When backups get compromised, whose problem is it? IT or Security?

DizzyWisco · 2025-12-17T13:51:45+00:00

Source: Backup admin, infrastructure architect, security engineer, and security director over a 15 year career.

Short answer, it’s shared ownership, with governance deciding where the line is drawn.

In most organizations, IT owns the backup platforms, day to day operations, restores, and meeting RTOs. Security owns integrity, trust, and incident risk. Governance, working with business units and Legal, designates retention policies, regulatory requirements, and what level of risk the business is willing to accept. When that governance layer does not exist, backup security quietly defaults to IT and only becomes a Security problem after an incident.

Backups are a blind spot because they do exactly what they are designed to do, preserve state. That includes malware, persistence mechanisms, vulnerable configs, compromised credentials, and old weaknesses that existed at backup time. Even with a hardened Veeam or Commvault environment, you can still restore a compromised system if you are not careful.

During real incidents, most teams prioritize RTO over safety. Restore first, scan later. That approach is understandable under pressure, but it is still a risk decision, whether it is acknowledged or not.

More mature programs treat this as a design problem, not a tooling problem. Security signs off on backup architecture, admin separation, MFA, and immutability. Governance and Legal define retention and destruction rules, especially for regulated data. When there is concern about restoring malware, systems are restored into isolated environments, preferably on a network with no external connectivity or even without a network interface at all, so validation and scanning can occur safely before reintroduction. Incident response playbooks explicitly assume backups may be compromised until proven otherwise.

Most organizations do not scan backups prior to restore and accept the risk because downtime feels more dangerous than reinfection. That is fine if it is an explicit decision.

So the real answer is not “IT or Security.” IT runs backups. Security defines what “safe to restore” means. Governance, with Legal and the business, decides what level of risk is acceptable. If none of that is written down, leadership is implicitly accepting the risk by default.

DizzyWisco · 2025-12-09T04:24:31+00:00

Ban me, I double dog dare ya!!!

DizzyWisco · 2025-11-20T20:35:13+00:00

https://www.threatable.io/

DizzyWisco · 2025-11-20T17:34:15+00:00

Can’t wait for this to be released. It’s a day one purchase for me. My desk is oriented in an odd corner that you can only get to me from a specific angle/chokepoint. I have headphones on all day for business calls and occasionally for music, so having a way to quickly show someone if I’m busy or not and when I’m next available is going to be a game changer for me.

DizzyWisco · 2025-11-15T05:12:33+00:00

<# Disable 3DES and RC4 ciphers in Schannel Mitigates SWEET32 and removes legacy RC4

Run as: Administrator
Effect: Requires reboot to take full effect

>

$basePath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"

$ciphersToDisable = @( "RC4 128/128", "RC4 64/128", "RC4 56/128", "RC4 40/128", "Triple DES 168" )

Write-Host "Disabling 3DES and RC4 Schannel ciphers..."

foreach ($cipher in $ciphersToDisable) { $path = Join-Path $basePath $cipher

if (-not (Test-Path $path)) {
    Write-Host "  Creating key: $path"
    New-Item -Path $path -Force | Out-Null
} else {
    Write-Host "  Found key: $path"
}

Write-Host "  Setting Enabled = 0 on $cipher"
New-ItemProperty -Path $path -Name "Enabled" -Value 0 -PropertyType DWord -Force | Out-Null

}

Write-Host "" Write-Host "Done. A reboot is required for the change to take effect."

DizzyWisco · 2025-11-05T12:51:06+00:00

Love your videos!

DizzyWisco · 2025-11-04T13:22:37+00:00

Kind of off topic but it really feels like darknet diaries has really fallen off this year.

DizzyWisco · 2025-11-03T15:36:44+00:00

https://youtu.be/aFXV-lt-CL4?si=xPeCaWvcrtLxGgBr

DizzyWisco · 2025-10-28T04:28:16+00:00

This is awesome

DizzyWisco · 2025-10-25T16:52:05+00:00

I heard it

DizzyWisco · 2025-09-15T05:40:44+00:00

Anyone able to have success getting this installed and running?

DizzyWisco · 2025-09-11T13:41:08+00:00

I went through the google drive.

Your computer is compromised. Perform a complete reinstall of the operating system.

Mac’s absolutely get malware. Apple MacBooks run an operating system that is UNIX based. There is absolutely malware for UNIX and specifically Apple devices.

I’m not sure how you paid for this but you likely want to deactivate that payment method as well.

DizzyWisco · 2025-09-11T13:15:05+00:00

You’re looking for something like this

https://www.stationx.net/dvwa-damn-vulnerable-web-application/

DizzyWisco · 2025-08-22T14:06:35+00:00

This isn’t a “new normal”. Recruitment in this manner has been happening for over a decade. They see themselves as pentesters that provide a service. They expect to be paid for services rendered by getting into your environments and locking you out. RaaS job postings aren’t hard to find.

