|
So what does that gently caress up mean for me? A person with Linux machines running ssh (w/ public key access only)? Should I just assume all my poo poo is out there now or …?
|
# ? Oct 17, 2018 07:47 |
|
|
# ? Apr 26, 2024 01:37 |
|
ratbert90 posted:This is why I use OpenSSH and LibreSSL.
|
# ? Oct 17, 2018 07:55 |
|
Boris Galerkin posted:So what does that gently caress up mean for me? A person with Linux machines running ssh (w/ public key access only)? Should I just assume all my poo poo is out there now or …?
|
# ? Oct 17, 2018 08:03 |
|
bitprophet posted:If you're using OpenSSH server (or, for that matter, even a libssh-based client), this means nothing to you, as far as I can tell. But as we see regularly (even sometimes, in this thread), everyone loves a good freak-out even if the practical impact is negligible. It's not a "freak out", it's enjoying this dumpster fire of an industry over a genuinely hilarious vulnerability.
|
# ? Oct 17, 2018 08:19 |
|
Boris Galerkin posted:So what does that gently caress up mean for me? A person with Linux machines running ssh (w/ public key access only)? Should I just assume all my poo poo is out there now or …? Probably not a lot. You can start by looking to see what depends on libssh on your system. For example: code:
|
# ? Oct 17, 2018 12:23 |
|
Volguus posted:Probably not a lot. You can start by looking to see what depends on libssh on your system. For example: Well one of these machines runs fedora which is what I assume yours is (guessing due to dnf), and i think I do use virtio (libvirt?) for running windows vms. I guess I should pull the plug until I get some time to read more about this / fix it. E: I’m more worried about my edgerouter being compromised. E2: Not “worried” worried but I mean, I’d rather not be a low hanging fruit. Boris Galerkin fucked around with this message at 13:32 on Oct 17, 2018 |
# ? Oct 17, 2018 13:28 |
|
CLAM DOWN posted:https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/
|
# ? Oct 18, 2018 16:51 |
|
So this question is going to be pretty vague, if only because I have literally 0 experience with the practical application of things beyond theory at this point and am going to be spending the next few months learning as I go, but I'm transitioning into a new role modernizing small business' security solutions and am curious what you guys think the best practices to implement might be. Assume I'm a complete loving idiot, if you don't mind (because I am), I'm mostly looking for a suite of solutions that'll cover most of the things they'll need, given that most of the systems I've seen in small businesses pretty much boil down to what you'd find in a tech illiterate SOHO, things like fresh out of the box firewalls, factory setting routers, no intrusion detection software, etc etc. This is probably a pretty broad question, but I trust you guys (lol) more than I trust just loving about on the internet looking for the best solutions blindly, so any help would be appreciated. ETA: Also if anyone has any links or something that might be useful instead, I'll totally take those too. Also ETA: I figure it's probably a good idea to give some context into what I'm familiar with. I've done IT administration with small businesses before in smaller roles, though it's mostly boiled down to building and configuring desktops, simple networks, and pretty simple help desk style troubleshooting. Tier 1 dabbling in more specialized stuff. I'm currently in a degree program for Cyber Security and Information Assurance, which is why I say I understand most of the theory and some of the fundamentals, though I haven't had any practical experience configuring secure environments just yet. I've recently gotten some pretty dope offers from some friends-of-friends to do some IT work for them, and figure this is a good way to get some of that practical training, but seeing as they handle things like social security numbers and do credit checks, I don't want to just run in without doing research first and end up getting them hosed over. I figure, bare minimum, I need to have a conversation with them about the basics of social engineering and best practices they can perform without much issue (like password strength, privacy filters, locking their loving computer screen when they step away), but seeing as most of these people fall into the "Click the phishing link because it offers to save them money" category of internet user, I want to try and make it as hands-off and idiot-proof as possible. Sab Sabbington fucked around with this message at 20:12 on Oct 18, 2018 |
# ? Oct 18, 2018 20:01 |
|
ThePagey posted:So this question is going to be pretty vague, if only because I have literally 0 experience with the practical application of things beyond theory at this point and am going to be spending the next few months learning as I go, but I'm transitioning into a new role modernizing small business' security solutions
|
# ? Oct 19, 2018 03:36 |
|
Does this count as DON'T ROLL YOUR OWN CRYPTO
|
# ? Oct 19, 2018 03:49 |
|
the bad news is that you can't quit because the person they hire to replace you is going to know even less than you do
