|
xtal posted:Maybe there's a better thread for this, but I have a friend who works in HR and they want to use their people skills to get hired as a social engineer. Does anyone have recommendations for certifications, courses or must-read books, or other tips about how to get a job doing soceng? They've already read the books by Hadnagy and Mitnick. I feel that doing social engineering is a part of doing pen-testing stuff, rather than a job unto itself, or at least I've never come across it scouring for security jobs/titles. I could be wrong though.
|
# ? Sep 18, 2019 00:38 |
|
Defenestrategy posted:I feel that doing social engineering is a part of doing pen-testing stuff, rather than a job unto itself, or at least I've never come across it scouring for security jobs/titles. I could be wrong though. I think it’s called espionage.
|
# ? Sep 18, 2019 00:43 |
|
Find a grifter, if they can convince you they're worth hiring despite their complete lack of qualifications, they can probably talk their way into anywhere.
|
# ? Sep 18, 2019 00:46 |
|
Subjunctive posted:I think it’s called espionage. Oh. According to an FBI guy that came and gave a talk to the InfoSec department at my school: the Chinese are scouring college campuses for people like us (IT/CS nerds), and they'll give you tuition assistance, and a stipend to grab any kind of government/DoD contractor job, also that they'll bribe you with northwards of 250k to pass on information, but that was being a cheap date and you should ask for more. What I'm saying is the Chinese seem to be way kinder to American entry-level college grads than American companies.
|
# ? Sep 18, 2019 00:50 |
|
I mean, I’m not recommending against it. I will say that HR people skills don’t seem like the kind that suit themselves well to soceng. Everyone always knows when the HR person is lying, they just can’t do anything about it. You want someone in sales or private equity or Congress.
|
# ? Sep 18, 2019 00:53 |
|
Defenestrategy posted:I feel that doing social engineering is a part of doing pen-testing stuff, rather than a job unto itself, or at least I've never come across it scouring for security jobs/titles. I could be wrong though. Yeah, the only people who do social engineering or physical security that I've seen are also pentesters. Unfortunately that area is super saturated; when I did campus recruiting for my security engineering team probably 95% of the people looking for security jobs wanted to be pentesters. The media tends to portray the sexy side of red teaming (or the .01% of people like Mitnick who are super specialized), but not so much the hard technical skills, report writing, and miserable consulting lifestyle that come with it.
|
# ? Sep 18, 2019 04:04 |
|
Yeah, when you tell interns that Red Teaming is mostly documentation and report writing with some cool exploitation mixed in, they tend to get a little less interested.
|
# ? Sep 18, 2019 04:14 |
|
Man, I would so sign up for that if I weren't disabled. I wrote documentation, and I think this sort of thing is fun.
|
# ? Sep 18, 2019 04:18 |
|
CommieGIR posted:Yeah, when you tell interns that Red Teaming is mostly documentation and report writing with some cool exploitation mixed in, they tend to get a little less interested. LoL. Now imagine trying to get people into vulnerability management consulting.
|
# ? Sep 18, 2019 04:47 |
|
Defenestrategy posted:According to an FBI guy that came and gave a talk to the InfoSec department at my school: the Chinese are scouring college campuses for people like us (IT/CS nerds), and they'll give you tuition assistance, and a stipend to grab any kind of government/DoD contractor job, also that they'll bribe you with northwards of 250k to pass on information, but that was being a cheap date and you should ask for more. Proving once again Bernie is right to push for free college education.
|
# ? Sep 18, 2019 05:12 |
|
Arsenic Lupin posted:Man, I would so sign up for that if I weren't disabled. I wrote documentation, and I think this sort of thing is fun. You should do it. Being disabled doesn't mean you can't be a pen tester.
|
# ? Sep 18, 2019 14:20 |
|
CommieGIR posted:You should do it. Being disabled doesn't mean you can't be a pen tester. Depends on the disability, I imagine.
|
# ? Sep 18, 2019 14:39 |
|
Subjunctive posted:Depends on the disability, I imagine. True, but I wouldn't want someone feeling like they can't try it out.
|
# ? Sep 18, 2019 14:53 |
|
CommieGIR posted:True, but I wouldn't want someone feeling like they can't try it out. That's really kind and thoughtful of you. Unfortunately, my disability is a chronic pain disorder, not something that accessibility/adaptability aids will help.
|
# ? Sep 18, 2019 15:05 |
|
fyallm posted:LoL. Now imagine trying to get people into vulnerability management consulting. I have a vacancy open for vendor babysitting. It’s a tough sell.
|
# ? Sep 18, 2019 15:11 |
|
Arsenic Lupin posted:That's really kind and thoughtful of you. Unfortunately, my disability is a chronic pain disorder, not something that accessibility/adaptability aids will help. What do you do for work right now? Are you IT? If so: There's no reason you can't do the more technical side and documentation side of Pen Testing.
|
# ? Sep 18, 2019 15:24 |
|
CommieGIR posted:What do you do for work right now? Are you IT? If so: There's no reason you can't do the more technical side and documentation side of Pen Testing. There will be customers who do not want physical presence pen testing to be part of it (for whatever reason), and there are plenty of garbage firms that just run automated scanning tools and call it a day.
|
# ? Sep 18, 2019 15:29 |
|
CommieGIR posted:Yeah, when you tell interns that Red Teaming is mostly documentation and report writing with some cool exploitation mixed in, they tend to get a little less interested. It's even worse. You might have gotten into some really odd places or installed a Pi in a network jack in the meeting room, but you have to word the document in a way that does not come across as creepy even when you are stating the facts. "We were able to convince the secretary to buzz us through the east wing and were then able to install a remote admin server in the baby nursing room" is not what you want to put down at all even though it is WHAT you did. You might change "nursing room" to Room-342B but everyone reading the report knows what room that is and a stranger was in there doing things.
|
# ? Sep 18, 2019 15:58 |
|
EVIL Gibson posted:It's even worse. You might have gotten into some really odd places or installed a Pi in a network jack in the meeting room, but you have to word the document in a way that does not come across as creepy even when you are stating the facts.

