rafikki posted: Other than the age old "OT is a secfuck nightmare" advice, are there any good resources I can start following about industrial/manufacturing specific infosec concerns? Doing some work for a customer in that space and anything I could start following with topical news would be appreciated.

First off, good luck! I fought that battle for a while at a previous employer and there was always such a divide between IT and the wrench turners that it was hard to get anywhere. NIST has/had some generic guidelines that are a good starting-off point - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

# ? Feb 2, 2021 20:07
Here we go...

# ? Feb 2, 2021 21:20
BaseballPCHiker posted: First off good luck! I fought that battle for a while at a previous employer and there was always such a divide between IT and the wrench turners that it was hard to get anywhere.

This would be my advice as well. I've done a couple of audits on industrial areas, and ICS is one of those weird things Business and IT tend to view as "Not IT" despite being connected to their network, which results in some scary and downright laughable exploitation opportunities.

# ? Feb 2, 2021 21:41
That's helpful, thanks! I have a subscription to the CISA industrial control systems advisories as well. Any recommendations for news sites/blogs/twitter accounts or whatever that I can follow for topical updates? Active campaigns targeting this sector, that sort of thing.

# ? Feb 2, 2021 21:54
Has anyone done the CCSP? I'm weighing the value of this exam versus actual technical exams in useful cloud spaces. My experience with CISSP is that I learned and retained almost zero useful or applicable information, that I didn't already have, coming out of that training. It did have the happy effect of raising my value and compensation significantly. I'm not sure CCSP is as "sought after", and I doubt it would have any stacking effect on compensation, so I guess it would be more useful for any actual cloud security practices knowledge it imparts, but I can't really get a good feel versus just taking the AWS or Azure security tracks.

# ? Feb 4, 2021 15:25
I haven't done it, but your experience with the CISSP mirrors mine. I guess I learned some useful manager speak and how to frame security decisions within the larger context of the whole business, but that was about it. I've felt better about more technical training like the AWS security cert I am going for now, or even my old CCNA. But the CISSP did open some doors for me jobwise and got me a raise, which was nice.

# ? Feb 4, 2021 15:45
While I can't speak to the technical value of it, from a compensation point you're very likely correct: unless you're looking at a job that specifically is asking for a CCSP, having a CISSP is likely already maxing out your value in terms of generalist certs, and another cert that your employer isn't specifically asking for isn't likely to get you much (if any) of a raise.

# ? Feb 4, 2021 15:46
From what I've heard from people who have the CISSP, it is far more of a "managerial cert" than it is a technical one. If you are looking for high value (vendor agnostic) technical certs, I think beyond the basic Security+ and SSCP you're going to be looking at the SANS or GIAC track of certs (GSEC, CEH, GCIA, etc). I have heard good things about the CCSP, but then again if you pump CCSP into indeed or linkedin or whatever you're going to see fewer matches than if you search for the comparable AWS or Azure cert.

# ? Feb 4, 2021 18:14
Yeah, CISSP is almost entirely the Project Manager cert for people who want to be managers in Infosec.

# ? Feb 4, 2021 18:18
The CISSP is definitely more managerial, but I'm not sure I'd call the SANS certs technical. They're more theory. I've got the GPEN and know a lot about the steps to a red team and how to set it up and make the final report, but when I go to hackthebox I struggle with the simple stuff. I would say a technical cert is the OSCP, where you actually do something with technical skills and if you don't have the skills you fail.

# ? Feb 4, 2021 19:10
Pretty much. I tried being a manager and dealing with people is a huge pain in the rear end, so I took the first opportunity to pivot back to a single contributor role in the cloud space. CCSP will likely be way too abstracted to be of much use.

# ? Feb 4, 2021 19:11
stoopidmunkey posted: The CISSP is definitely more managerial but I'm not sure I'd call the SANS certs technical. They're more theory. I've got the GPEN and know a lot about the steps to a red team and how to set it up and make the final report but when I go to hackthebox I struggle with the simple stuff. I would say a technical cert is the OSCP where you actually do something with technical skills and if you don't have the skills you fail.

When you did your GPEN, did you do the labs and the CTF? SANS courses absolutely teach you and prepare you for the technical work. I've done quite a few of them at this point and you have to take the initiative to go beyond just reading the book and listening to the teacher.

# ? Feb 4, 2021 19:14
That's kinda how that ends up working, though: most of the SANS stuff is vendor-agnostic and therefore cannot really dig super deep into the nitty gritty of the How To for specific things, but most of them at least cover the basics and the frameworks or methodologies for doing given tasks. For true technical certs you should be looking at actual platform/vendor specific certs that focus on exactly whatever it is you want to learn, which by their nature are going to be very narrow but deep. If you wanted to make a hierarchy of it, CISSP would be Managerial (90% policy / 10% doing stuff), SANS would be more mid-level manager (50/50, though some of them are up or down the chain depending), and topic-specific would be individual contributor (90%+ doing stuff). OSCP is an excellent cert, but sorta exists off in its own space way above the "hey I'd like some tech training and a cert to demonstrate that I know things" level.

# ? Feb 4, 2021 19:18
CLAM DOWN posted: When you did your GPEN, did you do the labs and the CTF? SANS courses absolutely teach you and prepare you for the technical work. I've done quite a few of them at this point and you have to take the initiative to go beyond just reading the book and listening to the teacher.

I did my GPEN something like 6 years ago, so I concede that the curriculum has probably evolved over the years. There was no CTF when I did mine. But I do want to clarify that I'm not knocking SANS. They're my favorite place to get training and if my employer is willing to pony up for a class, I'm down. Their SIEM class (555) is amazing.

# ? Feb 4, 2021 19:18
I did SANS 660 and the GXPN exam and, while I have some issues with the selection of topics covered in the course, it is absolutely a technical course.

# ? Feb 4, 2021 19:31
stoopidmunkey posted: I did my GPEN something like 6 years ago so I concede that the curriculum has probably evolved over the years. There was no CTF when I did mine. But I do want to clarify that I'm not knocking SANS. They're my favorite place to get training and if my employer is willing to pony up for a class, I'm down. Their SIEM class (555) is amazing.

Oh weird, yeah, each class includes a day-long CTF now. It's so much fun, I won the SEC530 one and got a rad coin (it was Blade Runner themed).

# ? Feb 4, 2021 19:34
Slick coin. Wondering if they're just assuming no one from ATARI will ever win one and notice the illicit use of their logo.

# ? Feb 4, 2021 19:54
CLAM DOWN posted: Oh weird, yeah each class includes a day-long CTF now. It's so much fun, I won the SEC530 one and got a rad coin (it was Blade Runner themed)

Holy gently caress that's cool

# ? Feb 4, 2021 22:05
CLAM DOWN posted: Oh weird, yeah each class includes a day-long CTF now. It's so much fun, I won the SEC530 one and got a rad coin (it was Blade Runner themed)

Nice.

# ? Feb 4, 2021 22:09
DrDork posted: Slick coin.

It's cool, you have to hack an Atari to get it.

# ? Feb 5, 2021 03:23
I also would like a Tyrell Corp medal.

# ? Feb 7, 2021 01:42
Speaking of ICS and Infosec: https://twitter.com/Bing_Chris/status/1358873543623274499?s=20

# ? Feb 8, 2021 22:44
Yeah, but it's Florida, so who would even know?

# ? Feb 9, 2021 00:15
CommieGIR posted: Speaking of ICS and Infosec

quote: The computer system was set up with a software program that allows for remote access

I bet you $100 it was the free version of TeamViewer.

# ? Feb 9, 2021 01:02
MustardFacial posted: I bet you $100 it was the free version of TeamViewer

I'm pretty sure TeamViewer will at least do some basic MFA using email by default these days. I somehow doubt it was that.

# ? Feb 9, 2021 01:07
Internet Explorer posted: I'm pretty sure TeamViewer will at least do some basic MFA using email by default these days. I somehow doubt it was that.

VNC would be my next guess.

# ? Feb 9, 2021 01:16
Internet Explorer posted: I'm pretty sure TeamViewer will at least do some basic MFA using email by default these days. I somehow doubt it was that.

"These days". It was probably installed 15 years ago, but yeah, it was TeamViewer. https://www.reuters.com/article/us-usa-cyber-florida-idUSKBN2A82FV

# ? Feb 9, 2021 01:24
I have a dumb email question: If I have DKIM set up, do I also need SPF for DMARC? I thought both should be aligned. I was checking our SPF record and noticed that mailchimp was missing. They don't have any SPF info on their site and their support just told me that they don't require me to put it in.

# ? Feb 9, 2021 01:30
spaced ninja posted: "These days". It was probably installed 15 years ago, but yeah it was teamviewer.

TeamViewer has gotten better about their lovely swiss cheese program, but we're talking about ICS infrastructures here. They're frozen in time for 10+ years because they run on some way outdated protocol.

# ? Feb 9, 2021 01:31
MustardFacial posted: I bet you $100 it was the free version of TeamViewer

https://twitter.com/Bing_Chris/status/1358893389115256833

# ? Feb 9, 2021 02:13
Guy Axlerod posted: I have a dumb email question: If I have DKIM set up, do I also need SPF for DMARC? I thought both should be aligned. I was checking our SPF record and noticed that mailchimp was missing. They don't have any SPF info on their site and their support just told me that they don't require me to put it in.

As far as I can see, you need code:

# ? Feb 9, 2021 04:18
You shouldn't need to change your SPF records for mailchimp - they use their own servers for the 'envelope from', so they are the custodians of the SPF records, not you. You can use this checker once it's all set up: https://www.sparkpost.com/email-tools/authentication-checker/

# ? Feb 9, 2021 04:38
The cyberpunk game developers got cyberpunk'd: https://twitter.com/CDPROJEKTRED/status/1359048125403590660

# ? Feb 9, 2021 14:49
Albinator posted: As far as I can see, you need

Thanks, I eventually found that one.

Rufus Ping posted: You shouldn't need to change your SPF records for mailchimp - they use their own servers for the 'envelope from', so they are the custodians of the SPF records not you

Yeah, SPF has been passing on mail clients, for example. However, I set up a DMARC report and it's showing mailchimp as 0% SPF aligned: I also see emails from rsgsv.net which I believe is also mailchimp. On other services, like SES, I've had to set up whitelabel return path domains.

# ? Feb 9, 2021 14:54
Doesn't MailChimp make you go through its custom domain authentication thing to get it to use your domain in FROM?

# ? Feb 9, 2021 16:10
They're only doing DKIM now, I guess? https://mailchimp.com/help/set-up-email-domain-authentication/ I don't see any further authentication I can set up from the mailchimp side. They do have stuff in Mandrill, but we aren't using that currently.

E: https://support.google.com/a/answer/10032169#alignment

google posted: To pass DMARC, a message must pass at least one of these checks:

So I guess SPF isn't required if DKIM is in place.

# ? Feb 9, 2021 17:18
Strawberry Pyramid posted: The cyberpunk game developers got cyberpunk'd:

That's the most Cyberpunk thing to be associated with that game other than the name.

# ? Feb 9, 2021 17:43
CommieGIR posted: Speaking of ICS and Infosec

Thanks for posting this: I work in the wet infrastructure sector (water and wastewater specifically) and this is actual nightmare fuel. When I was working as a consultant for a medium/large regional firm that specialized in wet infrastructure, I asked my group manager a few times if we had any internal cybersec/infosec talent to offer our clients and the answer was "kinda". I'm on the public side of the equation now and our leadership is definitely worried about incidents like this. I don't think that the wet infrastructure sector takes this stuff seriously enough: I read about this incident here before I heard about it in any professional capacity, but AWWA did email me about an hour after you posted this. These guys got extremely loving lucky, it reads like someone just happened to be babysitting the right part of the system when it was hacked.

# ? Feb 9, 2021 17:53
We use both Mandrill and Mailchimp. Mailchimp uses their own mail-from, so SPF on your domain is not required; they do use DKIM though. Mandrill also uses DKIM, but additionally can be set to use your own custom return path/mail-from. If you have this set up, then you do need to include Mailchimp/Mandrill in your SPF (this is what we do). Report from DMARCian on our domain: We have a published DMARC of Reject. DMARC passes if either SPF or DKIM passes, so this works fine. Strangely, occasionally an email will go out from Mandrill using their mail-from, and not our custom one. Like 1-3 in every few thousand. Hence the 99.9% SPF on that report.

# ? Feb 9, 2021 18:13
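The point the last few posts circle around (an SPF "pass" that is not *aligned* still leaves DMARC passing on the DKIM leg, and a custom return-path is what makes the SPF leg align) is easiest to see with the DMARC alignment logic written out. The following is an added example, not code from the thread or from any mail provider: it parses a DMARC TXT record for the `aspf`/`adkim` tags and evaluates the two alignment legs for a message. The domains (`example.com`, `bounce.bulk-sender.example`) are constructed, and the organizational-domain helper is a simplified stand-in for a real public-suffix-list lookup.

```python
"""
DMARC alignment evaluator (added example, not from the thread).

DMARC passes when at least one of these legs passes:
  * SPF  : the envelope sender (RFC5321.MailFrom / return-path) domain
           yields an SPF "pass" AND aligns with the RFC5322.From domain.
  * DKIM : a valid signature whose d= tag aligns with the RFC5322.From
           domain.
Alignment is "relaxed" (r, default: same organizational domain) or
"strict" (s: exact match), set per leg by the aspf= and adkim= tags.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed stand-in for the public suffix list; real code should use it.
_TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def org_domain(domain: str) -> str:
    """Organizational domain: registrable part, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment per RFC 7489: 's' exact match, 'r' same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Parse a _dmarc TXT record; fills in the RFC defaults for aspf/adkim."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


@dataclass
class AuthResults:
    """Inputs a receiver would have after SPF/DKIM checks (constructed here)."""
    from_domain: str                      # RFC5322.From header domain
    spf_result: str                       # "pass", "fail", "softfail", "none", ...
    mail_from_domain: str                 # envelope sender / return-path domain
    dkim_results: list[tuple[str, str]] = field(default_factory=list)  # (result, d=)


def dmarc_evaluate(r: AuthResults, record: dict[str, str]) -> dict[str, bool]:
    """Return per-leg alignment outcomes and the overall DMARC result."""
    spf_aligned = r.spf_result == "pass" and aligned(
        r.mail_from_domain, r.from_domain, record["aspf"])
    dkim_aligned = any(
        res == "pass" and aligned(d, r.from_domain, record["adkim"])
        for res, d in r.dkim_results)
    return {"spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc": spf_aligned or dkim_aligned}


def sample_cases() -> dict[str, dict[str, bool]]:
    """Three constructed scenarios mirroring the thread's discussion."""
    record = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    strict = parse_dmarc_record("v=DMARC1; p=reject; aspf=s")
    return {
        # Bulk sender signs with our domain but bounces to its own domain:
        # SPF passes for the provider, but is NOT aligned; DKIM carries DMARC.
        "provider_return_path": dmarc_evaluate(AuthResults(
            "example.com", "pass", "bounce.bulk-sender.example",
            [("pass", "example.com")]), record),
        # Custom return-path on our own subdomain (and our SPF includes the
        # provider): the SPF leg now aligns under relaxed mode as well.
        "custom_return_path": dmarc_evaluate(AuthResults(
            "example.com", "pass", "mail.example.com",
            [("pass", "example.com")]), record),
        # Same message under aspf=s: a subdomain no longer aligns strictly,
        # and with no DKIM signature DMARC fails outright.
        "strict_spf_no_dkim": dmarc_evaluate(AuthResults(
            "example.com", "pass", "mail.example.com", []), strict),
    }


if __name__ == "__main__":
    for name, outcome in sample_cases().items():
        print(f"{name:22s} {outcome}")
```

The first case is the "SPF pass, 0% SPF aligned, DMARC still fine" report pattern described above: the receiver evaluates SPF against the provider's return-path domain, so it passes for them but never aligns with your From domain, and only the DKIM leg satisfies DMARC. The second case is what a custom return-path on your own subdomain buys you: both legs align, so an occasional message with the provider's mail-from still passes on DKIM alone. The third case shows why strict alignment needs care with subdomains.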