We were performing an audit on one of our customers, who had a "friend of the family" doing their IT work for them. We do a LOT of work with friends of the family, nephews, nieces, you name it (we call this "near-sourcing") and provide assistance where needed. For this one, the "friend" had proclaimed the Internet-facing server safe. One hour and 12 minutes later, he found out how safe it wasn't, because he forgot to configure a timeout for failed logins. As we say, "The bad guys only need to get lucky once, but we have to be perfect all the time." Thanks to Ari and his team for allowing us to publish this, after we fixed it, of course!