bolind
Jun 19, 2005



Pillbug
Is there a dumb free password manager for iOS? I just need like an encrypted notepad. No sync to PC or autofill or anything.

Kibner
Oct 21, 2008

Acguy Supremacy

bolind posted:

Is there a dumb free password manager for iOS? I just need like an encrypted notepad. No sync to PC or autofill or anything.

Isn't that Apple Keychain?

The Fool
Oct 16, 2003


Kibner posted:

Isn't that Apple Keychain?

Yes, this is the right answer.

e: Actually, keychain can't do encrypted notes but the built in notes app does

some kinda jackal
Feb 25, 2003


The Fool posted:


e: Actually, keychain can't do encrypted notes but the built in notes app does

This is extra janky because on the desktop it does store encrypted notes in your keychain. On iClod no less. Wish they'd just cross port that.

e: iCloud, but the typo is apt so I'll leave it.

barbieauglend
Apr 13, 2016

bolind posted:

Is there a dumb free password manager for iOS? I just need like an encrypted notepad. No sync to PC or autofill or anything.

Pass (word store) https://www.passwordstore.org

SlowBloke
Aug 14, 2017
If you have a cloud-averse management and you work in Europe, prepare for legalese meetings.

https://www.edps.europa.eu/press-pu...s-and-bodies_en

Keep in mind that EDPS doesn't have direct compliance powers but its decisions will get used as reference by EU governments.

some kinda jackal
Feb 25, 2003

@bolind,

Actually since you said you needed something akin to secure notepad for iOS, the Notes app lets you encrypt specific notes:

https://support.apple.com/en-ca/guide/security/sec1782bcab1/web

I forgot this was a thing and I just tested it now on my iPad. You can protect notes with your iCloud credentials or a bespoke password, and then you have the option of locking that behind FaceID/TouchID if you choose.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter
It's CISSP time.

The office is willing to pay for training for me to get the CISSP. Our normal training providers are only offering a 5 day cram course, and I'd rather learn this properly so I can be sure of passing the test. ISC2 themselves offer an 8-week course (2 hour class, 2 days/week) that seems pretty decent. Has anybody taken any of the ISC2 courses before?

flakeloaf
Feb 26, 2003

Still better than android clock

Yup, the instructor talked about himself and the other jobs he'd had most of the time, between intonations that the exam was too broad to get into in class and that we should read the book and memorize every page on an "inch-deep / mile wide" level, and I decided the money the training budget had burned on this bullshit wasn't worth the corresponding misery of dragging my unmanaged adhd rear end through that kind of studying

some kinda jackal
Feb 25, 2003

Work paid for a similar 5 day bootcamp through Deloitte. I’m sure they’re all fairly the same.

It was the most boring five days of my life, and I still felt 50/50 walking out of the exam after going through the book and ancillary “cram” material, but I did make bank on the other side based on those five bullshit letters, so given my investment was just a few days of half assed “study” after the course I’d say it was a good use of my time.

Anecdotally, I remember absolutely NOTHING from the course, aside from some vague notions of fence height or camera distance or something completely irrelevant to my actual job.

E: I guess it varies wildly on your instructor. Ours specifically told us not to bother digging into the book unless we wanted more info on something he was teaching us or something wasn’t clear

BaseballPCHiker
Jan 16, 2006

I bought the 11th hour CISSP guide, watched some YouTube videos on it, and the old sunflower guide.

That was enough for me to breeze through it and finish with the minimum amount of questions. This test is seriously overrated difficulty wise, and is the most overrated cert in history. Why we as an industry settled on this one is beyond me, other than it satisfied a bunch of dept of defense requirements I was told.

Anyway, dont overthink it, know the basics and answer from a manager perspective instead of a technical one and you'll be fine.

some kinda jackal
Feb 25, 2003

11th Hour CISSP! That's the book I was thinking of and couldn't remember. Thanks. Yeah, that's what my teacher recommended and I thought it was actually a really really good summarization of the textbook. I'd say I passed on that book alone.

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter
I'm familiar with the kind of content that's covered in the CISSP, so I'm already expecting to be bored out of my god damned mind during the course. Normally I would just buy the study books from Amazon and sit here for 3 months pounding 1000+ pages into my head, until I feel confident enough that I could pass the test on the first try (I get extra nervous about exams I have to pay for). But since the exam is changing in April and work is willing to pay for it I figured it might be better to try some actual course instruction. I feel a 5-day course is too short to adequately cover something as big as the CISSP (and by the sounds of everyone's experiences, I'm right) which is why I was looking at the 8 week course ISC2 is offering.

