this post was submitted on 30 Dec 2024
195 points (100.0% liked)

chapotraphouse

[–] Ambiwar@hexbear.net 37 points 1 week ago (1 children)

Are you saying the incoherent ramblings of my phone notes app could be compromised?

[–] Deadend@hexbear.net 29 points 1 week ago (1 children)

I can’t say for sure. Please post screenshots and I’ll let you know.

But it is a real security issue, where the org has such a strict policy on ALL users to maintain a high level of security hygiene that it’s impossible to keep up with while doing normal work. It’s why there is such a big push for SSO systems/portals. As that way you can have 99% of users be kind of dumb - as long as they use your company portal - they should be good... and a smaller team focused on the security of that portal and looking for odd login actions per user.

[–] invalidusernamelol@hexbear.net 13 points 1 week ago (1 children)

Requiring rotating key/authenticator access for remote work and allowing users to come up with a solid terminal password on local access is pretty good.

That way all local connections can be verified and remote logins have the extra security layer.

That being said, if a privileged user manages to compromise their local work machine it's all fucked.

[–] Deadend@hexbear.net 2 points 6 days ago (1 children)

That’s where security experts who are checking for things to go bad come in.

Making everyone a security expert + doing their job is some uphill ice skating.

[–] invalidusernamelol@hexbear.net 2 points 6 days ago (1 children)

A good bet is to open a dummy ssh port that no one should ever connect to, then immediately add any IP that tries to connect to it to a blacklist.

At the end of the day every security measure can be bypassed, you just need to be prepared for that inevitability.
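
Added example, not part of the thread: a sketch of the decoy-port idea from the comment above, with an allowlist so admin ranges cannot be locked out and an expiry so stale blocks age off. The port number, networks, and TTL are assumptions, and pushing blocked addresses into a real firewall is left out.

```python
import ipaddress
import socket
import time

class DecoyBlocklist:
    """Sources that touched the decoy port, with an allowlist and expiry."""

    def __init__(self, allow=(), ttl=86400):
        # Networks that must never be blocked (admin ranges, your own scanners).
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.ttl = ttl        # seconds a block stays active
        self.blocked = {}     # normalized address -> expiry timestamp

    @staticmethod
    def normalize(raw):
        addr = ipaddress.ip_address(raw)
        # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d
        return getattr(addr, "ipv4_mapped", None) or addr

    def observe(self, raw, now=None):
        """Record one connection to the decoy; True if the source is now blocked."""
        now = time.time() if now is None else now
        addr = self.normalize(raw)
        if any(addr in net for net in self.allow):
            return False
        self.blocked[addr] = now + self.ttl
        return True

    def is_blocked(self, raw, now=None):
        now = time.time() if now is None else now
        addr = self.normalize(raw)
        expiry = self.blocked.get(addr)
        if expiry is not None and expiry <= now:
            del self.blocked[addr]  # block has aged out
            expiry = None
        return expiry is not None

def serve(blocklist, port=2222):
    """Accept connections on the decoy port, record the peer, send nothing back."""
    with socket.create_server(("", port), family=socket.AF_INET6, dualstack_ipv6=True) as srv:
        while True:
            conn, peer = srv.accept()
            conn.close()
            if blocklist.observe(peer[0]):
                # Hand this address to your firewall; enforcement is not shown here.
                print("block", blocklist.normalize(peer[0]))

if __name__ == "__main__":
    # Constructed allowlist; replace with the ranges you administer from.
    serve(DecoyBlocklist(allow=["127.0.0.0/8", "::1/128", "10.0.0.0/8"]))
```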

[–] Deadend@hexbear.net 2 points 6 days ago

Locks are based on time/difficulty/detectability in the real world. The goal is “can’t break in without getting caught.”

It’s all a balance between risk/security and actually being useful.