geonetix
Mar 6, 2011


everythingWasBees posted:

Not sure this is the right place to ask, but I've ended up being tasked with putting together a website that will be sending financial documents to an AWS database. I know nothing about cybersecurity or infosec and am somewhat terrified doing something like this, though thankfully I am not personally liable if anything goes wrong. Is there a good resource for like, putting together something simple and not loving over a bunch of customers due to a lack of research?

Depends a bit on what kind of information you store and what you're supposed to do with it. Large banks are using AWS, so it's not inherently a problem. You just have to do the right things to prevent abuse or leaks. PCI-DSS v3 has a simple list of things to do, and AWS themselves have best practices too. If you *really* want to be sure you're not doing something dangerous, look into what the Cloud Security Alliance matrix (which is basically SSAE16/ISO27001/HIPAA/PCI/etc. controls combined into one massive list; it may be missing GDPR technical controls, haven't checked) expects of you. And then consider what meets your risk appetite and how much you or your employer cares about and/or are liable for people's personal lives.

Without any more information about what you're supposed to be doing, it's hard to give specific advice.

geonetix
Mar 6, 2011


That code matching thing was already implemented before Tavis tweeted about it, so I don't think that's what's up, but maybe they used it that way afterwards, who knows.

geonetix
Mar 6, 2011


EVIL Gibson posted:

Nothing to hide means even though you are not doing anything illegal doesn't mean people can't judge you.

I dislike the guy, but Snowden once (famously?) said "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say." I still think that's apt.

And that's before I start on a privacy is the basis of freedom tangent.

geonetix
Mar 6, 2011


PBS posted:

Yeah, I assume that's talking about using it for pages that it should be used for, not recommending it be blindly set for 100 random applications.

It goes for APIs over HTTP used by websites too (hello overcomplicating "front end engineers"), not just pages; but generally this is a problem with authenticated pages and leaking one user's state to other users if it's cached somewhere. So as stated before: cache nothing is a good default for "logic" endpoints.
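As an added illustration of the point above (not code from the thread), a small header audit that flags responses to authenticated requests which are still cacheable. The sample exchanges, header names and the helper names are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]

# Constructed sample exchanges: (path, request headers, response headers),
# header names lowercased as a proxy or test harness would normalise them.
SAMPLE_EXCHANGES: List[Tuple[str, Headers, Headers]] = [
    ("/api/me", {"cookie": "session=abc"}, {"cache-control": "public, max-age=600"}),
    ("/api/orders", {"authorization": "Bearer tok"}, {}),
    ("/api/cart", {"cookie": "session=abc"}, {"cache-control": "private, max-age=60"}),
    ("/api/profile", {"cookie": "session=abc"}, {"cache-control": "no-store"}),
    ("/static/logo.png", {}, {"cache-control": "public, max-age=86400"}),
]


def directives(value: str) -> Dict[str, str]:
    """Parse 'public, max-age=600' into {'public': '', 'max-age': '600'}."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip()
    return out


def is_authenticated(req: Headers) -> bool:
    # A session cookie or bearer token means the response is user-specific.
    return "cookie" in req or "authorization" in req


def check(path: str, req: Headers, resp: Headers) -> Optional[Tuple[str, str]]:
    if not is_authenticated(req):
        return None  # anonymous responses may be cached freely
    cc = directives(resp.get("cache-control", ""))
    if "no-store" in cc:
        return None  # the "cache nothing" default the post recommends
    if "public" in cc or ("max-age" in cc and "private" not in cc):
        return (path, "authenticated response is storable by shared caches")
    if "private" in cc:
        return (path, "private still allows browser caching; prefer no-store")
    return (path, "no Cache-Control; caches may apply heuristic freshness")


def audit(exchanges=SAMPLE_EXCHANGES) -> List[Tuple[str, str]]:
    """Return (path, reason) for every authenticated exchange that is cacheable."""
    return [f for f in (check(*e) for e in exchanges) if f]
```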

geonetix
Mar 6, 2011


McAfee has a SIEM? Oh my god, I wouldn't touch that with a 10 foot pole.

geonetix
Mar 6, 2011


dogstile posted:

If this thread has taught me anything it's that I should never get into infosec or I'll be abrasive and mad all the time.

I prefer cynical and alcoholic

geonetix
Mar 6, 2011


A CISO needs to be able to speak business and convince his peers and "higher ups" through common knowledge and relationships. Usually fed with domain knowledge. But my God, I pity you if you have a raw technical CISO. You're hosed. They are cursed with knowledge and more often than not struggle to get their very specific message across to people who regularly ask their son to reboot their laptops.

Oh and that they should report to CEO or COO is about right. If a CISO reports to CIO or CTO you're way on the track towards conflict of interest and you'll see the problem being turned back at you.

I reported to the audit committee of the supervisory board for actual content, and to the CEO for salary/bonus purposes. Advice and personal results are decoupled from what IT and Dev are doing, and that's good also: they have very different targets. Your strategy will lie in having them understand the importance of the strategy, and you make agreements based on that. However, as soon as they fail to live up to those agreements, shareholders will know in detail through the committee reports.

Moving on from infosec to privacy however gave me a lot more handholds to get poo poo done because somehow that suddenly hits home with colleagues.

That's my CISO story thanks for reading

geonetix
Mar 6, 2011


Apple keychain on iCloud or 1password are your only bets.

Keychain is fine, it integrates with basically all apps too

geonetix
Mar 6, 2011


long-rear end nips Diane posted:

They've got other problems to deal with for the next few months

But once those couple of months pass, privacy finally isn't a concern for them anymore, either.

geonetix
Mar 6, 2011


The Patriot Act also caused a lot of orgs to host and deploy their stuff in other regions to dodge that. Ironically nowadays a lot of it is with GCP/AWS/Azure, but the idea counts. Still, MSFT's fight over digital jurisdiction about the emails of drug dealers stored in Ireland is an interesting read.

geonetix
Mar 6, 2011


porktree posted:

Every time I see this it is because of SOX compliance written as 'passwords must be x char in length', instead of 'at least x char'. Then to comply with audit...

Any auditor worth their salt looks past this though

geonetix
Mar 6, 2011


IDA recently updated their free version to something from the past 20 years also, and it's really good.

geonetix
Mar 6, 2011


Nothing about that should surprise you about Facebook's conduct. What I'm surprised about is that Apple hasn't pulled their enterprise deployment license (yet?).

geonetix
Mar 6, 2011


ChubbyThePhat posted:

That's some crazy poo poo. Good find.

The best part is Microsoft saying “please wait on our patch”. Ok, Microsoft.

geonetix
Mar 6, 2011


Maybe true about logging, but I really like the idea of WAF detection at the TLS termination rather than having it fully routed through their "cloud".

geonetix
Mar 6, 2011


We’ll see about that in court!

geonetix
Mar 6, 2011


Turns out writing articles about security does not actually require understanding scope or preexisting levels of access and their complications, as long as you can poo poo on random tools even if your “finding” is hardly of consequence.

geonetix
Mar 6, 2011


Thanks Ants posted:

On browsers - have they stopped auto-completing forms where the field is hidden yet? I also feel there should be a way to prevent text entered into autocomplete fields from being sent to the server until the form is submitted.

Yes. This is now even a really annoying anti-pattern where, for example, the password field only shows up after entering your username. Thanks Delta.

geonetix
Mar 6, 2011


0xdude is a good follow also

geonetix
Mar 6, 2011


Lain Iwakura posted:

Look at all of that hot garbage.

One day when I am not writing a tonne of documentation on said hot garbage.

Is the Y axis short for "Ability to Remote Code Execute"?

geonetix
Mar 6, 2011


Lain Iwakura posted:

Outside sales is how I indicate how my time will be with them. I've had to have sales persons banned from my company due to their poor behaviour elsewhere.

My favorite sales person keeps spilling beans about his other customers. It’s great. He was really upset when we told him he wasn’t welcome to our meetings anymore.

geonetix
Mar 6, 2011


Doesn't surprise me that someone would describe that as an active attack when we're in an age where having your 18-year-old leaked password abused to steal your iCloud photos is called "hacking".

geonetix
Mar 6, 2011


fyallm posted:

LoL. Now imagine trying to get people into vulnerability management consulting.

I have a vacancy open for vendor babysitting. It’s a tough sell.

geonetix
Mar 6, 2011

Didn't know Trump took organization advice from the "failing" New York Times.

geonetix
Mar 6, 2011


stevewm posted:

I am all for security, but when it prevents your users from doing their job, you might need to re-think things...

HR recently had to get some camera footage to a state agency that they requested. We literally had no way to send it to them as they have EVERYTHING blocked. Given the nature of the agency, I am surprised at this, because it is something they surely need to do a lot.

It was too big to send via email, as their server helpfully informed us via bounce back that they could only accept up to 5MB max. Tried a Google Drive link, blocked. Dropbox, blocked. OneDrive link, blocked. Uploaded to an unlisted YouTube video, blocked. Some other random file send services, also blocked.

So they asked us to overnight it on a flash drive... I made sure to put the video on the drive in 4 different formats, just in case. MP4, AVI, the native 3GP, and even a self executing EXE standalone player. They received the USB flash drive; their computers are blocked from outside flash drives apparently.

They are currently waiting on their IT to come back with some sort of solution.

I still giggle every time I’m reminded the HMRC only accepts unencrypted digital revenue statement files through Dropbox or snail mail.

It's all a good case of the cybers.

geonetix
Mar 6, 2011


I like to believe the MS Teams team works with Teams themselves and that's why they can't get any poo poo done.

geonetix
Mar 6, 2011


Ynglaur posted:

I can confirm that they do.

I also like to believe they're so hyped up about Teams because the only comparison they have is Skype for Business and they have actually never collaborated with any other human being.

geonetix
Mar 6, 2011


The UNC bug I found a bit odd (but kudos for fixing it), but the privilege trampoline on OS X as part of their installation package is a lot worse. It still needs someone to have unprivileged local access in order to use it, of course, but come on.

geonetix
Mar 6, 2011


Cup Runneth Over posted:

How viscerally offensive would it be to SHA1-hash a password 100,000 times to send it to a database server to be bcrypted for storage if your threat model is "bored 13-year-olds," on a scale of "disappointed in you" to "crimes against data"?

This is not very far from any password stretching method, so yeah, not terrible, but also not great. But why don't you just use PBKDF2 or {b,s}crypt and let something do this for you?
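As an added example (not code from the thread), the chained SHA-1 construction from the question next to the salted PBKDF2 store the reply recommends; the function names, iteration counts and record layout are assumptions made for the example, and standard-library `hashlib` stands in for bcrypt.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000   # from the question
SERVER_ITERATIONS = 200_000   # assumed; tune to your own latency budget


def chained_sha1(password: str, iterations: int = CLIENT_ITERATIONS) -> bytes:
    """The ad-hoc stretch: re-hash the previous digest, no salt.

    The same password always yields the same bytes, so the output is just a
    password-equivalent secret: whoever captures it can replay it, and one
    precomputed table works against every user with that password.
    """
    digest = password.encode()
    for _ in range(iterations):
        digest = hashlib.sha1(digest).digest()
    return digest


def make_record(password: str, iterations: int = SERVER_ITERATIONS) -> dict:
    """Store with PBKDF2-HMAC-SHA256 and a fresh per-user random salt."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(key, record["key"])
```

Two users picking the same password get identical `chained_sha1` output but different `make_record` keys, which is the property the unsalted chain lacks.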

geonetix
Mar 6, 2011


I'm sure Alex "yahoo and facebook" Stamos is going to save them from this

geonetix
Mar 6, 2011


Did someone at GitHub try to move it to Azure and fail?

geonetix
Mar 6, 2011


Hubspot does the same: if you have an account that uses SSO, you can just call password reset and use either way. There's a lot of SaaS tooling that just implements SSO hilariously lovely.

geonetix
Mar 6, 2011


Shuu posted:

I literally cannot tell what Darktrace is supposed to do from their website.

Not surprising though. I just left a job (thank god) doing research and detection development for another enterprise security software company, and there was a huge push for UEBA and ML and AI all the other sexy buzzwords. No one in product leadership could describe what features they actually wanted, and any proof of concept work or references to ML projects other companies were working on were met with "yeah but not like that". Never did figure it out.

I think Darktrace's mission is to bother you as much as possible in the most aggressive way possible, while selling you absolutely nothing. It's the true shitstain of the industry.

geonetix
Mar 6, 2011


Potato Salad posted:

like, what threat model does darktrace help address

the threat model of your employer not spending enough money on bullshit

geonetix
Mar 6, 2011


The magical combination of EDR + Zscaler + device trust on authentication is fantastic for solving most problems, tbh.

geonetix
Mar 6, 2011


CyberPingu posted:

Oh...my...christ

Someone sent us a PoC to our responsible disclosure program, that he had uploaded to YouTube

lol this happens all the time, I just ask them to remove it and send them a box of goodies / gift cards after (if it was a valid finding). You'll make a friend who's on your side forever and ever.

geonetix
Mar 6, 2011


You know all those things that say "Do not expose to the internet", like vSphere, or Jenkins, or Redis, or k8s. People don't read that and just deploy.

geonetix
Mar 6, 2011


https://twitter.com/InvestorsLive/status/1407780136188002304?s=20

He hasn't been _really_ infosec in a while, of course, but still.

geonetix
Mar 6, 2011


I don't think he's been in a mentally healthy state for at least a decade. This news comes in an hour or so after there was an extradition agreement as well. I'm not speculating but 1+1 seems to make sense.

geonetix
Mar 6, 2011


klosterdev posted:

Is there a super-rich insurance where the moment you've lost all chance at living in luxury for the rest of your life an assassin is contracted by the company to kill you in jail

I feel like there should be
