and would stop if the screen saver kicked in, or you logged out. So you had to log in, make sure it was running, turn off the monitor, and walk away. And it silently crashed at least once a month. We were supposed to keep all recordings for 90 days, but we kept recordings of some cameras only 30 days max. Plus it recorded in some proprietary compressed format specific to the software itself, and the client that played it ALSO ran only on Windows 98. The license keys were owned by the CTO, and AFAIK, we didn't have a Windows 98 system to play it on other than the "server" collecting the recordings.
To update the system to modern needs would have cost tens of thousands of dollars, and the owner didn't want to pay that. "Nobody looks at the recordings anyway."
Thus it was dubious that we could pull a recording 15 days old, if at all. The CTO said, "I'll take responsibility if it gets down to it," and he just marked it as "compliant." The owner supported this.
MikeS11@reddit
PCI assessments sometimes feel like liability hot-potato - the assessment companies sending you self-assessment checklists, the CTO just fraudulently telling you to mark the camera system as compliant. Btw, I hope you got that in writing from the CTO, or you're now the one with the hot potato.
punkwalrus@reddit
Oh, I left. I have been in situations previous to this one where I was set up to be a patsy. PCI is definitely a liability hot potato. I left another company when they did that shit with HIPAA, too. "Everyone does it, nobody is 100% compliant." Yeah, well maybe so, but that's not exactly gonna stand up in court, so I will be taking my leave now.
DookieNuts@reddit
Fair points, but PCI is usually much more specific and detailed than an insurance assessment.
CEONoMore@reddit
Your companies are doing more than bare minimum???
ElectroSpore@reddit
Based on this thread, many companies' CIOs are lying and doing less than the minimum.
The insurance compliance bar is a really low one.
mahsab@reddit
Usually that means buying into a solution that checks the most boxes without doing any assessment at all.
uninsuredrisk@reddit
Insurance has never asked me for anything that unreasonable, although we are an SMB. Two factor on office accounts made the entire company bitch, but let's face it, they should have it.
E-werd@reddit
Yeah, that's how it is. Yeah, these requirements for compliance suck and sometimes go against industry best practice. But accounting insists, and money runs all. Day-to-day life gets harder when we have to work around these changes, and we all move forward.
I can't tell you how much I love using MFA every time I elevate or RDP. I love it so fucking much. It's my fucking favorite. Fuck.
PoolMotosBowling@reddit
Gotta do it get the good rates or not get dropped. Soooo hand raised.
Intelligent-Magician@reddit
I can neither confirm nor deny it
Steve----O@reddit
We once had an audit with a typo, and they wanted nothing in the data center under 4 feet from the floor. It took me 4 months to get them to acknowledge it was supposed to be 4 inches. They had ′ instead of ″.
aguynamedbrand@reddit
Instead of raised floors you had suspended server cabinets. LOL
ExceptionEX@reddit
Yeah as one of those guys making those changes, some I think are stupid and a waste of resources, and don't take the nature of our environment into account.
But the options are, do it, be insured, not do it, pay 3x to 5x for insurance, or no insurance at all.
We all have to do stupid shit, for stupid reasons, I'm just sort of numb to it after this many years in IT.
rafteran@reddit
Because of insurance we are required to reauth every 12 hours.
AccountantFree5151@reddit
Reauth what
rafteran@reddit
Entra. Teams, Outlook, SSO
ITAdministratorHB@reddit
Unfortunately, being insured or not trumps actual practicality 100/100. For good reason, but it's still unfortunate.
Rolex_throwaway@reddit
Lmao, yeah, go without the insurance.
come_ere_duck@reddit
Just do your job bro.
Pristine_Curve@reddit
Making durable policies based on risks is exactly what you want from leadership. A bad organization is one where the hard choices are never made. Then they are upset/confused that anarchy is uninsurable.
Turdulator@reddit
There isn't much of a choice.
theomegachrist@reddit
We just renewed an awful security tool we hate and disabled thousands of accounts that may or may not need to be enabled to save money on licensing to check an insurance box. The tool is supposed to report and execute things against AD and we used PowerShell to find the users we can disable instead.
cubic_sq@reddit
Unfortunately most orgs don't even have the minimum controls and systems in place to mitigate common attacks.
Use it to your advantage to get the budget for tools and staff you need to secure your environment.
flummox1234@reddit
As a programmer, I call it lawyer driven development
5GallonsOfMayonaise@reddit
Honestly, I have found insurance requirements to be a good unwitting ally in my push to implement some unpopular security measures
Wagnaard@reddit
Someone has a case of the Mondays.
