Note that OneDrive is actually pretty good now. (Yes, it was fucking garbage, I lived it every day, I know.) If your org is having consistent problems:

- Install OneDrive machine-wide with the installer switch; get binaries and maintenance tasks out of the user profile
- Check your registry for weird old GroupPolicy still being applied
- Review and apply latest GroupPolicy settings
- If you use a proxy, make sure you're on latest vendor recommended exclusions. Call them and ask for a health check. We just did one and it found issues with our O365 settings.

We have largely moved users to OneDrive for business content and are also selectively doing Desktop/Documents backup.

If your company uses Office365, your most important ransomware insurance is getting your user files on OneDrive. And it can transparently backup Desktop/Documents now, users don't need to put stuff in OneDrive manually if you manage the setting with GroupPolicy.
Enterprise Security is Operational Excellence. If you can't even recover from non-malicious stuff like SSD crashes, you absolutely positively are going to get wrecked by ransomware. And you're wasting IT staff time on routine garbage instead of actual resilience engineering.
If you can't rebuild a dead machine in ~40 minutes with full data migration, you're going to be in a world of hurt either by hackers or an IT screwup. I've lived both of these lives, Helpdesk and Cyber. It's the same freaking continuum and it feels like I yell my throat raw trying to get people to realize this. If your user experience sucks you're not ready.

The reason I went from Helpdesk Engineer to Security Engineer is because a lot of it is a subset skillset, if you're trying to build truly resilient systems and ensure nobody fucking calls you with their problem because the issues never happened in the first place, because you designed for the worst possible scenario.

I didn't learn most of this stuff because I was responsible for Security. I learned because it was my job to clean it up, either per-machine or a whole-network compromise. And I really didn't want to do that.
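The checklist in the thread above (per-machine install, stale policy, current Known Folder Move policy) can be audited read-only from an elevated PowerShell prompt. The script below is an added example, not code from the thread; the registry value names it checks are the OneDrive ADMX policy values (DisableFileSyncNGSC, SilentAccountConfig, KFMSilentOptIn, KFMBlockOptOut). The per-user Business1 account key and the KfmFoldersProtectedNow/UserEmail values are assumptions and are reported as informational only.

```powershell
# Added example: read-only audit of the OneDrive checklist. Run elevated.
function Get-OneDriveHealth {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Per-machine install (OneDriveSetup.exe /allusers) puts the client under
    #    Program Files instead of each user's %LOCALAPPDATA%.
    $machineBinaries = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Microsoft OneDrive\OneDrive.exe' } |
        Where-Object { Test-Path $_ }
    $perUserBinary = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'

    if (-not $machineBinaries) {
        $findings.Add('OneDrive is not installed per-machine; run OneDriveSetup.exe /allusers')
    }
    if (Test-Path $perUserBinary) {
        $findings.Add("Per-user OneDrive binary still present in this profile: $perUserBinary")
    }

    # 2. Stale policy ("Prevent the usage of OneDrive for file storage") that
    #    blocks the sync client outright. This is the classic leftover GPO.
    $legacy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' `
                               -ErrorAction SilentlyContinue
    if ($legacy -and $legacy.DisableFileSyncNGSC -eq 1) {
        $findings.Add('DisableFileSyncNGSC=1 is still applied; old policy is blocking OneDrive sync')
    }

    # 3. Current OneDrive ADMX policy: silent sign-in plus Known Folder Move so
    #    Desktop/Documents land in OneDrive without the user doing anything.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' `
                               -ErrorAction SilentlyContinue
    if (-not $policy) {
        $findings.Add('No OneDrive policy values under HKLM\SOFTWARE\Policies\Microsoft\OneDrive')
    }
    else {
        if ($policy.SilentAccountConfig -ne 1) {
            $findings.Add('SilentAccountConfig is not 1; users must sign in to OneDrive manually')
        }
        if ([string]::IsNullOrEmpty($policy.KFMSilentOptIn)) {
            $findings.Add('KFMSilentOptIn (tenant GUID) is not set; known folders are not moved automatically')
        }
        elseif ($policy.KFMSilentOptIn -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
            $findings.Add("KFMSilentOptIn does not look like a tenant GUID: $($policy.KFMSilentOptIn)")
        }
        if ($policy.KFMBlockOptOut -ne 1) {
            $findings.Add('KFMBlockOptOut is not 1; users can move Desktop/Documents back out of OneDrive')
        }
    }

    # 4. Per-user sync state. ASSUMPTION: the Business1 account key and the
    #    KfmFoldersProtectedNow / UserEmail values; treated as informational.
    $acct = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1' `
                             -ErrorAction SilentlyContinue
    if ($acct -and $acct.PSObject.Properties['KfmFoldersProtectedNow']) {
        $findings.Add("Info: KfmFoldersProtectedNow=$($acct.KfmFoldersProtectedNow) for $($acct.UserEmail)")
    }

    [pscustomobject]@{
        PerMachineInstall = [bool]$machineBinaries
        Findings          = $findings
    }
}

Get-OneDriveHealth | Format-List
```

A machine that passes (per-machine install, no DisableFileSyncNGSC, SilentAccountConfig=1, KFMSilentOptIn set to the tenant GUID, KFMBlockOptOut=1) reports no findings. The proxy exclusions item from the checklist is not covered here because it depends on the proxy vendor's current Office 365 endpoint list rather than on anything visible on the endpoint.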

@SwiftOnSecurity I'm a big fan of OneDrive for a lot of these reasons. Wish we could use it for more of our systems, but a lot of them are setup for local accounts that are used by multiple users.
I don't suppose you have any OneDrive magic for those sort of setups? 😮
@severedaffect @SwiftOnSecurity I've got similar situations with SPE not bound to AD or connected to the internet. Onsite file servers still come in handy, and the Documents directory can be redirected to a mapped drive even on older operating systems.

@SwiftOnSecurity I hate to say this, but when people ask me about my work experience, I describe it as the SoS path to security. 4-5 years doing helpdesk and desktop support, lateral movement to the security team and working my way up there.

My formal education is in Architecture (non-IT) and business systems, so my path has been all on-the-job learning. I forever felt doomed to sysadmin work but the original SoS memes gave me hope!

@Ptisan @SwiftOnSecurity No kidding. theater > video game support > video game tester > enterprise help desk > SOC/NOC > server admin > compliance analyst > policy/comms > cyber product evangelism > cyber marketing (basically in theater again).

The path is long and twisted.

@SwiftOnSecurity FWIW, as an engineer, IT teams in some orgs take little time to understand what the engineers/devops guys are doing, need to do - they are just there to say "no" or "wait until we officially support it next year". I once burned a CD, took it home, and uploaded it via FTP because IT had blocked ST MicroElectronics site as "non-business related". We learn to go around them when they get in the way, rather than ask for help...and that's not good.
@SwiftOnSecurity The "this shit is broke!" to "how can I fix shit?" pipeline is real.
@SwiftOnSecurity Yep, my path as well. Help desk -> sys/net admin -> sec engineer. You learn real quick to assume it's going to break and come up with how you'd fix it if it did. I have a bunch of automation ready for scenarios such as the ASR debacle today. Not affected, but could have recovered quickly. Bad AV sigs are what keep me up at night. So I plan for it, and have abilities beyond the vendors' consoles to disable/remove/etc. their product en masse.
@SwiftOnSecurity Also listen to your front-line employees — whether the customers are internal or external. They’re typically the only touchpoint the company has.
@SwiftOnSecurity I 100% am of the mind that service / help desk is the first line of defense in cybersecurity. Not only do you get to see the types of issues and fixes that are common for your environment, you are often the first to notice when things are a bit 'off'. Service desk is a great source of threat intelligence for an org that is all too often overlooked.
@jasonelrod @SwiftOnSecurity 1000%. The best thing is when someone comes into my office, shuts the door, and says, "I think there's something you ought to know."
@jasonelrod Second line of defense. The first one is end users well educated about the common risks and patterns of cyber threats.
@philip @jasonelrod If people don't trust and love your helpdeskies, that second critical conversation doesn't happen.

@jasonelrod @SwiftOnSecurity also useful when moving to operations as well. Having a foundational rather than theoretical understanding of vulns, exploits, and user behavior informs good decision-making more or less daily.

It's for this reason I lurk in the tech support channel in our org. They are very often the canary in the coal mine.

@jasonelrod @SwiftOnSecurity also... as well... argh. Fried-day has assaulted the part of my brain that grammars rightly. Cheers!
@me @SwiftOnSecurity Way back in the day, I would sometimes stop by the helpdesk on the weekend, sit at a desk, and jump in the queue with the team and take calls alongside them for a while. I was easily the worst one on the shift, but some of the best opportunities and ideas for improvement across stability, scalability, security, and supportability came from those weekend visits.
@me @jasonelrod @SwiftOnSecurity the number of production level issues I've identified from a single overlooked customer support email...
@jasonelrod @SwiftOnSecurity help desk made me the man I am today. And I can never forgive that.
@SwiftOnSecurity That's how I went from Technical Writer to Software Engineer to UX Designer. I wanted to fix or prevent UI problems instead of documenting the workarounds.
@SwiftOnSecurity What helps is we still have network shares, but I am getting different departments to migrate to SharePoint/OneDrive.
@SwiftOnSecurity that's why I literally documented the backend for a payment processor so it can be setup from scratch within less than 15 minutes by literal #TechIlliterates following the instructions word-by-word.
@SwiftOnSecurity I should put my IDE configs in source control… That's probably the only reason I couldn't rebuild my environment on a new device quickly 😂
@SwiftOnSecurity reminds me of days I’d find ways to keep my father away from his computer as I was rebuilding it.

When I worked at One Laptop per Child, each machine had a wiki page w/ a complete, step-by-step rebuild for hardware & configuration & software from scratch.

At Tufts, we could and did flip data centers with all, literally everything, with < 1.5 seconds interruption in service.

At Tufts we had the "two H-Bomb rule" no loss of service unless someone dropped an H-Bomb on two data centers of ours or two top-level exchanges.

Then be back up in one day.

@SwiftOnSecurity I received this notification from Twitter too. 😄