I'm still a rookie in this field and impostor syndrome is hitting me hard, so this year is my cert year. In addition to the CISSP I also want to get:

- AZ-500
- SEC450
- FOR500 (I don't really want to do this one, but it's a gap we need in our team)


BaseballPCHiker posted:

I bought the 11th hour CISSP guide, watched some YouTube videos on it, and the old sunflower guide.

That was enough for me to breeze through it and finish with the minimum amount of questions. This test is seriously overrated difficulty wise, and is the most overrated cert in history. Why we as an industry settled on this one is beyond me, other than it satisfied a bunch of dept of defense requirements I was told.

Anyway, dont overthink it, know the basics and answer from a manager perspective instead of a technical one and you'll be fine.

Thanks for the recommendation on the book, I'll probably pick it up. I agree it's a super overrated cert and I don't understand why everyone wants it so much when the SSCP or even the Sec+ is, imo, a much better comprehensive overview of the field as a whole. The CISSP to me is a cert for managers primarily and holds no real day-to-day value.

Internet Old One
Dec 6, 2021

Coke Adds Life

flakeloaf posted:

Yup, the instructor talked about himself and the other jobs he'd had most of the time, between intonations that the exam was too broad to get into in class and that we should read the book and memorize every page on an "inch-deep / mile wide" level, and I decided the money the training budget had burned on this bullshit wasn't worth the corresponding misery of dragging my unmanaged adhd rear end through that kind of studying

Dude what the gently caress is with so called instructors of the infosec industry:

Start paid video lectures with 10 to 20 minutes of self promotion including a brag that they graduated 7 million people.
Next disclaimer that watching their 20 hour series of lectures isn't enough to pass the exam unless you read the entire 800 page official guide. As if I don't loving know that I can pass a test by reading a book.


Earlier this year I took one where the guy introduced himself and went straight into salesman brainwashing affirmations "You made the right choice with this course, this is a good course, I will get you through the exam, etc"

Like 5 minutes later he was going on about how losers don't read the book and get what they deserve. Yep that's a refund you bald jerk.

It was for the Pentest+, not even a hard exam.

some kinda jackal posted:

11th Hour CISSP! That's the book I was thinking of and couldn't remember. Thanks. Yeah, that's what my teacher recommended and I thought it was actually a really really good summarization of the textbook. I'd say I passed on that book alone.

This is the smallest CISSP book that does the job. If you have a feel for IT politics, read this book, and brush up on whatever stuff you don't crush in a practice exam, you will pass. The CISSP test is crazy as gently caress though and uses some sort of statistical crap to make sure you always get challenging questions no matter how well you're doing.

So if your questions are all barely comprehensible gibberish or you're made to choose between 4 wrong answers, you're doing pretty good.

MustardFacial posted:

The CISSP to me is a cert for managers primarily and holds no real day-to-day value.

It's probably the oldest security cert. I suspect the whole "management" thing came later after they needed to differentiate their brand from newer certs that popped up as former hackers and script kiddies started influencing the profession on a much more practical level. Notice there is no M in CISSP but newer isc2 management certs have one?

That said it forced me to learn poo poo I didn't want to learn and definitely helps me understand what management wants.

Internet Old One fucked around with this message at 22:13 on Mar 15, 2024

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Internet Old One posted:

Dude what the gently caress is with so called instructors of the infosec industry:

Start paid video lectures with 10 to 20 minutes of self promotion including a brag that they graduated 7 million people.
Next disclaimer that watching their 20 hour series of lectures isn't enough to pass the exam unless you read the entire 800 page official guide. As if I don't loving know that I can pass a test by reading a book.


Earlier this year I took one where the guy introduced himself and went straight into salesman brainwashing affirmations "You made the right choice with this course, this is a good course, I will get you through the exam, etc"

Like 5 minutes later he was going on about how losers don't read the book and get what they deserve. Yep that's a refund you bald jerk.

It was for the Pentest+, not even a hard exam.

This is the smallest CISSP book that does the job. If you have a feel for IT politics, read this book, and brush up on whatever stuff you don't crush in a practice exam, you will pass. The CISSP test is crazy as gently caress though and uses some sort of statistical crap to make sure you always get challenging questions no matter how well you're doing.

So if your questions are all barely comprehensible gibberish or you're made to choose between 4 wrong answers, you're doing pretty good.