Be embarrassing if something happened
Bad_Mechanic@reddit
Generally cyber insurance requirements are the BARE MINIMUM any company should be doing. If you're complaining about implementing them, you might want to take a long look at your security and your personal relationship to it.
Cyber insurance requirements have been a godsend since they've forced a lot of companies to at least a base-level of security.
pzschrek1@reddit
Welcome to business and actually all of life if you own anything of any value
hubbyofhoarder@reddit
Having just been through a relatively serious security issue that required use of our insurance: yes, we are in the process of making policy and operational changes to check off boxes for insurance. However many of those boxes also objectively improve our security posture.
Real talk: going through a major security incident sucked ass as hard as ass can potentially be sucked in the entire possible worlds of asses and sucking. Every day might feel like Monday for you right now because of what might feel like arbitrary CIO choices, I get it.
However, during our big issue, every day was Monday for 3 fucking months, including cancelling vacation, long weekdays, work on holidays and working weekends. We're back to normal now, but no one on the security/infrastructure/software/ops/dev teams wants to fucking go back to when we were in the shit in the foreseeable future. My to do list is long AF and gets longer with new requirements over time. I'll gladly plug away at those requirements if that effort keeps me out of another major incident.
stumpymcgrumpy@reddit
Your perspective changes when you become legally accountable for a thing.
heapsp@reddit
You can certainly use this to your advantage by making suggestions around compliance and insurance for tools you want but can't normally afford. Like wiz.io for example is a complete visibility tool and it means you don't have to deal with know-nothing security people telling you how to fix vulns or do audits of inventory.
sudonem@reddit
Sometimes itās just as bad for the opposite to be happening.
I know of more than one case in which the CIO/CTO has been repeatedly informed that XYZ cybersecurity insurance requirement isnāt being fulfilled and what can happen as a result if there is an incident.
That said - itās worth having a look at some of those policies because they can often be weaponized to your advantage.
For example - many cybersecurity policies require that all systems have active support contracts with vendors.
Iāve used that in the past as part of the business case to stop installing random versions of Linux (whatever was convenient for someone at the time) and instead commit to actually deploying something unified like RHEL because the insurance policy had a clear requirement for active support AND dedicated endpoint management tools for proper compliance scanning and remediation.
The insurance requirements, combined with the fact that virtualized RHEL is almost always more cost effective than Windows servers by a large margin made the pitch so much stronger.
Also - some insurance policies require adherence to certain compliance standards - so for example making the pitch to implement a proper password management policy is easier when you combine NIST guidelines with insurance policies.
That goes down a lot more smoothly when trying to convince a set-in-their-ways C-Level that no, we should not be changing passwords every 30 days.
Live-Awareness722@reddit
I wish more applications would support Debian. I've had hosts that have been upgraded in place from as early as wheezy still in production. If insurance requires support, I'm sure you can find an MSP for it. The thing is, in over 20 years, the only thing I've ever needed Linux support from a vendor was with RHEL having a bug in their Python CPU detection as part of their subscription manager. Support wasn't helpful and I just updated the code myself.
RHEL is a huge PITA. I prefer to run package managers through an SSL bumped squid proxy vs local repos. That way I only download what I need and updating 100+ hosts at a time doesn't bog down the Internet connection. Spacewalk/satellite are more trouble than they are worth to me. Not only that, running allow list style firewalls doesn't need a gazillion rules for repos, just on the proxy.
As much as I hate Oracle, I honestly prefer Oracle Linux over RHEL because it doesn't require their damned subscriptions.
Jhamin1@reddit
Early in my career an old-timer told me "never let an audit go to waste". He was so, so correct!
Insurance requirements, client-demanded audits, all of it. They are *all* opportunities to make sure the stuff you want gets done! Do you think the firewall policies are junk? Make sure the pen-testers include them in the test. Do you think the backups are inadequate? Make sure the insurance guys look at them.
You will get back reports saying that the firewalls need help & the backups are not going to cut it. At that point the improvements you have been fighting for forever suddenly get green-lit. I've gotten more done on the back of audits & insurance than I have ever gotten by saying "you know, this really is best practice".
sudonem@reddit
Yes exactly!
pdp10@reddit
The worst of all Linuxes.
sudonem@reddit
I mean... I mostly agree. It's not what I choose as my daily driver by any means, but if you're working in enterprise environments (as I do) it generally does make the most sense.