Documentation is critical. I had an engagement where we both slipped past the secretary and got into a sensitive area, and we managed to GUESS the root password to the DB server. Extensive photos and documentation for both (very flat network). They didn't believe us when we told them until we pointed at the specific captures/images in the exit meeting. They got furious, claiming it wasn't possible until they saw the photos and the file list from their DB server, as well as a table export from their DB user table.

Volmarias posted:There will be customers who do not want physical presence pen testing to be part of it (for whatever reason), and there are plenty of garbage firms that just run automated scanning tools and call it a day.

Yup, and there are plenty of Pen Test firms out there who just want technical assets and will help handle documentation efforts for the final report. Some audit teams even have a dedicated EM who just collects the documentation for final presentation.

CommieGIR fucked around with this message at 16:07 on Sep 18, 2019 |
# ? Sep 18, 2019 16:01 |
|
Not sure if this is the right thread for this. My company has been hit by the Ryuk ransomware. I have my own keyboard and mouse at the office that I brought in from home. It seems like my keyboard has upgradeable firmware which would mean it could be written to. I'm not sure about the mouse. Are these vectors for spreading infection? Should I not use these peripherals on my home network again after this?
|
# ? Sep 18, 2019 16:22 |
|
Shofixti posted:Not sure if this is the right thread for this. My company has been hit by the Ryuk ransomware. I have my own keyboard and mouse at the office that I brought in from home. It seems like my keyboard has upgradeable firmware which would mean it could be written to. I'm not sure about the mouse. Are these vectors for spreading infection? Should I not use these peripherals on my home network again after this?

Not likely, Ryuk is mostly spread via network, PowerShell, and a combination of other things.

quote:An obfuscated PowerShell script is executed and connects to a remote IP address.
|
# ? Sep 18, 2019 16:26 |
|
CommieGIR posted:What do you do for work right now? Are you IT? If so: There's no reason you can't do the more technical side and documentation side of Pen Testing.
|
# ? Sep 18, 2019 16:28 |
|
Arsenic Lupin posted:You're very very kind, but I'm disabled, as in on Social Security Disability. If I hadn't become disabled I'd still be working for a very large search company. If I were able to do any sort of work, I would be doing it. No reason you can't set up a little lab and be an amateur researcher then. There's plenty of need, and I doubt you are the sort to sit idle.
|
# ? Sep 18, 2019 16:34 |
|
Arsenic Lupin posted:You're very very kind, but I'm disabled, as in on Social Security Disability. If I hadn't become disabled I'd still be working for a very large search company. If I were able to do any sort of work, I would be doing it.

I am good friends with someone who is legally blind. He cannot see anything without zooming in at least 20 times. Watching him run applications is wild because he knows where everything should be on the desktop while only being able to see 1/20 of it at a time.

One thing I would recommend is getting the certs to do basically the rote stuff and knowing how to report it is easy but you really make money if you really get into a subject and become an expert at it. Like reversing, web security (not just running scans, but knowing what to look for to give you a hint something is wrong), or hardware compromises (knowing how to find the JTAG ports or bypassing logic on the board); the list is never-ending.

Another friend works at a large DNS company and told me about how they hired someone because he was good enough at the DNS protocol to the point he was making the servers respond in a way even network experts had no clue was possible. It's been a while since I heard the last story (drunk at DerbyCon) but it was something like figuring you could push shellcode into the DNS flag field and getting netcat to talk back. Flags are only supposed to be 1 to 4 bits long but he was able to make the server ignore this and continue reading. Or something like that.