It's probably the oldest security cert. I suspect the whole "management" thing came later after they needed to differentiate their brand from newer certs that popped up as former hackers and script kiddies started influencing the profession on a much more practical level. Notice there is no M in CISSP but newer isc2 management certs have one?

That said it forced me to learn poo poo I didn't want to learn and definitely helps me understand what management wants.

Yeah, I’m about to go for the CISSP partially because I want some exposure to the management viewpoint and other facets of security that I haven’t been exposed to in my career so far.

vanity slug
Jul 20, 2010

hate turnstiles, love mantraps, simple as

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

MustardFacial posted:

It's CISSP time.

The office is willing to pay for training for me to get the CISSP. Our normal training providers are only offering a 5 day cram course, and I'd rather learn this properly so I can be sure of passing the test. ISC2 themselves offer an 8-week course (2 hour class, 2 days/week) that seems pretty decent. Has anybody taken any of the ISC2 courses before?

Yeah, in uh, 2001. I passed! CISSP #2xxxx

some kinda jackal posted:

Anecdotally, I remember absolutely NOTHING from the course, aside from some vague notions of fence height or camera distance or something completely irrelevant to my actual job.

Hahaha same :). How bright are your exterior lights?

Rust Martialis fucked around with this message at 22:08 on Mar 18, 2024

some kinda jackal
Feb 25, 2003


vanity slug posted:

hate turnstiles, love mantraps, simple as

I, also, have confused my LinkedIn and Grindr profiles on occasion.

Glass houses, stones, etc.

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!
After a long time in ops/network infra, I recently started studying for and I passed Sec+. We have a Udemy subscription I've been using for material(The Dion training material helped a lot), but I'm curious what the next one should be. I started into CySA+ since it was on Udemy and it's sort of kicking my rear end to be honest. There are so many tools to learn with names I can't remember, it's a little overwhelming. I feel like I've concentrated so much into network over the years, I've lost my grasp of a lot of other stuff, especially server architecture. Would my time be better suited to a different cert? I'm worried I may not be cut out for sec ops.

Tryzzub
Jan 1, 2007

Mudslide Experiment

Farking Bastage posted:

After a long time in ops/network infra, I recently started studying for and I passed Sec+. We have a Udemy subscription I've been using for material(The Dion training material helped a lot), but I'm curious what the next one should be. I started into CySA+ since it was on Udemy and it's sort of kicking my rear end to be honest. There are so many tools to learn with names I can't remember, it's a little overwhelming. I feel like I've concentrated so much into network over the years, I've lost my grasp of a lot of other stuff, especially server architecture. Would my time be better suited to a different cert?

do you enjoy networking in general? there is serious $$$ in network security and I’d recommend you focus on improving your skillset from a security perspective if it keeps you going

Sickening
Jul 16, 2007

Black summer was the best summer.
Network security is a very tough gig at times as there is a giant split of companies needing you to be a functional network engineer alongside being a network security person. There is a huge need for network security engineers who are real network engineers, but they're kind of a unicorn at times. It's also a trap of trying to fold too many duties into a single person/team.

Sickening
Jul 16, 2007

Black summer was the best summer.
I find at times as Principal Security Engineer that I am being asked to be SRE/Network Engineer/PM/Architect so often now that it's not even surprising.

flakeloaf
Feb 26, 2003

Still better than android clock

I've hit the point now where I need to let the network guy be the network guy, because giving in to the temptation to play his position for him sends me on increasingly deeper dives into man pages and configuration manuals and endless tech bulletins all describing the care and feeding of equipment I will only be touching if something has gone catastrophically wrong, which is a lot of work for a yea/nay call on a suggested upgrade or whatever.

So yeah, nothing wrong with specializing. If you can be a great network person, be a great network person, and build a bit of mutual trust and respect with your itsec person so they can do itsec policy wonk poo poo.

Wibla
Feb 16, 2011

I feel seen.

I jumped from railway-oriented industrial automation to being an OT network engineer at a metro transit authority in January 2022. Now I am basically the principal engineer responsible for four separate city-wide OT networks, and while I have a reasonably good grasp of how things work, and we're doing a pretty good job of designing and rolling out a new SPBm/fabric based consolidated OT network, the additional workload from also dealing with network security, particularly for the OT virtualization stack (because IT dropped the ball, those fuckers) is quickly proving to be too much.