DrierFish@reddit
May I introduce you to Oracle Enterprise Linux?
angrylawyer@reddit
We've got arbitrary password resets because of auditors/insurance and it drives me nuts. I've shown them the US/UK governments' recommendations not to force password resets, I've shown them Google's and Microsoft's recommendations not to force password resets. But I guess they're following 1994's hottest book on security best practices, and don't want to hear any modern takes on the situation.
Hey, ya know how you get people writing their password on post-its and 'hiding' it under their keyboard?
Psdyekick@reddit
It's all security theatre.
brekkfu@reddit
Deal with it?
The other options are, get dropped by your insurance provider, or lie and get charged with Fraud.
clexecute@reddit
Meh, wouldn't necessarily be charged with fraud, you just won't get a payout in the event you need the insurance
hermslice@reddit
Lol in the tech world of "if it works in dev ship it to prod". "Wouldn't necessarily be charged with fraud" is how a company blames the IT guy for the issue, and fires him. For a number of reasons.
Blame placed is blame off of the company. Someone punished is a "problem solved" and an insurance payout fixed.
Bad advice/take in general.
clexecute@reddit
I'm confused how anyone could think it's fraud tbh. If you lied and received a payout it would be fraud.
If you lied on the policy and were paying a premium for the coverage and then the payout was denied because you lied on the policy agreement you wouldn't be charged with anything, you would be dropped from coverage and be out all the premiums you had paid...
It also isn't advice... my advice is to be honest in your policy check sheet and when in doubt err on the side of caution.
Warm-Reporter8965@reddit
I feel like compliance and security trump everything. I don't give a fuck about policy changes as long as when shit goes down our asses are covered.
Slim_Charles@reddit
You do what you've got to do. I'm a public sector CIO, and a significant number of policy changes I've implemented are simply to check boxes so I can pass a clean audit, and meet regulatory and statutory compliance. Are some of these changes beneficial to the organization? Yes they are. Are some pointless wastes of time? Absolutely. Still have to check those boxes to comply with regulations and keep my boss from getting grilled by a legislator at an appropriations hearing, though.
1fatfrog@reddit
Being insured is super important. A single ransomware incident for a small company with, say, 150 endpoints and 40 servers will still cost ~30k JUST to stand servers back up, including the hypervisors. That'll take a few weeks minimum. You're also still paying salaries for that time and nobody is making a dime for the company. Let's say that costs you $25k/day in salaries alone, not including insurance premiums etc... That's about 350k over 2 weeks being paid out and NOT being covered by new revenue. If your business is working on 20% margins, you're going to miss about $420k in revenue. This is a best case scenario... A 2 week ransomware incident can easily rack up $1M in bills when you factor in all this plus DFIR team(s), legal, ransom negotiations and payments.
Pushing some annoying new processes on your sysadmin is way cheaper. Sorry dude. I would suck it up because it means job security. More to fix when it breaks, but there will still be something to fix after Scattered Spider or Akira have their way with your environment.
agent-bagent@reddit
Idk what's happened to this place in the last 5 years but it's like so many of you forget your job exists because your employer is a business who makes money.
forgotmapasswrd86@reddit
Bro crying about having to work.
FlatusGiganticus@reddit
I like having insurance.
majornerd@reddit
I was a CIO and CISO that did the same thing. The first job is to make sure the business runs. Part of that is having insurance.
Was it something I ever liked doing? No. I'd rather have all the resources necessary to build a protected and resilient enterprise with zero compromise.
I've been in the C-suite at a bunch of companies. Haven't found that one yet. It's all about what I can get done with the budget, people, and political capital I have at my disposal.
stedun@reddit
kop324324rdsuf9023u@reddit
OP, have you considered that maybe you're the goof in this scenario?
RememberCitadel@reddit
You are doing it backwards. The push should come from you.
We meet with finance and the insurance company and they list everything out and discount.
We come up with a plan to implement it, discuss cost, discuss insurance savings, time/manpower to implement, industry best practices/how they differ from insurance recommendations, and aggravation to end users.
Then we present to leadership our recommendations backed up by data. They pretty much go our way all the time.
Defconx19@reddit
Seeing as insurance questionnaires are just security frameworks, I'd consider it a lot more than just checking a box.
Doodenkoff@reddit
The label printers I supported recently had a default PIN of 1234 that permitted a person to make configuration changes. Because of a "security audit", my boss made my department change the default PIN from 1234 to a more random set of numerals. The system allowed only 4 character PINs and you could only use the 10 digits 0 - 9. All because it's a "default password", despite not being associated with any user account. The kicker is that simply holding the power button for the necessary length of time to reset the printer would put the PIN back to 1234.