Final suggestion: get interested in something and get passionate about it. Learn something on your own time that you feel will be cool to do. Even if it's something like following a guide to root a Nintendo Switch and trying to figure out by watching talks/papers and learning how it actually works. Doesn't have to be that but something you are interested in already.
|
# ? Sep 18, 2019 18:25 |
|
Arsenic Lupin posted:You're very very kind, but I'm disabled, as in on Social Security Disability. If I hadn't become disabled I'd still be working for a very large search company. If I were able to do any sort of work, I would be doing it. You've had enough time and energy to set up a Shitposting as a Service sole proprietorship, surely you can do something new
|
# ? Sep 18, 2019 18:42 |
|
EVIL Gibson posted:Final suggestion: get interested in something and get passionate about it. Learn something on your own time that you feel will be cool to do. Even if it's something like following a guide to root a Nintendo Switch and trying to figure out by watching talks/papers and learning how it actually works. Doesn't have to be that but something you are interested in already. This is the best advice. Don't let your disability keep you from something you love, and even if you can't work, Security is very much driven by the community, and you can be a member of that community, no job necessary. Never stop learning.
|
# ? Sep 18, 2019 19:03 |
|
Yes, let's all tell the disabled person exactly what they can and can't do on account of their disability, of which we know nothing except the vague category that it falls into.
|
# ? Sep 18, 2019 19:59 |
|
Powered Descent posted:Yes, let's all tell the disabled person exactly what they can and can't do on account of their disability, of which we know nothing except the vague category that it falls into. It's like you didn't even read the posts you are fake raging about.
|
# ? Sep 18, 2019 20:04 |
|
Stop.
|
# ? Sep 18, 2019 20:07 |
|
fyallm posted:LoL. Now imagine trying to get people into vulnerability management consulting. ayy i do vuln management (and automation and IDR and and and and, whatup small teams). I'd love for you to expound on what vuln management consulting is like. I'm imagining either: A) "no really you should be scanning a lot and build out a program where stakeholders own the risk their department generates and yes definitely patching" B) "I will build configure and run TVM for you for 3 months and then hand it off peace" my next steps after my current job are pretty limited if I'm looking for continued growth; either a Very Small company where i own more poo poo, a very large company where I own one thing and get to dig in, or consulting to grab even more breadth, pay, and lose my social life. Any deets you wanna pass on wrt consulting i'd love to hear.
|
# ? Sep 18, 2019 20:29 |
CLAM DOWN posted:Stop. Also, Linus is Linusing around again.
|
|
# ? Sep 18, 2019 22:08 |
|
Why am I not just blocking all of China?
|
# ? Sep 19, 2019 00:39 |
|
The Fool posted:Why am I not just blocking all of China? We're about ready to, we have a small team in China but they are largely whitelisted by provider IP.
|
# ? Sep 19, 2019 00:40 |
|
D. Ebdrup posted:In the name of love? Well, I can see the point Linus is trying to make. He is saying that if you think random is always going to be random, then you should know why random and urandom exist in Linux and realize why they are different and what case to use either in. If you throw in a random call but have not set a seed, where are you pulling that and the entropy source?
|
# ? Sep 19, 2019 02:10 |
|
Yeah, mandatory 2FA for all logons from outside North America will be coming to our systems soon.
|
# ? Sep 19, 2019 02:10 |
|
2FA on phones has been proven to be hopelessly insecure (duh). Are any of you going with some sort of biometric system on the laptop, or are you sticking to Yubikeys and similar?
|
# ? Sep 19, 2019 02:31 |
|
Arsenic Lupin posted:2FA on phones has been proven to be hopelessly insecure (duh). Are any of you going with some sort of biometric system on the laptop, or are you sticking to Yubikeys and similar? "on phones" or "via SMS codes"?
|
# ? Sep 19, 2019 02:48 |
|
Arsenic Lupin posted:2FA on phones has been proven to be hopelessly insecure (duh). Are any of you going with some sort of biometric system on the laptop, or are you sticking to Yubikeys and similar? It's not so much mobile 2FA as it is SMS 2FA, right?
|
# ? Sep 19, 2019 02:49 |
|
Arsenic Lupin posted:2FA on phones has been proven to be hopelessly insecure (duh). Are any of you going with some sort of biometric system on the laptop, or are you sticking to Yubikeys and similar?

SMS MFA is insecure, mobile apps like the Google and Microsoft Authenticator apps are fine.

BangersInMyKnickers posted:Yeah, mandatory 2FA for all logons from outside North America will be coming to our systems soon.

We have mandatory MFA for any logon outside of our primary network.
|
# ? Sep 19, 2019 02:51 |
|
The Fool posted:We have mandatory MFA for any logon outside of our primary network. Yeah, this is the route to go unless you are all remote workers or something. Which then I guess all <insert country> might make more sense but I'd probably just do MFA all the time instead.
|
# ? Sep 19, 2019 02:53 |