by ejcx 2757 days ago
I'm sure Marriott had an IDS that created 10000+ alerts per day.

I'm sure they also had a credential rotation policy, hired 3rd party pentesters, had a vulnerability management program, etc.

Securing systems is really hard. A lot of the old school recommendations create more issues than they solve, like rotating every database login password every 90 days or so.

2 comments

> A lot of the old school recommendations create more issues than they solve, like rotating every database login password every 90 days or so.

This is one of the ones that drives me crazy. You can maybe make it work if you have a really good secrets management system, especially if it's hooked into AWS EC2 roles. But having to manually log into servers to change config files/passwords every 90 days is ridiculously disruptive.

> having to manually log into servers to change config files/passwords every 90 days is ridiculously disruptive

Then make it so you don't have to manually log into servers to change files/passwords.

> I'm sure they also had a credential rotation policy, hired 3rd party pentesters, had a vulnerability management program, etc

Why are you so sure? The vast majority of the companies out there are terribly sloppy when it comes to security and do not have any of those. I doubt the effectiveness of credential rotation, by the way; that's mostly outdated advice.

Six-letter passwords without any complexity requirements are still pretty common ('123456'), as is unsalted MD5 for password hashes; IDS is a term that usually requires explanation, and if there has been a 3rd party pentest, it usually was long ago.

Some industries are better than others (fintech, medical), but there too you find terrible examples.

I look at another company every week and the state of security at most of them is usually fairly bad, with a few exceptions where things are mostly in order. Note that we do not do a security audit; this is just a general look at company affairs, and security is only a very small part of it, just enough to tell whether or not they take it seriously, how big the risk of an embarrassing hack is, and what the damage would be if one took place.