He may have been annoyed when I asked him if he was aware of how long a modern computer would need to brute force through that key space to find the PIN. He was the head of security. Got to make that insurance company happy. Regardless of the time wasted.
Jhamin1@reddit
Sometimes you gotta push the "risk accepted" answer.
I once had a client insist that everyone in the office had to have security badges with photos of the employee on them to increase security. We had rfid cards to let us in the office, we had cameras, we had audit logs. Not enough. There needed to be photos on the badges.
We were a small software company with 9 people that worked in the office. I pointed out that the person none of us had seen before was going to be pretty obvious & that the security added with photo badges was nonexistent, especially considering the expense of getting them. It went back & forth for weeks before the owner found out how much it was going to cost to comply & told the client that he would personally certify that everyone in the office was supposed to be there (he was one of the 9).
ohyeahwell@reddit
It doesn't matter how they'll affect the org. If you're not meeting compliance with your cyber insurance, you need to git gud. Ours is entirely reasonable. Every once in a while, they add a new condition but I don't mind. Either we already address the condition, or we need to.
dirtyredog@reddit
does that make me the CIO?
aguynamedbrand@reddit
The CIO is making policy changes because insurance is often a requirement so the business has to adapt. Typically if you are not already doing the things required by the insurance company then you are doing it wrong.
Negative_Call584@reddit
Yes in general - but I have seen plenty of insurance companies making stupid demands for cyber cover - one of the most egregious wanted us to open port 3389 to our DC so that their «analysts» could connect to the domain admin accounts they also wanted, they also wanted us to provide them a global admin account for 365. lol no. Fortunately SLT were amenable to speaking with an insurer that has actual experience of cyber / tech risks.
jonowelser@reddit
Jesus I hope those requests were actually just an elaborate test where standing your ground and refusing was the only way to pass.
"Whoa, you actually considered those absurd requests? No way we're insuring you now."
ApricotPenguin@reddit
I'm sure those things you've been trying to push for are also required for insurance ;)
RabidBlackSquirrel@reddit
Welcome to the realities of security and risk management, where compliance requirements, insurance requirements, customer requirements, and regulations almost always lag behind best practices.
We still do 90 day password resets. Why? Because like, half of our customers demand that we do it or we can't engage with them (banks). We exist to make money, so we do it.
The art of it all is in complying with whatever shenanigans you have to in order to conduct business, while designing controls that cover for the shortfalls of having to meet legacy rules. We also do like, five factor authentication at this point so to further my example, password reset time is largely just annoying rather than creating any real vulnerability. Password, plus MFA authenticator, plus physical location validation, plus device validation, plus device compliance checks, all tied into every system.
It's really, really easy to look at something from the outside like "lol what an idiot that guy must be, making us have insert antiquated control here". You also have no idea on the context behind it, or understanding of the business case that needs to be weighed against the ask. And that's what's really hard for technical people to grasp, as a group we tend to only look at the specific, literal thing right in front of us and go "lol 90 day resets is the dumb" in the case of my example.
sir_mrej@reddit
"where compliance requirements, insurance requirements, customer requirements, and regulations almost always lag behind best practices."
And where Cybersecurity and IT can be seen as a cost center, so doing the bare minimum to get insurance costs down IS required.
We work for companies, not for places-that-want-perfect-cybersecurity.
Walbabyesser@reddit
Nope
Statically@reddit
Yes
Zaphod1620@reddit
This is normal. Hopefully you are doing reasonable changes to protect your org in addition to whatever nonsense your cyber insurance requires. We have some audit reports that we have to produce that are absolutely meaningless, but if we don't provide it, we don't have insurance. It is what it is.
asic5@reddit
Better than not making changes because it might inconvenience the business.
Insurance requests the minimum for security. If you are unwilling to pass that bar, you should find another job.
Accomplished_Sir_660@reddit
It's always about the money.
I know of managers that had to terminate people because their healthcare was costing too much. Illegal? Sure, but it happens because it's always about the money.
BrainWaveCC@reddit
I feel your pain, but not having insurance, or having stupid high premiums also impacts the organization.
Get it out of your head that any organization ever evaluates privacy and security from a purist standpoint. It never happens, and will never happen.
We live in a world of compromise that is beholden to money -- that's always going to be a factor.
No_Investigator3369@reddit
This is why I am thinking about paying for a qualys or tenable licensable product and just running my own drop in security scan product as a service. The sole purpose of this is just to undercut the competitors. And give the report of course.
admlshake@reddit
Typically it's more about "what will inconvenience me the least" and that includes VP's and managers complaining to him. But yes, we've certainly implemented things for insurance reasons.