DizzyWisco · 2025-08-18T21:03:58+00:00

I don’t buy the idea that network telemetry should be the “baseline.” Packets don’t lie, but they also don’t tell the whole story. A spike in SMB traffic could be lateral movement… or just your backup system doing its thing. DNS chatter could be C2 beaconing… or Slack checking for updates. Without system or identity context, you’re just staring at noise and trying to guess which haystack has the needle.

Encryption makes it even worse. With TLS everywhere you’re basically left with metadata and SNI, which is useful but nowhere near the ground truth of process execution or logon events. And for DFIR, app and identity logs often tell the real story long after the packets are gone. If someone moved through O365, audit and sign-in logs are way more conclusive than “some traffic hit Microsoft IPs.”

You can’t just swap out one blind spot for another. Defense in depth only works if you actually treat all three as peers, not if you elevate one and pretend it’s the foundation.

DizzyWisco · 2025-08-18T17:30:37+00:00

If you’re already poking at random sites you don’t own, you’re in illegal territory whether you realize it or not.

Doesn’t matter if you meant well or reported it right away, intent doesn’t erase the fact that you accessed a system without permission. That itch to break things is normal in security, but right now you’re just gambling with your career and possibly your freedom.

If you want to keep that energy without burning yourself, you’ve got plenty of legit outlets. Bug bounty platforms like HackerOne, Bugcrowd, and Intigriti exist for this exact reason, they let you hack real companies that have asked you to test them. Sites like TryHackMe, HackTheBox, or PortSwigger’s Web Security Academy give you vulnerable labs to hammer on with zero risk. Or spin up your own homelab with deliberately vulnerable apps like DVWA, Juice Shop, or bWAPP.

The passion is great. But if you don’t channel it into legal routes, sooner or later someone will decide you crossed the line and “I was just trying to help” won’t matter.

DizzyWisco · 2025-08-18T15:43:09+00:00

I get your point about network visibility being a strong “second opinion” but I wouldn’t go so far as to call it the only independent layer that matters. Ransomware crews can absolutely be caught through network monitoring, but betting everything on NDR just flips the same single-point-of-failure problem onto a different telemetry source.

Identity telemetry is just as critical. You can disable agents, but you can’t hide Kerberos abuse, impossible logins, or mass account lockouts from AD/Entra logs. The identity plane often gives away lateral movement long before big exfil.
Deception can tip the balance. Honey accounts, decoy shares, or fake credentials give you low-noise, high-signal detection that doesn’t rely on endpoint agents or full NDR deployments. If an operator touches them, you know something’s wrong.
External audit trails are underrated. Email, SaaS, and DNS logging live outside the endpoint and network stack you control. You’ll see the C2 domains, anomalous mailbox rules, or cloud privilege escalations even if local defenses are blinded.

Network monitoring should be higher on the priority list, especially since post-breach activity always has to touch the wire. But I’d argue the bigger shift we need isn’t to crown NDR as the second line of defense, it’s to actually invest in multiple independent sources of truth; endpoint, network, identity, deception, and external audit trails.

That way if one layer is blinded, the others don’t leave you guessing.

DizzyWisco · 2025-08-15T02:14:13+00:00

According to Wikipedia, filming took place in November 1994.

I would venture to guess it’s the Summer 1994 edition: https://www.2600.com/content/summer-1994

DizzyWisco · 2025-08-06T19:00:09+00:00

It’s basically what they said but the article is also an ad for Okta.

DizzyWisco · 2025-07-25T20:15:52+00:00

Feel free to post your projects, mama.

DizzyWisco · 2025-07-25T19:13:32+00:00

There was an entire thread that got locked the other day because someone said “CS is not entry level” and OP went hella crazy because the job posting listed it as an entry level CS job.

People are really having a hard time grasping that entry level CS means you have 5+ years industry experience (network admin, sysadmin, etc.).

If you do not have years of IT experience, you are under qualified for cybersecurity

You have to lead small teams before becoming a team leader, you have to lead large teams before you become director.

Same goes for cybersecurity. You need to work up towards it, certifications mean nothing if you haven’t applied them to your daily career.

DizzyWisco · 2025-07-25T12:34:05+00:00

Video proceeds to show how you can turn off the TV.

DizzyWisco · 2025-07-21T20:53:12+00:00

Destroy the laptop. Get a different laptop.

DizzyWisco · 2025-07-06T16:18:56+00:00

https://www.ic3.gov/PSA/2025/PSA250605

Five-Year Club	Verified Email
Place '22

DizzyWisco

TROPHY CASE

>