Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Thanks Ants posted:

The moment you start trying to cover your tracks is when things get infinitely worse

You might want to delete this post.


Diva Cupcake
Aug 15, 2005

itsdereksmifz posted:

Looking to learn more about GRC, and primarily the Governance portion. Anyone have any good reads/videos/etc?
I've poked around Secureframe's GRC Hub for their self-led learning modules. It's decent enough to get you started.

https://secureframe.com/hub/grc

Sickening
Jul 16, 2007

Black summer was the best summer.
I will never advocate for any employee to reimburse their company for anything that isn't fraud. Broken laptop? Don't give a gently caress. Unless you find a video of me using it for a skateboard in 4k, and even then, I feel like you are going to have to take me to court. Break a laptop every year? drat that sucks, but nah, not paying you a dime; this is the cost of doing business. Ever since I have seen behind the veil of executive spending, all issues of morality have gone out of the window. Having a partner who works in education, with the topic of wage theft and first-hand experience with the shady rear end poo poo they try to pull, I will not bend, I will not break.

Want me to use company security keys? Sure, send me one. Want me to send it back to you in the mail? I might find time to put it in with my laptop, but probably not. Companies should see them for what they are: costs that can't be recouped. They are cheaper than a compromise. And they are also like keyboards and mice; they are probably going to be gross, and nobody wants you to send back your gross keyboard anymore.

itsdereksmifz
Apr 30, 2019

Diva Cupcake posted:

I've poked around Secureframe's GRC Hub for their self-led learning modules. It's decent enough to get you started.

https://secureframe.com/hub/grc

Thank you!

Jan
Feb 27, 2008

The disruptive powers of excessive national fecundity may have played a greater part in bursting the bonds of convention than either the power of ideas or the errors of autocracy.

Sickening posted:

There are still people who put confidence in brave?

I'd love to hear of an alternative to block ads on a non-rooted Android phone... A PiHole only works while you're on a home network, and browsing anything while on mobile data would see me getting bombarded with compromised ad popups at least once per day.

I've recently done a pass on my account and password manager security. Namely, I changed from 1Password to BitWarden because I'm still pissed off that they killed my self-hosted perpetual license in favour of SaaS.

But more to the point, I've been hearing about FIDO passkeys and I much prefer the idea of ditching passwords (however unique/randomized) in favour of public key authentication. But storing passkeys inside a password manager, then using a password for that password manager feels like it defeats the purpose. Similarly, using timed 2FA codes but then backing them up to the same password manager also defeats the concept of 2FA.

I think the responsible thing to do here would be to get some YubiKeys and use that as a master password instead? What's some good general guidance? Based on the discussion just last page, I'd say one nano permanently installed on my personal workstation, and one to carry around on a keychain?

Blurb3947
Sep 30, 2022

Jan posted:

I'd love to hear of an alternative to block ads on a non-rooted Android phone... A PiHole only works while you're on a home network, and browsing anything while on mobile data would see me getting bombarded with compromised ad popups at least once per day.

You could set up a Wireguard server on your router and just be constantly connected through that to take advantage of on-the-go PiHole coverage. Obviously that'll depend on your router. Easier than setting up PiHole though is NextDNS. They've got a pretty generous free tier but even at $20/yr it's a nice and easy way to get DNS-based ad blocking to every device.

Thanks Ants
May 21, 2004

#essereFerrari


You probably don't want to collect YubiKeys off departing members of staff either; you have no way to verify the integrity of that device.

disaster pastor
May 1, 2007


Jan posted:

I'd love to hear of an alternative to block ads on a non-rooted Android phone... A PiHole only works while you're on a home network, and browsing anything while on mobile data would see me getting bombarded with compromised ad popups at least once per day.

If browsers are your concern, Firefox Android allows uBlock Origin, Samsung Internet is basically just "Chrome that Samsung built adblockers for." If you're thinking phone-wide, I think Blokada is still a thing.

DkHelmet
Jul 10, 2001

I pity the foal...


Blurb3947 posted:

Easier than setting up PiHole though is NextDNS. They've got a pretty generous free tier but even at $20/yr it's a nice and easy way to get DNS-based ad blocking to every device.

QFT. My NextDNS account runs whole house on my UniFi, and on my androids and iPhones via an app. Easy to toggle on and off.

It’s honestly “just works” level of awesomeness. The random FireTV apps my wife watches no longer show interstitial commercials.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Jan posted:

I'd love to hear of an alternative to block ads on a non-rooted Android phone...

Firefox + uBlock works great, as far as I can tell

I worked at a company that had “IT vending machines” with cables, power supplies, phone chargers, headphones, USB keys, keyboards, mice, monitor wipes, etc. The prices were listed, because it made people more thoughtful about what they grabbed, but the employee didn’t pay. They just swiped their badge and the management chain got a roll-up of it as part of the spend reporting every month. I once had IT reach out to me and someone I managed because they got like 20 phone chargers out of a handful of machines on the same day, but she was setting up a test device station so it was legit. Never heard a peep otherwise, and man the amount of time it saved IT…

These days I work for an all-remote company, and we pay for monitor, webcam, keyboard, key lights, microphone/headset, etc. Only thing we ask to get back is the laptop, for security reasons mostly.

Achmed Jones
Oct 16, 2004
Hed posted:

Thanks, we are going to do a nano for every machine and a keychain for home for everyone. Definitely want to make it as slick as possible.


💯

quote:

I will make sure the new key thing should be trivial--are you saying no scrutiny whatsoever if someone loses like 5 of em? Just trying to figure out what the bad incentive is (other than having to use access passes).

I'd say no scrutiny at time-of-issuance, but if you want to keep track of how many people are getting and say "wtf" if they make off with too many, that makes sense. If somebody is, like, taking a bunch and selling them on ebay or something, that's just straight theft of company property. I don't think you really need to predict a problem of people-are-using-too-many-yubikeys unless you observe that there really is such a problem.

quote:

Any tips on how to have our helpdesk verify people to hand out a Temporary Access Pass? We have an MSP and even now they don't really scrutinize folks who move to a new phone and need to re-set up Microsoft Authenticator (which will go away). They should have an idea to be better but I'd love to show them what high-functioning looks like. Can't really think of much other than pre-shared keys (distribution would be a problem) or verify calls some way, which is exactly why I disabled SMS/phone verification for MFA.

Require either in-person or video verification, or photo-based challenge-response, e.g. 'hold up three fingers and a piece of paper with "I like poodles" and today's date written on it' or something. Everything except final verification and clicking "accept and provision" could be automated.

Sirotan
Oct 17, 2006

Sirotan is a seal.


Jan posted:

I'd love to hear of an alternative to block ads on a non-rooted Android phone... A PiHole only works while you're on a home network, and browsing anything while on mobile data would see me getting bombarded with compromised ad popups at least once per day.

Settings->Network & Internet->Private DNS, use dns.adguard-dns.com, boom, done. That'll get you 95% of the way there; Firefox has some custom filtering lists to get rid of paywalls and such. This is what I do, works great.

mllaneza
Apr 28, 2007

Veteran, Bermuda Triangle Expeditionary Force, 1993-1952

Subjunctive posted:

I worked at a company that had “IT vending machines” with cables, power supplies, phone chargers, headphones, USB keys, keyboards, mice, monitor wipes, etc. The prices were listed, because it made people more thoughtful about what they grabbed, but the employee didn’t pay. They just swiped their badge and the management chain got a roll-up of it as part of the spend reporting every month. I once had IT reach out to me and someone I managed because they got like 20 phone chargers out of a handful of machines on the same day, but she was setting up a test device station so it was legit. Never heard a peep otherwise, and man the amount of time it saved IT…

We have vending machines too, they're incredibly convenient. We do have a couple of tickets open with the vendor. They made some small changes to lane speed, and now if you buy an Apple Magic Keyboard it vends seven and only charges for one. My manager posted in chat that it was a good thing we hire honest, decent people. I didn't have the heart to tell him that we also hire smart people who can figure out what swiping their badge means in this situation.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Thanks Ants
May 21, 2004

#essereFerrari


Lol

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Ransomware? In my wrench? It's more likely than you think!

Diva Cupcake
Aug 15, 2005

How about a torque wrench... but on the internet?

It's gold, Jerry.

some kinda jackal
Feb 25, 2003
I struggle, because tying your tools into data collection is probably "good" from a QC perspective in that you know poo poo is being torqued right and such when things roll off the line, and you have a record in case something happens --

but then like.... a WiFi IoT torque wrench with hardcoded credentials and multiple high-severity CVEs is such a 2020s thing that I get a headache thinking about it.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

some kinda jackal posted:

I struggle, because tying your tools into data collection is probably "good" from a QC perspective in that you know poo poo is being torqued right and such when things roll off the line, and you have a record in case something happens --

but then like.... a WiFi IoT torque wrench with hardcoded credentials and multiple high-severity CVEs is such a 2020s thing that I get a headache thinking about it.

Yeah, it should be treated like any SCADA/ICS device and put on a segregated network, but you also have to assume, like with those same devices, that the security is utter garbage or non-existent.

some kinda jackal
Feb 25, 2003
I don't know why I had higher expectations from a Bosch company vs some rando Aliexpress digital wrench manufacturer. That one's on me :lol:

Sickening
Jul 16, 2007

Black summer was the best summer.

CommieGIR posted:

Yeah, it should be treated like any SCADA/ICS device and put on a segregated network, but you also have to assume, like with those same devices, that the security is utter garbage or non-existent.

The isolation/segregation of shitbox devices like this is so stressful. People that use them just want them to work and hate all the hoops. They have to be treated as being radioactive because of the wild bullshit that comes out of nowhere. There are no alternatives because these niche things all have embarrassing issues. Each vendor is a special snowflake that actively makes their shitboxes less likely to work in restrictive environments. Everyone loses.

chin up everything sucks
Jan 29, 2012

A promotion came in - moving from government helldesk to government cybersecurity in a few weeks, just waiting for someone to start in 2 weeks to backfill me. No paperwork signed yet, hoping I can negotiate a pay bump.

BaseballPCHiker
Jan 16, 2006

Local, state or federal government? Most government orgs have pretty set pay bands in my experience. They may be able to start you up a level or two higher, but then you're on a set pay raise increase with each step/year of experience.

Also congratulations! I really enjoyed my time in government work and got to get hands on experience in a lot of different areas. It really set me up well for the future when I pivoted back to the private sector. Make sure you stick around long enough to qualify for any pensions.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Sickening posted:

The isolation/segregation of shitbox devices like this is so stressful. People that use them just want them to work and hate all the hoops. They have to be treated as being radioactive because of the wild bullshit that comes out of nowhere. There are no alternatives because these niche things all have embarrassing issues. Each vendor is a special snowflake that actively makes their shitboxes less likely to work in restrictive environments. Everyone loses.

Yup. And despite some movement, there hasn't been a real push to actually establish a working security implementation that would make this less necessary.

Thanks Ants
May 21, 2004

#essereFerrari


Poking around this a bit more, that screenshot is from a POC from a security company, rather than a factory getting owned. I would have to assume BMW don't have Internet access on their assembly line networks but wouldn't put money on it.

chin up everything sucks
Jan 29, 2012

BaseballPCHiker posted:

Local, state or federal government? Most government orgs have pretty set pay bands in my experience. They may be able to start you up a level or two higher, but then you're on a set pay raise increase with each step/year of experience.

Also congratulations! I really enjoyed my time in government work and got to get hands on experience in a lot of different areas. It really set me up well for the future when I pivoted back to the private sector. Make sure you stick around long enough to qualify for any pensions.

Contractor on a USAF base, so I don't get the nice pay bands. Instead I get the minimum they can pay to keep people in the job. Turnover is unsurprisingly high due to EVERY other cybersecurity job that exists paying 25-30% more at a minimum.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

chin up everything sucks posted:

Contractor on a USAF base, so I don't get the nice pay bands. Instead I get the minimum they can pay to keep people in the job. Turnover is unsurprisingly high due to EVERY other cybersecurity job that exists paying 25-30% more at a minimum.

At least you know what you’re working towards!

Jiro
Jan 13, 2004

chin up everything sucks posted:

Contractor on a USAF base, so I don't get the nice pay bands. Instead I get the minimum they can pay to keep people in the job. Turnover is unsurprisingly high due to EVERY other cybersecurity job that exists paying 25-30% more at a minimum.

Time to negotiate getting a jet or attack chopper for your daily commuter.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

chin up everything sucks posted:

Contractor on a USAF base, so I don't get the nice pay bands. Instead I get the minimum they can pay to keep people in the job. Turnover is unsurprisingly high due to EVERY other cybersecurity job that exists paying 25-30% more at a minimum.

Try to angle for a clearance, so you can giggle as the pay differential goes the other way. Local TS computer toucher jobs on base are 20-35k more than equivalent private sector gigs.

chin up everything sucks
Jan 29, 2012

Methylethylaldehyde posted:

Try to angle for a clearance, so you can giggle as the pay differential goes the other way. Local TS computer toucher jobs on base are 20-35k more than equivalent private sector gigs.

They put me in for Secret clearance just to have me on base for helpdesk. My official clearance came through the same day I was told about the promotion.

evil_bunnY
Apr 2, 2003

Subjunctive posted:

I worked at a company that had “IT vending machines” with cables, power supplies, phone chargers, headphones, USB keys, keyboards, mice, monitor wipes, etc. The prices were listed, because it made people more thoughtful about what they grabbed, but the employee didn’t pay. They just swiped their badge and the management chain got a roll-up of it as part of the spend reporting every month. I once had IT reach out to me and someone I managed because they got like 20 phone chargers out of a handful of machines on the same day, but she was setting up a test device station so it was legit. Never heard a peep otherwise, and man the amount of time it saved IT…

At work we have a "wall of knick-knacks" in each of our main buildings. It's set up in direct view of the service desk people, so if you grab 20 chargers or a charger 20 days in a row there'll be questions, but otherwise, have at it. Saves a boatload of time.

itsdereksmifz
Apr 30, 2019

Subjunctive posted:

Firefox + uBlock works great, as far as I can tell

I worked at a company that had “IT vending machines” with cables, power supplies, phone chargers, headphones, USB keys, keyboards, mice, monitor wipes, etc. The prices were listed, because it made people more thoughtful about what they grabbed, but the employee didn’t pay. They just swiped their badge and the management chain got a roll-up of it as part of the spend reporting every month. I once had IT reach out to me and someone I managed because they got like 20 phone chargers out of a handful of machines on the same day, but she was setting up a test device station so it was legit. Never heard a peep otherwise, and man the amount of time it saved IT…

These days I work for an all-remote company, and we pay for monitor, webcam, keyboard, key lights, microphone/headset, etc. Only thing we ask to get back is the laptop, for security reasons mostly.

Did we work for the same company? Because I worked for one that did the same thing. Treated it like it was a PPE vending machine.

Hed
Mar 31, 2004

Fun Shoe
YubiKey trial update: multiple users in the test group are hitting their nanos and dumping the keyboard OTP token into things.

I'm just using these as FIDO2 tokens, so don't need this feature. But the Yubikey app to configure it requires admin rights. Is there another way to configure this short of pre-configuring YubiKeys? I'd rather give people sealed fresh packages.

So far the best I have is having people run a shell command that disables the fast-touch.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Disabling fast touch should be enough to fix it, in my experience. We have a Slack bot that responds to a yubifart with a private message linking to instructions like that.
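The detection half of a bot like the one described above, as an added example that is not the poster's bot or anything from Yubico: it relies only on the published shape of a Yubico OTP (44 modhex characters, a 12-character public ID followed by a 32-character encrypted token, alphabet "cbdefghijklnrtuv"). The function names, the redaction marker, the reply wording and the sample chat line are constructed for illustration.

```python
"""Spot an accidentally pasted Yubico OTP in a chat message, redact it for
logging, and draft the private reply pointing the user at remediation.

Added example (not the thread's Slack bot). Facts relied on: a Yubico OTP as
typed by the key is 44 modhex characters, the first 12 being the public ID,
and modhex uses the alphabet "cbdefghijklnrtuv". Names below are made up.
"""
from __future__ import annotations

import re

MODHEX_ALPHABET = "cbdefghijklnrtuv"
PUBLIC_ID_LEN = 12
OTP_LEN = 44

# Exactly 44 modhex characters standing alone (not part of a longer token).
YUBICO_OTP_RE = re.compile(
    rf"(?<![{MODHEX_ALPHABET}])[{MODHEX_ALPHABET}]{{{OTP_LEN}}}(?![{MODHEX_ALPHABET}])"
)

# Constructed sample chat message containing a made-up OTP (not a real key's output).
SAMPLE_MESSAGE = "hey can someone look at ccccccbcgujhrfgdebljkntltdvrfrcdgvuilhfvdkuc thanks"


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string (two characters per byte) into raw bytes.

    Yubico uses modhex so the OTP types identically on most keyboard layouts;
    decoding the public ID gives the identifier the validation server keys on.
    """
    if len(text) % 2 or any(ch not in MODHEX_ALPHABET for ch in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX_ALPHABET.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def find_yubico_otps(message: str) -> list[str]:
    """Return every candidate OTP string found in the message."""
    return YUBICO_OTP_RE.findall(message)


def redact(message: str) -> str:
    """Keep the public ID (useful for finding whose key it was) and drop the
    rest, so the bot's own logs never store a replayable token."""
    return YUBICO_OTP_RE.sub(lambda m: m.group(0)[:PUBLIC_ID_LEN] + "[otp-redacted]", message)


def build_reply(message: str, help_url: str) -> str | None:
    """Draft the private message to the poster, or None if nothing was found."""
    otps = find_yubico_otps(message)
    if not otps:
        return None
    public_ids = sorted({otp[:PUBLIC_ID_LEN] for otp in otps})
    ids_hex = ", ".join(modhex_decode(pid).hex() for pid in public_ids)
    return (
        f"Looks like your YubiKey typed an OTP into chat (key public ID {ids_hex}). "
        f"Please delete that message. To stop the short-touch from typing, see {help_url}"
    )


if __name__ == "__main__":
    print(redact(SAMPLE_MESSAGE))
    print(build_reply(SAMPLE_MESSAGE, "https://intranet.example/yubikey-fast-touch"))
```

The lookaround guards stop the pattern from firing on a longer all-modhex string, and the redaction keeps only the public ID, which is what you need to trace the key without retaining anything an attacker could replay.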

Thanks Ants
May 21, 2004

#essereFerrari


You could consider packaging something up that you deploy to run the customisation with the CLI config tool: https://developers.yubico.com/yubikey-manager/
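One shape that packaged deployment could take, as an added example rather than anything from the thread or from Yubico: a small Python wrapper around the ykman CLI linked above. The ykman subcommands it calls ("ykman list --serials", "ykman --device SERIAL config usb --disable OTP --force", "ykman --device SERIAL info") are real; the function names and the sample `ykman info` text used to exercise the parser are constructed for this example. Turning off the OTP USB interface removes the keyboard-emulation device entirely, which is what stops a brushed touch sensor from typing a token, while leaving FIDO2/U2F untouched.

```python
"""Turn off the OTP (keyboard-emulation) USB interface on every attached
YubiKey using the ykman CLI, then verify the result.

Added example; not Yubico's tooling or the thread's own script. Assumes ykman
(https://developers.yubico.com/yubikey-manager/) is on PATH. The SAMPLE_INFO_*
strings are constructed in the shape of `ykman info` output for the parser.
"""
from __future__ import annotations

import shutil
import subprocess
import time

# Constructed sample `ykman info` output, before and after disabling OTP.
SAMPLE_INFO_BEFORE = (
    "Device type: YubiKey 5 NFC\n"
    "Serial number: 12345678\n"
    "Firmware version: 5.4.3\n"
    "Form factor: Keychain (USB-A)\n"
    "Enabled USB interfaces: OTP, FIDO, CCID\n"
)
SAMPLE_INFO_AFTER = SAMPLE_INFO_BEFORE.replace("OTP, FIDO, CCID", "FIDO, CCID")


def parse_serials(list_output: str) -> list[str]:
    """`ykman list --serials` prints one decimal serial per line."""
    return [line.strip() for line in list_output.splitlines() if line.strip().isdigit()]


def disable_otp_command(serial: str) -> list[str]:
    """Build the ykman invocation that disables the OTP USB interface on one key.

    --force skips the interactive confirmation so the script can run unattended.
    Only the OTP interface is touched; FIDO (U2F/FIDO2) and CCID stay enabled.
    """
    return ["ykman", "--device", serial, "config", "usb", "--disable", "OTP", "--force"]


def otp_interface_enabled(info_output: str) -> bool:
    """Read the 'Enabled USB interfaces:' line of `ykman info`."""
    for line in info_output.splitlines():
        if line.startswith("Enabled USB interfaces:"):
            interfaces = [x.strip() for x in line.split(":", 1)[1].split(",")]
            return "OTP" in interfaces
    return False


def run(cmd: list[str]) -> str:
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def harden_attached_keys() -> dict[str, bool]:
    """Disable OTP on each attached key; map serial -> whether OTP is STILL on."""
    if shutil.which("ykman") is None:
        raise SystemExit("ykman not found; install yubikey-manager first")
    results: dict[str, bool] = {}
    for serial in parse_serials(run(["ykman", "list", "--serials"])):
        info = run(["ykman", "--device", serial, "info"])
        if otp_interface_enabled(info):
            run(disable_otp_command(serial))
            time.sleep(3)  # the key re-enumerates on USB after a config change
            info = run(["ykman", "--device", serial, "info"])
        results[serial] = otp_interface_enabled(info)
    return results


if __name__ == "__main__":
    for serial, still_on in harden_attached_keys().items():
        print(f"{serial}: OTP interface {'STILL ENABLED' if still_on else 'disabled'}")
```

Because the script checks the interface list after the change rather than trusting the exit code, a key that did not take the setting shows up as STILL ENABLED in the endpoint's deployment log instead of silently staying in the fast-touch state.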

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE

Sickening posted:

I will never advocate for any employee to reimburse their company for anything that isn't fraud. Broken laptop? Don't give a gently caress. Unless you find a video of me using it for a skateboard in 4k, and even then, I feel like you are going to have to take me to court. Break a laptop every year? drat that sucks, but nah, not paying you a dime; this is the cost of doing business. Ever since I have seen behind the veil of executive spending, all issues of morality have gone out of the window. Having a partner who works in education, with the topic of wage theft and first-hand experience with the shady rear end poo poo they try to pull, I will not bend, I will not break.

Want me to use company security keys? Sure, send me one. Want me to send it back to you in the mail? I might find time to put it in with my laptop, but probably not. Companies should see them for what they are: costs that can't be recouped. They are cheaper than a compromise. And they are also like keyboards and mice; they are probably going to be gross, and nobody wants you to send back your gross keyboard anymore.

You sound insufferable

The Fool
Oct 16, 2003


I mean, he is, but he is also right

Sickening
Jul 16, 2007

Black summer was the best summer.

Nitr0 posted:

You sound insufferable

Turn on your monitor.

Defenestrategy
Oct 24, 2010

The Fool posted:

he is also right

I was also kind of uptight about being a steward for proper spending and blahblahblah, but then my IT department found out that some execs were spending something like $700 every week for three years to rent a conference room in the hotel next door because they gave them "free" booze at the hotel bar. Mind you, we spent tens of thousands in equipment, contractors, and man-hours on three high-speed conference rooms. Now I really just don't care.


Sickening
Jul 16, 2007

Black summer was the best summer.

Defenestrategy posted:

I was also kind of uptight about being a steward for proper spending and blahblahblah, but then my IT department found out that some execs were spending something like $700 every week for three years to rent a conference room in the hotel next door because they gave them "free" booze at the hotel bar. Mind you, we spent tens of thousands in equipment, contractors, and man-hours on three high-speed conference rooms. Now I really just don't care.

Bingo. Execs want to fund their personal lives on company funds. Execs are going to make a video from home demanding people come back to the office. Anyone parroting that worker bees need to reimburse the company for anything, especially other worker bees, needs to be heckled at every turn.
