|
BonHair posted:I still believe that GDPR was written by people who knew how loving wild it was, but passed the political layer without anyone noticing. And they're rolling out NIS2 for critical infrastructure (including subprocessors) and DORA for banking, it's gonna be fun to see the fallout of those too. What's even worse is that US lobbying that took place before the GDPR proposal was made public, so while the people who originally wrote it might have had the best of intentions, the US government still got their say. Fixed the link for you. Also, this is just the latest article in a long conversation that's been ongoing in parts of the IT industry, about how every single other installation technician has to go through some kind of training and certification process - and will face fines et cetera, if they gently caress up. Contrast this with IT, where it's not just possible but quite likely that a computer toucher can end up having their software be an integral part of a large system with a security threat that it was never meant to stand up against.
|
#
?
Apr 17, 2024 18:17
|
|
|
|
| # ? May 1, 2024 19:53 |
|
|
Wibla posted:Do you have a link to more info about this? https://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/
|
|
#
?
Apr 17, 2024 21:52
|
|
|
some kinda jackal posted:Congrats and sorry in advance, I don't think this thread counts toward a CPE :[ we’re getting to the point in the yospos secfuck thread where it’s starting to feel like it should count, from the WebPKI content alone
|
|
#
?
Apr 17, 2024 22:24
|
|
|
Subjunctive posted:yospos secfuck thread gently caress, why isn't that in my bookmarks!
|
|
#
?
Apr 18, 2024 02:03
|
|
|
it's been absolute gold lately too
|
|
#
?
Apr 18, 2024 02:13
|
|
|
we got Amir!
|
|
#
?
Apr 18, 2024 02:23
|
|
|
Subjunctive posted:we got Amir! 
|
|
#
?
Apr 18, 2024 12:29
|
|
|
Subjunctive posted:we got Amir!  We're all cheering for the man.
|
|
#
?
Apr 18, 2024 17:07
|
|
|
Who's Amir?
|
|
#
?
Apr 18, 2024 23:01
|
|
|
Amir is everyone.
|
|
#
?
Apr 18, 2024 23:10
|
|
|
(Amir is a guy at Google—I think?—who is involved in the WebPKI root programs and is asking tough questions in Entrust’s root program compliance incident reports.) https://open.substack.com/pub/webpki/p/entrust-considered-harmful-part-1
|
|
#
?
Apr 18, 2024 23:13
|
|
|
some kinda jackal posted:gently caress, why isn't that in my bookmarks! SECFUCKTHREAD
|
|
#
?
Apr 19, 2024 00:19
|
|
|
Subjunctive posted:(Amir is a guy at Google—I think?—who is involved in the WebPKI root programs and is asking tough questions in Entrust’s root program compliance incident reports.) God drat it, we just got couple expensive signing certificates from Entrust.
|
|
#
?
Apr 19, 2024 00:50
|
|
|
welcome to my world I have a whole mess of entrust issued OV certs
|
|
#
?
Apr 19, 2024 01:36
|
|
|
Sounds like things are getting bad out there with the Palo exploit. RIP to all the IR teams
|
|
#
?
Apr 19, 2024 01:41
|
|
|
RIP to my mailbox. Why the gently caress did I sign up for Palo Alto updates? I don't even have a PAN.
|
|
#
?
Apr 19, 2024 02:13
|
|
|
rafikki posted:Sounds like things are getting bad out there with the Palo exploit. RIP to all the IR teams   
|
|
#
?
Apr 19, 2024 04:30
|
|
|
Our network security guys are in the middle of upgrading from 10.1 on our old PA VPN boxes and have been high fiving each other every day they hadn't finished the upgrade to an affected version yet
|
|
#
?
Apr 19, 2024 05:46
|
|
|
Rust Martialis posted:Our network security guys are in the middle of upgrading from 10.1 on our old PA VPN boxes and have been high fiving each other every day they hadn't finished the upgrade to an affected version yet When I notified our network team about the PA vuln, the response I got back was essentially “We’re on 10.1  ”
|
|
#
?
Apr 19, 2024 16:33
|
|
|
I wrote a python script that monitors the ASA VPN logs for "Rejected" AAA sessions that then can issue shun commands once they exceed a threshold. Debating using it. Currently seeing a mess of IPaddr with very round numbers of Rejected attempts daily (exactly 1000 for example). Also reporting them to Talos. No user fat fingers their VPN session THAT often. Thinking 50 is a massive overkill threshold.
|
|
#
?
Apr 19, 2024 16:50
|
|
|
MustardFacial posted:When I notified our network team about the PA vuln, the response I got back was essentially That's the same basic response I sent my director who's been getting on my rear end about not upgrading to 10.2 yet.
|
|
#
?
Apr 19, 2024 17:24
|
|
|
Earlier today I had an admin try to tell me that the dev environment they manage didn't need a documented security baseline because putting it behind VDI desktops was enough of a mitigation. Yes, I'm sure that's what the CMMC auditors will agree with when they ask why this node of our in-scope systems has no documented baselines. I'd wish that all the mouthbreathing, knuckle-dragging, lazy-as-gently caress admins would just get paid to stay home but then we'd have like 1/25th of the staff needed to do anything.
|
|
#
?