|
# ? Oct 19, 2018 04:03 |
|
https://twitter.com/RidT/status/1053097782427422721
|
# ? Oct 19, 2018 04:16 |
|
100% expected that kind of reaction, but it's a pretty fucky situation in that realistically I'm the only option they have, so, y'know. Gotta be prepared as best I can. I definitely know the whole thing is sub-optimal in like, literally every way possible, but for context I'm not exactly planning to go hard on this. Definitely a 0 to 1 kind of situation, not a 0 to 100. These are the kinds of people who are like, waiting to get shut down because they don't even know they're not doing something right. Though uh, man, it seems I may have underestimated the situation. ETA: Okay, so, it apparently didn't occur to me to stop and consider whether or not this was a bad loving idea, so, uh, if that's the case, thanks for the warning. Sab Sabbington fucked around with this message at 05:26 on Oct 19, 2018 |
# ? Oct 19, 2018 05:04 |
|
ThePagey posted:am going to be spending the next few months learning as I go [...] modernizing small business' security solutions [...] I'm a complete loving idiot, sever
|
# ? Oct 19, 2018 08:37 |
|
ThePagey posted:most of these people fall into the "Click the phishing link because it offers to save them money" category of internet user Your only real option is mitigation and remediation, since it sounds like prevention and training is out the window. Focus on hardening, and in particular giving them the least possible permissions to do their jobs, including the owners. Write their admin password on a piece of paper in a safe that only the owner has and tell him to only give it to your replacement. Don't accept any liability for anything dumb they do. I would say "give them password managers" but it sounds like they probably prefer to just have one password everywhere. ThePagey posted:I want to try and make it as hands-off and idiot-proof as possible. You can't. Cup Runneth Over posted:sever This too. if you're going to go through with this, at a minimum ensure that they know that you don't have any certifications or training and that you're performing this on a best effort basis as a courtesy to their usual business, with no expectations or guarantees of success.
|
# ? Oct 19, 2018 15:20 |
|
I think the XY Problem is at work here regarding the larger, much more important question of whether this is a really bad idea. ... as in, "'Y' did you think this was anything but?" You'll be on the hook for all their mistakes, for a start. Tapedump fucked around with this message at 19:02 on Oct 19, 2018 |
# ? Oct 19, 2018 18:56 |
|
Tapedump posted:I think the XY Problem is at work here regarding the larger, much more important question of whether this is a really bad idea. This is one of those situations where my drive to help people fix their problems kind of obscured the fact that I'd be pretty seriously liable. I've been looking for hands-on experience, too, I'll at least have Security+ before I start, and given that they plan to pay me for doing (what I figured would be) relatively simple work to at least secure their network (I have Network+, though I recognize that that's not exactly the most reassuring thing), I figured the rest I could pick up with some intensive studying/lab practice/advice from people who know what the gently caress they're doing in the next few months before I really get started. Bare minimum I figured I could go in an give the employees a brief overview of how to handle their own credentials and use practices. I've worked at a lot of small businesses in customer service roles where people seriously don't give a gently caress, and I'm set to work with mostly small independently owned places that do good, valuable work (in my opinion) that can't afford to use an actual consultant or company.
|
# ? Oct 19, 2018 19:19 |
|
it's fairly easy to just wing it at that kind of short consulting job but structure your business / contract such that you're not on the hook legally when it blows up
|
# ? Oct 19, 2018 19:39 |
|
And carry a million in professional insurance.
|
# ? Oct 19, 2018 19:42 |
|
Yes insurance was surprisingly cheap ime (UK; US feels way more litigious, ymmv) although one underwriter I tried wouldn't touch "cybersecurity"
|
# ? Oct 19, 2018 19:46 |
|
Luckily enough, one of my best friends is a dope lawyer who's worked in networking before, so he has some basic understanding of what's going on, and is willing to write up the contract for me. I'll definitely be grabbing some insurance before I get started (if I get started, I'm considering restructuring this a bit to just provide some basic IT services until I have at least some basic security certs to back the situation up). Main reason I popped in to ask my original question was to clarify things a bit, which this has helped. I mostly need to figure out exactly how to word the services I'll be providing since I figure I want to be as specific as possible in the contract. That's part of why I'm asking around and doing my research now, I'm pretty fundamentally a broke-rear end college student otherwise and getting sued would loving blow.
