Subjunctive
Sep 12, 2006

sparkle and shine



Defenestrategy posted:

signing emails with PGP

How does signing emails with PGP make a person safer?


droll
Jan 9, 2020


Why is MFA a tip instead of something that's already turned on for your company? It's opt-in?

Defenestrategy
Oct 24, 2010

Worst decision I ever made.


Nukelear v.2 posted:

Maybe somebody will read it, but yea it's mostly CYA so they can't feign total ignorance when an incident occurs.

I've found that more active participation based events yield better dividends than just tossing reading material out into the world.
Phishing campaigns will tell you how many people will fall for obvious attacks and the user then sees oh hey maybe I'm not so clever about spotting these.
Same with doing capture the flag events with developers instead of just watching boring videos about owasp top 10.

I had an idea for a presentation, where I would use OSINT to gather information on a volunteer and then present a bio on them to be used for nefarious purposes and then show how to lock the information down to an extent, but I fear the ramifications on teaching the work place how to efficiently google-fu/harvester/etc their coworkers.

edit:

droll posted:

Why is MFA a tip instead of something that's already turned on for your company? It's opt-in?
At the company, yea, but it's probably a good idea to help your employees not get their personal accounts owned.

Subjunctive posted:

How does signing emails with PGP make a person safer?

In that case it was more about "What is a digital signature, and how can I use it" sort of thing.

Defenestrategy fucked around with this message at 15:51 on Mar 4, 2021

Nukelear v.2
Jun 25, 2004
My optional title text

Defenestrategy posted:

I had an idea for a presentation, where I would use OSINT to gather information on a volunteer and then present a bio on them to be used for nefarious purposes and then show how to lock the information down to an extent, but I fear the ramifications on teaching the work place how to efficiently google-fu/harvester/etc their coworkers.

Yea that's gonna get creepy super quick when you start presenting pictures of their kids and house. Really people aren't going to stop using social media anyway. I would imagine OSINT isn't really the biggest threat you have though, so I'd think more about how to target that.

droll
Jan 9, 2020


Nobody is reading your work newsletter about what they should do in their personal life lol

Sickening
Jul 15, 2007

Black summer was the best summer.

Defenestrategy posted:

I had an idea for a presentation, where I would use OSINT to gather information on a volunteer and then present a bio on them to be used for nefarious purposes and then show how to lock the information down to an extent, but I fear the ramifications on teaching the work place how to efficiently google-fu/harvester/etc their coworkers.

edit:

At the company, yea, but it's probably a good idea to help your employees not get their personal accounts owned.


In that case it was more about "What is a digital signature, and how can I use it" sort of thing.

OH dear lord no, just no. Boundaries!

RFC2324
Jun 7, 2012

http 418



Nukelear v.2 posted:

Maybe somebody will read it, but yea it's mostly CYA so they can't feign total ignorance when an incident occurs.

I've found that more active participation based events yield better dividends than just tossing reading material out into the world.
Phishing campaigns will tell you how many people will fall for obvious attacks and the user then sees oh hey maybe I'm not so clever about spotting these.
Same with doing capture the flag events with developers instead of just watching boring videos about owasp top 10.

I have a 100% success rate at not falling for phishing emails. Lemme share my secret so you can tell your users.

I don't read my email.

Sickening
Jul 15, 2007

Black summer was the best summer.

Sickening posted:

OH dear lord no, just no. Boundaries!

On that very subject I find that people in our industry really have problems with boundaries. When filling open positions within my reports, a certain team had a habit of gathering intel of applicants and passing it around before their interview. I found the practice pretty loving gross and outlawed it. It gets way too out of control too quickly and leads to toxic poo poo.

Internet Explorer
Jun 1, 2005


Sickening posted:

On that very subject I find that people in our industry really have problems with boundaries. When filling open positions within my reports, a certain team had a habit of gathering intel of applicants and passing it around before their interview. I found the practice pretty loving gross and outlawed it. It gets way too out of control too quickly and leads to toxic poo poo.