Apr 23, 2024 18:25
|
|
|
Had to explain to a "Senior Security Devops Engineer" today how private IP space works, jfc
|
|
#
?
Apr 23, 2024 18:35
|
|
|
tadashi posted:Earlier today I had an admin try to tell me that the dev environment they manage didn't need a documented security baseline because putting it behind VDI desktops was enough of a mitigation. I feel this and I hear you.
|
|
#
?
Apr 23, 2024 18:43
|
|
|
Sirotan posted:Had to explain to a "Senior Security Devops Engineer" today how private IP space works, jfc These titles are loving killing me. I don't even know what this person would even loving do.
|
|
#
?
Apr 23, 2024 18:47
|
|
|
I didn't get a job in "IT Security" until 3 years ago because... 14 years ago, when IT security started being buzz word and companies started rolling out CISSP paper mills, I figured these the engineer/admin field and "security" field was about merge. I was doing "IT Security" (automating audit alerts, writing SOPs, writing POA&Ms for my boss because he wanted to see what big issues were out there and when I'd have them fixed) becuase otherwise I got to spend entire weekends rebuilding environments. I was not just wrong. I was what I now refer to as "gently caress-me-in-the goat-rear end" wrong. Now, I have to defend why someone should hire me instead of someone who's been a "security analyst" for 5 years but can't make a network diagram or someone who's got a CISSP but can't or won't run an incident response exercise. Get your CISSP or some high level security cert yesterday, folks. I mean some places now have rolled toward DevSecOps, but good luck finding them. tadashi fucked around with this message at 19:16 on Apr 23, 2024 |
|
#
?
Apr 23, 2024 19:14
|
|
|
tadashi posted:Get your CISSP or some high level security cert yesterday, folks.
|
|
#
?
Apr 23, 2024 19:25
|
|
|
I’m in a CISSP boot camp this week. We’re currently on slide 208/709 
|
|
#
?
Apr 23, 2024 19:39
|
|
|
Diva Cupcake posted:A few of us have been preaching that for years. Yes, CISSP is mostly bullshit surface level questioning that anyone could knock out in a couple months. challenge: beat my exam time 55 minutes (I passed)
|
|
#
?
Apr 23, 2024 19:42
|
|
|
Sickening posted:These titles are loving killing me. I don't even know what this person would even loving do. He sends me vuln scan reports. 
|
|
#
?
Apr 23, 2024 19:48
|
|
|
rafikki posted:I’m in a CISSP boot camp this week. We’re currently on slide 208/709 I am sure others will disagree, but this stupid exam is just loving trivia. It deserves nothing more of your time than a phone app with practice tests to practice on. Even with the dynamic rigging they try to throw at you, there is nothing hard about this stupid test. The "value" is the gatekeeping.
|
|
#
?
Apr 23, 2024 20:59
|
|
|
So it's the MBA of IT qualifications then
|
|
#
?
Apr 23, 2024 21:42
|
|
|
Probably a similar impact without the 2 year commitment.
|
|
#
?
Apr 23, 2024 21:45
|
|
|
The CISSP is good for managers that want to pretend they're technical. By itself, that's literally all it's good for.
|
|
#
?
Apr 23, 2024 21:47
|
|
|
Defenestrategy posted:I feel this and I hear you. for those of us religiously reading secfuck at the moment, I think we all flinched at reading this
|
|
#
?
Apr 23, 2024 22:01
|
|
|
Sirotan posted:Had to explain to a "Senior Security Devops Engineer" today how private IP space works, jfc DevOps and SRE types seem to have more developer experience, which usually means next to no actual network and infrastructure experience. I've also had to explain this multiple times to SREs/DevOps, shockingly these guys want to deploy their own infrastructure as code, yet don't know the first thing about it.
|
|
#
?
Apr 23, 2024 22:20
|
|
|
I was going to start on a path to take the CISSP, but I hear it just changed / is changing? I'm assuming any material out there for it now is out of date?
|
|
#
?
Apr 23, 2024 22:35
|
|
|
Sickening posted:I am sure others will disagree, but this stupid exam is just loving trivia. It deserves nothing more of your time than a phone app with practice tests to practice on. Even with the dynamic rigging they try to throw at you, there is nothing hard about this stupid test. So far, it's mostly trivia. I'm sorta surprised by how much I already know, but I guess I shouldn't be. I'm also a little surprised by how poor of a grasp some of the other people in the course have on PKI, but again I know I shouldn't be. Dog Faced JoJo posted:I was going to start on a path to take the CISSP, but I hear it just changed / is changing? I'm assuming any material out there for it now is out of date? It changed last week, extremely minor modification to the weighting of two sections apparently. Literally one section is weighted 1% more, the other 1% less.
|
|
#
?
Apr 23, 2024 23:19
|
|
|
Raymond T. Racing posted:for those of us religiously reading secfuck at the moment, I think we all flinched at reading this We share this understanding.
|
|
#
?
Apr 23, 2024 23:50
|
|
|
|
| # ? May 1, 2024 19:53 |
|
|
digitalist posted:We share this understanding. We have been posting for 20 years and advocating for a healthier posting ecosystem, but we consider this an exceptional circumstance and have decided not to delete our posts.
|
|
#
?
Apr 23, 2024 23:52
|
|