At least we're adding headcount, but it takes time to get people up to speed.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Sickening posted:

I find at times as Principal Security Engineer that I am being asked to be SRE/Network Engineer/PM/Architect so often now that its not even surprising. The squeeze from the market is just too real.

Same. I keep being asked to handle Cloud Engineer and Infra Engineering. Not great and I try to avoid it because, to twist a quote from Kelly's Heroes' 'Oddball', jokingly:

"I just secure em I don't know how they work or anything."

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter
Booked my first SANS course and cert attempt. Apparently they're going to mail me books or something and the cert is only 75 questions and open book?

This is unlike anything I've ever done before.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there

MustardFacial posted:

Booked my first SANS course and cert attempt. Apparently they're going to mail me books or something and the cert is only 75 questions and open book?

This is unlike anything I've ever done before.

First SANS cert I did I didn't realize the back of the last book had an index.
I spent so much time in the GICSP exam going, "was that in book 2???" and flipping through the books.

(I passed.)

Diva Cupcake
Aug 15, 2005

^^^^

I stressed out too much on the index creation for GIAC defensible security architecture. Yeah it’s like 6 books and 1200 pages but you can generalize and subsection all of it for reference in a few hours.

Don’t psyche yourself out like I did.

post hole digger
Mar 21, 2011

Agreed, having an index is important but putting a decent one together isn’t that hard and the tests are incredibly straightforward if you do.

Wibla
Feb 16, 2011

We infosec'ed so hard that a redundant pair of PA firewalls that all traffic in the environment has to pass through failed in an odd way and took down everything for an hour because it didn't fail over as designed.

Defenestrategy
Oct 24, 2010

Anyone here gone through an environment certification before? I've been working on CMMC and we're approaching d-day in a month or two. Just wondering how people do that. Does a dude just come in with a check list and you justify how you've fulfilled the requirements?

Potato Salad
Oct 23, 2014

nobody cares


Wibla posted:

We infosec'ed so hard that a redundant pair of PA firewalls that all traffic in the environment has to pass through failed in an odd way and took down everything for an hour because it didn't fail over as designed.

do you work in my NOC, we had a bad PA fw failover during updates mess us up for a good hour when everyone started filtering back from lunch

Defenestrategy posted:

Anyone here gone through an environment certification before? I've been working on CMMC and we're approaching d-day in a month or two. Just wondering how people do that. Does a dude just come in with a check list and you justify how you've fulfilled the requirements?

[vibrates in CMMC Implementer] yeah so, you are talking about D-Day for your certification process? have you guys engaged in any talks pre-certification, done any pre-certification environment reviews to look for obvious problem areas ahead of time? what has your journey looked like

I won't say its as intrusive as a DIBCAC assessment but you are going to be exchanging an awful lot of artifacts with your third party assessor over several weeks. Definitely far FAR more pain than PCI

edit: Also do you have a large gap between your assessment date and when you anticipate needing to perform on contracts that scoped you into CMMC, for the purpose of mitigating mostly encryption related things that they'll be sticklers about whatever gaps are found

It's never too early to ask them to expand the SOW to include pre-reviewing SSPs so they can give you ballpark "this control is enough, hey start working on this inadequate control" feedback, if you haven't started doing that. Yes that involves money, yes it is worth it, hands down -- lead times on new hardware can gently caress you if you guys only start getting feedback after the assessment has started and your entity needs to start billing work on CMMC-scoped contracts shortly thereafter. Nobody really has a good baseline for how provisional certification will look yet.

Potato Salad fucked around with this message at 01:13 on Mar 27, 2024

Defenestrategy
Oct 24, 2010

Potato Salad posted:

[vibrates in CMMC Implementer] yeah so, you are talking about D-Day for your certification process? have you guys engaged in any talks pre-certification, done any pre-certification environment reviews to look for obvious problem areas ahead of time? what has your journey looked like

From what my boss has told me we have a pre-certification audit in May-ish which is supposedly just a regular audit except it's cheaper and they'll give us a report card, then we theoretically fix it by August-ish for the certification run. As far as the journey, we've been getting stuff ready for two years now; my boss had the foresight that CMMC would probably be something along the lines of FISMA/DFARS compliance, so we were using that as a guide to work towards, assuming that CMMC wouldn't be far more strenuous than that, and by the time it was settled that CMMC would basically be NIST 800-171 anyway we were sitting fairly pretty.

quote:

edit: Also do you have a large gap between your assessment date and when you anticipate needing to perform on contracts that scoped you into CMMC, for the purpose of mitigating mostly encryption related things that they'll be sticklers about whatever gaps are found

From what boss has said, worst case scenario is that once CMMC becomes an active standard we'll have six months from that day as a grace period to get anything together. So theoretically Q2 next year is drop dead? We don't currently have contracts that require it to my knowledge; this was more of a get poo poo together before the military starts requiring it eventually.

