wyoak posted: I just ran into an issue where some of our partners were pulling the incorrect IPv4 addresses for their payment processor (CES / FirstData). According to good old What's My DNS, most of the world has it correct, but there are a few out there (in Pakistan and Australia at the time I ran the test) with the 45.x.x.x address. Might be something malicious, might just be a misconfiguration. But anyway, it's NOT just you, and the datawire people are the ones who need to look into it and fix it. https://www.whatsmydns.net/#A/vxn.datawire.net
Jul 13, 2018 23:53

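The check the post above describes doing by hand with whatsmydns.net (do different resolvers return the same A record for a name?) can be scripted. The following is an added example, not code from the poster or from any site mentioned here: it sends a raw DNS A query over UDP to each resolver in a list, parses the answer section, and reports which resolvers disagree with the majority answer. The resolver addresses in the `__main__` block are assumed public resolvers, the name `example.com` is a stand-in for the record you actually care about, and the `sample_response()` bytes are constructed for illustration rather than captured.

```python
from __future__ import annotations

import random
import socket
import struct
from collections import Counter


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS query for an A record (RD bit set, one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> list[str]:
    """Return the sorted IPv4 addresses found in the answer section of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (reply is not for our query)")
    if flags & 0x000F:
        raise ValueError(f"resolver returned rcode {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def query_a(name: str, resolver: str, timeout: float = 3.0) -> list[str]:
    """Ask one resolver (by IP address) for the A records of name over UDP port 53."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def find_outliers(answers: dict[str, list[str]]):
    """Majority answer set across resolvers, plus the resolvers whose answer differs."""
    counts = Counter(tuple(a) for a in answers.values())
    consensus = counts.most_common(1)[0][0]
    outliers = {r: a for r, a in answers.items() if tuple(a) != consensus}
    return consensus, outliers


def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed (not captured) reply: example.com -> 192.0.2.10, 192.0.2.11."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    answers = b""
    for ip in ("192.0.2.10", "192.0.2.11"):
        # 0xC00C is a pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answers


if __name__ == "__main__":
    # Assumed public resolvers; substitute the resolvers your partners actually use.
    resolvers = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]
    name = "example.com"
    results = {}
    for r in resolvers:
        try:
            results[r] = query_a(name, r)
        except (OSError, ValueError) as exc:
            print(f"{r}: query failed ({exc})")
    if results:
        consensus, outliers = find_outliers(results)
        print(f"consensus for {name}: {list(consensus)}")
        for r, a in outliers.items():
            print(f"DISAGREES {r}: {a}")
```

A resolver that disagrees with the majority is only a lead, not proof of tampering: a CDN or split-horizon setup can legitimately hand out different addresses by region, so the next step is to compare the outlier against the authoritative name servers for the zone before concluding that a cache was poisoned or misconfigured.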
https://twitter.com/matthew_d_green/status/1018197338878341120 https://twitter.com/matthew_d_green/status/1018203991463915520 There's a bunch more in that thread.
Jul 14, 2018 19:43

For the grizzled and seasoned infosec pros in this thread: Would you recommend making the jump from IT Manager to CISO at an organization with ~700 employees? We don't currently have a separate infosec team, so I am already performing much of the function already.
Jul 17, 2018 03:23

adorai posted: For the grizzled and seasoned infosec pros in this thread: Would you recommend making the jump from IT Manager to CISO at an organization with ~700 employees? We don't currently have a separate infosec team, so I am already performing much of the function already.
Yes, but be aware A) the job, if done right, is VERY different than typical manager positions. You will be the one setting policy and practices and all responsibility for security starts and stops with you. B) You’ll spend more time in meetings than you thought existed. C) You’ll be painting a BIG target on your back.
Jul 17, 2018 03:36

Proteus Jones posted: Yes, but be aware A) I already do this. B) I already do.
Jul 17, 2018 03:46

Who would you report to? You need high-level buy-in from the start; if you don’t have that, or are not in a position to be able to quickly build it, things might be tough.
Jul 17, 2018 03:56

Albinator posted: Who would you report to? You need high-level buy-in from the start; if you don’t have that, or are not in a position to be able to quickly build it, things might be tough.
Typically a CISO will report directly to the CEO or COO. Occasionally for very large companies, I've heard of them reporting to the CIO, but that seems counterproductive.
Jul 17, 2018 03:57

Albinator posted: Who would you report to? You need high-level buy-in from the start; if you don’t have that, or are not in a position to be able to quickly build it, things might be tough.
Management buy-in would not be an issue.
Jul 17, 2018 03:58

adorai posted: I am in the position where I am trying to decouple IS from IT already. I am on a first name basis with every executive as well as numerous board members. If I were to guess, the reporting would be a solid line to the board with dashed lines to the CIO and the CRO.
I'd definitely go for it. I'm currently fighting the "divorce IS from IT" battle myself. I'm getting some traction, but it's so god drat frustrating to explain to people why it needs to be done over and over again.
Jul 17, 2018 04:04

Proteus Jones posted: I'd definitely go for it.
I work for a bank so I can fall back on the FFIEC guidance. Lucky, I guess.
Jul 17, 2018 04:09

Proteus Jones posted: I'd definitely go for it.
Jul 17, 2018 04:15

Proteus Jones posted: Typically a CISO will report directly to the CEO or COO. Occasionally for very large companies, I've heard of them reporting to the CIO, but that seems counterproductive.
In one large company I worked for, the CSO reported to the GC.
Jul 17, 2018 15:46

Subjunctive posted: In one large company I worked for, the CSO reported to the GC.
CSO or CISO? And what is GC?
Jul 17, 2018 15:54

CLAM DOWN posted: CSO or CISO? And what is GC?
CSO, responsible for both internal IT and product-behaviour security. GC is general counsel.
Jul 17, 2018 15:57

Subjunctive posted: CSO, responsible for both internal IT and product-behaviour security. GC is general counsel.
I've never heard it being done that way, but that might be a good way to ensure compliance. "Do this, because not doing this can open us up from a liability standpoint". Plus it keeps InfoSec silo'd away from IT.
Jul 17, 2018 16:01

Subjunctive posted: CSO, responsible for both internal IT and product-behaviour security. GC is general counsel.
I've never heard of a CSO being that, and never heard of one reporting to a lawyer.
Jul 17, 2018 16:05

Proteus Jones posted: Plus it keeps InfoSec silo'd away from IT.
This is not a good thing.
Jul 17, 2018 16:05

CLAM DOWN posted: This is not a good thing.
I'm not saying IS shouldn't work with IT, but security should absolutely have a different reporting line than IT. Especially when it comes to incident handling and postmortems. IT should not be investigating itself.
Jul 17, 2018 16:10

CLAM DOWN posted: I've never heard of a CSO being that, and never heard of one reporting to a lawyer.
You have now!
Jul 17, 2018 16:16

Proteus Jones posted: I'm not saying IS shouldn't work with IT, but security should absolutely have a different reporting line than IT. Especially when it comes to incident handling and postmortems. IT should not be investigating itself.
Operations reports through CTO, security through CISO/CIO.
Jul 17, 2018 16:40

BangersInMyKnickers posted: Operations reports through CTO, security through CISO/CIO
Good call, I wasn't thinking about Ops.
Jul 17, 2018 17:18

adorai posted: A) I already do this.
There's a diff between implementing policies and implementing policies well. I've seen several new CISOs think their word is law and gently caress you just immediately lose control and try to fight back to respect through years of corporate security report bitch work. Important is also your relationship with not only the other executives (you should be able to turn any complex CVE into a three sentence explanation with an additional sentence to explain why your company is at risk) but also business. Mannnn, the wins I got because I knew and was socially connected to the people that made the money. If they are on your side, even the CIO will not be able to gently caress with you if business has a stink in their mind about security.
Jul 17, 2018 17:40

EVIL Gibson posted: CISOs should be able to turn any complex CVE into a three sentence explanation
I wanna know what CISOs you've been hanging around, the majority of the ones I have had interactions with would struggle stringing 3 sentences together and that's even before we start getting things like computers involved.
Jul 17, 2018 18:05

Sorry your CISO sucks, mine is good.
Jul 17, 2018 18:12

Proteus Jones posted: I'm not saying IS shouldn't work with IT, but security should absolutely have a different reporting line than IT. Especially when it comes to incident handling and postmortems. IT should not be investigating itself.
But the police do it, and look how well that works!
Jul 17, 2018 18:12

22 Eargesplitten posted: But the police do it, and look how well that works!
Seems to work fine for them, pensions, job security, and if you gently caress up at work and ruin lives you get a free vacation... hold a sec while I talk to management about a reorg.
Jul 17, 2018 18:20

SeaborneClink posted: I wanna know what CISOs you've been hanging around, the majority of the ones I have had interactions with would struggle stringing 3 sentences together and that's even before we start getting things like computers involved.
My angle is I try to turn the target to "us as the company" rather than "random Linux machine". Educated generalizations are key.
Jul 17, 2018 18:51

ElCondemn posted: Seems to work fine for them, pensions, job security, and if you gently caress up at work and ruin lives you get a free vacation... hold a sec while I talk to management about a reorg.
get a union!
Jul 17, 2018 20:07

wrong thread
Jul 17, 2018 20:09

A CISO needs to be able to speak business and convince his peers and "higher ups" through common knowledge and relationships. Usually fed with domain knowledge. But my God, I pity you if you have a raw technical CISO. You're hosed. They are cursed with knowledge and more often than not struggle to get their very specific message across to people who regularly ask their son to reboot their laptops.

Oh and that they should report to CEO or COO is about right. If a CISO reports to CIO or CTO you're way on the track towards conflict of interest and you'll see the problem being turned back at you. I reported to the audit committee of the supervisory board for actual content, and to CEO for salary/bonus purposes. Advice and personal results are decoupled from what IT and Dev are doing, and that's good also: they have very different targets. Your strategy will lie in having them understand the importance of the strategy and you make agreements based on that. However, as soon as they fail to live up to those agreements, shareholders will know in detail through the committee reports.

Moving on from infosec to privacy however gave me a lot more handholds to get poo poo done because somehow that suddenly hits home with colleagues. That's my CISO story, thanks for reading.
Jul 17, 2018 20:26

ElCondemn posted: pensions, job security
The nerve
Jul 17, 2018 21:06

I got a yubikey and I’m starting to have some buyer's remorse. Seems like the implementations and vendor support aren’t really there yet, especially for mobile. Like for google I have to use chrome to use it for authentication. I guess I should have read closer into it.
Jul 19, 2018 20:32

skooma512 posted: I got a yubikey and I’m starting to have some buyer's remorse. Seems like the implementations and vendor support aren’t really there yet, especially for mobile. Like for google I have to use chrome to use it for authentication.
U2F is a great idea that just isn't ready for primetime outside Enterprise space. Hell, Google still "strongly recommends" putting a phone number as a backup 2FA, completely defeating the point of using non-SMS 2FA options. Asking companies to support USB/NFC dongles is apparently asking the impossible at the moment. And have fun selling ordinary people on the need to buy a $50-$100 phone-compatible auth dongle when we still can't even get more than a third of them to spend a few bucks a month on password managers.
Kerning Chameleon fucked around with this message at 20:56 on Jul 19, 2018
Jul 19, 2018 20:44

G Suite can ask people for an employee ID as well now, though that's not much use if all your staff wear their lanyards on the train and people are really determined to get into your systems. Windows is going to work with FIDO2 shortly, so with any luck that will kick adoption up a notch.
Jul 19, 2018 20:51

Can anyone recommend a good, free password vault for iOS that supports sync? My 73-year-old mom is finally willing to move away from having a printed list of passwords, her only devices are an iPad and an iPhone, but I can't seem to find anything good as far as keepass apps.
Jul 19, 2018 22:55

Does the iOS vault not sync between devices? I use 1password and like it. There is an extension to fill passwords in iOS. And in iOS 12, they are supposed to support auto-fill.
Jul 19, 2018 23:00

I wouldn't recommend Keepass for non-techies, anyway. In my experience, Keepass is just a bit too finicky and user-unfriendly for regular older folks to use without handholding. 1Password is your best bet in this case.
Jul 19, 2018 23:15

Apple keychain on iCloud or 1password are your only bets. Keychain is fine, it integrates with basically all apps too.
Jul 19, 2018 23:19

Thanks. I was thinking keychain but have no experience with it. I'll let her know it's the recommended option.
Jul 20, 2018 01:07

Dropbox account and iOS app Keepass Touch are also an option. Fair comments about simplicity/usability, though.
Jul 20, 2018 02:08