some kinda jackal
Feb 25, 2003

So first of all, 100% appreciate everyone's feedback. It's helping me phrase the discussion, but more so talking it out is helping me understand the breakdown.

Security Handbook, as described, is probably some iteration of what I'm looking for, and it's maybe a piece that needs further refinement. I think my attempt to pragmatically distill the policies down to a checklist is sort of a shim layer that then would help inform the discussion around "ok do we have a security handbook for X technology/platform/concept that accounts for all of these items".

I may still be talking nonsense, of course.


BonHair
Apr 28, 2007

It's hard loving work either way, but I want to stress two things: when you get anywhere near the operational level, responsibility needs to be crystal clear. Like, I have to be able to step in from the street and understand who has to do what. And then the bit about controls: you want to check if every little thing is done right (but start small or you will die), and if it actually conforms to the policy. The main thing you want from this is to figure out the most obvious places where your rules/policies/procedures/etc. are not being followed, so you can do some targeted investigation of why they're not being followed. That way, you gradually get everything to make sense to the relevant parties.

Sickening
Jul 16, 2007

Black summer was the best summer.
The bitter infosec part of me has given up all hope on policy being anything but legal and compliance checkboxes. If I have to rely on the goodwill of human beings to prevent something then I don't even want to loving talk about it.

BaseballPCHiker
Jan 16, 2006

Sickening posted:

The bitter infosec part of me has given up all hope on policy being anything but legal and compliance checkboxes.

I'm the same way. Any engineering I can do to just limit the ability to do dumb-bad is time better spent than working on policy.

Sickening
Jul 16, 2007

Black summer was the best summer.

BaseballPCHiker posted:

I'm the same way. Any engineering I can do to just limit the ability to do dumb-bad is time better spent than working on policy.

I have to remove the ability for people to gently caress up. That is my job. The old day of just telling people to not gently caress up are over and done. Nobody gives a poo poo about what a document says. If I can do a thing, I will do a thing.

Achmed Jones
Oct 16, 2004



where i work policy actually matters. our security posture is generally much better than that mandated by legal requirements, so policies we write have real meaning. which also means that there's no real impetus to write a policy that doesn't come with at least a roadmap for enforcement at scale

Achmed Jones
Oct 16, 2004



Sickening posted:

I have to remove the ability for people to gently caress up. That is my job. The old day of just telling people to not gently caress up are over and done. Nobody gives a poo poo about what a document says. If I can do a thing, I will do a thing.

+1

also the old days of it being generally _possible_ for non-specialists (and specialists too for that matter) to determine what counts as "a gently caress up" are long over

Achmed Jones
Oct 16, 2004



simply never ever use the web and also never interact with email and also don't look at your phone either, i am doing my job as a security person. no dont ask me to actually engineer a way for people to do their jobs safely and productively, what do i look like here?

Darchangel
Feb 12, 2009

Tell him about the blower!


Achmed Jones posted:

simply never ever use the web and also never interact with email and also don't look at your phone either, i am doing my job as a security person. no dont ask me to actually engineer a way for people to do their jobs safely and productively, what do i look like here?

Oh, I see you’ve met our Infosec.

rafikki
Mar 8, 2008

I see what you did there. (It's pretty easy, since ducks have a field of vision spanning 340 degrees.)

~SMcD


Tryzzub posted:

this is the same approach we have, works well; our systems/dev folks see the technical details in the standards only and know what to apply

also, https://twitter.com/socradar/status/1582733456278069249?s=20&t=7BLFEnwRY2yyiuu2hAMP-Q

good luck have fun everyone! (although their search tool seems pretty broken)

Microsoft published a response https://msrc-blog.microsoft.com/2022/10/19/investigation-regarding-misconfigured-microsoft-storage-location-2/

quote:

We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.

Internet Explorer
Jun 1, 2005
You gotta gently caress up pretty badly for me to side with Microsoft on a security issue.

Sickening
Jul 16, 2007

Black summer was the best summer.

Achmed Jones posted:

simply never ever use the web and also never interact with email and also don't look at your phone either, i am doing my job as a security person. no dont ask me to actually engineer a way for people to do their jobs safely and productively, what do i look like here?

I had someone from the c-suite have a loving fit because he could not access yahoo mail from his work computer and then a few hours later complain that technology let someone do something dumb they knew they weren't supposed to do.

Achmed Jones posted:

+1

also the old days of it being generally _possible_ for non-specialists (and specialists too for that matter) to determine what counts as "a gently caress up" are long over

I don't even want to classify severity of events anymore. I don't want to use dumb risk calculation systems. I want to engineer preventions, automated remediations, and guardrails. I don't want to be involved with the fight over what is technically a security incident anymore or how a breach is defined. Let legal and the spin-doctors do all that.

Tryzzub
Jan 1, 2007

Mudslide Experiment

yep was about to post that as well

tis what i get for reading before i have morning coffee

Achmed Jones
Oct 16, 2004



Sickening posted:

I don't even want to classify severity of events anymore. I don't want to use dumb risk calculation systems. I want to engineer preventions, automated remediations, and guardrails. I don't want to be involved with the fight over what is technically a security incident anymore or how a breach is defined. Let legal and the spin-doctors do all that.

not trying to be pushy, but realtalk if this is what you want apply to google once all the hiring freeze stuff blows over

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Achmed Jones posted:

simply never ever use the web and also never interact with email and also don't look at your phone either, i am doing my job as a security person. no dont ask me to actually engineer a way for people to do their jobs safely and productively, what do i look like here?

It's the users I cannot tolerate.

SlowBloke
Aug 14, 2017
PSA the cloudflare-yubico offer is still active but the coupon you receive will only cover four rather than the previous ten units.

SlowBloke
Aug 14, 2017

some kinda jackal posted:

So first of all, 100% appreciate everyone's feedback. It's helping me phrase the discussion, but more so talking it out is helping me understand the breakdown.

Security Handbook, as described, is probably some iteration of what I'm looking for, and it's maybe a piece that needs further refinement. I think my attempt to pragmatically distill the policies down to a checklist is sort of a shim layer that then would help inform the discussion around "ok do we have a security handbook for X technology/platform/concept that accounts for all of these items".

I may still be talking nonsense, of course.

That's the public employee in me speaking, but the security handbook that indicates what is being done should just be a checklist of what regulation your firm relies on (NIST/ISO), nothing else. If you want to try explaining, you do it in a separate internal document coauthored with the CISO/CIO and legal offices, which should have ample preambles stating that whatever is in there is guidance and not law, since mansplaining NIST/ISO regulations, and not providing everything, exposes you to big issues if someone takes your document for gospel and fucks up publicly due to something that was ignored or omitted.

I'm currently commuting to the office. If you want, once I'm there, I can provide more operational samples of what a security handbook (derived from industry standards) could/should look like.

SlowBloke fucked around with this message at 06:27 on Oct 20, 2022

some kinda jackal
Feb 25, 2003

I'll never say no to some examples, if for no other reason than to clarify my own expectations on what I can and can't influence, thanks a ton!

Major Operation
Jan 1, 2006

I follow Kevin Beaumont on Twitter and, uh, the Microsoft response to the data exposure is looking worse and worse. Putting a notification in a proprietary message center, which they surely know very few customers regularly check, and saying you won't tell what data is exposed will not fly. At least not anywhere that has reported their own incidents according to the regulatory requirements.

https://twitter.com/GossiTheDog/status/1583042989219139590

Further up that thread he quotes someone that posted screenshots of the customer notification:
"We've identified that your organization was in scope of this incident. Affected data types that may have been involved included names, email addresses, company name, address, or phone numbers. We are unable to provide the specific affected data from this issue."

SlowBloke
Aug 14, 2017

some kinda jackal posted:

I'll never say no to some examples, if for no other reason than to clarify my own expectations on what I can and can't influence, thanks a ton!

Since we are under the umbrella of the Italian government our rules are a derivative of GDPR and the document that implemented it in Italian legislation (CAD). What we get from those norms are two documents: one privacy document to provide to the users (written by our legal team), telling them what kind of data they are expected to handle, and a second internal IT document, an implementation checklist, to validate against the environment and new installs. The checklist is in Italian but google/bing translate should make easy work of it, Link-> https://www.agid.gov.it/it/sicurezza/misure-minime-sicurezza-ict Other docs of interest might be found here https://cert-agid.gov.it/documenti-agid/ in particular the guidelines for code development -> https://www.agid.gov.it/it/sicurezza/cert-pa/linee-guida-sviluppo-del-software-sicuro

SlowBloke fucked around with this message at 14:33 on Oct 20, 2022

ShoeFly
Dec 28, 2006

Waiter, there's a fly in my shoe!

SlowBloke posted:

PSA the cloudflare-yubico offer is still active but the coupon you receive will only cover four rather than the previous ten units.

But they’ve upgraded it from standard YubiKey to YubiKey 5 series

SlowBloke
Aug 14, 2017

ShoeFly posted:

But they’ve upgraded it from standard YubiKey to YubiKey 5 series

It was always a security key to yubikey 5 upgrade, they just resized the amount of units you get a discount on.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Do you guys debate ciphers in here? I never ever wanted to look into tls this deep at all but my loving god. How the gently caress are you people actually like normal human beings? Are you solving prime numbers in your head in poo poo?

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

jaegerx posted:

Do you guys debate ciphers in here? I never ever wanted to look into tls this deep at all but my loving god. How the gently caress are you people actually like normal human beings? Are you solving prime numbers in your head in poo poo?


.. no?

Zorak of Michigan
Jun 10, 2006


I PM'd 3DES once and told it that its mom was fat, but it never answered.

Arivia
Mar 17, 2011

jaegerx posted:

Do you guys debate ciphers in here? I never ever wanted to look into tls this deep at all but my loving god. How the gently caress are you people actually like normal human beings? Are you solving prime numbers in your head in poo poo?

I do all my ROT26 encodes in my head manually. :smuggo:

spankmeister
Jun 15, 2008

jaegerx posted:

Do you guys debate ciphers in here? I never ever wanted to look into tls this deep at all but my loving god. How the gently caress are you people actually like normal human beings? Are you solving prime numbers in your head in poo poo?

RSA is really easy to do by hand! if the numbers are very small

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
Coursera has a solid course "Cryptography I" that's free if you don't need/want a certificate.

You do sort of need to grasp modular arithmetic and also Python coding skill is needed for some exercises.

I had fun, haven't used number theory stuff in a couple decades since I studied it. I also read Schneier's crypto opus 20 years ago.

Diva Cupcake
Aug 15, 2005

I mean, just set proper cipher suite orders while trying to phase out CBC mode in favor of GCM because of BEAST/POODLE. The latter is mostly risk and application specific because I have no interest in breaking legacy internal comms unless it’s something that really shouldn’t be supported any more.

If you need to evaluate new ciphers for a standard, don’t. Just read the RFC on TLS 1.3 or whatever and add the mandatory ones to the top of your order. They weren’t even supported until Windows 11/Server 2022 anyways.

Tryzzub
Jan 1, 2007

Mudslide Experiment
https://wiki.mozilla.org/Security/Server_Side_TLS

and

ciphersuite.info

will get you most of the way

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

This is what I would use, but I'm annoyed that "Intermediate" supports down to Android 4.4, but "Modern" requires Android 10. Is there not a configuration that would work with Android 7 or 8 or something?

vanity slug
Jul 20, 2010

Saukkis posted:

This is what I would use, but I'm annoyed that "Intermediate" supports down to Android 4.4, but "Modern" requires Android 10. Is there not a configuration that would work with Android 7 or 8 or something?

That's because of the exclusive TLS 1.3 support. There's not that much difference between the two other than that.

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
Yeah, a casual peek at the two levels is you only use Modern if you know your client runs TLS 1.3. Otherwise if you need 1.2, use Intermediate but with a cleaned up list of ciphers.

Old is for like, un-upgradable poo poo like ICS networks that need pre-1.2
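The cipher-suite cleanup described a few posts up (AEAD first, CBC pushed back or dropped, pick Modern only if every client speaks TLS 1.3, otherwise Intermediate with a pruned list) is easy to get wrong by hand, so here is an added example that is not from the thread or from the Mozilla project. It models the Mozilla profile names as a simple choice driven by the oldest TLS version a client must negotiate (my simplification, not Mozilla's generator), uses OpenSSL-style cipher names, and starts from a constructed legacy cipher list rather than any real server's config. Helper names (`classify`, `reorder`, `choose_profile`, `build_server_context`) are mine.

```python
"""Cipher-suite ordering helper (added example, not from the thread).

Puts AEAD (GCM / CHACHA20) suites first, pushes CBC suites to the back or drops
them, drops anything without forward secrecy or with a broken primitive, and
picks a Mozilla-style profile by the oldest TLS version a client must speak.
Cipher names are OpenSSL-style; the sample list is constructed for illustration.
"""
import ssl

# Constructed sample: a legacy server's cipher list mixing AEAD and CBC suites
# with entries that must not survive a cleanup. Not taken from a real server.
LEGACY_CIPHER_LIST = (
    "AES128-SHA:"                    # RSA key exchange, CBC: no forward secrecy
    "ECDHE-RSA-AES256-SHA384:"       # CBC, even though the OpenSSL name omits "CBC"
    "ECDHE-RSA-AES128-GCM-SHA256:"   # AEAD
    "DES-CBC3-SHA:"                  # 3DES: broken (SWEET32 class)
    "ECDHE-RSA-CHACHA20-POLY1305:"   # AEAD
    "DHE-RSA-AES256-GCM-SHA384:"     # AEAD with DHE forward secrecy
    "RC4-SHA:"                       # RC4: broken
    "ECDHE-ECDSA-AES128-SHA256"      # CBC
)

BROKEN_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")
AEAD_TOKENS = ("GCM", "CHACHA20", "CCM")

# Oldest protocol a client population needs -> ssl.TLSVersion
TLS_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def classify(suite: str) -> str:
    """Return 'broken', 'no-fs', 'aead' or 'cbc' for one OpenSSL cipher name.

    TLS 1.2 suites that are not AEAD are CBC even when the name has no "CBC"
    token (e.g. ECDHE-RSA-AES256-SHA384), so non-broken, non-AEAD means CBC.
    """
    upper = suite.upper()
    if any(tok in upper for tok in BROKEN_TOKENS):
        return "broken"
    if not upper.startswith(("ECDHE-", "DHE-")):
        return "no-fs"  # static RSA key exchange: no forward secrecy
    if any(tok in upper for tok in AEAD_TOKENS):
        return "aead"
    return "cbc"


def reorder(cipher_list: str, keep_cbc: bool = True) -> str:
    """Rebuild the colon-separated list: AEAD first, CBC last (or dropped).

    Broken suites and suites without forward secrecy are always removed;
    relative order inside each group is preserved so an existing preference
    order survives the cleanup.
    """
    aead, cbc = [], []
    for suite in cipher_list.split(":"):
        kind = classify(suite)
        if kind == "aead":
            aead.append(suite)
        elif kind == "cbc" and keep_cbc:
            cbc.append(suite)
    return ":".join(aead + cbc)


def choose_profile(oldest_client: str) -> tuple[str, ssl.TLSVersion]:
    """Map the oldest protocol clients need to a profile and minimum version.

    Modern only when every client speaks TLS 1.3; Intermediate for TLS 1.2;
    Old for anything that still needs pre-1.2 (this is a simplified model of
    the Mozilla profile levels, not their generator).
    """
    needed = TLS_VERSIONS[oldest_client]
    if needed >= ssl.TLSVersion.TLSv1_3:
        return "Modern", ssl.TLSVersion.TLSv1_3
    if needed >= ssl.TLSVersion.TLSv1_2:
        return "Intermediate", ssl.TLSVersion.TLSv1_2
    return "Old", ssl.TLSVersion.TLSv1


def build_server_context(oldest_client: str, cipher_list: str = LEGACY_CIPHER_LIST):
    """Return (profile name, ssl.SSLContext) configured per the chosen profile."""
    profile, min_version = choose_profile(oldest_client)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    # TLS 1.3 suites are fixed by OpenSSL; set_ciphers only governs <= 1.2 suites,
    # so a Modern (1.3-only) context needs no cipher string at all.
    if profile != "Modern":
        ctx.set_ciphers(reorder(cipher_list, keep_cbc=(profile == "Old")))
    return profile, ctx


if __name__ == "__main__":
    for oldest in ("TLSv1.3", "TLSv1.2"):
        profile, ctx = build_server_context(oldest)
        names = [c["name"] for c in ctx.get_ciphers()]
        print(f"{oldest}: {profile}, min={ctx.minimum_version.name}, suites={names}")
```

Running the module prints the profile and the suites OpenSSL would actually offer for each case; the Intermediate context ends up with only the three AEAD suites from the sample list (plus the TLS 1.3 suites OpenSSL adds on its own), which is the "cleaned up list" the post refers to.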

SlowBloke
Aug 14, 2017
PSA Yubico has updated authenticator, v17 now fully supports usb-c iPads so no need for sticking to 5ci/lightning for Yubikey OTP

CLAM DOWN
Feb 13, 2007

nesaM killed Masen
https://twitter.com/__agwa/status/1584916997472751618

Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
I go on a week vacation the day the details will be released, thank god.

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.
Is anyone else's heart feeling a little bleedy?

CLAM DOWN
Feb 13, 2007

nesaM killed Masen

FungiCap posted:

Is anyone else's heart feeling a little bleedy?

yes but only because i'm depressed and lonely

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

Sickening posted:

I had someone from the c-suite have a loving fit because he could not access yahoo mail from his work computer and then a few hours later complain that technology let someone do something dumb they knew they weren't supposed to do.

I don't even want to classify severity of events anymore. I don't want to use dumb risk calculation systems. I want to engineer preventions, automated remediations, and guardrails. I don't want to be involved with the fight over what is technically a security incident anymore or how a breach is defined. Let legal and the spin-doctors do all that.

as computer ability in new hires continues to decrease this is really the only option


some kinda jackal
Feb 25, 2003

Well, at least it won’t be a Friday.

But also please someone cut my hands off if I somehow manage to raise them to volunteer helping during the upcoming ssl “incident”. I’ve learned nothing.

SlowBloke posted:

Since we are under the umbrella of the Italian government our rules are a derivative of GDPR and the document that implemented it in Italian legislation (CAD). What we get from those norms are two documents: one privacy document to provide to the users (written by our legal team), telling them what kind of data they are expected to handle, and a second internal IT document, an implementation checklist, to validate against the environment and new installs. The checklist is in Italian but google/bing translate should make easy work of it, Link-> https://www.agid.gov.it/it/sicurezza/misure-minime-sicurezza-ict Other docs of interest might be found here https://cert-agid.gov.it/documenti-agid/ in particular the guidelines for code development -> https://www.agid.gov.it/it/sicurezza/cert-pa/linee-guida-sviluppo-del-software-sicuro

Didn’t mean to let this go without thanking you. Good reading!

some kinda jackal fucked around with this message at 02:55 on Oct 26, 2022
