Security missives from the front lines

This is a curated collection of my own encounters as well as some that were contributed by others. If you have some gems to share please send them along or leave a comment below. I’d love to build this list out as I know there are many more out there.

  1. “VPN users are all thieves.” (Uttered by the VP of a company that also sells... VPN services.)
  2. “What's wrong with iframes?” (former CISO)
  3. “I don't understand all this security crap. I'm just going to outsource it all.” (former, short-lived CIO)
  4. “You can’t connect to SSH without an SSH client.” (lead developer on a security project)
  5. “Of course it’s secure, we have a firewall.” (comment made by a Fortune 500 VP)
  6. “We have two-factor authentication: a) username, b) password.”
  7. “We don’t need to harden internal servers, we have a firewall.”
  8. “UDP is far more reliable than TCP.” (a former CTO imparted that one)
  9. “No one can hack the application because it uses SSL.”
  10. “Disable ‘view source’ in the browser to secure the application.”
  11. “Just disable the user's telnet client.” (comment made by a CTO in relation to an internet-facing e-commerce app)
  12. “Just fdisk the hard drive to wipe the data.” (made prior to disposal)
  13. “I have a complicated SSID that people will not be able to guess.” (indeed)
  14. “That’s not the way the application is supposed to work, so users will not see that behaviour.”
  15. “Cross-site scripting? Just disable JavaScript.” (sigh)
  16. “You can see that data because you are using a proxy. If you go directly to the web app it is secure.”
  17. “The storage tapes do not have to be encrypted because no one will have a device to read these tapes.”
  18. “We use base64 encryption.”
  19. “Oracle 8 is totally secure. There is no reason to upgrade.” (conversation I had with a VP... not many years ago)
  20. “Yes, I know what a crossover cable looks like.”
  21. “It’s 100% secure.”
  22. “Why do we need to secure this? We are not a bank.” (from the CTO of a manufacturing company)
  23. “We need to get this fixed. We’ll worry about security tomorrow.” (yeah, right)
  24. “We have no security policy.”
  25. “Why can’t we allow IPsec from the vendor into this black box in the corporate LAN?” (a.k.a. preventing the huge hole in the firewall)
  26. A vendor’s response to notification of a format string bug: “I don’t understand. You should be typing your password. Where are all those %n’s coming from?”
  27. Upon notifying a security hardware vendor that their device reboots when running an snmpwalk against it, I was told, “You shouldn’t do that – we don’t support snmpwalk.”
  28. “If that's so vulnerable, why hasn’t it been attacked yet?” (customer questioning advice to firewall a server better)
  29. “But I thought Firefox was a firewall!!” (customer being advised on the need to firewall their LAN)
  30. “Firefox is not open source software. It cost me over $200 for the guy to install it on my home computer.” (a former VP of IT)
  31. “I’m not sure why you are calling this abuse, it’s not like he’s doing it on purpose.” (customer objecting to being held accountable for their malware infestation)
  32. “You guys call here, you little pissant, trying to tell me about my computers.” (some self-described network administrator complaining of being notified that his LAN was overrun by spambots and malware)
  33. “I have a law degree from Harvard... I don’t need you to tell me how to troubleshoot.” (customer complaining when given troubleshooting advice)
  34. “I checked the machine and it was not connecting anywhere on port 25. It was only connecting on port 80 to find hosts to compromise, so I have no indication that it sent any spam.” (customer baffled as to how his LAN could be outbounding malware spam)
  35. “Loyalty tests have been given to all computers on the network, and all failing members have been purged. The streets run red with blood.” (amusing customer who audited his LAN successfully)
  36. “We bought that remote dial-in system on eBay.” (IT architect describing a system connected to critical servers)
  37. “We have a PIX box, so am I correct in assuming that acts as a firewall?” (alert customer)
Got any gems that you would like to share?

Stories by Dave Lewis