Sure, Hamlet isn't always right. However, I've been living in Denmark for the past 20 years and I see what I see 🙂 But let's not discuss that.
I am going to show them that they have to disconnect unused ports. Simply because of very low practical security problems:
Low risk: I can print on their printers (recently, I logged on to the guest network of a public library. They have a printer which can be used by citizens when they pay a small amount using a service called Princh. However, I could see the IP address of the printer, and add it to my printers list, if I wanted to).
Medium risk: I could access non-patched, non-secure IoT devices, if I wanted to.
High risk: I could access NAS and computers on the network, and plant malware on the machines. Many computers are running Windows 7 - anno 2023!
I totally agree that the approach is to educate the organization. But unless I show them what is possible, they won't listen.
The average teacher tells
The good teacher demonstrates
The extraordinary teacher inspires
I am beyond the "average teacher" phase, but inspiring is not what the target group is looking for at this moment. IT Security is really a very unknown thing.
Yesterday, I got an e-mail from an organization. I had a bad feeling, half a year ago, about their IT-security, and told them. They said: "We are managing it". Then I got an email two weeks ago: "Somehow, personal sensitive information has been shared with a partner, without consent of the involved citizens". I asked again: "Do you need someone who can tell the personnel as well as the top management team, how hackers work, what can be done, how to recognize them and how to act if they strike?" The email I got yesterday stated: "No thank you. We are managing it". Until they get hacked for real.
If you want, you could find some spicy stuff about the ongoing hack of the Danish realtor chain EDC: They make mistake after mistake, and nobody is doing anything. The personnel do not know anything!
Danes think that IT problems only exist under the hood, and that nobody has any responsibility, except their own IT companies. Ethical hackers do not exist in Denmark. Believe me, it's true! Try to find any jobs in IT security in Denmark ... They're hard to find.