Ynglaur posted: Are you interested in cloud architecture of any kind? Quite possibly! I did some AWS training and labbing about two years ago and I found it clicked pretty well, although I haven't had much chance to use it recently other than a project to implement PAN firewalls with transit gateways last year. I've done a little bit with Azure, but for some reason it didn't click as readily as AWS did for me.
|
|
# ? Sep 29, 2021 00:46 |
|
|
Even if you were not, I'd highly recommend at least getting a feel for it; it's where most things are heading.
|
# ? Sep 29, 2021 02:36 |
|
So... unpreventable brute-force attacks against any AzureAD account with a password? https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/
|
# ? Sep 29, 2021 03:41 |
|
AlternateAccount posted: So... unpreventable brute-force attacks against any AzureAD account with a password? I love cloud
|
# ? Sep 29, 2021 03:54 |
|
AlternateAccount posted:So... unpreventable brute-force attacks against any AzureAD account with a password?
|
# ? Sep 29, 2021 12:53 |
|
"Security was out of scope for this project" - Microsoft
|
# ? Sep 29, 2021 13:03 |
|
Everyone at the ForgeRock and Oktas of the world are high-fiving each other right now.
|
# ? Sep 29, 2021 13:06 |
|
https://twitter.com/MikaelThalen/status/1443303462054236160?s=20
|
# ? Sep 29, 2021 21:21 |
So I got dropped in the deep end (aka the job that was described in the interview has little resemblance to the job I am now required to do) and so now I need to create and implement a data governance policy for this organisation. I'm currently going through some MS Learn modules on DLP, retention policies, data sensitivity labels and all that poo poo, but are there any other resources out there that can give me a hand?
|
|
# ? Sep 30, 2021 06:29 |
|
NPR Journalizard posted: So I got dropped in the deep end (aka the job that was described in the interview has little resemblance to the job I am now required to do) and so now I need to create and implement a data governance policy for this organisation. When in doubt, throw it out. My advice is to take a clue from GDPR and require everyone who is collecting data to note down what data they are collecting and for what purpose. And then say that they can't have data more than 5 years old unless they have a good reason. It's an impossible sell to anyone, though. Honestly, it's a tough job. Getting an overview of what data you have is basically impossible, which is why I recommend distributed responsibility to data owners. Then a broad-strokes policy on how long to keep, like, 5 types of data (PII, sensitive PII, financial, commercially sensitive, public stuff, other - just very generically). You want to automate stuff, because no one is gonna manually label anything.
|
# ? Sep 30, 2021 06:41 |
|
NPR Journalizard posted:So I got dropped in the deep end (aka the job that was told in the interview has little resemblance to the job I am now required to do) and so now I need to create and implement a data governance policy for this organisation. What is the scope of the data you are trying to write a data governance policy for? Sounds like you were given the work nobody else wanted to do. Writing policies is maybe the worst infosec duty there is.
|
# ? Sep 30, 2021 06:42 |
|
Sickening posted: What is the scope of the data you are trying to write a data governance policy for? Sounds like you were given the work nobody else wanted to do. Writing policies is maybe the worst infosec duty there is. I can't see how policy writer is worse than SOC monitoring duty.
|
# ? Sep 30, 2021 07:08 |
|
Defenestrategy posted: I can't see how policy writer is worse than SOC monitoring duty. p sure you can spend a lot more time loving around in any monitoring duty than something where you have to actually produce results. This depends on how noisy your environment is, obviously.
|
# ? Sep 30, 2021 07:15 |
|
RFC2324 posted: p sure you can spend a lot more time loving around in any monitoring duty than something where you have to actually produce results. The skills that make you a good policy writer really don't overlap much with the skills that make you a good infosec employee. Your average infosec person is going to write poo poo policies and is going to hate themselves while doing it.
|
# ? Sep 30, 2021 07:19 |
|
Sickening posted: The skills that make you a good policy writer really don't overlap much with the skills that make you a good infosec employee. Your average infosec person is going to write poo poo policies and is going to hate themselves while doing it. What? I was just saying monitoring duty isn't all bad because you can get paid to spend a much larger portion of your time on the forums/playing video games/whatever. When I get Sunday monitoring duty I just set my laptop next to me in the living room while playing games, and it's pretty nice. Then everything catches fire at once and I log 6 hours on a pause screen.
|
# ? Sep 30, 2021 07:26 |
BonHair posted: When in doubt, throw it out. My advice is to take a clue from GDPR and require everyone who is collecting data to note down what data they are collecting and for what purpose. And then say that they can't have data more than 5 years old unless they have a good reason. It's an impossible sell to anyone, though. Yeah, the more I read, the more issues pop up and the worse this project gets. It's a health care provider in Australia though, so there are legislative requirements for some stuff as well. Definitely going to go the automation route, with generic labels for users to apply. Sickening posted: What is the scope of the data you are trying to write a data governance policy for? Sounds like you were given the work nobody else wanted to do. Writing policies is maybe the worst infosec duty there is. Scope is fairly broad. Health records, financial data, personal stuff. There is effectively nothing being managed right now.
|
|
# ? Sep 30, 2021 07:38 |
|
Sickening posted: The skills that make you a good policy writer really don't overlap much with the skills that make you a good infosec employee. Your average infosec person is going to write poo poo policies and is going to hate themselves while doing it. Eh, this is only true if you consider infosec a technical field. You need policymakers in your infosec team if you want to have meaningful security governance. But otherwise yeah, totally agree, technical experts write terrible policies, as do most narrow-field experts. I'm looking especially at legal here. You need to look at the big picture and the target audience, and that's hard as gently caress, especially if you know all the computer/legal/financial/etc details and want to cover them all. A policy should have intentions and a few minimum requirements, and, if you don't use rule-based governance, very clearly defined responsibilities. And then you have to implement the thing, and then you can look at whether the idiots in IT (or wherever) actually follow the policy at all, and if they do, whether their practice is what you intended. Then begins the cycle of plan, do, check, act.
|
# ? Sep 30, 2021 07:44 |
|
NPR Journalizard posted: Yeah, the more I read, the more issues pop up and the worse this project gets. Doesn't sound automatic enough in my experience. Users will not apply labels, even if it's literally one click on a flashing button with a chocolate reward. You want to define, for the previously mentioned broad data sets:
Then, I would probably look at systems and figure out responsibility for them. And then you can assume that all data in a given system is of the most critical type and treat the system accordingly. Afterwards you can get fancy and think about interconnected systems, different applications of data (warehouse data vs active patient files for example) and differentiation within systems. But that's later. Hint: the AD gives access to probably everything, and there's a dude with global rights.
|
# ? Sep 30, 2021 07:55 |
|
Sickening posted:What is the scope of the data you are trying to write a data governance policy for? Sounds like you were given the work nobody else wanted to do. Writing policies is maybe the worst infosec duty there is. Sickening posted:The skills that make you a good policy writer really don't overlap much with the skills that make you a good inforsec employee. BonHair posted:Hint: the AD gives access to probably everything, and there's a dude with global rights. evil_bunnY fucked around with this message at 13:51 on Sep 30, 2021 |
# ? Sep 30, 2021 13:47 |
|
evil_bunnY posted:
Not at the application level, but at the database level.
|
# ? Sep 30, 2021 14:48 |
|
I'm using Pi Hole. After updating it today, I noticed some of the default adlists are defunct. Trying to figure out where to find a Pi Hole curated list of current sources, I'm being sent all over the web to assemble poo poo on my own instead of getting just simple recommendations. What am I doing wrong? I mean, the install came with some defaults way back then, why can't I seem to find a curated current list (other than I suppose reinstalling from scratch)?
|
# ? Sep 30, 2021 16:00 |
|
Check the reddit for Pi-Hole. There are a ton of links to curated lists. Also thanks for the reminder to update my Pi-Hole!
|
# ? Sep 30, 2021 16:09 |
|
The Apple hits keep coming. Don't scan found AirTags, because Apple didn't sanitize the phone number field and it could be used to inject any manner of fun stuff into a browser. https://arstechnica.com/information-technology/2021/09/apple-airtags-can-be-abused-to-direct-finders-to-malicious-websites/
|
# ? Oct 1, 2021 01:35 |
|
bull3964 posted: The Apple hits keep coming. Don't scan found AirTags, because Apple didn't sanitize the phone number field and it could be used to inject any manner of fun stuff into a browser. Don't tell me what my phone number is or is not <>
|
# ? Oct 1, 2021 01:40 |
|
bull3964 posted: The Apple hits keep coming. Don't scan found AirTags, because Apple didn't sanitize the phone number field and it could be used to inject any manner of fun stuff into a browser. "Stop auditing our products for security holes, all right?" - Apple.
|
# ? Oct 1, 2021 01:42 |
|
CommieGIR posted:"Stop auditing our products for security holes, all right?" - Apple. Lol, like people are going to stop buying our stuff nerds? - Apple
|
# ? Oct 1, 2021 02:50 |
|
"All the bitcoin miners were put there by us, okay?" - Apple Support
|
# ? Oct 1, 2021 14:04 |
|
NPR Journalizard posted: Yeah, the more I read, the more issues pop up and the worse this project gets. I do this as part of my jerb, and I get to try to wrangle defense-adjacent info as well. M365 is your friend; you're definitely barking up the right tree. All products in this space are awful, though M365's isn't quiiiiiiiiite so bad.
|
# ? Oct 1, 2021 14:52 |
|
Is everyone laughing at Facebook right now? I am https://twitter.com/briankrebs/status/1445077617426718725?s=19
|
# ? Oct 4, 2021 20:24 |
|
I am, but Krebs's description of the issue bothers me.
|
# ? Oct 4, 2021 20:27 |
|
BonHair posted:Is everyone laughing at Facebook right now? I am This particular tidbit is unconfirmed, but I still laughed my head off at it: https://twitter.com/sheeraf/status/1445099150316503057
|
# ? Oct 4, 2021 20:31 |
|
Powered Descent posted:This particular tidbit is unconfirmed, but I still laughed my head off at it: Finally the internet of poo poo comes home to roost.
|
# ? Oct 4, 2021 20:32 |
|
Powered Descent posted:This particular tidbit is unconfirmed, but I still laughed my head off at it: I hope they don't have any locked from the inside doors
|
# ? Oct 4, 2021 20:34 |
|
Some intern /must/ have fudged something; I can't imagine Facebook not being their own registrar. Imagine Facebook forgetting to pay their domain fee to themselves.
|
# ? Oct 4, 2021 20:41 |
|
Barring a statement from Facebook directly, the consensus among Twitter experts is that there was a config issue with BGP that resulted in a huge chunk of routes to FB infra just being straight up deleted, the most visible of which was the DNS servers.
|
# ? Oct 4, 2021 20:45 |
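The failure mode described in this post (routes withdrawn by a config push, so the authoritative name servers become unreachable even though they are still running) is easy to reproduce against a toy routing table. The following is an added example, not code from the original thread or from Facebook; the prefixes, origin AS number, name-server names and addresses are all constructed (RFC 5737 documentation ranges and a private AS number), and the "route collector" feed is a hand-written list of announce/withdraw updates. It shows the check a defender would want: after applying the updates, is every authoritative name server still covered by some announced prefix?

```python
import ipaddress

# Constructed sample: prefixes the outside world saw announced before the change,
# keyed by prefix -> origin AS. Documentation ranges and a private ASN, not real infra.
ANNOUNCED_BEFORE = {
    "203.0.113.0/24": 64500,   # hypothetical: hosts the authoritative name servers
    "198.51.100.0/24": 64500,  # hypothetical: web front ends
    "192.0.2.0/24": 64500,     # hypothetical: other services
}

# Constructed sample of BGP UPDATEs as a route collector would log them after the
# bad config push: (action, prefix, origin_as).
UPDATES = [
    ("withdraw", "203.0.113.0/24", 64500),
    ("withdraw", "198.51.100.0/24", 64500),
]

# Hypothetical authoritative name servers for the zone we care about.
NAME_SERVERS = {
    "a.ns.example": "203.0.113.10",
    "b.ns.example": "203.0.113.20",
}


def apply_updates(rib, updates):
    """Return a new RIB with announcements and withdrawals applied in order."""
    rib = dict(rib)
    for action, prefix, origin_as in updates:
        if action == "announce":
            rib[prefix] = origin_as
        elif action == "withdraw":
            rib.pop(prefix, None)
        else:
            raise ValueError(f"unknown update action {action!r}")
    return rib


def covering_prefix(rib, address):
    """Longest announced prefix containing address, or None if it is unrouted."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def unreachable_name_servers(rib, name_servers):
    """Name servers whose address is no longer covered by any announced prefix."""
    return sorted(name for name, ip in name_servers.items()
                  if covering_prefix(rib, ip) is None)


def route_withdrawal_alert(rib_before, updates, name_servers):
    """Diff the RIB before/after the updates and report the DNS impact.

    dns_blackholed is True when every authoritative server has dropped out of the
    routing table: the servers may be up, but nobody can reach them to ask.
    """
    rib_after = apply_updates(rib_before, updates)
    withdrawn = sorted(set(rib_before) - set(rib_after))
    lost = unreachable_name_servers(rib_after, name_servers)
    return {
        "withdrawn_prefixes": withdrawn,
        "unreachable_name_servers": lost,
        "dns_blackholed": bool(name_servers) and len(lost) == len(name_servers),
    }


if __name__ == "__main__":
    for key, value in route_withdrawal_alert(ANNOUNCED_BEFORE, UPDATES, NAME_SERVERS).items():
        print(f"{key}: {value}")
```

The point of splitting `withdrawn_prefixes` from `dns_blackholed` is that the first is routine (prefixes come and go) while the second is the alarm condition: once every NS address is unrouted, every other symptom (the site being "down", the domain looking unregistered to lookup tools) follows from it. Monitoring of this kind has to run from outside the network being monitored, since the monitor's own resolution and routes are what just disappeared.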
|
Powered Descent posted:This particular tidbit is unconfirmed, but I still laughed my head off at it: The interesting thing for me is that the card readers should still have some local copies of the credentials. They may not have the entire company but generally you should be able to access your building. A network failure is something you plan for with access control.
|
# ? Oct 4, 2021 20:48 |
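The design point in this post, that a badge reader should keep a local copy of the credentials so a network failure doesn't lock everyone out, looks like this when written down. The following is an added example, not code from the original thread or from any access-control vendor; `CentralAuth`, `DoorReader`, the card IDs, the door name and the 72-hour cache lifetime are all hypothetical. The reader asks the central server while it can, periodically pulls the authorized set for its door, and when the server is unreachable falls back to that local copy, which is stored as keyed hashes rather than raw card numbers so a stolen reader does not yield a list of valid cards.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Per-reader key used to hash cached credentials (constructed value for the example).
READER_SECRET = b"constructed-reader-secret"


def credential_digest(card_id: str) -> str:
    """Keyed hash of a card ID, so the offline cache isn't a list of valid cards."""
    return hmac.new(READER_SECRET, card_id.encode(), hashlib.sha256).hexdigest()


class CentralAuth:
    """Stand-in for the central access-control server (hypothetical)."""

    def __init__(self, authorized: Set[Tuple[str, str]], online: bool = True):
        self.authorized = set(authorized)   # {(card_id, door)}
        self.online = online

    def check(self, card_id: str, door: str) -> bool:
        if not self.online:
            raise ConnectionError("central ACS unreachable")
        return (card_id, door) in self.authorized

    def export_for_door(self, door: str) -> Set[str]:
        """Digests of every card authorized for one door; this is what readers cache."""
        if not self.online:
            raise ConnectionError("central ACS unreachable")
        return {credential_digest(c) for c, d in self.authorized if d == door}


@dataclass
class DoorReader:
    door: str
    central: CentralAuth
    cache_ttl: float = 72 * 3600                  # seconds the offline copy stays usable
    cached_digests: Set[str] = field(default_factory=set)
    last_sync: Optional[float] = None

    def sync(self, now: float) -> None:
        """Pull this door's authorized set while the network is up."""
        self.cached_digests = self.central.export_for_door(self.door)
        self.last_sync = now

    def decide(self, card_id: str, now: float) -> Tuple[str, str]:
        """Return (decision, reason). Online: ask central. Offline: use the local copy."""
        try:
            ok = self.central.check(card_id, self.door)
            return ("grant" if ok else "deny", "online")
        except ConnectionError:
            pass
        # Offline path. Fail secure once the copy is older than the policy allows,
        # otherwise honour the cached set exactly as central last published it.
        if self.last_sync is None or now - self.last_sync > self.cache_ttl:
            return ("deny", "offline-no-valid-cache")
        if credential_digest(card_id) in self.cached_digests:
            return ("grant", "offline-cache")
        return ("deny", "offline-cache")


def demo():
    """Walk one reader through normal operation, a network outage, and cache expiry."""
    central = CentralAuth({("card-1001", "lobby"), ("card-2002", "lobby")})
    reader = DoorReader("lobby", central)
    reader.sync(now=0)
    results = [reader.decide("card-1001", now=10)]              # online: granted
    central.online = False                                       # network failure
    results.append(reader.decide("card-1001", now=3600))         # offline: still gets in
    results.append(reader.decide("card-9999", now=3600))         # offline: unknown card denied
    results.append(reader.decide("card-1001", now=100 * 3600))   # offline: cache expired
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, reason)
```

Two caveats the post's framing implies but does not spell out. First, the offline copy is only as fresh as the last `sync`, so a card revoked after the last sync keeps working until the network returns; the TTL bounds how long that window can be. Second, the reader's own decision path must not depend on anything outside the building, which is exactly the trap the next reply pokes fun at: a reader that resolves its server by an external DNS name has no offline mode no matter how good its cache is.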
|
The Fool posted:Barring a statement from Facebook directly, the consensus among Twitter experts is that there was a config issue with bgp that resulted in a huge chunk of routes to fb infra just being straight up deleted. The most visible of which was the dns servers. I'm assuming the reports that the domain is up for sale are just automated ads posted for every domain record that doesn't have a functional resolution?
|
# ? Oct 4, 2021 20:53 |
|
Facebook seems like the sort of place that would roll their own door access and not really take advice from existing vendors
|
# ? Oct 4, 2021 20:53 |
|
Thomamelas posted:The interesting thing for me is that the card readers should still have some local copies of the credentials. They may not have the entire company but generally you should be able to access your building. A network failure is something you plan for with access control. "But here at FB we're very smart and the local LAN will always work!" <proceeds to use external DNS for services>
|
# ? Oct 4, 2021 20:54 |
|
|
Krebs loving sucks, but this entire problem is lol
|
# ? Oct 4, 2021 21:04 |