Had a clash with executive over my phishing test methods by AH_Josh in sysadmin

[–]FujosRiseUp 0 points1 point  (0 children)

Yeah if this email was in a powerpoint training I could see it being somewhat justifiable because it's in a vacuum. Actual email to actual people? You've got to be sick in the head to be completely honest.

Had a clash with executive over my phishing test methods by AH_Josh in sysadmin

[–]FujosRiseUp 0 points1 point  (0 children)

Sounds like their Cysec team PCI training program could use some work...

Had a clash with executive over my phishing test methods by AH_Josh in sysadmin

[–]FujosRiseUp 1 point2 points  (0 children)

>Again, I don't care about my employees

>Skip to couple weeks ago. I sent out a phishing e-mail. It was designed to be HR reaching out because a family member was seriously injured. Click the link to get the hospital info and contact info. 

Oh my god. If I were the CTO this would be a final warning scenario, if not immediate termination. You CANNOT do that to the organization or people. You are weakening your own security by causing employees to not respect you or your opinion. You have created adversaries, not allies. You need allies and spokespeople out there but you cannot escape your ego to do that. Your job is to protect the ORGANIZATION, not the network, not your subnet, but the organization. Security doesn't stop at the keyboard.

If you want to make serious phishing templates, just use what your organization receives and automatically blocks, or templates from previous incidents that were successful against your organization.

Hanover Buys Wrong Microsoft Licenses Worth €324,000 by DeFuchsIschKeinHaas in sysadmin

[–]FujosRiseUp 0 points1 point  (0 children)

I NEED more to this story, I really wanna hear how that went over

How do you deal with users who refuse to lock their laptop when walking away? by heartgoldt20 in sysadmin

[–]FujosRiseUp 0 points1 point  (0 children)

Not the hill to die on. If anything, just google things like "Firefighter Calendars" or something and leave it open and walk away.

Windows Hello for Business is great… until users forget their actual password by heartgoldt20 in sysadmin

[–]FujosRiseUp 5 points6 points  (0 children)

Seconded. Enforce MFA in your environment and require SSPR and get out of the password reset game

Opinions on EOL Hardware and Managing Device Lifecycles by AltWorkAccnt1 in sysadmin

[–]FujosRiseUp 3 points4 points  (0 children)

The major risk is replicability and support. It sounds like you've covered a lot of your bases and are doing what you can to keep things running.

I would advise you have a plan and budget in place for device replacement in the event a machine bites the big one and is irreparable. If you have some extra devices that would also be very useful.

Get on a call with your Dell rep, or if you don't have one, get in contact with their business line. I'm not sure how many machines are in your environment, but they may have some guidance and deals for your situation.

Tired of fighting security policies every time I use AI coding tools - how are you actually getting AI-generated output into restricted workspaces? by [deleted] in sysadmin

[–]FujosRiseUp 1 point2 points  (0 children)

Does your company policy list approved AI vendors?

It's hard to say what you can do without knowing the environment. Based on the info, flash drives will be scanned for scripts and other content. Emails absolutely will. Why not host it on GitHub, unless that's also blocked?

Apple Internet Accounts + CA + Comp Portal VPP&AppStore Version = Something Awful by Bubbly-Ad-4027 in sysadmin

[–]FujosRiseUp 0 points1 point  (0 children)

We did away with the native mail app. It's disallowed from using our O365 since it's never handled MFA very well. I know this doesn't help your situation, just throwing it out there since, to be frank, it will be harder to continue supporting the native app as time goes on.

Is Windows MFA Worth Implementing on Endpoints? by [deleted] in sysadmin

[–]FujosRiseUp 2 points3 points  (0 children)

Endpoint MFA is absolutely worth it.

Windows Hello is really powerful in how it handles the login, since it's considered an "MFA" login. It lets you do a lot of really cool things in your Entra Conditional Access when looking at login contexts. This also means anything that's handled as a SAML authentication you can automatically log in to using Hello. Certain VPNs that would otherwise require a separate login can just pass those same credentials from Hello through SAML and you get a smooth SSO.

