Sickening
Jul 16, 2007

Black summer was the best summer.

BlankSystemDaemon posted:

I'd be very surprised if more than a fraction of all the people in infosec know how to estimate threat models correctly, and how it applies to themselves and others.

Does anyone? Since the "correctly" is completely subjective.

Raymond T. Racing
Jun 11, 2019

cr0y posted:

Ya I'm not super concerned because I am a garbage person and have nothing of value, but I'm now more aware of needing a better way to backup my TOTP secrets.

Another curiosity that I don't know much about, are TOTP secrets stored in something like a TPM on modern phones? I feel like trying to lift those strings would be more of a target than spear phishing the TOTP codes themselves. Now I'm just curious how that trust chain works.

nope

cr0y
Mar 24, 2005




Well that's dumb

Raymond T. Racing
Jun 11, 2019

cr0y posted:

Well that's dumb

I mean any modern phone is encrypted and siloing data per app, but a device compromised by relatively high level malware (so not "you were watching porn" popups) could potentially look at the TOTP secrets

Darchangel
Feb 12, 2009

Tell him about the blower!


KillHour posted:

The new place my SO works for implements two factor on their VPN with an automated phone call. To a softphone. On the same computer you're connecting from. :downs:

We used to use RSA for 2-factor on the VPN.
Using a virtual RSA SecureID dongle app running on the same computer that was typically logging into the VPN.

some kinda jackal
Feb 25, 2003

 
 
The whole webauthn thing has completely passed me by, I'm ashamed to admit. Is there a non-gag recommendation to a good primer? I feel I probably understand individual components and building blocks based on my 30 seconds of googling but not how this fits together.

BlankSystemDaemon
Mar 13, 2009



Dongle? More like dong.

Mantle
May 15, 2004

Buff Hardback posted:

If you're paranoid, use a Yubikey and don't stress further about it.

I'm trying to de-smartphone and TOTP authentication is one of my blockers. From what I understand, wouldn't all of my service providers that are currently using TOTP need to support my Yubikey?

i.e. Yubikey is fine for access to systems I control, but I still need to rely on 3rd party decisions on MFA for access to 3rd party services.

Is this understanding correct?

Raymond T. Racing
Jun 11, 2019

Mantle posted:

I'm trying to de-smartphone and TOTP authentication is one of my blockers. From what I understand, wouldn't all of my service providers that are currently using TOTP need to support my Yubikey?

i.e. Yubikey is fine for access to systems I control, but I still need to rely on 3rd party decisions on MFA for access to 3rd party services.

Is this understanding correct?

Pretty much.

Internet Explorer
Jun 1, 2005





cr0y posted:

Well that's dumb

Now look at password managers on Windows where the user is running as admin.

cage-free egghead
Mar 8, 2004

Mantle posted:

I'm trying to de-smartphone and TOTP authentication is one of my blockers. From what I understand, wouldn't all of my service providers that are currently using TOTP need to support my Yubikey?

i.e. Yubikey is fine for access to systems I control, but I still need to rely on 3rd party decisions on MFA for access to 3rd party services.

Is this understanding correct?

You could try something like GrapheneOS if you want to get away from using apps from big companies. Only works with Pixels phones which is kind of ironic but has an incredibly talented dev behind it.

Been running it for about a year now and haven't really looked back. It is tough not using things like the Chromecast and whatnot but I'm okay with that tradeoff.

BlankSystemDaemon
Mar 13, 2009



cr0y posted:

Ya I'm not super concerned because I am a garbage person and have nothing of value, but I'm now more aware of needing a better way to backup my TOTP secrets.

Another curiosity that I don't know much about, are TOTP secrets stored in something like a TPM on modern phones? I feel like trying to lift those strings would be more of a target than spear phishing the TOTP codes themselves. Now I'm just curious how that trust chain works.
Here's a fun fact: For the longest time, and possibly to this day, Windows Bitlocker communicated over the I2C/SPI/1-wire bus TPM in plaintext.

DrDork
Dec 29, 2003
commanding officer of the Army of Dorkness

BlankSystemDaemon posted:

Here's a fun fact: For the longest time, and possibly to this day, Windows Bitlocker communicated over the I2C/SPI/1-wire bus TPM in plaintext.