God drat, that is awful.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!


Pillbug

Sickening posted:

On that very subject I find that people in our industry really have problems with boundaries. When filling open positions within my reports, a certain team had a habit of gathering intel of applicants and passing it around before their interview. I found the practice pretty loving gross and outlawed it. It gets way too out of control too quickly and leads to toxic poo poo.

That's an oof.

CLAM DOWN
Feb 13, 2007


RICKARUS

It's Moot baby!




Sickening posted:

On that very subject I find that people in our industry really have problems with boundaries. When filling open positions within my reports, a certain team had a habit of gathering intel of applicants and passing it around before their interview. I found the practice pretty loving gross and outlawed it. It gets way too out of control too quickly and leads to toxic poo poo.

I'm glad you outlawed that. Wtf.

i am a moron
Nov 12, 2020

Gettin' woke about vaccines

Sickening posted:

On that very subject I find that people in our industry really have problems with boundaries. When filling open positions within my reports, a certain team had a habit of gathering intel of applicants and passing it around before their interview. I found the practice pretty loving gross and outlawed it. It gets way too out of control too quickly and leads to toxic poo poo.

This is quite possibly illegal depending on the state it's occurring in

Potato Salad
Oct 23, 2014

Nobody Cares




yeah, it's best to leave any doxing and any racism/classism/sexism/etc to the machine learning HR resume/hiring applications popping up everywhere


(strictly off topic for infosec, but Jesus Christ some of the reporting that's coming out on how terrifically biased some of these systems are)

Diva Cupcake
Aug 15, 2005



https://twitter.com/ericgeller/status/1367534978167406595

Zorak of Michigan
Jun 10, 2006

Waiting for his chance

Defenestrategy posted:

As part of my role as infosec guy, I've been tasked with doing "employee education", and so every two months I've been putting out a short company newsletter that has broad stroke significant company affecting infosec event summaries, such as successful phishing attempts on employees, or foreign IP logins, etc. as well as an "infosec tip of the day" kind of thing where it outlines a thing to be slightly safer, like enabling MFA or signing emails with PGP, stuff like that.

My question is: Am I just pissing in the wind with this, or is this kinda thing worthwhile?

One good thing that might come of it: an improved internal recruiting program, as junior IT guys read it and think, "hey, that sounds interesting, that's a cool job to which I might aspire."

Hah hah who am I kidding, nobody ever promotes internally.

apseudonym
Feb 25, 2011



Sickening posted:

On that very subject I find that people in our industry really have problems with boundaries. When filling open positions within my reports, a certain team had a habit of gathering intel of applicants and passing it around before their interview. I found the practice pretty loving gross and outlawed it. It gets way too out of control too quickly and leads to toxic poo poo.

That is seriously unprofessional and uncool, yikes.

droll
Jan 9, 2020


Is looking at the applicant's LinkedIn, noticing they worked at a company where I know someone, and asking that someone I know about the applicant, gross/bad?

Mr. Crow
May 22, 2008

Snap City mayor for life


droll posted:

Is looking at the applicant's LinkedIn, noticing they worked at a company where I know someone, and asking that someone I know about the applicant, gross/bad?

Isn't that de jure what HR is already doing? I don't think so; depends on your questions I guess


vvvv assuming nobody talks to *current* company, that would be awful

Mr. Crow fucked around with this message at 21:10 on Mar 4, 2021

CyberPingu
Sep 15, 2013


droll posted:

Is looking at the applicant's LinkedIn, noticing they worked at a company where I know someone, and asking that someone I know about the applicant, gross/bad?

Untrustworthy if anything. Also people at the other company might not know the applicant is looking for jobs

droll
Jan 9, 2020


.

droll fucked around with this message at 21:24 on Mar 4, 2021

droll
Jan 9, 2020


Mr. Crow posted:

Isn't that de jure what HR is already doing? I don't think so; depends on your questions I guess

HR don't know who my friends are and where they work/worked.

