YOU are responsible for security. And you need to be diligent about it.
Posted by Calm_House8714@reddit | sysadmin | 202 comments
This post is largely inspired by this guy/gal. https://imgur.com/a/5dSZQUD It's actually been bothering me to think back about it the last day or so. The fact that they simply left this as "welp, it's a mystery" instead of figuring out what happened whether benign or malicious. Just "well I can't figure it out so hopefully it's nothing".
So, just as a PSA, if you're in IT in any capacity and you notice anything like this; anything that could be a vulnerability, anything that looks like a breach may have happened, past or ongoing. You need to make sure it's investigated fully or get the attention of someone who can.
Now, I'm not saying you should spend time actively hunting for threats or vulnerabilities if that's not your job. But if in the course of doing your job you notice one, you should sound the alarm. At the very least send it to your security guys via ticket or in writing so they are forced to review it.
If you're a wear all the hats guy at a smaller org, then you need to brush up on security (studying for a cert is a good way to do that) and implement policies and tools that protect your organization and allow for proper investigation. Or at least get it in writing that you tried and were denied by leadership.
poolmanjim@reddit
A lot of IT folks I've worked with have the mentality "Do the job. Close the ticket. Move on" and don't give much thought to any of the details. I've even seen this behavior in Senior Engineers and those who "should" know better.
I've also been a part of orgs where the Enterprise Security / Cybersecurity teams are very closed door and don't want any help. They want their dashboards and won't take any feedback or input. I've been actively ignored by Cybersecurity teams I work with because I'm not "Cybersecurity" and just the lead Identity Engineer. They ignore expertise that isn't their expertise. It only takes getting shot down once or twice before you start having the mentality "not my problem" and move on to the next urgent item.
I think cyber, in general, needs more of a shakeup. Cyber, in my experience, has become a massive group of inexperienced auditors (your 4 year cybersec degree is not experience, FYI) who think they know stuff and dismiss everyone else. It is easy to tell everyone what to do when you're not responsible for the actual outcomes.
knightofargh@reddit
Vast majority of folks in cyber know how to run an NMAP scan from the GUI and email the spreadsheet to a systems person. That’s about it. They don’t have technical chops but probably understand larger concepts around risk and financial impact of risk.
There are organizations with real security engineers (I’m one) who can build tools from the ground up, but even in those organizations you have non-technical people driving technical solutions based on a high-level (at best) understanding of the risk.
A degree in cyber is worth the paper it’s printed on. Most of those degrees have a 2-5 year lag in knowledge.
At this point I stay in my silo because company culture rewards that.
traydee09@reddit
And here I sit, with 20+ years of progressive sysadmin experience with an actual fundamental understanding of the structure of packets and how they move. How AD, GP, DNS, Firewalls, Routers, Encryption, EDR, virtualization, processors, vlans, vulnerability scanning/patching, etc. works. And I can't get a security role because I "don't have any experience in security"
effedup@reddit
You are my favorite type of profile. I manage a team of this profile and they're basically the SWAT team for IT.
traydee09@reddit
I studied CISSP back in 2011.
CISSP really just shows that people know terminology. But doesn't prove any ability to actually apply security knowledge. It is a Cyber Security Management focused Cert. Great for non-technical people to show knowledge of industry terms. Or convince unqualified HR that you "could" do the job.
effedup@reddit
You are correct. But it shows you put in some effort to play the game.
traydee09@reddit
Too bad my diploma, degree and 3 other certs don't 😂
knightofargh@reddit
You hiring? Big Bank LLC has really soured my feelings about working security. They at this point demonstrate that execs don’t care about work product, the only metric they care about is shareholder value and proving my ass is warming a chair for N percent of the time in a physical office.
My 20+ years of practical experience along with engineering cloud based security tooling and doing GRC feel wasted. I guess at least I’m the top performer on my team, so that’s nice. But everyone gets paid the same since that’s how salary bands work.
fnordhole@reddit
Our CISOs make twice what I do and don't understand subnets. Don't understand anything networking. Absolute rubes.
ekaj@reddit
But do you know what they do? Pretty sure the gap goes both ways.
fnordhole@reddit
They run Nessus on default settings, ignorant of what bindings and ports are, generate tickets for DotNetNuke vulnerabilities on Linux servers, repeatedly, stand around in their fucking ballpit with their standing desks and their unlocked computers, telling Rick and Morty jokes ad nauseam, go into meetings thinking they're hot shit. As long as other teams are complaining about how much they suck, they must be doing their job right. People just hate security. The system works. Fuck those guys.
Rentun@reddit
If your CISO is running nessus and generating tickets, you don't have a CISO. You have a "security guy".
A CISO's job isn't to run systems and open tickets, it's information security governance and strategy.
KantBlazeMore@reddit
It's funny to realize that's their job. You don't get to that level translating any level of detail or technical considerations to other executives. You get there by ignoring 99% of the ticking time bombs and massaging things enough it doesn't mess with the money, or allows the organization to close a deal. Everything is an MBA level trolley problem and if the deal is worth more than the bad publicity and the fine from the FTC for leaking customer data they'll do it every time.
fnordhole@reddit
I work with these people. Bollards and knobs, the lot of them.
whythehellnote@reddit
They can play golf, deflect blame, and move on to other roles before they can be held accountable?
thecasualmaannn@reddit
I think our CISO is technically clueless too but you know what he does so well? Talk to execs, communicate risk, and get us the budget that we need to do our job. I’ll take that all day.
effedup@reddit
Subnetting doesn't even appear in the CISM course. It's not required for a CISO role, it's managerial not technical.
fnordhole@reddit
We have CISOs who think every network is a /24 and use this networking knowledge in an attempt to appear smart.
gruntbuggly@reddit
Maybe I’ll look for a CISO role to finish up my career
UMDSmith@reddit
Ironic, because I am a cybersecurity engineer and I started as network tech, then 16+ years as a sys admin. If anything, it has made me far better at cybersecurity. Yes, I have the masters in cybersec, and the CISSP, but being a sys admin actually has been the best background. 10 more years and you can have my job, because I'm done after that!!!
It could be a case of your resume not hitting the correct keywords?
traydee09@reddit
Well the CISSP and Masters is what convinces HR people.
But HR People can't understand that 20 years as a security focused sysadmin can do security. Maybe the trick for me is to get the CISSP just to "prove" it.
knightofargh@reddit
CCSP at the very least. What’s always amusing to me is that the ISC2 Certs are the “real” or “valuable” certs but the CompTIA Sec+ was a harder test than CCSP or CISSP.
UMDSmith@reddit
Probably wouldn't hurt.
lonewanderer812@reddit
I've been saying for a long time the best security folks I've worked with have a background in either Networking or Systems or both. The ones that went straight into security are the most difficult to work with because they have no foundational knowledge of what they're asking for or writing policies about. I hear about all these kids going to college for cyber security and I feel like it should be an intermediate job just like in Final Fantasy Tactics. You can't become a black mage until you're a chemist for a bit. Education and certs are great obviously but going straight into the workforce starting as a security analyst seems like setting them up for failure.
whythehellnote@reddit
You likely wouldn't fit in well if your experience is real operational risk/reward rather than box ticking
scriptmonkey420@reddit
Same, 20 years also and don't have experience for cyber jobs, but they will fill the job faster than you can sneeze... Like wtf, do I need to be brain dead or just straight up lie on my resume?
ekaj@reddit
If you’re serious, rewrite the resume from the perspective of a security engineer. Ask ChatGPT for help. Feel free to pm if you want more advice.
HeKis4@reddit
The thing that infuriates me with most infosec teams is that they have no idea what runs what, how critical something is, and as a result don't have the beginning of the idea of our attack surface, or even of the probability+severity of the stuff they find. I mean ffs, I got taught "risk = severity * probability" in the first week of my systems admin course and it wasn't even a security-focused course.
Reverent@reddit
I don’t even want “real security engineers”. I don’t care about mythos or SOAR or whatever the latest kool aid vendors are selling.
I just want people to follow the basics. Document your environment. Tag your assets. Track your IT lifecycle.
The amount of places I’ve worked where they don’t even know what they operate or why is all of them.
bionic80@reddit
I had one of our 'cybersecurity engineer - sr' reach out to me a couple of days ago and want to know what robocopy was and why I was using it to transfer large amounts of data from point A to point B.
"Because this server is going to be decommed, and we're moving the data to a CIFS share so we can stop paying the MS tax every 3 years" wasn't good enough and they were very concerned that I had the rights to do this... as the senior engineer over storage engineering.
daschande@reddit
I went to my local community college for networking; they also offered a cybersecurity degree. Cyber students only learned enough networking and sysadmin to pass the A+, then they skipped the server and sysadmin classes in favor of Kali Linux and firewall certs.
They can say with "authority" that the scripts and group policies they copied from someone else are critical, but VERY few actually know what the scripts or policies DO, or WHY they're important.
Networking? Sysadmin? They're specialists; they don't have to understand that kind of stuff. That's beneath them.
poolmanjim@reddit
Most of the big cyber vendors automate all of that for them now. Cyber is staring at dashboards, sending emails, and not really doing a whole lot. I actually feel sorry for those teams. They're being sold this bill of goods that they're protecting the company and elite defenders, when in reality they're just fodder.
I think every IT person should do a couple of years in a NOC or on a help desk and then a few years as an administrator before going into cyber. They'd be much, much better and way more useful to the organization.
Forsythe36@reddit
I wouldn't say that. I am a solo security engineer for an MSP and my job is dealing with incidents, reviewing vendor risk applications, running assessments, and reviewing policies. I wish I stared at a dashboard sometimes.
poolmanjim@reddit
I'm painting with a broad brush. MSP work is also a different kind of work that way.
You'd be surprised though how many "security engineers" I've worked with who've never actually touched a server.
Forsythe36@reddit
That just blows my mind lol. I went from our helpdesk to lead to project manager to security. I’ve touched just about every technical piece a business could have before I stepped into security.
knightofargh@reddit
Our SOC doesn’t do anything other than run the playbook they got handed as “investigation”. It really shows when they promote someone into an engineer role. I’m providing them the tools, but they don’t seem to develop any skills other than following a checklist.
The NOC at this point isn’t much better. I’m afraid of what fully outsourcing thinking to AI is going to look like.
coolbeaNs92@reddit
This is it really.
The lack of ability in InfoSec is woeful.
Rentun@reddit
Tenable generally isn't going to tell you whether a CVE is impactful or not. It'll tell you if it exists based on the software versions running on the device. If there's an RCE CVE on a digital sign running on an isolated VLAN behind a pane of glass, I don't really care about patching it.
coolbeaNs92@reddit
Sorry I phrased that badly.
By "are we impacted" I meant, "do our servers have this CVE".
Bright_Arm8782@reddit
You need less thinking and more confidence. You'll be vulnerability manager in no time.
HeKis4@reddit
Yyyyyup. It's an ivory tower where dashboards enter and "pls patch" tickets come out. I'm sure if we were to reuse "password123" as the password for all production systems they wouldn't bat an eye as long as the systems where it's used are CVE-free.
Johnny_BigHacker@reddit
Every single outsourced team I work with. They don't even bother to check if their solution worked. They just "solve" it and close the ticket.
It's to the point where when we are spitballing/planning projects/solutions, we avoid the outsourced teams, which unfortunately are part of our AD/Azure team, part of our network team, and 100% of our servicenow team. Simply including them, we know, will mean lots more headaches, and senior leaders understand this and would often prefer to buy a COTS product than involve them.
I'm at a Fortune 200 for reference.
poolmanjim@reddit
I feel your pain. My group is actively resisting some offshoring "support" add because it's not going to help us despite what our leaders may think. I have had mostly negative experiences with outsourcing a lot of senior-level IT work especially and just don't see the value in going down that path 9/10 anymore.
wildcarde815@reddit
Our security mandates in a nutshell: take guidance written to manage a building, attempt to apply it to each 'lab' inside that building, refuse to believe the people running IT in the building when they say 'this is completely unworkable'.
Norgyort@reddit
How many times have we as sysadmins seen the following requests from security:
Then when you dig into the mitigations you discover most don’t apply to your environment because they’re for a feature that isn’t installed, or for vulnerabilities that have already been patched and no longer require the mitigation. Security still wants you to make the changes though, otherwise their lists will get cluttered.
KantBlazeMore@reddit
Security just read the sheet from the vendor/auditor; their job is to translate risk tolerance considerations from the business to policy, no?
Drakoolya@reddit
Sec is easily the most overpaid industry.
fresh-dork@reddit
Currently doing this because our security group is stodgy. Mostly it's updating to non-vulnerable versions of packages even though the actual usage of them is in build pipelines and never ships with the image.
wildcarde815@reddit
Ours keep detecting old copies of matlab as java vulnerabilities, and like. Ok? Call fucking mathworks.
bbbbbthatsfivebees@reddit
Finally, someone who actually tells it like it is. So many cybersecurity graduates with all this impressive "School experience" think they fundamentally know cyber without having worked a day in systems in their life and who don't know the first thing about how to even begin to manage the practical effects of the policies they'd be recommending. I say that as someone with a 4 year cybersec degree, btw. I also have an extensive background in systems, having worked in IT before deciding to go get my degree.
It is genuinely insane seeing a lot of younger colleagues come in to the IT world from a cybersecurity degree program thinking they know everything, and then struggle to do something as simple as audit suspicious AD logins because they've never touched a Windows Server environment. Or they're put in an analyst role and start to recommend sweeping changes that never touch on the practical aspects of working in a corporate IT environment. Or (and my personal pet-peeve) are the people that think everything is going to be a red-team blue-team type of situation where there's constantly some sort of state-sponsored APT attempting to breach the network at all times and not the reality of working in a security role: Mostly dealing with phishing/spam emails, the occasional Huntress detection, and quarterly compliance audits.
dasunt@reddit
The "do the job, close the ticket, move on" can be a culture problem. I've seen it develop in a culture where metrics, not solutions, are emphasized.
And I've done something similar myself - spent a half day trying to track down the right team for a potential security issue, hitting dead end after dead end, before being forced to move on due to having deadlines to meet and "I was working on a security issue" was not an acceptable excuse.
Is it dumb and frustrating? Yes. But some companies have a reactive, not proactive, approach to problems, and being proactive is punished.
Academic-Proof3700@reddit
Well, it's just the usual transition from the "cool active dude", when it turns out that the only thing you got in reward was more work.
NoPossibility4178@reddit
I was that dude for 5 years, I was recognized for it during the first 4. You can figure why I didn't reach year 6.
2_Spicy_2_Impeach@reddit
Early on in my career it was the same. They didn’t make nearly as much but went home at 5 or 6 and no one bothered them. Wouldn’t be where I am without that experience but learned to set boundaries.
I understand there are times where shit hits the fan and need to dig in. But they shouldn’t be happening weekly due to poor design/planning/whatever.
Couple roles ago, after I moved across the country, I still would wake up thinking my phone was ringing. I wasn't even in ops, I just knew all the systems (it was documented), folks just didn't care to look.
I remember I was on vacation and answered an unknown number. I asked if they reached out to the team that supports it or oncall? Nope.
Icuras1701@reddit
And then get a performance improvement review when you don't do the extra work on top of your normal job... like that's not an incentive to bring new ideas or threats to you...
RockinOneThreeTwo@reddit
Shockingly, if your business isn't a pleasant place to work, without real flexibility for employees (the most recent 'big ticket' on this list is WFH/RTO), and also your business doesn't pay your IT guys very well; it turns out they actually aren't motivated very much to do anything other than fire-fight tickets and then clock out.
Chris0x00@reddit
Like 90% of companies fall into this bucket.
RockinOneThreeTwo@reddit
I haven't really got any evidence to say whether this is true or not.
Chris0x00@reddit
I got written up for being the cool active dude once. They said I was “testing in prod” when I discovered the issue. You can bet I’m not doing that again.
poolmanjim@reddit
Pretty hard to write me up for that. My test environments are stuck in "need funding" most of the time. :)
LightishRedis@reddit
The devs I work with have a rule, “if troubleshooting fixes the issue, it doesn’t need to be investigated, close the ticket.” Which means an ongoing issue where the online payment portal doesn’t work isn’t getting fixed because step one for troubleshooting is to see if they can make a payment another way, which they can.
Skylis@reddit
sounds like their manager has a rule "unless my manager cares about it, we don't"
kirashi3@reddit
Bingo. And this applies well outside the cybersecurity realm, or heck, outside of the IT industry. If you're ignoring the cries / warnings of employees with legitimate complaints or process improvement suggestions, you don't get to be surprised when shit falls apart.
A company's high-functioning employees are their biggest and most important asset. They best treat said employees with the respect, compensation, and care they deserve, otherwise those employees will become silent and eventually find a job elsewhere.
AnonAMouseOperator@reddit
I've met a bunch of Cybersecurity guys who do not even understand how data flows through a network... like how the fuck can you defend something you don't even understand?
gentlecrab@reddit
There is an apocalypse coming. AI being used to find vulnerabilities will turn the entire cyber security world on its head.
While missing a hole in a 20 year old LOB app isn’t necessarily their fault, management will come for their blood anyway.
poolmanjim@reddit
Oh yeah. I put on a comment earlier that I know lots of "security engineers" who've never actually touched a server.
I don't make it their fault necessarily. It's what the industry has pushed them to. That doesn't change my frustration, though. I'm tired of "cyber" initiatives that do little to actually secure and actually add a huge amount of operational risk. I literally have a slide about that in a talk I'm about to give.
AnonAMouseOperator@reddit
We have to do outside security audits for compliance reasons in my industry. Our auditing company just told us a protocol that is literally needed to make our phones work is not needed. I was like "bro what?"
knightcrusader@reddit
Yeah shit like that blows my mind. Same with web developers that don't understand networking.
rosseloh@reddit
Even ignoring the cybersecurity side of things for the sake of argument, I've never quite understood this mentality. I get most of my troubleshooting (or problems headed off at the pass) done because I go "wait, that doesn't look right...". A lot.
gokarrt@reddit
It's been fully commoditized at this point; it doesn't require the foundation of knowledge that would both benefit its efficacy and allow it to meaningfully interface with the other engineering teams.
15 years ago our head of security was a guy who used to be paid to test physical security at banks - literally attempt to break in.
Now it's a dude in a suit who's really good with excel.
Calm_House8714@reddit (OP)
I think it's important to protect yourself and provide a paper trail that might lead execs to make real change should a breach happen. If they were clearly warned and ignored something that led even to a simple short lived BEC then that should be enough to push the guys in charge of them to whip em into shape.
So, I'd let them ignore all they want. Just have it written down that you tried. Because those same types will also try to shift the blame to you. CYA scenario.
poolmanjim@reddit
I didn't really give my opinion on the matter beyond the implied "people kind of suck" side of it. But I'm right there with you. See something, say something.
My reply was more a commentary on the overall failure of IT culture in encouraging proper responses.
Calm_House8714@reddit (OP)
Makes sense to me.
Humpaaa@reddit
You are the "Human Firewall", regardless of your job role. Even if it's not your job to identify and remediate the issue, if you notice it, REPORT IT.
AppIdentityGuy@reddit
I've done this, tracked it down, given them all my evidence of what I believe is happening, and I got into trouble for stepping out of my lane.....
Rentun@reddit
I don't think that's the norm, it sucks that that's the case where you work though.
When infrastructure teams and development teams bring security issues to me, it's fantastic.
The life of someone who works in security architecture is filled with stressful nights where you lay awake worrying about random security holes you don't know about. When some other team brings you a finding, it feels good because you get the sense that you're not the only one who cares about this stuff, it lets you breathe a little bit.
I don't understand the mindset of someone that would be annoyed by that. Most people in security understand that they cannot possibly have visibility into everything in the environment, and that every security flaw isn't a reflection on their competence. If they didn't, I don't think they'd survive long in the field.
ButcheringTV@reddit
Yeah, that isn't a you issue, that's an issue with who you worked for.
Sorry you had to deal with that. At the college I work at, we are always encouraging people to come forward with anything like this. Always reassuring that nobody will get in trouble, etc.
Humpaaa@reddit
This sounds like horrible company culture then, I'm sorry.
You did the right thing.
AppIdentityGuy@reddit
Some people have fragile egos and don't want to hear about things they didn't discover because it makes them look bad in front of their management.
Geodude532@reddit
My office has a pair of scissors in a glass case that is labeled "In case of data exfil, break glass". Can't have a data leak if your servers are violently airgapped.
agoia@reddit
I still regret not pulling the cables at the demarc when I was the first responder to what turned out to be an emotet outbreak.
Geodude532@reddit
We almost pulled the plug when log4j was announced and we immediately started getting various attempts to break in. Give ourselves time to breathe.
InnovativeBureaucrat@reddit
If you want people to report things, align rewards with outcomes.
Think about training a dog. A clicker means treat. You click immediately, you treat consistently.
If you make it hard, unpleasant, and unrewarding to report, guess what happens?
Punishment? Negative outcomes do not elicit action. They elicit avoidance. Fatigue.
I know what some of you are thinking, that’s not how I am! If you think that you’re delusional and maybe a psychopath.
MidnightBlue5002@reddit
it's like nobody learned from "XZ utils" in 2024.
ChrisTX4@reddit
This. Some years ago I worked in a research institute as a researcher and not in IT. After I was given access to a new system, I had realised it was possible to mount a specifically modified veracrypt container and chain that into getting network admin access. I reported that to IT on the spot and the head of IT called me shortly after and thanked me for it.
IT isn’t failure proof. Especially if you’ve got a smaller IT team - like that institute did - there’s a possibility they might miss something.
pegoman14@reddit
Thank you for saying this 👏🏻
conspicuousxcapybara@reddit
Well, I’m desperately trying to explain to Apple a security issue with Safari where denying access to websites for a certain extension does not work, and browser extensions can access / alter all website contents on blocked domains regardless, but they keep closing the issue.
a679591@reddit
This is good for newbies or people that are at small orgs. I will say the poster in the pic you linked did seem very relaxed about it, but also could've done many of the things mentioned before posting to reddit. I know I have.
Alaknar@reddit
Yup. A better way to frame the OP is "You ARE responsible for security". We have people being paid for handling security, I'm just a dude who knows that having a permanent Global Admin on an account without MFA is a bad idea and can voice my concerns.
EViLTeW@reddit
Every person in IT is paid for handling security. Some are just paid to focus solely on it. There's no one in an IT department that isn't responsible for ensuring secure operations and practices within their scope. If you're the M365 admin and you notice a connector appear/change with no idea how, you are responsible for ringing all the alarm bells. Unless you watched the Stryker debacle unfold and decided that seems like a fun year to have.
CommanderKnull@reddit
Ofc you are responsible for setting up an environment with proper permissions, not making ports public that shouldn't be, etc., but any respectable organisation should have a dedicated security team or at least a dedicated person. Ultimately, it's the leadership's responsibility to hire staff for this or take the risk of something blowing up.
AtarukA@reddit
I'd care about the security of the IT systems, if the company cared about me.
If they don't care about me, I'll do the bare minimum expected of me, which atm is completing a project and moving on to the next one.
Whether it's securely implemented or not will be highly dependent on whether they read my mail warning them I need more time to do it or not.
Responsible_Ad5216@reddit
Coming late to this thread, but we are exactly it. We lost a large number of files across multiple shared drives. Small team, no clear division of responsibilities. I had to tell my direct boss (CEO) all my work would be paused, went into freak-out mode, pulled all possible logs, created a jupyter notebook, found discrepancies between actions and what was being reported, and brought the report to the executives.
It resolved in termination of the actor, but I also received a lot of flak, because I "executed the guy."
Small teams sometimes do not act for a fear of workplace repercussions.
I wouldn't have changed my actions, given opportunity, because I am ultimately the one whose name is on the line.
rahga@reddit
My employer is responsible for paying market wages. Instead, they hid behind excuses like "Your position isn't responsible for generating profit."
Yeah, I'm 100% okay with the inevitable meltdown of IT in America.
helloitisgarr@reddit
I work somewhere that brags they pay under the market reference point…
AntagonizedDane@reddit
"We are leading in wages.... In a race towards the bottom"
NoPossibility4178@reddit
My employer: "don't think we have 'pay increase according to inflation' on our internal policy"
Guess what suffered some shrinkflation to make up for it.
flecom@reddit
I'm not paid to care, like one of my previous (great) bosses told me
AntagonizedDane@reddit
*Cries in "just because we assign you extraordinary work and responsibilities doesn't mean you're obligated for a pay raise :^)"*
Original-Locksmith58@reddit
I think people are taking issue with your wording. They are absolutely responsible for reporting it but that’s not the same as “being responsible for security”. If I call the guard shack because of an issue I see on the property I’m not “responsible for physical security”. We all help keep things safe by reporting, even outside of IT, but sys admins touching security when they shouldn’t is a real issue. Report it and leave it alone if it’s not your job.
Drakoolya@reddit
"Also if you are solo IT or a small team with no dedicated InfoSec that means it's yours or everyone's job. If the owner/your boss doesn't agree then document and carry on. Some industries have legal responsibilities attached to security and you don't want to catch the blame, especially in situations where your title would suggest you own InfoSec"
I can't stress this enough. Cover yr arse.
Calizona1@reddit
If I saw that I would immediately call an exchange and security consultant! This would freak me out!
Public_Warthog3098@reddit
Imo, why are you guys killing yourselves for entities that don't care about you. There's always vulnerabilities and security flaws. Buy proper cyber security insurance and sleep well.
Unless your job duties specify you need to secure xyz, you should let leadership know the risks and use it as leverage for a pay raise. Don't be a sycka.
EchoPhi@reddit
It's easy. Ready?
Department you don't deal with often hired a 3rd party trusted vendor 2 months ago.
Vendor cleared all stop gaps, change controls, and approvals.
You credentialed them for - notmyproblemnow
One month ago everything was on fire (literally the bitchiest of departments needing some bs internal report page set up with embed on a weekend before Tuesday patch day)
You slept Sunday night the following week and literally forgot everything the year before. You didn't set an expiration or a reminder.
You are now your worst enemy and subconsciously know it.
Brain tells you to move on, you don't know why, but the brain does.
Problem remediation.
commissar0617@reddit
my security team is the source of ~25% of the major disruption incidents... and nobody batted an eye. they make changes without any review by SMEs or change controls.
the joys of Fortune 50 outsourced IT.
R4LRetro@reddit
This post hits hard as someone who learned the hard way back in 2018.
At the very least I'd recommend setting up something like Graylog Open where you can aggregate all your events, keep a history and set up alerts for specific event IDs.
Extra-Organization-6@reddit
the core failure in that original post wasn't laziness, it was treating 'we couldn't figure it out' as a successful investigation. in actual ir that's root cause unknown, which means you assume compromise until proven otherwise. rotate creds, preserve the logs before they rotate out, trace the connector auth events to a specific principal and timestamp, check the audit log back 30d.
paper trail is the right advice for cultural reasons but the technical discipline matters more. if you can't answer 'who did this and when', you don't close the ticket, you open an incident.
for the ones getting burned for 'stepping out of lane': file it as a risk memo to the security mailbox with a mitre or cve reference if one applies. that reframes it as 'i raised a risk per policy' instead of 'i critiqued your team'. same facts, different political valence, and now it's in writing.
Secret_Account07@reddit
I agree, however, I will say I’ve seen weird stuff over my career that makes absolutely no sense.
Things change and even MS couldn't figure it out. It's funny how I've said "xyz isn't possible" when it turned out to be some weird edge case.
Almost certainly not the case here but weird bugs exist.
Fallingdamage@reddit
I wrote a PowerShell script to pull the daily interactive and non-interactive activity for users, service principals and App Registrations each morning, filter out all activity from our state, and then format the remaining data into some nice HTML tables in the body of an email. It pulls IP location data and ASN data for each entry and adds it to the report. If anything is happening, it's not long before I know. With the ASN data, it's easy to tell if it's a potential bad actor or an employee's cell phone, since telecoms often route activity through their own out-of-state networks.
I also backup all our Entra Audit Logs each day to a CSV and store it locally. We are able to go back to a specific moment in time years ago at this point.
For me, having audit logs available wasn't enough. I needed a filtered report to read on a daily basis. I don't want to wait for a problem. I want to know what's going on every day.
That and people need to start using Conditional Access more. It stops a LOT of stuff from happening.
Extra-Organization-6@reddit
this is the real move. ms 30/90 day audit retention (depending on license) is exactly why exporting to local csv matters. the number of orgs who find out their retention window lapsed right at the 'investigate this weird login from 6 months ago' moment is painful.
quick add to the asn+geo filter: hash and log the user-agent string alongside it. catches token-replay scenarios where the geo looks right but the client fingerprint doesn't match the usual one. if someone's session token leaked to a stealer dump, they often use it from a different device in the same geo, so geo alone won't catch it.
and yeah, conditional access doing the heavy lifting is underrated. the 'block legacy auth' policy alone kills most password spray attacks. that's a one-click win most shops never get around to.
Fallingdamage@reddit
What might be the best way to detect irregularities in a session? From the hip, I could see perhaps comparing the uniqueTokenIdentifier to the userAgent string. The string should match the token, and if the same uniqueTokenIdentifier is found matched against different userAgent strings, it might imply token theft?
Extra-Organization-6@reddit
your instinct is right but ua alone is noisy. browsers auto-update, mobile apps rotate ua strings, corporate proxies rewrite them. the more reliable signals entra already tracks:
kql pattern worth running daily:
okta's system log has equivalent fields (session.id + client.device.fingerprint). same query shape works there.
Fallingdamage@reddit
Thanks. This has been helpful. We don't use Intune, so the deviceID field is empty, unfortunately. Checking some properties on the report, sessionID and userAgent appear fairly uniform; however, things like AppDisplayName vary without that output. A single session ID might be associated with Office 365 Exchange Online and Outlook Mobile while also being associated with multiple IP addresses as I roam between my home wifi, my work wifi, my cellular network and anything else in the 15 minute drive to work.
Will need to work out some mental gymnastics on how I want to parse additional data to figure out what kind of activity I really want to be worried about.
Extra-Organization-6@reddit
yeah the mobile-carrier-ipv6-in-san-jose problem is universal. two things that let you keep the signal without drowning in false positives:
for the no-intune case, CorrelationId on the sign-in event is your lightweight DeviceId substitute. not cert-stable but it persists across token refreshes in the same client instance. same correlationId showing up from non-adjacent asn classes inside 5 min is a strong theft signal.
the mental trick: baseline your own pattern for a week, then alert on deviation from your own baseline. don't try to catch 'weird', catch 'new-and-impossible'.
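The three signals Extra-Organization-6 describes in this reply and the earlier one (a hashed user-agent beside the ASN/geo data, the same CorrelationId seen from non-adjacent ASN classes inside 5 minutes, and a one-week baseline with alerts on anything new) worked through as an added Python example over constructed sign-in rows. This is not any commenter's script or Microsoft's; the field names, the asnClass labels and the set of "roaming" classes are assumptions standing in for whatever a real export and ASN lookup produce.

```python
"""Token-replay and new-pattern checks over exported Entra sign-in rows.

Added example, not any commenter's script. Field names, the asnClass labels
and ROAMING_CLASSES are assumptions; a real script would derive asnClass from
its own ASN lookup step. All sample rows below are constructed.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(minutes=5)
# ASN classes one person's device plausibly roams between (office, home, phone).
# A class outside this set (e.g. hosting) is "non-adjacent" to all of them.
ROAMING_CLASSES = {"corp", "residential", "mobile"}


def ua_fingerprint(user_agent):
    """Hash the user-agent with version digits stripped: a routine browser
    auto-update keeps the same fingerprint, a different client does not."""
    normalised = re.sub(r"\d+", "", user_agent)
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


def prepare(rows):
    """Parse timestamps, attach fingerprints and sort chronologically."""
    records = []
    for row_ in rows:
        rec = dict(row_)
        rec["ts"] = datetime.fromisoformat(row_["time"])
        rec["fp"] = ua_fingerprint(row_["userAgent"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def ua_mismatches(records):
    """Same correlationId later used by a different client fingerprint than
    the one it was first seen with: geo may look right, the client does not."""
    first_fp, alerts = {}, []
    for rec in records:
        cid = rec["correlationId"]
        if cid not in first_fp:
            first_fp[cid] = rec["fp"]
        elif rec["fp"] != first_fp[cid]:
            alerts.append((rec["user"], cid, rec["ip"], "ua-fingerprint-changed"))
    return alerts


def asn_jumps(records):
    """Same correlationId from a non-adjacent ASN class within REPLAY_WINDOW of an
    earlier sign-in. Home Wi-Fi to carrier is fine; a hosting ASN 3 min later is not."""
    by_cid, alerts = defaultdict(list), []
    for rec in records:
        cid = rec["correlationId"]
        for prev in by_cid[cid]:
            close = rec["ts"] - prev["ts"] <= REPLAY_WINDOW
            adjacent = {prev["asnClass"], rec["asnClass"]} <= ROAMING_CLASSES
            if close and not adjacent:
                alerts.append((rec["user"], cid, rec["ip"], "asn-class-jump"))
                break
        by_cid[cid].append(rec)
    return alerts


def build_baseline(records):
    """(user, asnClass, fingerprint) combinations seen during the baseline week."""
    return {(r["user"], r["asnClass"], r["fp"]) for r in records}


def new_combinations(baseline, records):
    """Alert on 'new', not 'weird': any combination absent from the baseline."""
    return [(r["user"], r["correlationId"], r["ip"], "new-user-asn-client-combo")
            for r in records if (r["user"], r["asnClass"], r["fp"]) not in baseline]


def run_checks(baseline_rows, today_rows):
    baseline = build_baseline(prepare(baseline_rows))
    today = prepare(today_rows)
    return {"ua_mismatch": ua_mismatches(today),
            "asn_jump": asn_jumps(today),
            "new_combo": new_combinations(baseline, today)}


def row(user, time, cid, ip, asn, cls, ua):
    return {"user": user, "time": time, "correlationId": cid, "ip": ip,
            "asn": asn, "asnClass": cls, "userAgent": ua}


EDGE = "Mozilla/5.0 (Windows NT 10.0) Edge/121.0"
# Constructed baseline week: alice roams home <-> phone, bob works from the office.
BASELINE_SIGNINS = [
    row("alice", "2024-02-26T08:00:00", "c-001", "203.0.113.10", 64500, "residential", EDGE),
    row("alice", "2024-02-27T08:30:00", "c-002", "198.51.100.22", 64501, "mobile", EDGE),
    row("bob", "2024-02-26T09:00:00", "c-003", "203.0.113.40", 64503, "corp", EDGE),
]
# Constructed "today": alice's session reused by a script from a hosting ASN three
# minutes after her phone; bob shows up from a hosting ASN with his usual browser.
TODAY_SIGNINS = [
    row("alice", "2024-03-04T08:01:00", "c-100", "203.0.113.10", 64500, "residential", EDGE.replace("121", "122")),
    row("alice", "2024-03-04T08:04:00", "c-100", "198.51.100.22", 64501, "mobile", EDGE.replace("121", "122")),
    row("alice", "2024-03-04T08:07:00", "c-100", "192.0.2.77", 64502, "hosting", "python-requests/2.31"),
    row("bob", "2024-03-04T09:15:00", "c-200", "192.0.2.90", 64502, "hosting", EDGE.replace("121", "122")),
]

if __name__ == "__main__":
    for kind, alerts in run_checks(BASELINE_SIGNINS, TODAY_SIGNINS).items():
        for user, cid, ip, reason in alerts:
            print(f"{kind:12} {user:6} {cid:6} {ip:15} {reason}")
```

Alice's two morning sign-ins (home then carrier, same browser) raise nothing, while the hosting-ASN reuse of her session fires all three checks; bob's row fires only the baseline check, which is the "new-and-impossible" rather than "weird" distinction.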
I_cut_the_brakes@reddit
You have to realize that there are a ton of people who don't work for giant corporations.
You want me to send a memo to myself?
ChevronEncoder@reddit
No, you send a "we might have gotten hacked, but idk" email to the CEO who knows less than you do, obviously.
Extra-Organization-6@reddit
fair hit. for small shops / solo admin, the equivalent is an email to the owner or gm with the risk assessment and your recommendation, cc yourself. if there's nobody above you, a dated entry in a security log file (even a git repo with commits) serves the same function. the point isn't the corporate process, it's a dated written record that exists outside your head.
matters mostly for the 'we got breached and now there's an insurance claim or legal discovery' scenario. 'i emailed dave on march 2 recommending we disable rdp' is very different from 'i meant to mention it but forgot'.
Calm_House8714@reddit (OP)
Exactly, spelled it out better than I did :)
Extra-Organization-6@reddit
cheers. honestly your paper-trail framing is the thing most 'stepping out of lane' folks actually need to hear. the tech part is the easy part, the org politics is where careers get burned.
Secret_Account07@reddit
The only catch is if you work at a massive org and cannot get a damn answer to save your life.
I stg I’ve pissed some people at my org off for not dropping stuff. My boss legit had to tell me sometimes it’s best to let stuff go. Even stuff I perceived as important
Like okay, I’ll do my job and that’s it.
With all of that said, yeah this 100% shouldn’t have been one of those things, but if I was told not to 🤷🏼
No_Ionger_interested@reddit
The thing is - IT is already such a specialized field that one cannot reasonably perform well both in administration and dealing with security beyond the very basics. It's already hard to be a fair admin in 2 domains (choose your poison - Linux, Windows, network, databases), and I, with my Linux + network administration background and after 7-8 years in infosec, still feel like a dumbass, regularly. But rather it should be collaboration between IT ops and IT sec, as we're covering for each other - if shit hits the fan, I hopefully manage to detect it; then you'll be informed and have to kick the attackers out, restore systems, patch the vulnerability (assuming that I find the initial entry point), and I'll be there holding your hand along the way. And then management wants to point fingers and pulls some knee-jerk actions - who's at fault (that's likely me!), but you'll still have a lot of extra work on your table.
Security at your employer is hopefully not a joke that sends you an untuned vulnerability scanner's report while pointing at some stupid vulnerability and asking you to fix it ("it's red and critical!!!"). At the very least they should perform first validation and help you prioritize issues. Unfortunately in many cases that is not the case. I recall one of my former CISOs sending sysadmins a bleepingcomputer.com article link about a bad vulnerability with the comment "check if we have it and if we do, fix it". I later stumbled on the same article and sent out a message: "this vuln is bad because X will happen without any authentication or user interaction, by merely sending a packet. Affected systems are RHEL <=X and Debian <=Y, here's a vCenter printout of systems that are potentially vulnerable, configuration parameter Z present proves that it's vulnerable".
agoia@reddit
Good administration is rooted in security practices, though. Should be reasonable for a decent sysadmin to at least do some cursory reviews if random shit starts happening in the tenant.
Skylis@reddit
That sysadmin was just the best their budget could afford. We'll see if they see actual consequences from that choice.
BrokenByEpicor@reddit
As a protip for anyone here, you can configure custom alerts in O365 for things that really, REALLY should have predefined alerts for them but don't. Allegedly you can configure a report that monitors more than one cmdlet at a time but in my experience that's not true. I believe it does require you to have an E5 license, but just you.
StarSlayerX@reddit
These kinds of incidents should be immediately reported to whomever is in charge of security or the security team.
dnz007@reddit
> IT Manager Large Enterprise
You're in a bubble, just fyi.
I_cut_the_brakes@reddit
What an odd reply.
dnz007@reddit
Do you need elaboration?
I_cut_the_brakes@reddit
Not at all, however you absolutely need to develop tact.
ChevronEncoder@reddit
I mean, your comment was pretty sanctimonious for someone who isn't even responsible for this kind of breach in security. Reporting is easy, knowing what to do and how to do it when you're a sole admin is a different story.
I_cut_the_brakes@reddit
I think you might have your people confused here, not sure what you're talking about.
ChevronEncoder@reddit
Right, you have noooo idea lol
I_cut_the_brakes@reddit
I'm not the OP, holy fuck you guys need to learn to read.
ChevronEncoder@reddit
Yeah, you just responded with a defense of them in the same comment chain. You're basically completely uninvolved, right?
dnz007@reddit
I think you do. The concept of accountability at a large enterprise from most other situations is vastly different, like night and day. In charge of security? Security team? The comment assumes either of those things exist at OOP's org.
I_cut_the_brakes@reddit
Look at the usernames, dipshit.
dnz007@reddit
> What an odd reply.
This is you.
> Not at all, however you absolutely need to develop tact.
This is also you
I_cut_the_brakes@reddit
yeah, nothing about all of the shit you were talking about. I can't tell if you're trolling or mentally stunted.
dnz007@reddit
I'm explaining how the comment I replied to represented a thought bubble.
MetalEnthusiast83@reddit
Everyone is in a bubble. You're just in a different bubble than him.
dnz007@reddit
I wouldn't assume that accountability in one situation is equal to another, which many sysadmins do when this topic comes up.
StarSlayerX@reddit
Hopefully I get to stay employed....
MeanPrincessCandyDom@reddit
Agreed.
Even in small orgs, it's not up to some random, underpaid, overworked sysadmin to determine how to do incident response. Management is on the hook for setting the rules and providing resources and training. That is their whole job.
Humpaaa@reddit
As a large enterprise security practitioner, you are absolutely correct.
Tremores@reddit
Job is done when it’s done. I don’t get paid to implement security as an IT admin. Maybe execs should reward talented security professionals.
Chareon@reddit
Security is everyone's responsibility at least to some degree. IT admins who say security isn't my job and then go and set the file permissions to 777 on the web server because it's easier are just bad admins.
NoPossibility4178@reddit
That's committing a mistake vs finding one.
Chareon@reddit
Yeah, fair. Part of that was my frustration for a few colleagues who treat security the way I described (and have done exactly that with permissions).
If your org is big enough for a separate security team, escalating discovered issues to them makes sense to me.
BendSensitive9524@reddit
I work in a bank AND in employee network security, security is every employee's job. We all have our part to play.
Someone working in the business should not let someone without a badge enter, while we shouldn't save passwords in clear text. But we all contribute to security in our own way, and everyone needs to be educated in how to best be secure.
sccmjd@reddit
I can understand it. I've seen other IT jobs around me that look like little boxes. You can tell there's friction between people. If you suggest something, it gets struck down. So why bother trying to improve things at some point? It's not your job to do that. And if you don't like the people whose job it is, you might not be unhappy to see them trip up.
In my own job role, I've gotten dirty looks and big sighs for mentioning things like that. Software update out? Article about a flaw that affects our environment? I pass it along, but once in a while I've noticed it's more like I've given someone an extra piece of work, that they've now officially been informed so they must act on it. After a few times like that, if it's not that important, I don't bother. It's not worth creating a few waves. And if it's not my area.... not my circus, not my monkeys....
And then there's just noticing and pulling a thread. Looks small but odd at first. Ends up being way more involved than it appeared to be initially. And then if it's not critical it just ends up being an odd rabbit hole to go down.
I can understand "not seeing it" though. Get your hand slapped a few times. Stay in your lane. Get dirty looks for bringing up a new topic. After a while of that, you just wouldn't mention anything odd or interesting anymore.
Jazzlike-Vacation230@reddit
I mean yes, but the nonchalant IT Admin or IT Security Admin with a huge ego who dismisses things us folks in IT Support see and catch is a constant issue. My guy, we work for the same company and department technically. I'm seeing something that can potentially help YOU cya. Smh.
DramaticErraticism@reddit
Don't tell me what to do.
Generico300@reddit
I agree with your statements there, but also, companies treat employees like shit. They give the minimum compensation they can. They give the minimum trust they can. They give the minimum loyalty they can. So they get the minimum effort. You reap what you sow.
When I worked for a privately owned company that treated me like a human and gave real raises, and bonuses, and trusted me, and gave me agency; I went above and beyond for them all the time. And I was rewarded tangibly for that. I gave them my best because it felt like they were doing their best for me. Now that I work for a publicly traded org that quite clearly doesn't give a shit about me, and fights tooth and nail to pay me as little as they can, I give them minimum effort. That's all they deserve. If I saved their asses from a breach by doing more than what's required by my job title, I would get nothing in return for that extra effort. So why would I stress myself for them any more than I absolutely have to?
SevTheNiceGuy@reddit
sorry.. but I gotta disagree
You don't do security by hand... there is too much data to sit down and go through to actively be in a place to catch a "vulnerability".
Also, the owners of the products that you are using have to agree that it is a vulnerability.
You have to have good hardware/software solutions in place to cover this for you and then have defined policies in place that the business will accept when one of those policies needs to be enforced
WhataburgerFreak@reddit
Newbie here, what’s a good security cert to study?
Calm_House8714@reddit (OP)
The amount of people missing the third paragraph and just posting something along the lines of "I'm too busy fixin shit to investigate, track down leads or otherwise do infosec's job for them" is concerning haha
Also if you are solo IT or a small team with no dedicated InfoSec that means it's yours or everyone's job. If the owner/your boss doesn't agree then document and carry on. Some industries have legal responsibilities attached to security and you don't want to catch the blame, especially in situations where your title would suggest you own InfoSec
neoKushan@reddit
I know a lot of us are self-taught, so I'll just say this - I've been downvoted on /r/selfhosted because I said encryption was an important part of security.
Too many people don't understand security for it to be their job.
OMGItsCheezWTF@reddit
I have often said that every developer should have a working knowledge of cryptography. What algorithms to use and when to use them, what they are for, what their strengths and weaknesses are.
Not like, a mathematical understanding of how they work internally, but how to use them and how your language's standard library implements them.
neoKushan@reddit
I completely agree and I think that equally applies to sysadmins. You need to understand how things like SSL work at a high level so you know what it means when an algorithm is deprecated.
Entire_Dependent8214@reddit
You’re making a good point. Unfortunately people don’t care …most of the time.
antrov2468@reddit
You think I have time for that? I’m covering break/fix for an office and doing system admin work and doing projects. I don’t have time to sit down and track something, and I’m not going to care about the security more than the company cares about it since they don’t want to hire additional staff.
bitcraft@reddit
It depends on the company. Some positions have no authority and there isn’t a point to really caring. CYA is always a good policy, but ranting about people “not caring” about security when it’s not their responsibility is tiresome.
Office politics play a role here as well and honestly there is no standard advice for security that applies.
Kuipyr@reddit
I just end up being looked at like a raving lunatic when I point out issues with systems outside my purview.
ImCaffeinated_Chris@reddit
Reading the title I thought this was a CCW or firearms sub 🤣
khantroll1@reddit
Man, I'm really going to make you unhappy.
It's not my job. It USED to be my job, but now I work for a place that has a whole department for that.
My job is make sure a thing is built, stood up to best practices, documented, and troubleshot when broken.
It is not to tell cyber how to do their job, even though frankly I have the certs and experience to do that.
GreatAlbatross@reddit
It's like using a swiss-army-knife to make a sandwich.
It'll do a decent job, but so does the butter knife.
And the butter knife isn't always needed elsewhere.
Calm_House8714@reddit (OP)
LOL, very unhappy indeed :P Hey man, I get it. I wouldn't actively threat hunt if it weren't my job either. TBH it's not, and I don't.
But it almost certainly is your job to report it if you see it. Hell, your organization probably does cyber-sec training for even non-technical end users that says the same.
khantroll1@reddit
I mean, define cyber-sec training here, because I feel it means something else to me than it does to my leadership.
Do they give powerpoints to people about how to spot spoofed email addresses? Absolutely.
And yeah, if I happen to be working on something in 365 and I see something weird I'm going to take whatever steps.
(365 used here only because I used powerpoint above).
At the same time though, like you said, I'm not making it my business to go back and double check cyber's work, or whether the EDR policies are working correctly, or doing forensics on every problem to eliminate the possibility of a cyber incident.
Calm_House8714@reddit (OP)
haha, not saying you should go double checking EDR configs or do any hunting yourself. In fact, my post says you shouldn't if it's not your job. The only thing I said was that if you notice something, at the very least report it.
In a scenario where you knew about a breach or a massive vulnerability and didn't report it.
Do you think you'd keep your job if a breach with massive financial impact happened and you told everyone you knew about it beforehand? Would execs at your company simply think "well it wasn't in his job description to report it"?
No, you'd keep your mouth shut and smugly watch things burn and people lives get turned upside down. Not everyone can easily pivot, especially skilled labor in a niche field, to a new company like we in IT can and these things can ruin a business.
khantroll1@reddit
I mean, I'd hope both I and cyber would do our jobs better than that.
And I really can't think of a situation where it could fly under the radar.
But yeah, I’d say something if I somehow noticed it.
Of course, if I didn’t notice…I’d absolutely keep my head down later
OforOatmeal@reddit
There's a lot of "fuck you, got mine" attitude in this thread and subreddit in general that I just don't agree with. I understand being burned out and fed up with the job market and industry in general, but your suggestion is really more a matter of operating with basic integrity.
CherrySnuggle13@reddit
This is a fair point. You don’t need to be a full-time security analyst to recognize when something feels off and escalate it. Ignoring suspicious behavior because it’s inconvenient is how small issues become major incidents later. Documentation and raising the flag matter a lot.
Fallingdamage@reddit
It really bothers me when people on r/sysadmin will say that "everything is working well, I'm bored, what should I do?"
There is always something to do. Yeah, my environment works, but I'm always planning my next move, my next reporting system, my next automation, my next network segmentation plan, etc. I don't even think about it as whether I'm vulnerable anymore. I look at my work as "What would an auditor / pentester think was a bad idea?".
The best time to really take your skills and security up a notch is when everything is working. You have less distractions and can keep polishing your solutions every day. Never get complacent and always be two steps ahead of where you're required to be.
KeyHalf6609@reddit
I'm 100% with you, if you see something you should at the very least say something. Even if you're someone who is only there to push buttons, work their tickets, and get a paycheck. Because at the end of the day even if it's not your job to deal with these kinds of things it's a very real possibility that it can cost you and others their jobs if ignored and it spirals out of control.
That said, I also get why people just don't report these kinds of things. So many departments are unreasonably siloed these days, and in my experience cyber especially. I can fully understand why someone may see something and ignore it, security tends to just be dicks that brush off what people say more often than not at the places I've worked. Like, I get it, it can be annoying when people see something that may be a problem but actually isn't. But this kind of attitude is just a bomb waiting for the right fuse to be lit.
I know not every security team is like this, and I'd be happy to be proven wrong and this is the minority in terms of attitude, but I've yet to work at a place where it wasn't there.
mikeyvegas17@reddit
Literally wouldn't stop investigating this until an answer was found. If I worked in a place where leadership stopped me, I'd find a new job.
woemoejack@reddit
The worst part is when you scream and yell from the hilltops about potential issues and they're ignored or not taken very seriously and you get denied to take any action, 'accepted risk'. It will happen often enough that you stop caring. CYA, gentlemen.
Nietechz@reddit
I send emails warning of something outside my capacity or my job. If management won't take action. NOT MY PROBLEM.
Yokoblue@reddit
I disagree as well. If my employer always pushes me to do the tickets and not troubleshoot further and ask questions, it's a company process problem, not an employee one.
Most IT companies would rather you push the problem later down the line and the client is happy rather than troubleshoot for 3h because you found something off.
F0rkbombz@reddit
As someone who works in security I just wish people would accept when they’re out of their league and seek out experts.
Not just sysadmins, but infosec folks too. Know your limits and know when to bring in folks who have the skills you need to get the answers you seek.
hasthisusernamegone@reddit
So, can someone who can actually access that image summarise it for me please?
1z1z2x2x3c3c4v4v@reddit
Most small and mid-sized companies do not have a security guy or department, and have no idea about the implications they sometimes discover.
I have seen the dark side on the dark web, where exploits, vulnerabilities, and corporate compromises are discussed with absolute malice.
Many security professionals and departments are ill-equipped to deal with what exists out there.
MadMonksJunk@reddit
after 25 years, if it's not in my performance requirements or specified in the contract directly, it's literally not my problem to do more than send an email informing the actual "Security IT" weenie.
Asleep_Spray274@reddit
This is exactly what the op is saying.
MadMonksJunk@reddit
OP put more time into this post than the email necessary to notify the people paid (aka not me) about it.
punkwalrus@reddit
I have had an uphill battle with one client whose last third-party support put in a huge security hole that allowed passwordless access to root on all of their systems. Incredible. I had to explain why this was bad, and it was like they had amnesia because I had to explain, explain, and explain again. Every meeting. Like explaining to kindergarteners.
"Well, if we don't have that, we can't do XYZ, which is a show stopper."
I showed them they could do XYZ via the cloud, but they didn't want to do it that way. They wanted free root access without "the hassles of passwords which nobody can remember anyway." Then I got dinged for being difficult and "pedantic." Luckily, my boss backed me up. "If you allow passwordless access to root, you violate our SLA and some of the basic tenets of your security certification." Because there is no fucking way they'd pass an audit. "Oh, well we self-audit."
Great.
Sasataf12@reddit
I disagree with your advice. Do not go into full freak out mode. That's when mistakes happen.
That OP listed the steps they went through to investigate the issue. It's not like they turned a blind eye to it.
Calm_House8714@reddit (OP)
Wat. I didn't mean actually go insane?? https://imgur.com/a/otsTXgN haha
I just meant he should be very concerned. They or someone at their org deffo needs to rotate all creds for admin accounts and then figure out who added the connector. Ask ALL the people who have access to make that change. He can reach out to DropSuite to figure out if it was them. If not, he should assume breach.
Sasataf12@reddit
What do you think "full on freak out mode" means?
Yes, they should be very concerned and approach the situation calmly and methodically.
Calm_House8714@reddit (OP)
Mannnn, idk about ya bro. I think in the context in which I said it, it means exactly what I described haha.
Nexzus_@reddit
Sometimes shit happens, or you can't rule out intentional sabotage.
I had a shitty bridge job for 4 months a few years ago, had applied for and gotten a better job. I had 5 weeks lead time until the start date, and just mentally checked out until I could give "proper notice" of two weeks. Got put on report a week or so into this 5 weeks, and committed to slightly do better for my time remaining (still didn't tell anyone I was leaving)
Few weeks later I had renewed our certificate for our Hybrid Exchange through GoDaddy, applied it, tested, and all was well. Next day people can't receive email. Double checked everything. Microsoft says it can't reach our email server. Checked our DNS. See someone had logged in before me. Our email domain was pointed at what I believed to be the wrong address, but maybe there was a reason unbeknownst to me for that. IT manager was away at this time.
Wracked my brain for the rest of the day, said fuck it, and left. That was a Tuesday. Called in sick for the rest of the week. Go back in Monday, manager meets me at my desk with my termination notice. The email thing was the last straw. He apparently had to fix it. It was the DNS.(Like always). I made some slight protestations that I never touched those entries, but it didn't matter. Got my last paycheck which included paying out my vacation. Started my new (current job) two weeks later. The vacation payout didn't quite cover that, but that didn't really matter.
Anyway, to this day, I still believe he somehow found out about my new job and sabotaged me.
Man-e-questions@reddit
Yes boss
Thizzz_face@reddit
I’m not the poster, but I’m like him. I’m just one guy doing my fucking best here (my best is really bad)
Lower_Fan@reddit
To complain about other admins is that way ——> r/shittysysadmin
Glittering_Power6257@reddit
Seeing the sort of behavior that image describes would chill my blood faster than the prospect of being dropped into a Silent Hill game.
realgone2@reddit
People that take their jobs way too seriously are really fucking cornball.
DropTheBeatAndTheBas@reddit
sure I'll let the correct people know, does not mean anything may be done 😂
ncc74656m@reddit
I mean... "Duh." Anyone who doesn't know this shouldn't be in IT.
If you're a solo admin, you still probably have cyber insurance. That usually covers some kind of IR service bc it can always get worse. IR will not only tell you what someone did and how they got in, but also a list of recs - and sometimes even step by step instructions on how to fix the holes and other recs.
Leinheart@reddit
Look. Either yall can pay me, or I can sell company secrets to North Korea.
atbims@reddit
It's giving "I didn't do any sort of training for this, some boomer just thought I was good with computers and pays me for it"
winmace@reddit
But
publicdomainadmin@reddit
Okay.