Defenestrategy fucked around with this message at 01:16 on Mar 27, 2024

Potato Salad
Oct 23, 2014

nobody cares


Defenestrategy posted:

From what my boss has told me we have a pre-certification audit in May-ish which is supposedly just a regular audit except it's cheaper and they'll give us a report card, then we theoretically fix it by August-ish for the certification run. As far as the journey, we've been getting stuff ready for two years now; my boss had the foresight that CMMC would probably be something along the lines of FISMA/DFARS compliance, so we were using that as a guide to work towards, assuming that CMMC wouldn't be far more strenuous than that, and by the time it was settled that CMMC would basically be NIST 800-171 anyway we were sitting fairly pretty.

If you haven't put it together yet, CMMC 2.0 Level 2 is "Validate your 800-171 controls, show us you can actually exercise your review and risk acceptance processes, and demonstrate some basic dfir/hunt capacity (install EDR)." You won't "basically" be NIST 800-171 (and friends) compliant, you will be -171 compliant.

I'm glad to hear you're doing a pre-validation run. It is going to pay off. Do you have a big ol' nested directory of "Here's our screenshots and printouts for this control, for this control, for this control..." etc yet? You can save yourselves some pain by going ahead in any spare time you have and substantiating every single thing you claim in your SSP(s) as thoroughly as possible. Pretend you are going to court and the 75 year old judge is friendly but professionally skeptical of your claims.

Defenestrategy
Oct 24, 2010

Potato Salad posted:

If you haven't put it together yet, CMMC 2.0 Level 2 is "Validate your 800-171 controls, show us you can actually exercise your review and risk acceptance processes, and demonstrate some basic dfir/hunt capacity (install EDR)." You won't "basically" be NIST 800-171 (and friends) compliant, you will be -171 compliant.

I'm glad to hear you're doing a pre-validation run. It is going to pay off. Do you have a big ol' nested directory of "Here's our screenshots and printouts for this control, for this control, for this control..." etc yet? You can save yourselves some pain by going ahead in any spare time you have and substantiating every single thing you claim in your SSP(s) as thoroughly as possible. Pretend you are going to court and the 75 year old judge is friendly but professionally skeptical of your claims.

Yep, we built one of those assuming it'd come up, just a big repo of documentation and screen shots

Wibla
Feb 16, 2011

Potato Salad posted:

do you work in my NOC, we had a bad PA fw failover during updates mess us up for a good hour when everyone started filtering back from lunch

No, I'm an OT network engineer at a metro transit authority :v: ... also on vacation!

We also have a change freeze in place for Easter, so it was just normal operations... I'm looking forward to the post mortem.

BonHair
Apr 28, 2007

Defenestrategy posted:

We don't currently have contracts that require it to my knowledge this was more of a get poo poo together before the military starts requiring it eventually.

This sounds incredible actually. A company that bothers to proactively fix their security poo poo is not the norm in my experience. I'm seeing a lot more faking it until well past deadline and then panic implementing something with an army of consultants.

Defenestrategy
Oct 24, 2010

BonHair posted:

This sounds incredible actually. A company that bothers to proactively fix their security poo poo is not the norm in my experience. I'm seeing a lot more faking it until well past deadline and then panic implementing something with an army of consultants.

We had the benefit of a lot of things coming together at once to make it possible to do. Covid19, government infighting for budgets, getting acquired, a manager who knows how to play the game, just lots of things.

Cannon_Fodder
Jul 17, 2007

"Hey, where did Steve go?"
Design by Kamoc
1password rules, thank you for the suggestions

FlyWhiteBoy
Jul 13, 2004

Defenestrategy posted:

Anyone here gone through an environment certification before? I've been working on CMMC and we're approaching d-day in a month or two. Just wondering how people do that. Does a dude just come in with a check list and you justify how you've fulfilled the requirements?

It's weird for me to see that CMMC is a real thing now. I was part of the DIBCAC pilot going around conducting assessments 4 years ago. I've moved on now to another role and agency but if I can help anyone prepare for or pass a CMMC or DIBCAC assessment reach out to me via PM.
