BonHair
Apr 28, 2007

Subjunctive posted:

Amazing troll, I gotta say.

“Use the extremely unbalanced power dynamic of an interview to make the candidate guess how you expect them to respond to a meta-stimulus of mocking.”

I think there's a cultural thing here, because in half my jobs it's been implied or outright stated that my education is irrelevant, and jokes have been made about it. I think maybe the manager style is more friendly in Denmark, I always got the sense that they were interested in me as a person. They were right though, linguistics and security don't have a lot of overlap.
Also, my experience is that juniors get tons of mostly low level conflicts. The manager obviously has their back (unless they're poo poo), but yeah, I and my junior colleagues have often been sent to, say, explain to a team lead that they need to do separation of duties or stop downloading the entire dataset to a random share.

But yeah, I'm gonna stop posting now and also don't listen to anything I said obviously.


chin up everything sucks
Jan 29, 2012

Had an interview for a helpdesk job that had a Security+ cert as a requirement. Also, it needs a security clearance. And... it sounds like I'm actually getting an offer. It's going to pay WAY less than I hoped, but they are talking about putting me in for the clearance which is a huge step forward in my career. Crossing my fingers.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

chin up everything sucks posted:

Had an interview for a helpdesk job that had a Security+ cert as a requirement. Also, it needs a security clearance. And... it sounds like I'm actually getting an offer. It's going to pay WAY less than I hoped, but they are talking about putting me in for the clearance which is a huge step forward in my career. Crossing my fingers.

If they put the clearance thing in writing, TAKE IT. Pay differential on Sec/TS IT jobs is like 25-50k in some areas. You can make filthy good money touching buttons for the government.

Achmed Jones
Oct 16, 2004



jesus christ do not neg your candidates. instead ask them to tell you about a time where they DEMONSTRATED_SKILL_YOU_CARE_ABOUT

if you tell them before the interview to use the star method, you also get a reasonably decent guarantee that they'll give you an answer that covers all the bases. it will also weed out people who throw fits when they're given reasonable advice/requests. and if people give you non-star answers that is probably also a valuable signal about their ability to follow instructions

e: looking at bonhair's more recent post, "oh hey you have a phd in WHATEVER but are doing infosec, how'd that happen?" is a perfectly reasonable and good question to ask. it just registers as "normal human interest/conversation" rather than teasing to me

Zorak of Michigan
Jun 10, 2006


Methylethylaldehyde posted:

On the flip side, lovely people in the org love to go directly to the most junior person they can find with the permissions needed to do the wildly dumb thing they want. I've worked with total doormats who would just get harangued until they folded, time and time again, even after coaching and being told 'if this person ever talks to you again, you get me RIGHT AWAY, understand?'.

I have no idea how the hell you'd figure out how likely someone is to fold like that in an interview without being a shithead though.

You can ask "tell me about a time when you stood up to pressure in the workplace," but for junior candidates, responses will be all over the place. You need the right sort of work experience to have an answer, and you can't expect junior people to have it. I mean, I would probably settle for, "This one time a guy was so upset about the amount of ketchup on his burger that I had to silently nod at his abuse for eight minutes until my manager came out front," but it's not going to translate directly.

To Methylethylaldehyde's post about juniors caving, if any of my team did that, they'd get some intensive mentoring, and then a performance improvement plan, and then a good solid firing. If you're too timid to do your job when I'm sitting here supporting you in doing it, you need a different line of work.

Well Played Mauer
Jun 1, 2003

We'll always have Cabo
Yeah, behavioral interview questions (tell me about a time when you…) are very valuable because past behavior predicts future behavior, and it also makes it easier for the candidate to demonstrate competence than on the spot questions, which tell you more about how well they think on their feet than how competent they are. It's also much easier to tell when someone is bullshitting.

It’s also helpful to have a list of questions you ask every candidate. It sounds unnatural and formulaic because it is, but the more you ask and hear answers to the same questions, the easier it will be to identify good answers and compare candidates’ answers to each other. There’s room for these even in more dialog-driven interviews.

Well Played Mauer fucked around with this message at 22:24 on Aug 21, 2023

more falafel please
Feb 26, 2005

forums poster

I'm not in infosec, but I've been in gamedev for a long time and I've been doing interviews for over a decade. I do the experience/resume validation/soft skills portion of our interview now, and I tell the candidate straight up front that it's a chance for them to brag about stuff they've done. We usually drill down into their resume and ask about hard problems they've had to deal with and how they found solutions to them, which tells us a lot. For one, since I probably don't know much about the project (and in many cases, especially if they're new to gamedev, the problem space as a whole), it helps gauge how good they are at distilling a problem/system/whatever down to whatever level of understanding a person has. I don't know poo poo about rendering, but if you can explain a rendering problem you solved to me, you probably understand it quite well. It also makes candidates actually go into detail about what they did on a project, instead of just listing it on their resume.

For juniors, there's still *something* you can do this with, even if the candidate doesn't actually have directly relevant experience in the field. Side projects, school work, even completely unrelated stuff. I'm trying to get an idea about how you approach problems, how you learn from them, etc.

Achmed Jones
Oct 16, 2004



Well Played Mauer posted:

Yeah, behavioral interview questions (tell me about a time when you…) are very valuable because past behavior predicts future behavior, and it also makes it easier for the candidate to demonstrate competence than on the spot questions, which tell you more about how well they think on their feet than how competent they are. It's also much easier to tell when someone is bullshitting.

It’s also helpful to have a list of questions you ask every candidate. It sounds unnatural and formulaic because it is, but the more you ask and hear answers to the same questions, the easier it will be to identify good answers and compare candidates’ answers to each other. There’s room for these even in more dialog-driven interviews.

:yeah:

and make a rubric for objective properties of a good answer! when it turns out to be insufficient, update it

Zorak of Michigan
Jun 10, 2006


We never codified our rubrics, but we did agree on them as part of the process of determining which questions we wanted to ask everyone. Asking ourselves why we wanted to ask a question and what answers we were looking for was very instructive. There were some questions we started out liking, but which turned out to telegraph the answers. If the rubric starts to sound like, "see if the candidate can't take the hint or is obviously lying when they do take it," see if you can't find a better question.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


I just give a hypothetical example of a stakeholder coming to them with a finished project to ask them to add more things that weren't in the requirements and ask them how they would respond. If they say anything along the lines of "implement it," doormat.

evil_bunnY
Apr 2, 2003

Well Played Mauer posted:

For example I can teach hard skills but don’t have the EQ to coach assholes even if they’re brilliant, so I bias hires toward people with natural communication skills and a desire to learn rather than raw technical horsepower.

There are vanishingly few worthy exceptions to this. Most assholes are irredeemable.

Thanks Ants
May 21, 2004

#essereFerrari


Even if they're technically brilliant, you can't use those people anywhere

chin up everything sucks
Jan 29, 2012

It's officially :yotj: even though I failed to get a job in InfoSec. At least this place is getting me a security clearance so my range of possible positions opens up significantly next time I'm looking.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Well Played Mauer posted:

Yeah, behavioral interview questions (tell me about a time when you…) are very valuable because past behavior predicts future behavior, and it also makes it easier for the candidate to demonstrate competence than on the spot questions, which tell you more about how well they think on their feet than how competent they are. It's also much easier to tell when someone is bullshitting.

I've always liked to use the pair of questions "Tell me about a time you saved the day" followed by "Now tell me about a time you screwed up BIG." The first one gives them a chance to brag a bit about something they're proud of, and hopefully makes them feel a little more open to the second question, which is the more important one. Do they actually admit to a serious fuckup, or do they try to pretend they never had one and pass off some minor near-miss as their big mistake? Even more important, how did they react to the loving up -- how did they fix it, how did they prevent it from happening again, and what did they learn from it.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Powered Descent posted:

I've always liked to use the pair of questions "Tell me about a time you saved the day" followed by "Now tell me about a time you screwed up BIG." The first one gives them a chance to brag a bit about something they're proud of, and hopefully makes them feel a little more open to the second question, which is the more important one. Do they actually admit to a serious fuckup, or do they try to pretend they never had one and pass off some minor near-miss as their big mistake? Even more important, how did they react to the loving up -- how did they fix it, how did they prevent it from happening again, and what did they learn from it.

Answer 1: "There was an adverse response to a networking configuration change. The whole site was hard down, including phones. I was able to diagnose the issue, determine the config changes needed to restore service, and restore the service within 15 minutes of the outage."

Answer 2: "It was me, I made the change that caused the outage in the first place. My boss at the time treated the entire event as a learning opportunity, and I have learned that Cisco switches do NOT like trailing semicolons in the config, but will happily take them. I now do potentially breaking config updates after hours, and only after passing the changes through the test network."

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

chin up everything sucks posted:

It's officially :yotj: even though I failed to get a job in InfoSec. At least this place is getting me a security clearance so my range of possible positions opens up significantly next time I'm looking.

Small steps friend, but congrats!

Powered Descent posted:

I've always liked to use the pair of questions "Tell me about a time you saved the day" followed by "Now tell me about a time you screwed up BIG." The first one gives them a chance to brag a bit about something they're proud of, and hopefully makes them feel a little more open to the second question, which is the more important one. Do they actually admit to a serious fuckup, or do they try to pretend they never had one and pass off some minor near-miss as their big mistake? Even more important, how did they react to the loving up -- how did they fix it, how did they prevent it from happening again, and what did they learn from it.

Yup, one of my interview questions to candidates is usually "What is the biggest screw up you've made on a job, how did you fix it, who did you tell, did you take responsibility."

You will gently caress up. We've all done it. It's how you dealt with it that matters.

CommieGIR fucked around with this message at 21:40 on Aug 22, 2023

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

It’s also very useful to have an “anti-rubric”: what are things that you explicitly exclude from a candidate’s evaluation? For example, one of our interviews has the candidate describe a time that they led a change at their organization. We explicitly don’t care if it’s a big change or small one, and we don’t care if we would agree with the change. That was important to make clear so that we got more consistent evaluation, and to guide candidates on how to prepare.

The really strong move is to tell the candidate the rubric.

Darchangel
Feb 12, 2009

Tell him about the blower!


BonHair posted:

Yeah, this is very true. The main issue with phishing campaigns is the same as "awareness" campaigns: they're just an easy way to do something that you can measure and check off the box about security for the year. If you actually manage to follow up with talking about why it's important and don't punish or shame people, it might have some (still small probably) effect, but often it's either just execute and report or execute, identify those that got got and punish.

Also if you reduced local admin rights, implemented separation of duties and MFA, that would do a lot more to protect against phishing.

Jesus Christ, don't get me started.
At my company, we have MFA (was DUO, switching to MS Auth), security awareness, blah blah blah... but literally every person is an admin. Only on their own box, but still, WTF?
We have bitched endlessly about it, but the VP IT thinks people will be unhappy if we take away admin. Meaning, *he* doesn't want to not be an admin. To be fair, we're only just now moving to AAD and Intune, so we can have a self-service software store, so people don't have to be admins to install stuff they actually need, but OMG the potential for destruction.
Did I mention that we're a security company?

Jiro
Jan 13, 2004

Darchangel posted:

Jesus Christ, don't get me started.
At my company, we have MFA (was DUO, switching to MS Auth), security awareness, blah blah blah... but literally every person is an admin. Only on their own box, but still, WTF?
We have bitched endlessly about it, but the VP IT thinks people will be unhappy if we take away admin. Meaning, *he* doesn't want to not be an admin. To be fair, we're only just now moving to AAD and Intune, so we can have a self-service software store, so people don't have to be admins to install stuff they actually need, but OMG the potential for destruction.
Did I mention that we're a security company?

Getting Intune installed on people's phones can be a massive pain, less so on iPhones. God help you if you allow work emails to be viewed on their phones through Intune/AAD policies. I'm currently doing IL testing for a SOC entry level position and I have to say I don't really like ProcMon, but I think that's coming from being taught more Linux stuff than anything else, and going back to Windows and its syntax is just jarring.

Achmed Jones
Oct 16, 2004



Subjunctive posted:

It’s also very useful to have an “anti-rubric”: what are things that you explicitly exclude from a candidate’s evaluation? For example, one of our interviews has the candidate describe a time that they led a change at their organization. We explicitly don’t care if it’s a big change or small one, and we don’t care if we would agree with the change. That was important to make clear so that we got more consistent evaluation, and to guide candidates on how to prepare.

The really strong move is to tell the candidate the rubric.

hell yes this is the way

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Darchangel posted:

Jesus Christ, don't get me started.
At my company, we have MFA (was DUO, switching to MS Auth), security awareness, blah blah blah... but literally every person is an admin. Only on their own box, but still, WTF?
We have bitched endlessly about it, but the VP IT thinks people will be unhappy if we take away admin. Meaning, *he* doesn't want to not be an admin. To be fair, we're only just now moving to AAD and Intune, so we can have a self-service software store, so people don't have to be admins to install stuff they actually need, but OMG the potential for destruction.
Did I mention that we're a security company?

Usually because most companies won't spring for Just In Time access for local admin, so they just give everyone admin.

Even then, you should have an 'escalation' account for getting local admin that isn't the default logged in account.

SlowBloke
Aug 14, 2017

Darchangel posted:

Jesus Christ, don't get me started.
At my company, we have MFA (was DUO, switching to MS Auth), security awareness, blah blah blah... but literally every person is an admin. Only on their own box, but still, WTF?
We have bitched endlessly about it, but the VP IT thinks people will be unhappy if we take away admin. Meaning, *he* doesn't want to not be an admin. To be fair, we're only just now moving to AAD and Intune, so we can have a self-service software store, so people don't have to be admins to install stuff they actually need, but OMG the potential for destruction.
Did I mention that we're a security company?

Since you mentioned AAD and Intune, there are two items I would suggest showing to your manager:

1. Windows LAPS https://cloudinfra.net/how-to-implement-windows-laps-using-intune/
Meaning that if a user needs admin rights, they can get the password sent and it will auto reset after an interval of time chosen by the admins; free and integrated in Intune and AAD.

2. Intune Endpoint Privilege Management https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview which is a JIT admin tool, but it's paid so it might not be accepted.
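An added audit script (mine, not SlowBloke's, CommieGIR's, or Microsoft's) that checks one Windows endpoint for the two things the posts above argue about: whether the daily-driver account is sitting in the local Administrators group instead of a separate escalation account, and whether Windows LAPS is actually configured and rotating. It uses the built-in LocalAccounts cmdlets and reads the LAPS policy from the registry; the three policy paths, the BackupDirectory meaning, and the `Microsoft-Windows-LAPS/Operational` log name follow my reading of the Windows LAPS documentation and should be treated as assumptions to verify on your build, as should the default managed account name `Administrator`.

```powershell
# Added example: audit a Windows box for standing local admin and LAPS state.
# Not from the thread or Microsoft; registry paths / log name are my reading of
# the Windows LAPS docs -- verify on your build.

function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        # Account LAPS manages (the AdministratorAccountName policy). Assumed
        # default; set it to whatever your Intune policy names.
        [string]$LapsManagedAccount = 'Administrator'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Who is in the local Administrators group right now?
    $admins = @(Get-LocalGroupMember -Group 'Administrators')

    # 2. Is the account this session runs as one of them? That is the
    #    "daily-driver account is admin" pattern; escalation should use a
    #    separate identity (or a JIT grant), not the logged-in user.
    $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($admins | Where-Object { $_.Name -ieq $currentUser }) {
        $findings.Add("Interactive user '$currentUser' is a direct member of Administrators.")
    }

    # 3. Any user principal other than the LAPS-managed account is a standing
    #    privilege grant that a JIT model would replace.
    $standing = $admins | Where-Object {
        $_.ObjectClass -eq 'User' -and
        (($_.Name -split '\\')[-1]) -ine $LapsManagedAccount
    }
    foreach ($m in $standing) {
        $findings.Add("Standing admin: $($m.Name) (source: $($m.PrincipalSource))")
    }

    # 4. Is Windows LAPS configured? Policy can arrive via the Intune CSP,
    #    Group Policy, or local config. BackupDirectory: 0 = disabled,
    #    1 = Azure AD, 2 = AD (assumed from the docs).
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
    )
    $backupDir = $null
    foreach ($p in $policyPaths) {
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).BackupDirectory
            if ($null -ne $v) { $backupDir = [int]$v; break }
        }
    }
    if ($null -eq $backupDir -or $backupDir -eq 0) {
        $findings.Add('Windows LAPS policy not found or BackupDirectory=0 (disabled).')
    }

    # 5. Has LAPS ever done anything here? A populated operational log is the
    #    cheapest sign that rotation is really happening.
    $lastLapsEvent = $null
    try {
        $lastLapsEvent = Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' `
            -MaxEvents 1 -ErrorAction Stop
    } catch {
        $findings.Add('No events in Microsoft-Windows-LAPS/Operational (LAPS inactive or log absent).')
    }
    $lastTime = if ($lastLapsEvent) { $lastLapsEvent.TimeCreated } else { $null }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        InteractiveUser  = $currentUser
        AdminMembers     = @($admins | ForEach-Object Name)
        LapsBackupTarget = $backupDir
        LastLapsEvent    = $lastTime
        Findings         = @($findings)
    }
}

# Run it; a non-empty Findings list means the box still has the
# everyone-is-admin pattern the thread is complaining about.
Get-LocalAdminAudit | Format-List
```

Run it from a normal user session to see whether that session is itself admin; run it from the escalation account to confirm that account, not the daily one, is the only human member. Pushed out through Intune as a detection script, the `Findings` list is what you would report back per device before deciding whether EPM or LAPS is the fix.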

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Darchangel posted:

Jesus Christ, don't get me started.
At my company, we have MFA (was DUO, switching to MS Auth,) Security awareness, blah blah blah... but literally every person is an admin. Only on their own box, but still, WTF?
We have bitched endlessly about it, but the VP IT thinks people will be unhappy if we take away admin. Meaning, *he* doesn't want to not be an admin. To be fair, we're only just now moving to AAD and Intune, so we can have a self-service software store, so people don't have to be admins to install stuff they actually need, but OMG the potential for destruction.
Did I mention that we're a security company?

If you give people the ability to have temporary admin access on demand, then not having local admin is an inconvenience for users with few (not zero) tangible security benefits. Someone determined to install bad software will be able to do so, and anyone who phishes credentials can just lie to your IT team about what they want to install. So you say “okay we need a video call”, to which I say “have you seen what AI impersonators can do?”. If you’re not remote then an in person visit is hard to beat, and this calculus changes. But that’s a very expensive policy to implement.

Regardless, if a single compromised user device can compromise your whole company, you have bigger concerns. Conditional access policies, segregated admin accounts for highly privileged users, and just in time permissions models will significantly mitigate the risk here. Users who would haphazardly install malicious extensions but wouldn’t bother with the admin access request to do so will be deterred, but if those users are who determine if you get cryptolockered or not you have much bigger flaws. There’s admittedly a small benefit here! But I think it is not worth the large costs in time and goodwill you will lose.

I also think you’re vastly overestimating the ability of your security or IT team to add and maintain the vast array of self service software your engineers will demand. You’re also going to find that applications will not be updated as frequently because half the time you need admin rights to do so.

Finally, at the end of the day, if I can run docker containers and have root there, or access literally any VM with root credentials anywhere, what the gently caress is even the point?

If you don’t give people temporary local admin, lol, lmao. Enjoy the entire organization hating you. If you’re working on special access programs or think you have the secret to fusion energy, maybe you can justify this, but honestly at this point just give people virtual desktops and hardware tokens for access.

I’d focus your efforts on deploying EDR tooling everywhere and aggressively tuning its filters to your environment. Similarly, you should be in the business of helping your users implement better security practices in their day to day work, which is mostly going to mean MFA, zero trust/identity based authentication to your services, actually implementing proper RBAC and automation for access approvals, anomalous access pattern detection, and most importantly CI/CD so users can’t make changes to secure environments from their laptops with personal access credentials at all, with peer review/SAST/DAST to do so with automation. If getting a single local laptop compromised is the difference between compromise or not, you have failed as a security practitioner.

You work for a company, your first job is to make the business money. You do have an ethical obligation to your customers, and your customers probably won’t come back if you get hacked frequently (see: lastpass). You make the business money by ensuring you ship secure code, don’t suffer embarrassing compromises, and incur significant reputation damage as a result. Removing local admin will not achieve that. I recommend you instead pursue the difficult engineering that will actually ensure that you are protected from compromise rather than half measures that infuriate your users, destroy goodwill, and leave holes in your security posture wide enough to drive an insider threat (or phished account!) through.

You need to consider the negative impact that comes from overzealous security policy. I strongly recommend you talk to your users, and actually ask them where they see security holes, and then fix those before you come in taking away people’s toys.

Edit: LAPS is a great tool and you should use it whether or not your users have local admin rights. Just because users have access doesn’t mean you should use the same credentials everywhere.

The Iron Rose fucked around with this message at 07:43 on Aug 23, 2023

more falafel please
Feb 26, 2005

forums poster

One time I fought with my company's IT department because I was trying to run an "unknown" program that wanted to listen for network connections.

My job was to program the networking code for a PC game.

GrunkleStalin
Aug 13, 2021
Thank y’all for the advice. It helped me calm down and recover from my doom spiral.

Wibla
Feb 16, 2011

GrunkleStalin posted:

Thank y’all for the advice. It helped me calm down and recover from my doom spiral.

The fact that you're worried means you'll more than likely be fine.

Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer
This seems.......... bad.

Wiggly Wayne DDS
Sep 11, 2010

Takes No Damage posted:

This seems.......... bad.
they already have that power under ripa, this is about closing a loophole where during reviewing an already active notice the company is technically not required to comply

like it's poo poo but it's not giving them additional powers that ripa didn't already do

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter
It has been suggested to me by the IT Director that he would like to see me be the SME for M365 cybersecurity. I am less enthused about this.

some kinda jackal
Feb 25, 2003

 
 
It should be suggested to the IT Director by you that you would like to see all the required Microsoft training in your calendar.

Famethrowa
Oct 5, 2012

has anyone had to deal with clients using AI transcription services on Zoom? there's no notice or warning, just an AI attendee with the client's name uploading a recording to an unknown service with no known NDA.

is there a way to block connections with this plugin activated? how tf do you govern this?

Thanks Ants
May 21, 2004

#essereFerrari


Make it your client's problem if they are under NDA with you - it's no different to them running the session through OBS and capturing the whole thing.

Famethrowa
Oct 5, 2012

Thanks Ants posted:

Make it your client's problem if they are under NDA with you - it's no different to them running the session through OBS and capturing the whole thing.

yeah, I'm just not so sure on the enforcement. we have thousands of clients and hundreds of account managers. I don't trust them to report this client behavior.

Wiggly Wayne DDS
Sep 11, 2010

Famethrowa posted:

has anyone had to deal with clients using AI transcription services on Zoom? there's no notice or warning, just an AI attendee with the client's name uploading a recording to an unknown service with no known NDA.

is there a way to block connections with this plugin activated? how tf do you govern this?
zoom were trying to force ai training on everything but backed down after a few days: https://blog.zoom.us/zooms-term-service-ai/

is it related to that or a third-party service? either way i wouldn't be trusting zoom to the level of anything needing a nda or confidentiality

MustardFacial
Jun 20, 2011
George Russel's
Official Something Awful Account
Lifelong Tory Voter

some kinda jackal posted:

It should be suggested to the IT Director by you that you would like to see all the required Microsoft training in your calendar.

I want the cool training in my calendar. I hate M365 and as someone who is extremely privacy conscious I do not like the idea of MS's push into AI services like CoPilot and Bing Chat Enterprise.

Famethrowa
Oct 5, 2012

Wiggly Wayne DDS posted:

zoom were trying to force ai training on everything but backed down after a few days: https://blog.zoom.us/zooms-term-service-ai/

is it related to that or a third-party service? either way i wouldn't be trusting zoom to the level of anything needing a nda or confidentiality

it's a third party service. zoom will at least pop up a consent form.

in this instance, our customer service person joined a call, saw the customer's name in attendance, and started talking to them but noticed they weren't responding. emailed the customer, and they said "oops! we forgot, can we reschedule?"

so it's not opt in, there's no notification, and it masqueraded as the customer contact. we don't even know what tool it was. who knows who got the beginning of that call and what their data usage policy is.

gently caress AI.

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.
But why do you care? Isn't it better when you can see the eavesdropper, instead of it being completely hidden from you?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Yeah they can do recordings on their end anyway, and I doubt the AI is anything other than Amazon’s speech-to-text API. it’s the account manager’s problem, IMO

unknown
Nov 16, 2002
Ain't got no stinking title yet!


In my dealings with a couple of heavily regulated/paranoid companies, basically they wouldn't allow any video/chat app except for the ones they approved and controlled/locked down.

As you can guess it was a poo poo show for that company's employees. "nooo, let me run the meeting, it's just easier.."

They also bought for the major vendors so that if you did use their non-regular (teams) system - basically they were locked out. :homebrew:


Famethrowa
Oct 5, 2012

Saukkis posted:

But why do you care? Isn't it better when you can see the eavesdropper, instead of it being completely hidden from you?

PII is often discussed on these calls and we'd like to know if it is going into some fly by night AI transcription company's DB. many of them store the entire call (video, audio, screenshare) for some vaguely handwaved length of time.

Subjunctive posted:

Yeah they can do recordings on their end anyway, and I doubt the AI is anything other than Amazon’s speech-to-text API. it’s the account manager’s problem, IMO

sure, but we have an NDA with the client, but maybe not their third party.

https://fathom.video/ is one of our problem AIs that we've found and it's not Amazon API as far as I can tell

e. I guess the plus is that the pii at least isn't ours and hopefully we can point to it not being our leak, but still not great for proprietary info that is ours.

Famethrowa fucked around with this message at 02:24 on Aug 24, 2023