Yup: https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/.

Might be different in Win 11, but AFAIK this is still default behavior in Win10.

Mantle
May 15, 2004

cage-free egghead posted:

You could try something like GrapheneOS if you want to get away from using apps from big companies. Only works with Pixels phones which is kind of ironic but has an incredibly talented dev behind it.

Been running it for about a year now and haven't really looked back. It is tough not using things like the Chromecast and whatnot but I'm okay with that tradeoff.

Getting untracked is one aspect of my motivation, but the biggest driver is more trying to break the cycle of addiction to doomscrolling. My wife keeps telling me to stop "Trumping myself" which is what she calls me reading the Trump megathread for lols.

Absurd Alhazred
Mar 27, 2010

by Athanatos

BaseballPCHiker posted:



There's always an XKCD.

Are we saying that when it comes to infosec, torture does work?

cage-free egghead
Mar 8, 2004

Mantle posted:

Getting untracked is one aspect of my motivation, but the biggest driver is more trying to break the cycle of addiction to doomscrolling. My wife keeps telling me to stop "Trumping myself" which is what she calls me reading the Trump megathread for lols.

Yep, that was a part of my motivation too. And all the incessant fighting over dumb bullshit. It's been nice going back to just using forums as my only social media exposure.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
Is it possible to setup multiple hardware devices for Google's impending mandatory 2FA? I need to maintain access to my kids' accounts, but won't always have their phones on me.

Mantle
May 15, 2004

Ynglaur posted:

Is it possible to setup multiple hardware devices for Google's impending mandatory 2FA? I need to maintain access to my kids' accounts, but won't always have their phones on me.

If they're using TOTP then you could theoretically provide a shared seed to multiple devices/applications, if you can get the seed.

Guy Axlerod
Dec 29, 2008

Mantle posted:

If they're using TOTP then you could theoretically provide a shared seed to multiple devices/applications, if you can get the seed.

I just keep a screen shot of the QR code and scan it on multiple devices.

Ynglaur
Oct 9, 2013

The Malta Conference, anyone?
Thank you both!

SlowBloke
Aug 14, 2017

Martytoof posted:

The whole webauthn thing has completely passed me by, I'm ashamed to admit. Is there a non-gag recommendation to a good primer? I feel I probably understand individual components and building blocks based on my 30 seconds of googling but not how this fits together.

https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Overview.html

And

https://fidoalliance.org/fido2/fido2-web-authentication-webauthn/

Should be a decent starting point.

some kinda jackal
Feb 25, 2003

 
 
Thank you! U2F/FIDO/etc has been on the periphery of my thought progress for years now but with 1001 fires to put out it’s always fallen victim to “I’ll look at it next week” syndrome. And now suddenly webauthn is something I really need to understand.

Thanks Ants
May 21, 2004

#essereFerrari


Microsoft are going big on passwordless so they have some great material out about it as well

Waroduce
Aug 5, 2008
I've lurked this thread for a long time just out of curiosity. Security and system exploitation has always been interesting to me and this thread turned me onto the Darknet podcasts and some other things I'm a regular reader/listener to now.

I'm a senior product guy who's been in the healthcare space for the last 7 years. Built out an enterprise care platform with some business platforms plugged into it. I'm considering moving to a company that secures protected health information in the cloud. They're like hire a security team and you can offload all that (not exactly sure what [that] is, it's why I'm here) as a managed platform or you can use their platform, get trained on it and let your own security team run it. They do active management, active monitoring, migration and some other services.

I don't know anything about cloud security and I also don't know anything about cloud security in the healthcare space where you have a layered regulatory environment with federal HiPAA at the top (or GDPR in E.U.) regulation as well as state level and potentially client/customer level requirements. I understand that stuff more from a front end user oriented perspective than a back end technical position.

Is the healthcare space sufficiently different from just like the standard security space in the cloud to warrant such a specific suite of services? They've been successful and in business for some time, so I imagine yes...but I literally know nothing about this area. They're interested in me for my healthcare experience not my security experience but I'd like to understand this a little better. I also really like them.