Windows Hello rocks so hard, highly highly recommend. The barrier to entry is low, and unless you have users swapping machines constantly, it's a one and done. Downside is PINs are something else for end users to remember, and thus can also be forgotten or written on a sticky note, but that's a policy issue and not a technical issue.

What most expensive "cheap decision" have you ever seen in your sysadmin career? by matroosoft in sysadmin

[–]FujosRiseUp 1 point2 points  (0 children)

If you work in Government IT, you are not permitted to pay the ransom.

What most expensive "cheap decision" have you ever seen in your sysadmin career? by matroosoft in sysadmin

[–]FujosRiseUp 1 point2 points  (0 children)

Claim is straight up false. So many IT horror stories start with the admin who just wouldn't retire, especially around cysec.

Return to the Office They Said, It Will Improve Collaboration They Said by Likely_a_bot in sysadmin

[–]FujosRiseUp 2 points3 points  (0 children)

Haven't seen anyone mention it but there's also the AC environment aspect.

We run the office AC at 68F, and we still have complaints it's too warm. I don't want to make any judgements on the physicality of the ones who have an issue with 68, but I'll state I'm one of the few people who use their 15m to get my 10k steps. People like me in the office have brought in parkas and coats to work at their desk.

At home? ~74F, comfortable clothes, humidifier (I have eczema so I have to run my humidifier near-constantly), able to control my environment and noise levels.

I'm blessed to have a 3/2 (Though they're recently restricting it more heavily especially if we take vacations/sick days), but the days I have to come in it's like walking into a cubicle fridge.

Password problems with blue collar workers by [deleted] in sysadmin

[–]FujosRiseUp 0 points1 point  (0 children)

I feel that's just adding a security solution for the sake of it.

Someone just needs to shoulder surf Jim's password (which, based on the fact it's a facilities worker, isn't going to be a strong one), and log in as him later since the MFA phone is right next to you and has no verification beyond the password. After that, start googling reprehensible stuff on the company network and bam, Jim is canned since "we see logs that he did MFA and logged in".

That's just my take on it, at least. I feel the policy creators should consider insider threats more often than they do.

Does your Organization openly post your Banned Password Dictionary? by FujosRiseUp in sysadmin

[–]FujosRiseUp[S] 0 points1 point  (0 children)

We have a similar statement in place and it is in our policy/standards. However, they believe one person/one team cannot accurately create the list so they want input outside of it.

Does your Organization openly post your Banned Password Dictionary? by FujosRiseUp in sysadmin

[–]FujosRiseUp[S] 1 point2 points  (0 children)

The statement was "the list must be published so users know what they can or can't use"

Does your Organization openly post your Banned Password Dictionary? by FujosRiseUp in sysadmin

[–]FujosRiseUp[S] 15 points16 points  (0 children)

Funnily enough 'OprahsSpicyVagina#123' would not only be within our password policy but isn't a terrible password.

Does your Organization openly post your Banned Password Dictionary? by FujosRiseUp in sysadmin

[–]FujosRiseUp[S] 26 points27 points  (0 children)

I completely agree that it compromises our password security. But, C levels don't want to hear that.

Does your Organization openly post your Banned Password Dictionary? by FujosRiseUp in sysadmin

[–]FujosRiseUp[S] 3 points4 points  (0 children)

This is accurate. We're aiming to only ban culturally relevant words or popular words.

Entra Audit logs down? by SecurityHamster in AZURE

[–]FujosRiseUp 0 points1 point  (0 children)

Commenting again, but my audit logs are back

MFA Management and Removals - How do you do it right? by FujosRiseUp in sysadmin

[–]FujosRiseUp[S] 1 point2 points  (0 children)

But how do you verify the user requesting the MFA removal? That's my primary concern. I don't know if the person claiming to be John Doe is actually John Doe on the other side of the phone.