some kinda jackal
Feb 25, 2003

Oh neat there's an infosec thread.

Currently freaking out about my impending CISSP debacle. Work is paying for it, but finance is v. bad at their jobs and has yet to actually send payment, so while I'm technically registered for, and can attend, the bootcamp on the 25th, I can't get my exam voucher yet, and now it's probably going to be like months between my camp and the exam.

Working on OSCP in Q1 anyway, infinitely more interesting.


some kinda jackal
Feb 25, 2003

Fun excuse to not be at work for a week at a time so I'll take it.

Unless it's this upcoming bootcamp which seems like it will be less fun than average.

some kinda jackal
Feb 25, 2003


fyallm posted:

Taking the dumb CISSP tomorrow. Wish me luck.

Good luck. I took it on Monday. It is indeed a dumb exam. Just remember to answer everything as if you're stuck in an elevator with your idiot CEO.

some kinda jackal
Feb 25, 2003

Eh, Paypal's implementation could be better. You can still fall back to using your generic secret questions, plus I think SMS MFA is just stupid anyway when you could implement a TOTP solution but I guess it's better than nothing.


Forgall posted:

I can't find anything at all about 2-factor anywhere in my account pages. Only options on Security tab are Password, Security questions, Customer service PIN and Stay logged in for faster purchases.

Are you adblocking anything? Just checked and mine is Gears Icon -> Security, and there I have "Password", "Security Questions", "Mobile PIN", "Customer Service PIN", "Security Key", and "Stay logged in bla bla"

some kinda jackal
Feb 25, 2003


CLAM DOWN posted:

root/calvin is my personal fave

This one was really convenient for me after a merger a few years ago.

some kinda jackal
Feb 25, 2003

Encrypt passwords with ROT-13 twice just to be extra secure.

some kinda jackal
Feb 25, 2003


unknown posted:

Back to infosec...

Literally :10bux: gets you a usb U2F/Fido security key from amazon. (https://www.hypersecu.com/products/hyperfido) Half the price of Yubico..

No reason to not do it any more.

Holy moly, thanks for pointing this out. I've been meaning to replace my dead yubi.

some kinda jackal
Feb 25, 2003

My biggest issue with this is that it's unlikely to ever be properly supported in Safari and I'm way too lazy to switch to Chrome or compile plugins and switch user agent strings on a per-site basis to hack this into working.

some kinda jackal
Feb 25, 2003

I put up a honeypot and a surprising number of bots just downloaded themselves right from github. If you want something that's out in the wild right now then just forward port 22 of a linux VM to your WAN IP, set the password to root/root and enjoy.

Sitting in IRC C&C channels and making fun of nerds was fun for a few days until I realized I could spend my time more productively..

some kinda jackal fucked around with this message at 22:58 on Jan 10, 2017

some kinda jackal
Feb 25, 2003

I never said it was the best method, but honeypotting was interesting and fun, so .. v:unsmith:v

some kinda jackal
Feb 25, 2003

You can always look at the risk/assurance side of the house rather than the actual nuts and bolts implementation or BAU infosec. I'm kind of pivoting my career to crosstrain in aspects of this because I'm not sure I want to jump in headfirst (I'm fairly happy with the governance and implementation side right now) but it seems like a really stable offshoot.

That's assuming that most companies separate the risk/assurance aspects away from the governance/implementation teams, which I've found to be the case at least in the financial sector I've been exposed to. Can't say whether that's true everywhere.

some kinda jackal
Feb 25, 2003


Subjunctive posted:

general system integrity rolls up to CIO or head of IT.

IMHO this seems like a disaster waiting to happen if you don't have a head of IT with the right mindset.

We were lucky enough to report directly to our CRO, same as the r/a side of the house. It really helps when we need someone to champion an issue or light a fire.

some kinda jackal
Feb 25, 2003

My inbox volume was fairly high this morning with staff asking which passwords they should change.

I'm probably three emails away from replying with

because I'm not psychic and I don't actually know or care which sites you have accounts on.

some kinda jackal
Feb 25, 2003

The most baffling disabling copy/paste is Namecheap's SMS "MFA" implementation. They won't let you paste into the textbox for the code.

Not that typing in those digits is annoying, but the fact that they thought this was the hill to die on. Were people pasting in from Messages.app really that big a threat? :haw:

some kinda jackal
Feb 25, 2003

How do you guys deal with "black box" products going into your environments that are really just Linux based appliances? Enforcing hardening standards seems unfeasible since you typically have no visibility into the inner workings of the solution but just trusting a vendor to harden the device seems like a foolish thing to do. I'm fairly sure if I go to a vendor and say "we need this hardened to CIS level 2" they'll just reply "nope" so all of a sudden I have to create exceptions for my own policies and hope to put enough compensating controls around the black box. I'm getting a headache trying to figure out what kinds of questions to even ask short of just asking vendors to describe the security of their appliance to me which will likely result in a boilerplate PDF with buzzwords.

This isn't even considering antimalware agents or HIDS.

some kinda jackal
Feb 25, 2003

Yeap, sounds about on par with my thinking. I'm working with a storage vendor right now to identify their hardening standards but after learning it was just based on a Linux distro, my initial thought was to isolate that thing so hard that it'll be drawing faces on volleyballs.

some kinda jackal
Feb 25, 2003


Mild annoyance at the fact that the serial numbers disclosed in the leak are to software I already own. No taxpayer-funded IDA Pro key for me, I guess.

some kinda jackal
Feb 25, 2003

My boss asked me which US security conference I wanted to attend this year and I just told her I'm not stepping foot across that border right now.

There's got to be something worthwhile in Europe or Canada instead.

some kinda jackal
Feb 25, 2003

I think the most sensitive things on my devices are my mail caches, and even then that's just proprietary information, not CHD/PII or anything like that. The company could FedEx me my devices to a hotel in the states but that seems like a lot of effort to go through to not send me to Europe, or at least that's how I'm going to try to position it :haw:

some kinda jackal
Feb 25, 2003

Chromebook is one idea, but if it's tied to my Google account I'm not really leaping for joy at giving my Gmail password at the border.

Honestly what I'll do is just reformat my lovely old macbook air if I ever do need to travel. Computer is less problematic than cellphone anyway. Divorcing myself from my daily mobile device is much more effort. I guess I could get a burner SIM or something.

I'll have to read that guide for Canadians as I have done absolutely zero research on this to date.

Thanks for the links.

some kinda jackal
Feb 25, 2003


Subjunctive posted:

Does the SIM matter? I don't think anything interesting on my phone is tied to the SIM.

No, you're right, I wasn't thinking.

Daman posted:

Canada actually has a bunch of the best conferences tbh, RECON cansecwest northsec etc

as a cheap floridian I'll probably never get the chance to hit these up

Yeah, I'm probably going to be at northsec and sector this year, but I'm also pushing for something more exotic :q:

some kinda jackal fucked around with this message at 02:35 on Mar 15, 2017

some kinda jackal
Feb 25, 2003

DEFCON is so ~~played out~~ man

some kinda jackal
Feb 25, 2003

Dodged a bullet there!

some kinda jackal
Feb 25, 2003

Has anyone done CCSP? Is there anything remotely interesting or useful in there? The outline isn't really a good indicator.

My manager wants me to take it along with her later this year so .. hey, free cert and raise .. but I hope it's more applicable than CISSP.

some kinda jackal
Feb 25, 2003

Yeah, I'm going to go for it just because. Didn't realize Lynda had any CCSP material. I'll have to check it out. Kind of want to go back through CISSP CBTs just to see if it matches up with what the test was like.

some kinda jackal
Feb 25, 2003

Anyone using Tenable's products to run CIS benchmarks against assets? Just wondering how well that works vs running CIS's own benchmarking tool. I'm trying to revamp our CVA processes and I'd love to just kill two birds with one.. software.. Strip out my custom cis-cat cronjob on every server, etc.

some kinda jackal fucked around with this message at 22:37 on Mar 27, 2017

some kinda jackal
Feb 25, 2003

Swank. I'm setting up a tenable.io trial right now. I like the idea of controlling everything from the cloud but I'm going to have to do a lot of due diligence to sell keeping a list of vulnerabilities and IPs in the cloud to my C-levels.

some kinda jackal
Feb 25, 2003


I... don't get it.

some kinda jackal fucked around with this message at 00:54 on Mar 28, 2017

some kinda jackal
Feb 25, 2003

Phew, I thought I was just missing something obvious by not making a connection.

some kinda jackal
Feb 25, 2003


Gyshall posted:

Not sure if this is the best place, but I'm a 20 year SysAdmin/Network admin and I'm looking to get into more of an infosec position in the next year or so.

I'm reading about CISSP certification.... Is this a good route to take? Any recommendations on methods or practice material?

What sort of position are you looking for? Infosec is a wide wide field.

CISSP requires five years of "verifiable" work experience in three (I think) of its domains, which you can probably talk your way through if you did any serious jack-of-all-trades sysadmin duties, and it'll get you on recruiter lists, but to be honest it won't really land you a job in and of itself without actual security experience. What material I'd recommend would depend entirely on the path you want to choose. CISSP is too "managerial", so even if you just wanted to use it to learn instead of get your foot in the door I still wouldn't recommend it as a source of real world security knowledge.

SANS runs a lot of good courses but you need to sell a kidney if work isn't paying for them. OSCP I guess if you're interested in offensive security. I don't really know much about the entry level sec certs like Sec+ or CEH though, sorry.

some kinda jackal
Feb 25, 2003

Just my two cents but I have to believe that there are way better sources for picking up cryptography than the ISC2 material.

Maybe check out the 11th Hour CISSP book for a much more readable version of the syllabus if you're really interested.

some kinda jackal
Feb 25, 2003


CLAM DOWN posted:

Oh my god ArcSight is such a bloated piece of poo poo

Agreed 100%, and also "this but QRadar"

And also most SIEMs

I'd still rather use ArcSight over anything else, if it weren't as expensive as it is bloated.

some kinda jackal
Feb 25, 2003

Ugghhghghg you can't create exceptions in Nessus for compliance scan items? Do I seriously need to export CSVs and come up with some custom database to report on only items I care about?


Solaron posted:

My only experience with SIEM is NetWitness (formerly Security Analytics, formerly NetWitness), which we use at my current employer. How does that stack up?

I thought I'd touched a lot of SIEMs but I always forget about this one. I had the misfortune of having to work with RSA enVision a few years ago and I think that set the bar for the worst software I have ever used in my entire life.

some kinda jackal
Feb 25, 2003


Double Punctuation posted:

“So what are we having for dinner today?”

“Nice, succulent, slow-cooked cloud computing.”

This is stupid and I'm not siding with the company, but I'm genuinely surprised there are so many people using the app. It takes me longer to open the app, connect it to my Anova, and set the temperature than it does to just walk up to the Anova (which I have to do, to turn on BT) and turn the knob to set temperature. It's literally "app for the sake of having an app".

some kinda jackal
Feb 25, 2003

My surefire method of firewall review for PCI compliance is:

Delegate it to someone with more patience (who is obligated to do what you say)

some kinda jackal fucked around with this message at 00:33 on Apr 20, 2017

some kinda jackal
Feb 25, 2003

I'm not the PCI dude so maybe I'm interpreting the requirements incorrectly, but in my mind the intent of the firewall audit is to be certain that the rules you have in place are least privilege and up to date. So I mean you could have rules which may have been put in incorrectly, or made sense at one point, but no longer make sense, applications/servers that were decommissioned still being granted access through zones, etc.

I can run a scan against a subnet and it won't trigger if the server that was decommissioned is down, but that doesn't mean the rule shouldn't be removed once found. Just stuff like that.

some kinda jackal fucked around with this message at 01:32 on Apr 20, 2017
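As an added example (not code from the thread or from any product it mentions), the kind of cross-check the post above describes, run over a constructed rule base and a constructed inventory of documented host/port services: a rule is flagged stale when its destination host is no longer in inventory, broad when it allows any source or any port, and undocumented when the port is not a known service on that host. A live scan would miss the first case while the host is down, which is the point made above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str      # rule label as it appears in the firewall config
    src: str       # source zone or CIDR; "any" is overly broad
    dst_host: str  # destination asset name
    ports: str     # "443", "1433", ... or "any"


# Constructed sample data (hypothetical names): hosts still in service,
# each mapped to the ports documented as listening services on it.
INVENTORY = {
    "web01": {"443"},
    "web02": {"443"},
    "db01": {"1433"},
}

# Constructed rule base that has drifted from the inventory above.
RULES = [
    Rule("dmz-to-web01-https", "dmz", "web01", "443"),
    Rule("dmz-to-web02-https", "dmz", "web02", "443"),
    Rule("app-to-db01-sql", "app", "db01", "1433"),
    Rule("app-to-db01-ssh", "app", "db01", "22"),       # port not documented
    Rule("app-to-db02-sql", "app", "db02", "1433"),     # db02 decommissioned
    Rule("vendor-to-web01", "any", "web01", "any"),     # any/any, not least privilege
]


def classify(rule, inventory):
    """Classify one rule; the most serious finding wins (stale > broad > undocumented)."""
    if rule.dst_host not in inventory:
        return "stale"
    if rule.src == "any" or rule.ports == "any":
        return "broad"
    if rule.ports not in inventory[rule.dst_host]:
        return "undocumented"
    return "ok"


def review(rules, inventory):
    """Group rule names by finding so each bucket can go to the right owner."""
    findings = {"stale": [], "broad": [], "undocumented": [], "ok": []}
    for rule in rules:
        findings[classify(rule, inventory)].append(rule.name)
    return findings


if __name__ == "__main__":
    for category, names in review(RULES, INVENTORY).items():
        print(f"{category:12} {', '.join(names) or '-'}")
```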

some kinda jackal
Feb 25, 2003

The problem is that the PCI guy will just say this needs to be done and documented and supporting evidence made available. You still need to do the work yourself, or if you're someone who doesn't have intimate knowledge of every single port and component of an application that has to communicate between zones then you'd better hope you have up to date documentation (hint: you probably don't), because then that means week long meetings with business owners while they try to track down engineers responsible for everything and make them come to "useless" meetings.

That's why I try to push to do reviews quarterly to not let too much cruft build up, before things have a chance to wildly deviate from what I remember last time.

When I went through my first PCI audit the QSA chuckled and told me that it stands for "Pain Commences Immediately" and we all had a laugh. Little did I know he wasn't joking.

some kinda jackal fucked around with this message at 02:07 on Apr 20, 2017

some kinda jackal
Feb 25, 2003

What's a good go-to management system when you're responsible for storing and managing things like encryption keys, privileged account usernames and passwords, private keys, etc? I'm looking at Vault Enterprise, is there anything similar? My google-fu comes up with a lot of KEY management systems, but I don't want to look at solutions for specific types of secrets, just a generic secure secret vault. I have a number of HSMs kicking around I'd love to repurpose for this which is why I'm leaning towards Vault but I don't know if there's anything better.

some kinda jackal
Feb 25, 2003

https://www.theregister.co.uk/2017/06/12/tata_bank_code_github/

quote:

Staff at Indian outsourcing biz Tata uploaded a huge trove of financial institutions' source code and internal documents to a public GitHub repository, an IT expert has claimed.

Let's hope nobody hardcoded anything fun in :stonklol:


some kinda jackal
Feb 25, 2003

The most annoying thing about Petya isn't Petya itself, it's the hundred AV vendors who suddenly have my email address out of the blue barraging me with "information" about how their product will protect my org.

And then the cold calls.

I'm going to start getting fake email/phone business cards printed up for trade shows.