|
# ? Oct 19, 2018 19:58 |
|
ThePagey posted:I'm currently in a degree program for Cyber Security and Information Assurance, which is why I say I understand most of the theory and some of the fundamentals, though I haven't had any practical experience configuring secure environments just yet. So, given the reactions in this thread, and the fact that I'm a lowly server-toucher myself who is not in the security department, I figure I should ask: What qualifications would you expect before someone could attack their problem? I understand OP's not done with school yet, but is a degree not enough, or would you expect a colorful alphabet of certs under their belt at a minimum? Edit: A lot of posts happened in between my starting this one and finishing it. I get the liability concern. Is that the biggest one? azurite fucked around with this message at 21:40 on Oct 19, 2018 |
# ? Oct 19, 2018 21:01 |
|
Relevant professional experience.
|
# ? Oct 19, 2018 21:39 |
|
The Fool posted:Relevant professional experience. What would you look for? Someone who is trained in security but has worked in IT? I imagine you have to start somewhere.
|
# ? Oct 19, 2018 21:46 |
|
azurite posted:What would you look for? Someone who is trained in security but has worked in IT? I imagine you have to start somewhere. Actually working in security. Even if it's just handling AD administrative security, simple firewall changes, taking part in an incident response process, etc. I want to see something beyond just a piece of paper. Those courses are worthless unless you've put it to practice (speaking as someone who has a number of pieces of paper and just got approved for another one in December).
|
# ? Oct 19, 2018 21:50 |
|
Ok, that perspective is helpful. Thanks.
|
# ? Oct 19, 2018 21:56 |
|
azurite posted:What would you look for? Someone who is trained in security but has worked in IT? I imagine you have to start somewhere. You start like every other IT worker and move in to security. I don't feel like security roles should be given to entry level workers. Yes there are specific tasks that can be assigned to entry level people, but making decisions and giving advice is something that requires nuance and perspective gained by time spent in a relevant field. Not that actual security companies or departments actually agree with me.
|
# ? Oct 19, 2018 21:56 |
|
The Fool posted:You start like every other IT worker and move in to security. Imo the best security people are the ones who start elsewhere in IT, then slowly start showing interest in and performing some security things. Then they transition over. Starting full-bore in infosec right off the bat isn't good, again just imo. You don't have context for what you're doing, and don't know the effects of security things on other teams and technologies.
|
# ? Oct 19, 2018 22:03 |
|
CLAM DOWN posted:Imo the best security people are the ones who start elsewhere in IT, then slowly start showing interest in and performing some security things. Then they transition over. Starting full-bore in infosec right off the bat isn't good, again just imo. You don't have context for what you're doing, and don't know the effects of security things on other teams and technologies. Uhhhh, well poo poo. That's not great news.
|
# ? Oct 19, 2018 22:08 |
|
ThePagey posted:Uhhhh, well poo poo. That's not great news. I don't intend to discourage you, honestly. There's just a big gap in the people I work with in infosec, when comparing those who started slow by entering security from another part of IT, and those who jump right in from a school program without any experience. As I said, you just won't have context or awareness of what you're doing. It's not a matter of you being malicious, it's because what you learn in school isn't what the professional workplace is like. Sorry.
|
# ? Oct 19, 2018 22:52 |
|
CLAM DOWN posted:I don't intend to discourage you, honestly. There's just a big gap in the people I work with in infosec, when comparing those who started slow by entering security from another part of IT, and those who jump right in from a school program without any experience. As I said, you just won't have context or awareness of what you're doing. It's not a matter of you being malicious, it's because what you learn in school isn't what the professional workplace is like. Sorry. Nah nah, it's cool. I kind of hoped going into this that my experience loving around with computers since I was super young would carry me, beyond the sales/tech support hybrid jobs I worked in call centers when I was 18. I pick things up pretty quickly, so I'm not that worried, but I know that's not exactly a replacement for hands-on experience. Something to work towards.
|
# ? Oct 19, 2018 23:03 |
|
azurite posted:So, given the reactions in this thread, and the fact that I'm a lowly server-toucher myself who is not in the security department, I figure I should ask: You need the technical expertise to know WTF (hence all the comments about starting elsewhere) as well as an attacker mindset of how can poo poo go wrong, what happens when it does, and how you can stop it from going from. Certs are useless, I personally think they're worse than useless since they teach you a lot of wrong ways to think about security on top of super out of date info.
