d0n7 p47r0n153 l33t 5k1ll5!
If big corporates with huge budgets, large IT teams and strict ITIL, Cobit and compliance rules cannot keep it going, why would government? Some examples:
- Two years ago half of Sita was running an internal botnet.
- For the longest time the SARS cage at IS had the most obvious passcode.
- With one hosting company you could push a network cable through the back of their rack and you DHCPed onto the network.
- One hosting company did not check customer credentials and a perp gained access to a cage and walked out with 3 servers (dumbass was arrested shortly afterwards, as he was on CCTV and left his valid contact details in the access log book)
- One financial institution didn't realise that their admins had bitcoin miners installed on their servers (and their direct competitor had NZBDrone and Sonarr running on their transactional servers)
- A payment gateway last year accidentally had a MySQL dump indexed by Google (as well as their my.cnf - with the MySQL server being open to the internet).