This thread is absolutely chock full of real stories about really dangerous configurations.
But instead of seeing and blaming the *people* behind those stories, we should be identifying and understanding the *patterns* in these stories.
Some quick thoughts in this thread: 🧵
But instead of seeing and blaming the *people* behind those stories, we should be identifying and understanding the *patterns* in these stories.
Some quick thoughts in this thread: 🧵
https://twitter.com/_wald0/status/1502475482004041730
There are 3 major reasons I see why we should not be blaming the people behind these dangerous configurations:
First: It doesn't help. Honestly, what evidence do we have that screeching at admins to do "the basics" has created positive outcomes?
First: It doesn't help. Honestly, what evidence do we have that screeching at admins to do "the basics" has created positive outcomes?
Second: Don't forget where you came from. No one is born with all the knowledge needed to avoid these mistakes. What you see as "basic", someone else sees as secret arcane knowledge. A little empathy goes a long way here.
Third: When we blame others, we pass the buck on to them and absolve ourselves of any responsibility to affect change. "Our industry would be 100% perfect if not for those admins messing everything up". Grow up. Take responsibility. Help or get out of the way.
Now, what patterns can we observe in those replies, and what conclusions can we draw from those patterns? There are three patterns and conclusions I see:
Pattern #1: "What you don't know will hurt you." Many of these stories include the pentester surprising the customer with the finding - the admin didn't know about that config, or didn't know the impact of the config.
Conclusion #1: The tools, techniques and procedures used by the pentester to generate the finding for the customer created a positive outcome for the customer. "If you aren't aware, you can't prepare" -- OSS tooling and the pros who use them create that awareness.
Pattern #2: Common platforms, common problems. So many replies in that thread have their own replies chiming in with, "I've seen that, too", or "Did we go to the same place?" It seems almost everyone testing a type of platform sees the same issues across all instances.
Conclusion #2: These issues are exceedingly *common*, and NOT exceedingly *rare*. Shift your thinking from, "No admin in their right mind would do this" to "Many admins running this platform do this."
Pattern #3: Backdoor, or bad config? Many replies in the above thread mention initially confusing a dangerous configuration with a backdoor. Something so egregious, only an adversary could have put it there as a back door. I've seen plenty of examples of that myself.
Conclusion #3: Remember Murphy's Law: "Whatever can happen will happen". This applies to everything, including how IT systems are configured. If the IT system or product *allows* a particular configuration, that configuration *will* happen.
Final thought: do not be so quick to blame people for the dangerous configurations in their environments. Be kind. See and recognize the patterns across industries and do something positive to help.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