|
# ? Oct 20, 2018 00:40 |
|
apseudonym posted:Certs are useless, I personally think they're worse than useless since they teach you a lot of wrong ways to think about security on top of super out of date info. I'm pretty deep in this program at this point to do literally anything else, and uh, well, that's the first time anyone's actually told me that certs are useless, but I suppose that makes sense. Either way, I'm going to keep going with it. How would you recommend someone like me move forward with self-teaching outside of the undergrad/cert programs? I guess what I'm trying to ask is: Is there any way I can self-teach this kind of poo poo without the professional experience a job might provide? I'm down for anything, but the stuff I'd default to (books, labs, working with the commonly used programs/techniques) are more of the same that I'd do when getting a cert. I'm not exactly worried either way, 'cause I'm pretty confident I can get a job in the field with what I'm getting anyway, but I'd really, really rather not jump into a new role and massively gently caress it up if I can help it.
|
# ? Oct 20, 2018 01:01 |
|
ThePagey posted:I'm pretty deep in this program at this point to do literally anything else, and uh, well, that's the first time anyone's actually told me that certs are useless, but I suppose that makes sense. It's more that you're not asking the right questions. You've never worked in Enterprise IT before and you want to start a consulting firm on practical and effective infosec. You're running before you can walk. It's not that certs are useless or your education isn't helpful. But all the certs in the world don't mean a thing when you have absolutely no experience about how a business operates at any scale. You're billing yourself as a subject matter expert when you not only don't have expertise, but no relevant work history whatsoever. Take a few years before launching this and work for literally anybody doing systems or networking, or even desktop support (I.e. Not call center helpdesk), whatever. The literal technical skills are only a tiny fraction of this. Way more important is understanding how the work you do affects the day to day operations of the people and companies you support. The Iron Rose fucked around with this message at 04:11 on Oct 20, 2018 |
# ? Oct 20, 2018 04:09 |
|
The Iron Rose posted:It's more that you're not asking the right questions. You've never worked in Enterprise IT before and you want to start a consulting firm on practical and effective infosec. You're running before you can walk. Okay, that makes sense. I suppose I assumed that because I was getting approached pretty regularly by people that my understanding of the situation would put them in a better position than not doing anything at all, but contextually that's probably not the case when it comes to practical application. That makes sense, thank you for clarifying. It's not so much starting a consulting firm as being roped in to filling a position that it sounds like requires a significant amount more depth than I'd anticipated, I've never be involved in an IT situation before that couldn't be resolved by spending a month learning relevant content and then performing it with a little online reference, but it makes sense that creating a complete situation for a business is more complicated than just setting up a network so that it functions. In any case, I'm definitely glad I asked, because that would've been a real hosed up situation if I'd just ran in and tried to learn as I went like I'd planned to.
|
# ? Oct 20, 2018 06:31 |
|
CLAM DOWN posted:Imo the best security people are the ones who start elsewhere in IT, then slowly start showing interest in and performing some security things. Then they transition over. Starting full-bore in infosec right off the bat isn't good, again just imo. You don't have context for what you're doing, and don't know the effects of security things on other teams and technologies.
|
# ? Oct 20, 2018 11:11 |
|
CLAM DOWN posted:Imo the best security people are the ones who start elsewhere in IT, then slowly start showing interest in and performing some security things. Then they transition over. Starting full-bore in infosec right off the bat isn't good, again just imo. You don't have context for what you're doing, and don't know the effects of security things on other teams and technologies.
|
# ? Oct 20, 2018 12:30 |
|
so the DoD's DTS (Defense Travel System) recently got hacked https://news.clearancejobs.com/2018/10/15/dods-defense-travel-system-hacked-employee-credit-card-info-stolen/ and in slightly fun yet sad news for the USAF this is what Travis AFB has resorted too
|
# ? Oct 20, 2018 13:37 |
|
https://twitter.com/richinseattle/status/1053802123664576512
|
# ? Oct 21, 2018 02:22 |
|
|
# ? Apr 26, 2024 01:37 |
|
so, a -1157 day vulnerability?
|
# ? Oct 21, 2018 05:00 |