CyberPingu posted:

Untrustworthy if anything. Also people at the other company might not know the applicant is looking for jobs

Yeh that would be bad if my friend was working at the applicant's current place of work.

Mr. Crow
May 22, 2008

Snap City mayor for life


droll posted:

HR don't know who my friends are and where they work/worked.

They know what companies the applicant worked for and are surely asking them about them.

Absurd Alhazred
Mar 27, 2010

I'm the babyliberal, gotta love me!


droll posted:

Is looking at the applicant's LinkedIn, noticing they worked at a company where I know someone, and asking that someone I know about the applicant, gross/bad?

I mean, even if this doesn't violate the applicant's privacy, it sounds like a great way to perpetuate one of the many established cliques of tech, so probably don't do it?

Edited to remove sexist phrasing

Absurd Alhazred fucked around with this message at 21:28 on Mar 4, 2021

Sickening
Jul 15, 2007

Black summer was the best summer.

droll posted:

Is looking at the applicant's LinkedIn, noticing they worked at a company where I know someone, and asking that someone I know about the applicant, gross/bad?

No. An example of what is gross and uncool is to take the email address that is presented in the resume and check across the internet to see what that email is registered for. Gross is looking at their social media to figure out the things they are into. Gross is trying to figure out their reddit account based on similar usernames on their social media handles and finding out they have a panty hose fetish.

It became known to me as one of my sr guys alerted me to the fact that a potential candidate had a blog from 2012 with some vile stuff on it. gently caress that sucks and the content was really REALLY bad. When I pressed him on how he found this he went down the entire long rabbit hole and I wanted to vomit. My predecessor apparently had sanctioned this type of thing in the past and he thought I was going to praise him for his hard work.

You can't foster this type of behavior at all. Promoting this level of snooping means that your company employees are going to get the same treatment eventually and nobody wants that. The snooping only escalates if it goes unchecked.

CyberPingu
Sep 15, 2013


We actually went through this with one of our IT techs

I asked a guy at his last place who I went to Uni with what he was like.

He gave him a not great review because he worked on the night team.


I'm so loving glad I didn't listen to that guy and it's the last time I'll ever do that

droll
Jan 9, 2020


Absurd Alhazred posted:

I mean, even if this doesn't violate the applicant's privacy, it sounds like a great way to perpetuate one of the many old boy's clubs of tech, so probably don't do it?

I am neither old nor a boy FYI. Please don't make assumptions like that, that's actually gross.

Sickening posted:

No. An example of what is gross and uncool is to take the email address that is presented in the resume and check across the internet to see what that email is registered for. Gross is looking at their social media to figure out the things they are into. Gross is trying to figure out their reddit account based on similar usernames on their social media handles and finding out they have a panty hose fetish.

Woah that is way more hosed up than I envisioned.

droll fucked around with this message at 21:28 on Mar 4, 2021

Absurd Alhazred
Mar 27, 2010

I'm the babyliberal, gotta love me!


droll posted:

I am neither old nor a boy FYI. Please don't make assumptions like that, that's actually gross.

Fair enough, edited.


Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Defenestrategy posted:

As part of my role as infosec guy, I've been tasked with doing "employee education", and so every two months I've been putting out a short company newsletter that has broad stroke significant company affecting infosec event summaries, such as successful phishing attempts on employees, or foreign IP logins, etc. as well as an "infosec tip of the day" kind of thing where it outlines a thing to be slightly safer, like enabling MFA or signing emails with PGP, stuff like that.

My question is: Am I just pissing in the wind with this, or is this kinda thing worthwhile?

It might be more useful if you can find subjects that people will care about. Just this week our IT sec did a presentation where they talked about a recent small scale phishing campaign that snared about a dozen people. Instead of immediately using their accounts for spamming as usual, the phishers waited until near the payday, logged in to our SAP HR system and changed the bank account numbers. People started asking questions when their pay euros were nowhere to be seen. Besides the multitude of organisational failures that made this possible, this is the best example why you should not get phished that I have seen.