I don't even really have the ability to form good intelligent questions here but I'd appreciate any words or directions or blogs the thread can provide and if this is out of scope will remove.

e: I googled secure PHI cloud and some other things and I mostly just found some similar providers in the space selling their services via white papers before posting this

Waroduce fucked around with this message at 14:24 on Nov 4, 2021

BaseballPCHiker
Jan 16, 2006

I'm not in healthcare, currently finance, but work pretty exclusively in cloud security.

If you were just starting out I'd recommend taking a course and working towards a cert with whatever provider you'll be working with the most: AWS Solutions Architect or the equivalent for Azure or Google Cloud. Learn the basic cloud concepts, then once you have that foundational knowledge start looking into more security focused areas to learn about.

I imagine, but don't know, that most of the healthcare specific stuff just has to do with data classification, what is/isn't HIPAA and how data is handled as a result of that classification.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Yeah, get some cloud experience under your belt for sure. Look at a Security cert of your choice. Depends also on what you'd like to do: Incident Response? Pen Testing? Security Engineering? Application Security?

Waroduce
Aug 5, 2008
I'm interested in certs for professional development (better system design) but I would be in the product space not engineering. An associates AWS/Azure would probably help me craft better, more specific value statements that would resonate with buyer/stakeholder personas and assist with nailing product positioning in the market and paint a clearer picture differentiating data governed by HIPAA regulation vs standard protected data best practices and why the product is necessary. It would also probably assist me with making more informed decisions regarding roadmapping instead of leaning heavily on the engineers on the team to frame features and stories for me. I didn't consider just going to get a cert......

quote:

I imagine, but don't know, that most of the healthcare specific stuff just has to do with data classification, what is/isn't HIPAA and how data is handled as a result of that classification.

off to google data classification and such now this is a great starting point thanks.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Womp womp

https://twitter.com/campuscodi/status/1456231697402449920?s=20

BlankSystemDaemon
Mar 13, 2009



CommieGIR posted:

Yeah, get some butt experience under your belt for sure.
s/cloud/butt/g still coming in handy

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

BlankSystemDaemon posted:

s/cloud/butt/g still coming in handy

Butt is critical for the security.

BonHair
Apr 28, 2007

I'm betting a lot of execs would invest in butt security rather than cloud security.

Fart Amplifier
Apr 12, 2003

In our province, cyber insurance providers are finally getting their act together and requiring anything with sensitive information that's available remotely/via cloud be protected via MFA.

The amount of IT people who view this as a completely unreasonable request astounds me. It's the single best/easiest factor to securing private information available.

A while back MS hosted a free seminar on Infosec with a bunch of us and nobody seemed to clue in when one of them said "One of the biggest obstacles for information security is IT departments." I didn't know what he meant then but I certainly do now.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Fart Amplifier posted:

In our province, cyber insurance providers are finally getting their act together and requiring anything with sensitive information that's available remotely/via cloud be protected via MFA.

The amount of IT people who view this as a completely unreasonable request astounds me. It's the single best/easiest factor to securing private information available.

A while back MS hosted a free seminar on Infosec with a bunch of us and nobody seemed to clue in when one of them said "One of the biggest obstacles for information security is IT departments." I didn't know what he meant then but I certainly do now.

Nice, I know a lot of cyber insurance providers are refusing payout if you don't have basic security requirements met, as they should.

wolrah
May 8, 2006
what?

Fart Amplifier posted:

The amount of IT people who view this as a completely unreasonable request astounds me. It's the single best/easiest factor to securing private information available.

A while back MS hosted a free seminar on Infosec with a bunch of us and nobody seemed to clue in when one of them said "One of the biggest obstacles for information security is IT departments." I didn't know what he meant then but I certainly do now.

At least from the perspective of a MSP, it's not IT itself, it's the poo poo software vendors IT is stuck with. I'm still to this day having to fight battles with vendors over loving UAC and how there is no chance in hell we're giving the receptionist local admin. Anyone who tells me normal users need admin to run some software with a straight face should be banned from ever working in a computer-related job again.

