Sickening
Jul 16, 2007

Black summer was the best summer.
I currently have the CISSP. It's always been a bit of a poo poo exam that I wish would die, but it just hasn't. The cert provider also has enough fake bullshit with it so that probably isn't happening.

I was curious because I am out of date on what good resources are for new folks.


eonwe
Aug 11, 2008



Lipstick Apathy
The study materials I found to be useful were the following:

Sybex Official Study Guide 9th Edition
LearnZapp
CISSP Exam Cram (8 hour video) - https://www.youtube.com/@InsideCloudAndSecurity
Think Like A Manager video - https://www.youtube.com/@GwenBettwyTSI

I read a lot of study plans on r/CISSP and after taking the exam I sort of felt like they're focusing on the wrong things mostly. They were doing very technical deep dives and writing all these bizarre questions, but mostly it felt like the exam was a test of whether you had a basic understanding of all the technologies, understood why you would use one technology as opposed to another technology, and whether you were capable of reading a question and finding the question they are actually asking.
Also understanding that if there are 4 answers on a question all 4 might be right, but one might be more right.

The book is good because it covers everything, LearnZapp is good not because the questions are anything like the ones on the exam but because they'll point out what technologies you don't understand, the 8 hour video is good to have some 'mind map' stuff, and the Gwen Bettwy channel is good for getting into the mindset of how ISC2 actually asks their questions.

Frozen Peach
Aug 25, 2004

garbage man from a garbage can
Secure Boot continues to be a joke

https://www.theregister.com/2023/12/01/uefi_image_parser_flaws/

eonwe
Aug 11, 2008



Lipstick Apathy
The thing I'm learning about IT Security so far is how much frustration other IT people view Security with. Which was weird because I always got along with the security people when the shoe was on the other foot. It's hard to convince people their vulnerabilities are important or even real

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are
From the IT side, I'm perfectly happy to partner with Security. Let's be friends!

But if you're the type to heave poo poo over the fence at my team without talking to us, and treat us like idiots who need to be told what to do while running roughshod over our area of expertise (while demonstrating a lack of said expertise), we are going to have static.

(Not calling out anyone here, but I worked for half a decade with EntSec who'd send engineering "solutions" instead of calling up to discuss how to fix a problem cooperatively. That is not the way.)

Wizard of the Deep
Sep 25, 2005

Another productive workday
There are a lot of Security teams who view their job as "no", and occasionally "explain this Qualys report to me".

The role of a Security team should be helping development and infrastructure teams to make the right choices, and understanding how to make secure decisions. But so many, like project managers and HR folks, are just bad at their jobs.

FungiCap
Jul 23, 2007

Let's all just calm down and put on our thinking caps.
Where I've seen high friction between IT and security has usually been in organizations where IT was underfunded and understaffed, where they're too stressed just keeping the lights on to worry about TLS 1.2 vs TLS 1.3.

Basically it's a management issue.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
A good Security team partners with IT to solve issues.

A bad one chucks the issues over the wall and plays the blame game.

Achmed Jones
Oct 16, 2004



treating it as "partner vs throw over a wall" misses the point. if all a team is doing is handing off scans and saying "please fix," and the receiving team doesn't have the headcount to staff that, then...that's not really on either team directly. it's on the management structure that apparently wants their security team to do nothing but send emails with PDFs attached, and on the management structure that can't figure out how to prioritize, what to drop to remediate vulnerabilities, etc.

it's pretty dumb to expect the security team to hold a partner team's hand and teach them how to drop other work to pick up remediation work (where the vulnerability is critical enough for that to make sense). there's some lead somewhere that needs to figure out what gets dropped. if the business really can't support remediation, then it seems pretty unlikely that the security team is actually focusing on the most important threats if all they're doing is sending emails into an unschedule-able void rather than actually addressing the organization's biggest risks by e.g. performing the remediation work themselves

Haptical Sales Slut
Mar 15, 2010

Age 18 to 49
What does everyone use for a Windows & iOS VPN? I've been on Nord since Lowtax or Jeff had a discount code years ago, but wondering if I should re-up with them...

Achmed Jones
Oct 16, 2004



i don't use a vpn

The Fool
Oct 16, 2003


public vpns don't give you anywhere near the amount of protection most people think they're getting and unless you have some very specific use cases you're just signing up for extra hassle and no benefit

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Haptical Sales Slut posted:

What does everyone use for a Windows & iOS VPN? I've been on Nord since Lowtax or Jeff had a discount code years ago, but wondering if I should re-up with them...

ProtonVPN is what I use.

Achmed Jones
Oct 16, 2004



The Fool posted:

public vpns don't give you anywhere near the amount of protection most people think they're getting and unless you have some very specific use cases you're just signing up for extra hassle and no benefit

username does not match post content

Blurb3947
Sep 30, 2022
They're good for moving the burden of trust from the websites you visit to them instead of your ISP or mobile carrier, and it also helps with changing your location in most apps.

Reddit has a spreadsheet of the better VPNs out there and quite a few like Surfshark you can get multiple years of service for under $100.

Haptical Sales Slut
Mar 15, 2010

Age 18 to 49

The Fool posted:

public vpns don't give you anywhere near the amount of protection most people think they're getting and unless you have some very specific use cases you're just signing up for extra hassle and no benefit

This is sort of what I've been assuming....I just use it to look at naughty material and when aimlessly browsing on PC and don't wanna leave a ton of easily identifiable cookies for advertisers, but idk if a VPN would even help in that situation lol.


CommieGIR posted:

ProtonVPN is what I use.

This is what I was considering going to. I know a guy that like mailed money to someone in an envelope to a different country and got a login via the snail mail like 3 weeks later. I assume outfits like that might be less likely to share data with law enforcement or governments, but who the F knows?

Weaponized Autism
Mar 26, 2006

All aboard the Gravy train!
Hair Elf
I'll second ProtonVPN, I've been using their VPN and Mail for years without issue. They're based out of Switzerland, and have gone through multiple external audits. Very privacy friendly, no VPN logging, E2E mail, etc.

Bald Stalin
Jul 11, 2004

Our posts
Kicking off my security+ learning, and have just found out there's a new exam as of last month, 701. All the materials I have are 601 and new 701 stuff is pricey to buy rn. Reckon I can just go with all the good 601 material I have and see how I go, or does anyone know if there's major changes that this will lead to loving up?

Wizard of the Deep
Sep 25, 2005

Another productive workday
The main value of a VPN is having a remote device act like it's local to a network. I use a VPN to access my data or devices when I'm not home.

Using a public VPN is typically valuable in two situations: You don't trust the local network you're connecting to, or you need to appear to be somewhere else. It's generally a cat-and-mouse game between the VPNs rotating IPs and the streaming services blocking them. Some have started integrating DNS-level ad blocking, which is a decent slice of the pie.

But a VPN alone isn't going to save you from nearly as much as they promise. And you functionally have to trust that they're logging as little as they say they're logging.

F4rt5
May 20, 2006

Haptical Sales Slut posted:

This is sort of what I've been assuming....I just use it to look at naughty material and when aimlessly browsing on PC and don't wanna leave a ton of easily identifiable cookies for advertisers, but idk if a VPN would even help in that situation lol.

This is what I was considering going to. I know a guy that like mailed money to someone in an envelope to a different country and got a login via the snail mail like 3 weeks later. I assume outfits like that might be less likely to share data with law enforcement or governments, but who the F knows?

Mullvad is Swedish and takes cash by mail for more complete anonymity.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Yeah VPNs are not the safety that they pretend they are and are really only good for a few things - secure tunnel on untrusted networks, masking your location, piracy, and viewing sites with region locks.

Internet Old One
Dec 6, 2021

Coke Adds Life

eonwe posted:

The thing I'm learning about IT Security so far is how much frustration other IT people view Security with. Which was weird because I always got along with the security people when the shoe was on the other foot. It's hard to convince people their vulnerabilities are important or even real

Every security person I work with is a dumbass that makes my job harder and knows less about security than I do all while being smug as gently caress about it. So I don’t like them.

DkHelmet
Jul 10, 2001

I pity the foal...


I toss a few bucks to the Mozilla foundation for the VPN and Relay. It's not the perfect solution but it ain't bad and helps keep a second browser tech alive, which is noble. Too much poo poo is chromium.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Mozilla's VPN is just Mullvad. Pay for Mullvad instead.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Internet Old One posted:

Every security person I work with is a dumbass that makes my job harder and knows less about security than I do all while being smug as gently caress about it. So I don’t like them.

Security people like this piss me off and make it really hard to work in the field.

I've honestly had to chew quite a few out in my 15 years of doing Security because they openly make it harder to secure things by pissing off the infra or app teams or actively pushing them away and creating strong scenarios for shadow IT.

Blurb3947
Sep 30, 2022

Cup Runneth Over posted:

Mozilla's VPN is just Mullvad. Pay for Mullvad instead.

Also keep in mind Mullvad doesn't do port forwarding if you are interested in piracy.

omeg
Sep 3, 2012

Some of my colleagues investigated weird lockups of trains and found evidence of undocumented DRM that triggered if the trains were serviced by 3rd parties and not the manufacturer. There will be a talk about this at CCC later this year.
Cool train hacking

spankmeister
Jun 15, 2008






omeg posted:

Some of my colleagues investigated weird lockups of trains and found evidence of undocumented DRM that triggered if the trains were serviced by 3rd parties and not the manufacturer. There will be a talk about this at CCC later this year.
Cool train hacking



That's awesome. Related to the father and son who got arrested in Poland earlier this year for loving up trains?

E: having read the posts, not related at all it seems.

Thanks Ants
May 21, 2004

#essereFerrari


Isn't that "the government fucks you up" levels of illegal?

Wiggly Wayne DDS
Sep 11, 2010



omeg posted:

Some of my colleagues investigated weird lockups of trains and found evidence of undocumented DRM that triggered if the trains were serviced by 3rd parties and not the manufacturer. There will be a talk about this at CCC later this year.
Cool train hacking


nice work

omeg
Sep 3, 2012

Thanks Ants posted:

Isn't that "the government fucks you up" levels of illegal?

Yeah, they let the appropriate orgs know but we'll see if anything serious happens.

eonwe
Aug 11, 2008



Lipstick Apathy

Bald Stalin posted:

Kicking off my security+ learning, and have just found out there's a new exam as of last month, 701. All the materials I have are 601 and new 701 stuff is pricey to buy rn. Reckon I can just go with all the good 601 material I have and see how I go, or does anyone know if there's major changes that this will lead to loving up?

My understanding is that the 701 is actually pretty different. That being said, the best resource for a Security+ IMO is Professor Messer's series on YouTube which is free.


Also, I got my endorsement approved for my CISSP today so now I have to work on those CPEs
---
Also, as far as my earlier post about the tension between IT security and IT operations goes, my current job is just my first time fully in security, so it's just culture shock I guess. I'm used to being the one that fixed stuff, rather than working with people to explain findings that may need to be fixed.

I'm learning a lot so far though.

eonwe fucked around with this message at 22:11 on Dec 5, 2023

Sickening
Jul 16, 2007

Black summer was the best summer.
Welp, someone has called out the CISO again in a public channel for.. checks notes.. monitoring web browsing activity on their company-issued laptop. Is this something new the company is doing? No. Do company policies communicate it and support it? Yes. Who is this super important person who believes they have any authority at all? A developer.

I don't expect fireworks like last time but maybe some folks just want to be fired before christmas.

Thanks Ants
May 21, 2004

#essereFerrari


I'll never understand how people getting paid decent money would make the decision not to have a personal computer for personal stuff.

post hole digger
Mar 21, 2011

It’s always a developer

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
It's like all the idiots that install games or browse porn on their company laptop and are aghast that they get called out for it.

What exactly did you think was going to happen?

Nuclearmonkee
Jun 10, 2009


post hole digger posted:

It’s always a developer

In like 2017 we fired one who put a bitcoin miner into a development instance, which was of course elastic so that we didn't pay for poo poo while all the devs are sleeping.

There were not great controls on how much it could grow, though it did at least fortunately alarm as the dev instance ballooned to enormous proportions so I hard stopped it at like 10pm.

He was shocked and extremely upset that he was fired the next day after we figured out what the hell happened.
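The guardrail the post above wishes the dev instance had had (a hard ceiling plus an off-hours growth alarm), written as an added example for this thread, not code from the poster or their employer. The event log format, the ceiling of 8 instances and the working hours are constructed assumptions.

```python
"""Guardrail for an elastic dev environment: flag growth of the desired
instance count beyond a hard ceiling, and any growth outside working hours.
Added example; log format, threshold and hours are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample scaling events: "<ISO timestamp> <group> <desired_count>"
SAMPLE_EVENTS = """\
2017-03-14T17:55:00 dev-api 2
2017-03-14T19:10:00 dev-api 6
2017-03-14T20:30:00 dev-api 14
2017-03-14T21:45:00 dev-api 40
2017-03-14T22:05:00 dev-api 96
"""

DEV_CEILING = 8            # assumed: a dev group never legitimately needs more
WORK_HOURS = range(8, 19)  # assumed local working hours, 08:00-18:59


@dataclass
class Alert:
    when: datetime
    group: str
    count: int
    reason: str


def parse_events(text):
    """Parse the constructed event format into (timestamp, group, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, group, count = line.split()
        events.append((datetime.fromisoformat(ts), group, int(count)))
    return events


def check_growth(events, ceiling=DEV_CEILING, work_hours=WORK_HOURS):
    """Return one Alert per event that breaches the ceiling or grows off-hours.
    A breach of the ceiling is reported as such even when it is also off-hours."""
    alerts = []
    last_count = {}
    for when, group, count in events:
        prev = last_count.get(group)
        if count > ceiling:
            alerts.append(Alert(when, group, count, "above ceiling"))
        elif prev is not None and count > prev and when.hour not in work_hours:
            alerts.append(Alert(when, group, count, "off-hours growth"))
        last_count[group] = count
    return alerts
```

Run against the sample, the 19:10 jump is caught as off-hours growth before the count ever reaches the ceiling, which is the point: the alarm fires on the first unexpected step, not once the bill is already large.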

Sickening
Jul 16, 2007

Black summer was the best summer.

Thanks Ants posted:

I'll never understand how people getting paid decent money would make the decision not to have a personal computer for personal stuff.

That was actually part of the mental gymnastics. “Some people aren’t going to have personal computers”. Okay tech bro, let me feel sorry for you.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Sickening posted:

That was actually part of the mental gymnastics. “Some people aren’t going to have personal computers”. Okay tech bro, let me feel sorry for you.

Not to mention - Holy poo poo you can get a laptop cheap, just how poor are you, developer-kun?


Kibner
Oct 21, 2008

Acguy Supremacy

Thanks Ants posted:

I'll never understand how people getting paid decent money would make the decision not to have a personal computer for personal stuff.

I just run a work VM on my personal machine. :v:
