Topfi 2 days ago

Any security team that gives unrestricted admin privileges to random employees is not a security team. So doing the most basic parts of their job, that would be my proposal. If this is specific to my hiring comment, that was meant a bit facetiously, though I will point out this line in their "compliance" report by "auditor" Delve:

> The organization carries out background and/or reference checks on all new employees and contractors prior to joining in accordance with relevant laws, regulations and ethics. Management utilizes a pre-hire checklist to ensure the hiring manager has assessed the qualification of candidates to confirm they can perform the necessary job requirements.

Maybe those pre-hire checklists should include a question like "Are you a massive idiot, who'd install a game on their work computer, then on top of that be the type of idiot who likes to cheat, then on top of that be the type of idiot to install cheats on your work computer?" Maybe that'd prevent this in the future. Or again, just don't give everyone Admin privileges...
baxtr a day ago

I think one of us misunderstood how the event happened. In my understanding, restricting local admin rights would not have changed anything here. The Vercel employee signed up for Context.ai (a third-party tool) using their work account and granted it "Allow All" access to their environment. Maybe Admin-Managed Consent would have helped prevent Context.ai from accessing the environment, but this is not configured locally on the employee's machine. It is a cloud-level setting managed within their identity provider's administrative portal.