Either way, I am 100% onboard with cyber insurance providers requiring that things be done right. That unfortunately seems to be the most effective way to actually improve things, is make sure it costs someone a lot of money to get it wrong.

Thanks Ants
May 21, 2004

#essereFerrari


wolrah posted:

Either way, I am 100% onboard with cyber insurance providers requiring that things be done right. That unfortunately seems to be the most effective way to actually improve things, is make sure it costs someone a lot of money to get it wrong.

:emptyquote:

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

wolrah posted:

At least from the perspective of a MSP, it's not IT itself, it's the poo poo software vendors IT is stuck with. I'm still to this day having to fight battles with vendors over loving UAC and how there is no chance in hell we're giving the receptionist local admin. Anyone who tells me normal users need admin to run some software with a straight face should be banned from ever working in a computer-related job again.

Either way, I am 100% onboard with cyber insurance providers requiring that things be done right. That unfortunately seems to be the most effective way to actually improve things, is make sure it costs someone a lot of money to get it wrong.

This was a major pain for me as well when I designed and rolled out our Least Privilege program. Everyone wanted to run things as admin or make changes to their machines. After we trained up the L2 support guys, that shrunk rapidly.

And yeah, people whining because of UAC was always hilarious.

chin up everything sucks
Jan 29, 2012

BonHair posted:

I'm betting a lot of execs would invest in butt security rather than cloud security.

You could call it Cover Your Butt Insurance, they would immediately fund it.

Fart Amplifier
Apr 12, 2003

wolrah posted:

At least from the perspective of a MSP, it's not IT itself, it's the poo poo software vendors IT is stuck with. I'm still to this day having to fight battles with vendors over loving UAC and how there is no chance in hell we're giving the receptionist local admin. Anyone who tells me normal users need admin to run some software with a straight face should be banned from ever working in a computer-related job again.

Either way, I am 100% onboard with cyber insurance providers requiring that things be done right. That unfortunately seems to be the most effective way to actually improve things, is make sure it costs someone a lot of money to get it wrong.

IT is definitely part of the problem in a bunch of areas. You can have a group of people who are brilliant at setting up a network and implementing network security. It's a (relatively) slow moving field.

But some of these same people who are (rightly) willing to break outdated clients to enforce strict TLS standards somehow think that MFA, EDR, etc are just the newest buzzwords we have to implement simply to check boxes and not for any real gain. At least where I work (k-12 education) this seems to be incredibly common.

I honestly think a lot of it has to do with when these people received their training. Someone that became a Cisco networking wizard 15 years ago doesn't necessarily need to build up a whole new set of skills to build a secure performant network now, whereas Infosec as it exists today is completely different.

Trying to explain that "Malware installed on an end user domain machine is like 5 steps away from giving access to delete our MFA-protected offsite cloud backups" is like yelling into a void.

Trying to explain that "Letting users install browser extensions, OAUTH apps, or run out of date Chromebooks is just giving random access to random people" was, until somewhat recently, completely ignored.

And the insurance company aren't "requiring that things be done right" for us. It's good that they're requiring MFA and EDR, but they're really dropping the ball on this whole thing too. They're about 10 years behind. Anything less than a complete, regular, end-to-end audit of their clients is going to end up costing them. It's seriously insane how lax it is in our province. Nobody wants to be the first one to think about any of this because there's no pressure and no money.

Internet Explorer
Jun 1, 2005





It's really damning with faint praise when people say that insurance companies or client audits are what push companies forward. It's by no means great or even good, but often times it's the only ammunition you have.

I have been at places that will blatantly lie on insurance or client audit forms. They'll somehow bother to do a yearly pen test, but completely ignore it when the red team gets domain admin year after year after year.

Totally appropriate that the dumpster fire is Infosec's national bird.

Fart Amplifier
Apr 12, 2003

Internet Explorer posted:

It's really damning with faint praise when people say that insurance companies or client audits are what push companies forward.

"It's completely outrageous that we have to put MFA on our VPN because insurance told us to"
"We have to put MFA on our VPN for a lot of reasons. We're only doing it because insurance told us to"
