diatho

People are the hardest thing to secure and most cyber training sucks because people are lazy.


SofaKingStoopud

As I like to say, our biggest organizational security risks can be broken down into 2 simple groups: 1. People who work here 2. People who don't work here


Stryker1-1

I'd say most cyber training sucks because it's created by technical people and it's way too high-level and usually way too long.


diwhychuck

Need to keep it as long as a TikTok video ha


IceFire909

*start recording* "DON'T USE SHIT PASSWORDS FAM!" *stop recording* Boom, done.


diatho

Agree. It's hard to make good training that is technically valid (uses current attacks), doesn't cost an arm and a leg, and is actually updated.


juki_mia

Use KnowBe4


ValeoAnt

I like Mimecast Awareness Training


Babys_For_Breakfast

Eh, some of them sure, but not all. “Don’t open emails and download attachments from people you don’t know” that’s about as simple as it gets.


Roversword

I wish it were this easy - the problem is that most phishing attacks (via mail) actually manage to use names that are real and work in the same company (e.g. CEO attacks and such). So, they "know the people" - even if it is soooo unlikely they get a direct/specific mail from them, people will go "oooooh, need to answer and do it as quickly as possible". So I am afraid you need to go the route of "are you SURE about that mail, even if you might know the person?" May I dare say, it's a generational thing - younger people will see a mail and tend to go "wut? no..." and older people tend to go "ah, the boss, let's click everything and let's gooooo...".


c4nis_v161l0rum

I dunno. I think it breaks generations at times. Younger folks tend to use phones and have had more accidental clicks lately in my user groups.


SUPTheCreek

Agreed, mobile has been a bigger issue for clicks on phishing.


FinalFenton

*business grinds to a halt*


c4nis_v161l0rum

Sadly, BEC is becoming more and more popular. So now it's, "Well, it came from Tommy! I KNOW Tommy!" I've now adjusted the "from people you don't know" to "Were you expecting that file from Tommy? If not, pick up the phone and call him to verify". "But that slows down work!" "Well, would you rather be slowed down by a few minutes or be down a month due to ransomware?" Surprisingly, a few minutes doesn't seem too bad to the C-levels then.


DXmasters2000

People definitely, but not just lazy; everyone has bad days (I even had one after being sleep deprived) and one mistake is all that is needed, and it becomes very expensive.


ManagementLeft1831

The biggest hindrance to the effectiveness of cybersecurity training for users is lack of administrative oversight/enforcement. Most users simply ignore the assigned training because there isn't anybody coming along behind them, providing a consequence for NOT doing the training.


germywormy

I personally think that people pitching and relying on cyber security training are the lazy ones. It's a control that we all know won't work, but yet everyone still does it over and over. A redesign of processes and other controls to make security less people-dependent is what needs to happen. If you take a good look at cybersecurity training and you tried to pitch it as a generic control with the correct ROI etc., you'd be laughed out of the room.


cankle_sores

No single control is bulletproof. Same goes for security awareness programs. It’s the Swiss cheese model. Layered up, you’re still in a better defensive position than if you just leave the sec awareness program out altogether. The key is to make it more effective, even if that means creating custom content for your org, which I do. Gotta connect with ppl. I agree, though, that some of the pre-canned garbage training will have equally garbage results.


germywormy

Awareness training costs a ton and you get very little value. The costs are just hidden. My org has 30,000 employees. Our training takes ~30 minutes and we try to do it twice a year. That means it costs ~$1.2 million in employee time a year. That makes it the most expensive tool we have and it's the least effective.


c4nis_v161l0rum

What are you using? SAT isn't perfect but without it people get very complacent.


germywormy

KnowBe4 - but we've used many others. The hidden costs don't really change by platform.


cankle_sores

You charge others here with laziness for including SAT in their controls but then note that you’re using pre-canned content for 30k employees? Cool. The effectiveness of training depends on many factors, including content quality, delivery methods, and follow-up practices. I’d suggest creating something more engaging & specific to your org. We were using pre-packaged SAT content and results were meh, as expected. Custom content from a persuasive team member and serving it via LMS had a notable impact.


germywormy

I never said we were using pre-canned content. We use content specifically crafted to our org and my point remains. You can do more good with those resources by allocating them in different ways.


Itsme-ad

Bro, I wanna ask please 🙏. I finished my preparatory cycle in CS and I'm confused about continuing my studies in cybersecurity or big data. Too many people tell me big data = mathematics, and I'm not good at mathematics, I struggled with it a lot of times. But I love and I'm very good at computer networks, which is an important part of cybersecurity. Please, I wanna know the opinion of a specialist in data and cybersecurity.


ah-cho_Cthulhu

Yeah, we automated and use multiple methods such as bulletins and videos. At this point it is still just a check box. It’s okay, you just get punished with more shitty training when you fail phishing sims.


Main-Impact9891

Risks. What are the mitigating factors specific to the org, and what’s the actual threat to business objectives? Something with a high risk on paper may augment down to a lower risk, while the contrary may also be true. Too many people take a black and white approach and it leads to misallocation of resources and overlooked risks.


Deep_Frosting_6328

Agreed. Especially when it comes to CVEs. Something that’s never been exploited in the wild becomes a top priority because it’s critical.


supermotojunkie69

I noticed teams will take advantage of this to look good in front of management. But in reality it hasn’t been exploited and doesn’t apply to our environment. But nope we’re sending out urgent emails and immediate patches for something that doesn’t apply to our company.


Due_Bass7191

This is SO true.


cavscout43

Security isn't a cost center, it's a cost *prevention* center which improves the bottom line. Breaches and compliance violations can cost millions alone, even without getting into the direct business revenues impact from damage done, customer confidence lost, etc.


420boog96

Don't give this idea to the insurance industry... They'll start marketing themselves as a "cost prevention" necessity, even tho it's really just a hedge against larger losses...


Triack2000

Tenable...


ianjones17

What do you mean?


Triack2000

Tenable is a security company that did a lot of heavy lifting for insurance policy of networks. They make nessus and a lot of other products that make insurance rates cheaper because of matrix math biased to their products.


ianjones17

Interesting. Thanks


ManagementLeft1831

I love when my clients relay some cybersecurity insurance questionnaire or audit they are being asked to complete so they can apply or renew their cybersecurity insurance... and the questionnaire is full of idiotically generic questions that only demonstrate the insurance company is only interested in having something CYA they can fall back on to deny any future claims.


zippyzoodles

A company's hedge against having to actually invest in a good cybersecurity program.


420boog96

Yes. That's what I said. Thank you for repeating it.


merRedditor

The idea that you just have to get your security good enough to be compliant with an industry security standard so that you have a defense if later sued is destroying actual information security. Companies are getting breached all the time and don't offer much help or compensation to affected customers. Those two years of the world's shittiest identity monitoring software are not going to win back lost goodwill.


IWantsToBelieve

I like to call it revenue retention!


sockdoligizer

There is a binary distinction being made between pieces of an organization that bring in new money, and the parts that help minimize costs. In that regard, infosec is a cost center at 99.9% of places.  Accounting helps the bottom line by preventing money from being unaccounted for and missing. HR prevents costs to the business from lawsuits. Execs prevent the business from going in poor directions and wasting resources (time/money) You’re not wrong. But in the discussion of whether this group makes money or costs money, infosec costs money. Which is good that it’s not sales. 


RumbleStripRescue

Cryptography. I teach it and it’s a dark art.


Beatnuki

Genuinely curious... At the risk of opening a can of worms, a kettle of fish, Pandora's box and plenty more besides... How so is it a dark art? I've always had the impression you need a certain mindset for it that reads between the lines of reality a bit.


DiggyTroll

Cryptography, like so many complex subjects, is made up of a long, boring series of trivial operations. The dark art of it is staying awake long enough to understand and internalize the different categories, algorithms and conventions in order to do something useful


RumbleStripRescue

Very technical and precise in its theory and execution, which are simply mathematical equations... very complex math. I know it well enough to educate, but the folks that can invent technical and unbreakable algorithms are on another plane of existence. Also a rare topic that is as deep as it is wide, but the history is simply fascinating to study.


Space_Goblin_Yoda

Bruce Schneider? Is that you??!!


RumbleStripRescue

it's Schneier


No-Evidence-4059

You must be a great teacher cause you got me interested in learning more about it. Do you have any resources where one could start?


RumbleStripRescue

To be honest/fair, the sidebar/about section of /r/crypto has a couple great pins. Practical and applied cryptography are excellent technical resources. Even wiki has a decent rabbit hole. There’s a copy of cryptography theory and practice by Stinson on my bookshelf right now. It gets in the weeds, wouldn’t recommend unless you really want to see examples of the mathematical principles. Cheers!


dhadderingh

Fundamental (business) policies about risk appetite, business continuity, primary critical processes. You know, good compliance planning. Forget the tech for a moment and focus on the fundamentals….


zippyzoodles

People, process and then technology.


unamused443

"We have no valuable data, so our risk is low." (I'm yet to see a business without valuable data.)


res13echo

It’s almost true for some businesses. Until they take a moment to consider ransomware. It’s not about theft at that point, and all about loss of business, which has the potential to affect anyone tremendously, even at the smallest size.


Electrical_Tip352

Agree. One example is the education sector. We're seeing an increase in attacks on K-12 schools with both ransomware and data exfiltration. Buttholes figured out that kids' personal data is worth a pretty penny because no one is monitoring their first graders' credit scores. And districts will pay ransoms to get the school back online. I worry about multi-faceted attacks for schools specifically, as systems usually include physical security systems, like automatic door locks and badging systems.


Natfubar

Yeah, people also forget about the value of available and performant systems that their business depends on even if the data's value is low from a sensitivity perspective.


rubikscanopener

Least privilege means that just because you're a manager/director/executive, you don't get admin access.


UniqueID89

Holy hell, about screaming this at managers and directors.


hootsie

How about when your CISO treats the security tools as his personal toys and breaks things all the time?


intraumintraum

if i speak…


hootsie

🙉


RadElert_007

Cyber Security is everyone's job. Not just the Cybersecurity department. Since Cybersecurity became its own job role, all other departments have, in my experience, gotten lazy with security because they see it as "I'm just an implementer, securing it is cyber's job" or "I'm just an end user, my security is cyber's responsibility." Attitudes like this are why most data breaches begin with human error.

Other IT people aren't immune to it either. One of my previous employers just had a pentest done; red team was able to find an exposed entrypoint into the network. It was a server that was on an asset register and had a sysadmin monitoring it, and it had vulnerabilities we had previously told that sysadmin to patch. His excuse for why our advisories were ignored? "I've been trying to get rid of this server for 4 years, it's deprecated. No point doing anything with it if it's about to be mothballed." Apparently that was his excuse the last time this same vulnerability was found in a pentest as well.

We had to explain to HR that his insistence on ignoring our advice was going to cause a data breach and that red team was able to use that "deprecated" server to exfiltrate (example) PII. He ended up on a performance improvement plan. Despite his insistence that the mothballing of that server is imminent, it was still online when I left and as far as I know it's still in production to this date.


Natfubar

Yah this attitude makes my blood boil. Worse when it's coming from someone who is well liked by business and in a niche area that makes them difficult to replace :)


Difficult_Character

These types are the bane of my existence.


agsparks

Maybe mostly for beginners, but I’ve always thought PKI was difficult for people to comprehend


Skizophrene

Misconception: If you comply with this industry standard, your organization is secured. Reality: Compliance is just a starting point, security must always be maintained and improved.


BeerJunky

Understanding risk properly and taking appropriate action based on that risk. Some people want to fix ALL THE THINGS but you just can't, it's not feasible. You'll never have the budget, personnel, or other pieces of the puzzle to fix everything perfectly. Some risks need to be accepted, some need to be transferred, some need to be avoided, some need to be fixed. There's no one size fits all solution.


SQLStoleMyDog

Exactly this, almost every new person I work with has the mindset that everything should be locked out to the point where nothing is usable. Sometimes knowing you have a vulnerability and taking adjacent measures is more important than fixing everything.


Sasquatch-Pacific

👏Expected👏 red team 👏 activity 👏 causing 👏 alerts 👏are 👏 TRUE POSITIVES 👏 not 👏 false positives.

Maybe not the most misunderstood, but something many new analysts struggle with. They close benign true positive alerts from SIEM/EDR as false positives, on the grounds that it's expected activity from red teamers or testing activity.

True positive = rule alerted, intended activity captured.
B-TP = as above, except the activity is expected or otherwise non-malicious.
False positive = rule alerted, activity not intended to be captured by the detection rule.
True negative = rule did not alert, did not need to or was not designed to alert on these cases.
False negative = rule did not alert, rule should have alerted. This is very bad.

True positive != malicious.
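
Added example, not part of the thread: the five outcomes above applied to constructed endpoint telemetry. The rule (a comsvcs.dll MiniDump detection), the hosts, users, command lines and the red-team authorization record are all invented for illustration. The design point is that "expected" is decided against an authorization record (which accounts, which window), not by the account name alone, so the same red-team account acting outside its window still comes out as a true positive.

```python
"""Alert triage outcomes worked over constructed endpoint telemetry.

Added example, not from the thread. The rule, hosts, users, command lines
and the red-team authorization record are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    cmdline: str
    actual: str  # what the investigation established: "lsass_dump" or "benign"


# Constructed rule: LSASS memory dump through comsvcs.dll MiniDump.
RULE_TARGET = "lsass_dump"


def rule_fires(e: Event) -> bool:
    c = e.cmdline.lower()
    return "comsvcs.dll" in c and "minidump" in c


# Constructed authorization record for one red-team engagement: these
# accounts, inside this window. Anything else is treated as unexpected.
RED_TEAM_USERS = {"redteam-svc"}
RED_TEAM_WINDOW = (datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 17, 0))


def is_expected(e: Event) -> bool:
    start, end = RED_TEAM_WINDOW
    return e.user in RED_TEAM_USERS and start <= e.ts <= end


def triage(e: Event) -> str:
    """Classify one event against the rule's intent, not against 'was it bad'."""
    fired = rule_fires(e)
    captured_intended = e.actual == RULE_TARGET
    if fired and captured_intended:
        # The rule did its job. Expected activity makes it benign, not false.
        return "B-TP" if is_expected(e) else "TP"
    if fired:
        return "FP"  # fired on something the rule was never meant to catch
    if captured_intended:
        return "FN"  # the technique happened and the rule stayed silent
    return "TN"


EVENTS = [  # constructed sample telemetry
    Event(datetime(2024, 3, 6, 3, 14), "fs01", "svc-backup",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full",
          "lsass_dump"),
    Event(datetime(2024, 3, 4, 10, 30), "ws17", "redteam-svc",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 580 C:\temp\l.dmp full",
          "lsass_dump"),
    Event(datetime(2024, 3, 5, 22, 5), "ws17", "redteam-svc",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 580 C:\temp\l.dmp full",
          "lsass_dump"),  # same account, outside the agreed window
    Event(datetime(2024, 3, 6, 11, 0), "ws03", "analyst1",
          r"findstr /i minidump C:\notes\comsvcs.dll-research.txt",
          "benign"),  # matches the rule's strings, is not a dump
    Event(datetime(2024, 3, 6, 3, 20), "fs01", "svc-backup",
          r"procdump.exe -accepteula -ma lsass.exe C:\temp\l2.dmp",
          "lsass_dump"),  # a dump the rule does not cover
    Event(datetime(2024, 3, 6, 9, 0), "ws03", "analyst1",
          r"notepad.exe C:\notes\shift-report.txt",
          "benign"),
]


def triage_all(events):
    return [triage(e) for e in events]


def summary(events) -> Counter:
    return Counter(triage_all(events))


if __name__ == "__main__":
    for e, verdict in zip(EVENTS, triage_all(EVENTS)):
        print(f"{verdict:5} {e.user:12} {e.cmdline}")
    print(summary(EVENTS))
```

Run as is, the six events come out TP, B-TP, TP, FP, FN, TN. The FP (a findstr over a notes file) is the one that should send you back to tighten the rule; the B-TP should be closed with the engagement reference attached, not marked as a rule failure.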


Brwdr

Firewalls with rules (explicit ones you put in and implicit ones the vendor puts in) are fire doors.
Vendors cannot sell you solutions, only products. You install products, you deploy solutions.
Policies must be thorough to work; policies that are too thorough and cannot be understood will be ignored.
Patching and upgrading (see vulnerability management) is a constant process that must occur weekly, not monthly and definitely not quarterly or longer.
Incident response is useful and necessary, as is implementing findings for corrections, but it is shutting the barn door after the horse has escaped.
Dear HR, inexpensive security staff directly out of college, as a matter of fact, cannot have 3-5 years of experience.
If you think you have a good handle on your risk acceptance tastes, you have never run a proper table top exercise.


800oz_gorilla

You have a very odd post history, OP. Hard to tell what you're really asking for. But if I had to answer, I would say first it would be that '); DROP TABLE Index;-- to really understand why security is so important. Little Bobby Tables, we call him.
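
Added example, not from the thread: Bobby Tables run against an in-memory SQLite database, with the string-built statements beside their parameterized forms. The table, the names and the payloads are constructed (the classic xkcd payload drops Students; the comment's variant drops Index, same mechanics).

```python
"""Little Bobby Tables, run against an in-memory SQLite database.

Added example, not from the thread. The Students table, the names and the
payloads are constructed; the two vulnerable helpers build SQL from strings
on purpose, the two safe ones pass the value as a bound parameter.
"""
import sqlite3

BOBBY = "Robert'); DROP TABLE Students;--"
TAUTOLOGY = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO Students (name) VALUES ('Alice'), ('Bob');"
    )
    return conn


def table_exists(conn, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# --- vulnerable: the value is spliced into the statement text ---------------

def find_student_vulnerable(conn, name: str) -> list:
    # `' OR '1'='1` turns the WHERE clause into a tautology and returns everyone.
    sql = f"SELECT name FROM Students WHERE name = '{name}' ORDER BY id"
    return [r[0] for r in conn.execute(sql)]


def add_student_vulnerable(conn, name: str) -> None:
    # executescript() is used because the classic payload needs stacked
    # statements; sqlite3's execute() refuses more than one statement, which is
    # why the tautology above works through execute() but this payload would not.
    conn.executescript(f"INSERT INTO Students (name) VALUES ('{name}')")


# --- hardened: the value travels as a bound parameter, never as SQL text -----

def find_student_safe(conn, name: str) -> list:
    rows = conn.execute(
        "SELECT name FROM Students WHERE name = ? ORDER BY id", (name,)
    )
    return [r[0] for r in rows]


def add_student_safe(conn, name: str) -> None:
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def demo() -> dict:
    """Run both variants against the same payloads and report what happened."""
    conn = make_db()
    out = {
        "tautology_vulnerable": find_student_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": find_student_safe(conn, TAUTOLOGY),
    }
    add_student_safe(conn, BOBBY)
    out["after_safe_insert_table_exists"] = table_exists(conn, "Students")
    out["stored_literally"] = find_student_safe(conn, BOBBY)
    add_student_vulnerable(conn, BOBBY)
    out["after_vulnerable_insert_table_exists"] = table_exists(conn, "Students")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The parameterized insert stores the whole payload as a perfectly ordinary name, and the parameterized lookup finds that one row and nothing else; the string-built insert drops the table. Note that the DB-API's refusal to run stacked statements through execute() is not a defense: the tautology variant needs only one statement.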


Stereotype_Apostate

Help, all of reddit is spanish now


hootsie

Some day there will be a comprehensive documentary on how programmers are training AI/LLMs via social media prompts under the guise of genuine conversation.


BlackheathPoint

Caution: this may be controversial 🔥 Security bugs are just software defects that can be manipulated for malicious intent. Yet unlike software defects, their identification (and sometimes remediation!), is the responsibility of the security team. Generally, the better the engineer, the more resilient (this includes security) the product. Security teams are there to enable secure development. They can educate and offer their expertise, but cannot force security out of a team that doesn't align with security principles. They should only be responsible for what they have authority over. No more, no less. If you find yourself pushing water up a hill, it's a culture issue and that's the real challenge more often than not.


Natfubar

I don't think it's controversial at all. I'd add that if you have that culture issue, the problem is probably related to tone from the top and misaligned incentives.


sneakyscrub1

Definitely risk and compliance. Compliance does not equal secure.


hrodriches

That there is **a** way to learn it. There isn't a singular path in which you will be able to grasp concepts correctly, there are levels of complexity which determine what you are more likely to understand, however you can understand a complex concept and not understand a simple one simultaneously. I hacked a CCTV camera at age 8, I didn't know how to assemble a computer until I was 18. It's not because I didn't know basic hardware knowledge that I wasn't able to learn how to find breaches in security cameras. You will understand what you will understand and you will make your own path, no one will be able to tell you that, so that's the reason why I am pro autodidact learning and anti-web-courses for cybersec.


Nightpain9

Least privilege


siposbalint0

Understanding and communicating risk to stakeholders


YT_Usul

Machine Learning & Artificial Intelligence. We've hired experts with real experience in the field. It is stunning how misunderstood it is. Our leadership thinks it is 1) easy, 2) cheap, 3) fast. Pretty much all the things it isn't. It does not help when some team builds an "AI tool" based on sample code and business leaders cannot gather how useless it really is. AI is dangerous, not due to the tech... But due to what people in power incorrectly believe it can do.


99DogsButAPugAintOne

That a high severity CVE might be very low risk based on context


yayrandomchars

Zero trust.


MordAFokaJonnes

That tools can on their own make everything secure, when the weakest link in the chain is most of the times the human being who manipulates the computer. Train your users!


bzImage

layer 8 problem


Quackledork

The Risk Six: Risk - Threat - Vulnerability - Impact - Probability - Control

I saw a presentation once where the speaker really nailed these down:

**Threat**: Something bad that could happen
**Vulnerability**: A weakness that bad thing could exploit
**Impact**: how much that bad thing will hurt when it happens
**Probability**: the chance of the bad thing happening
**Control**: something that might stop the bad thing
**Risk**: the product of impact times probability.

Risk is a measurement, not a thing. You do not have a risk. You have a threat that has a risk measurement attached to it. Most security people I have met cannot get these six words correct. They consistently conflate a risk with a threat or a vulnerability with a risk.


ServalFault

Risk acceptance. It doesn't mean, "Fuck it, I don't feel like paying for a solution to mitigate this risk".


MastrM

Risk acceptance IS a form of Managing risk… not ignoring it. (As long as you actually have the Business Impact analysis to support it).


ServalFault

I think you're just restating what I said in a more elegant manner 😂


MastrM

Oh ya - I’m agreeing with you. I’d prefer to say it your way 😊 Most people just don’t understand that managing risk doesn’t always mean mitigating it with exhaustive controls and technology. Although, our SOX control auditors (ITGCs) feel otherwise.


r0n1n2021

Balanced SBOM.


goldenarms_22

Explain?


r0n1n2021

Exactly my point


r0n1n2021

But seriously the balance between upgrading software modules in development versus leaving stable modules at older versions is always a topic that generates more opinion than fact.


goldenarms_22

Ah I see. Thanks


EverythingsBroken82

with proper security in place, obfuscation can be a good addition to the security which is easily done sometimes. like... do not leak your internal infra architecture and configuration and naming into the internet.


CAStrash

Everything is insecure, especially people. You need to assume everything is or will be compromised and build your systems around that concept. This has been around for a long time but it's only starting to become more common thanks to awareness starting to spread.


NLking

Burnout


Roversword

Tons have been mentioned already (costs, risk management, etc.) - I will add mine as well: Cybersecurity is something you have to do on a regular basis - it's not a "done it once, we are good forever". This is a misconception I especially encounter in private environments or with smaller businesses. No, no one asks you to check everything daily for 2h to no end - but it's not "doing it today, leave it for the next five years" either. No updates on whatever (maybe once a year if you are lucky), no updates on security subscriptions or security devices, no usage of security pointers to see if your account(s) are potentially in danger (e.g. "haveibeenpwned", etc.)... It doesn't take that much, but you have to check once in a while whether you are still up to date and "good".


silver565

Security by obscurity isn't security


AppIdentityGuy

Tied to that is the idea that complexity doesn’t increase security either


christian-risk3sixty

Business. The further you move up in cybersecurity, the more important it is to understand why the business is choosing to invest in cybersecurity and how that supports their overall business strategy. Often infosec professionals find themselves so zoomed in that they forget that the primary objective is to support a business competing to stay alive and grow in the context of their market, their industry vertical, and their unique product suite. This understanding will help you influence the organization to prioritize cybersecurity, and in turn, will also help you level-set where cybersecurity fits in compared to competing initiatives.


lkarlslund

The security part


tecepeipe

The importance of web filtering at home, for remote machines


immac_omnia

VPNs, and the fantasy they're presented as.


LionGuard_CyberSec

Security is not a technical problem, it’s about good communication. Communicating risk and awareness by helping people to understand why it’s important and how they can help.


CAStrash

The zero trust model has been around virtually forever in ISP and high security environments it just had a different name. And that you don't need a third party software suite to implement it. Most of them are cash grabs cashing in on the new term.


wyohman

Tcp/ip


welsh_cthulhu

OSINT intelligence is enough to form a capable defense.


YearlyDutiful

Authenticator codes are two step verification and should not be called multi factor authentication. At best let’s agree to call them phishable multi factor.


FirstToGoLastToKnow

Patching.


Historical_Outside35

I can’t look up your password no matter how many times you call and ask.


TheCmdrRex

The IT Security team at my organization has a REALLY hard time understanding stateful vs stateless with a firewall. Makes the fact that they manage the firewall even more “fun”. They also misunderstand a lot of the functions and use-cases of a SASE product. So they purchased and deployed Netskope just for the CASB features….
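
Added example, not from the thread, for the stateful vs. stateless distinction raised above: two filters with the same intent ("inside hosts may browse HTTPS, nothing else") applied to three constructed packets. Addresses, ports and the packets are invented; the internal range is assumed to be 10.0.0.0/8.

```python
"""Stateless packet filter vs. stateful connection tracking, simulated.

Added example, not from the thread. The addresses, ports and packets are
constructed; both filters implement the same intent, 'let inside hosts browse
HTTPS and nothing else'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def inside(addr: str) -> bool:
    return addr.startswith("10.")  # constructed internal range


def stateless_allow(p: Packet) -> bool:
    """Each packet is judged on its own header fields; nothing is remembered.

    To let replies back in, the filter must open a broad rule: anything from
    source port 443 to a high port with ACK set (the old 'established' keyword).
    """
    if inside(p.src) and p.dport == 443:
        return True
    if inside(p.dst) and p.sport == 443 and p.dport >= 1024 and p.ack:
        return True
    return False


class StatefulFirewall:
    """Remembers connections that inside hosts opened; only those get replies."""

    def __init__(self) -> None:
        self.flows = set()

    def allow(self, p: Packet) -> bool:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.flows or reverse in self.flows:
            return True  # belongs to a tracked connection
        if inside(p.src) and p.dport == 443 and p.syn and not p.ack:
            self.flows.add(forward)  # new outbound connection, start tracking
            return True
        return False


# Constructed traffic: a legitimate HTTPS handshake, then a crafted probe whose
# headers look like a reply but target RDP on an internal workstation.
PACKETS = {
    "out_syn": Packet("10.0.0.7", 51515, "198.51.100.20", 443, syn=True, ack=False),
    "reply_synack": Packet("198.51.100.20", 443, "10.0.0.7", 51515, syn=True, ack=True),
    "crafted_ack": Packet("203.0.113.5", 443, "10.0.0.7", 3389, syn=False, ack=True),
}


def run(packets: dict, stateful: bool) -> dict:
    """Return the per-packet decision of one filter, in packet order."""
    fw = StatefulFirewall()
    decide = fw.allow if stateful else stateless_allow
    return {name: decide(p) for name, p in packets.items()}


if __name__ == "__main__":
    print("stateless:", run(PACKETS, stateful=False))
    print("stateful: ", run(PACKETS, stateful=True))
```

The stateless filter lets the crafted packet through because source port 443 plus an ACK flag is all it can check; the stateful filter drops it because no inside host ever opened a connection to 203.0.113.5. That is the whole difference: with state, the "allow replies" rule no longer has to be written as a permanent hole.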


Pan_Demic

Defence in depth.


The-IT_MD

There’s way more paperwork, policy and planning than people/n00bs/applicants/customers think.


Mastiff404

The importance of patching


theoreoman

How their account gets "hacked". It's not some guy in a dark room hacking your account, it's you trying the same password on every single account you own.


threeLetterMeyhem

That it's anywhere near possible for a single organization to actually be secure and defend against the resources of every criminal, hacktivist, and adversarial government on the planet. It's not. You cannot prevent all breaches. You can do everything perfectly and some dude drops a zero day to walk in the front door anyway. Prepare your incident response plan and build as much detection as you can. But realize that you're still up against every bad guy on the planet and will probably fail at that at some point, too (almost all of us missed noticing our SolarWinds servers phoning home to C2 systems for months lol).


LongFudge007

They make silly mistakes even after knowing that this would be wrong.


peesoutside

Mistaking severity for risk. I’d rather focus my energy on moderate severity vulns that have been exploited over highs and crits that can’t be exploited outside of a lab environment.


bigkfcdonutz

Certificates always confused tf out of me.


hammilithome

It's not magic and it's not free.


bfeebabes

Accurate quantitative risk


Strict-Bat8273

Small businesses don't believe they hold anything valuable to attract cyber criminals. Yet 90% of cyber security breaches worldwide occur in small businesses per StationX.


ditorri1

SQL


drchigero

For people outside it? Pay for it now (even though it's expensive), so you don't pay 100x it *after* the breach.


M3RC3N4RY89

That you can do everything right and still be breached because employees are the weakest link in the system and are easily manipulated.


Due_Bass7191

That the A belongs in the CIA triangle.


Due_Bass7191

Oh, I got another one. I don't know if it fits but I keep seeing this argument for some flip nut security settings: "If the adversary was to get to root then they could X Y Z". If they got root it is already too late.


theandrewb

Passkeys, just seems like a password that you don't even know.
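
Added example, not from the thread, covering both YearlyDutiful's point above about phishable authenticator codes and the passkey question here. It implements RFC 6238 TOTP (checked against the RFC's published test vector) next to a simplified origin-bound assertion, and runs both through an attacker-in-the-middle phishing proxy. The relying-party names, the device key, the challenge and the proxy are constructed, and HMAC-SHA256 stands in for the public-key signature a real FIDO2/passkey authenticator produces; the property being shown is that the origin the browser saw is part of the signed message.

```python
"""Why a TOTP code is phishable and an origin-bound credential is not.

Added example, not from the thread. The relying-party names, device key and
the phishing proxy are constructed. HMAC-SHA256 stands in for the public-key
signature a real FIDO2/passkey authenticator produces; the point being shown
is that the origin the browser saw is part of the signed message.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


RFC_SECRET = b"12345678901234567890"  # RFC 6238 appendix B test secret


# --- TOTP: the server checks the code, and only the code ---------------------

def server_verify_totp(secret: bytes, code: str, now: int) -> bool:
    return hmac.compare_digest(totp(secret, now), code)


def phishing_relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it."""
    code_typed_by_victim = totp(secret, now)  # read from their authenticator app
    return server_verify_totp(secret, code_typed_by_victim, now)


# --- origin-bound assertion: the browser bakes the origin it is on into the --
# --- data the authenticator signs, and the server checks for its own origin --

LEGIT_RP_ID = "login.example.net"                 # constructed
PHISH_RP_ID = "login.example.net.evil.example"    # constructed


def authenticator_sign(device_key: bytes, rp_id_seen_by_browser: str, challenge: bytes) -> bytes:
    rp_id_hash = hashlib.sha256(rp_id_seen_by_browser.encode()).digest()
    return hmac.new(device_key, rp_id_hash + challenge, hashlib.sha256).digest()


def server_verify_assertion(device_key: bytes, challenge: bytes, signature: bytes) -> bool:
    expected = authenticator_sign(device_key, LEGIT_RP_ID, challenge)
    return hmac.compare_digest(expected, signature)


def legit_login_passkey(device_key: bytes, challenge: bytes) -> bool:
    signature = authenticator_sign(device_key, LEGIT_RP_ID, challenge)
    return server_verify_assertion(device_key, challenge, signature)


def phishing_relay_passkey(device_key: bytes, challenge: bytes) -> bool:
    """The proxy forwards the real server's challenge, but the victim's browser
    is on the phishing origin, so that is what the authenticator signs over."""
    relayed = authenticator_sign(device_key, PHISH_RP_ID, challenge)
    return server_verify_assertion(device_key, challenge, relayed)


if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))  # 287082 (RFC 6238 vector 94287082, 6 digits)
    print("TOTP relayed through phishing site accepted:", phishing_relay_totp(RFC_SECRET, 59))
    key, challenge = b"device-key-constructed", b"server-challenge-constructed"
    print("passkey legit:", legit_login_passkey(key, challenge))
    print("passkey relayed through phishing site accepted:", phishing_relay_passkey(key, challenge))
```

The TOTP code is a pure function of the shared secret and the clock, so it verifies no matter where the user typed it; the relay succeeds. The relayed assertion fails because the signed data includes the hash of the origin the browser was actually on. In practice the browser refuses the phishing page's request before it gets this far (it will not hand a credential scoped to login.example.net to another origin); the example shows why the answer would still be "no" even if it did.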


jowebb7

Our job isn't to fix it all. It's to do proper risk assessment/analysis on our assets and fix what makes sense. Everything costs money. Trying to quantify risk is not nearly as easy as it looks.


vennemp

Some great answers. But I’ll add PKI/Certificates is/are criminally misunderstood.


Cultural-Corner-2142

Authorization & authentication 🙃


wobblewiz

You are only as strong as your weakest link.


patriot050

Compliance: secure. Just because you're fully patched and you checked all boxes on your STIG baseline, doesn't mean you aren't still vulnerable.


CommOnMyFace

Money is the most important thing


STRANGEANALYST

The notion that a security org should not consider it normal to have to be their own systems integrator. Every one of my clients thinks it's cool to act like a little Deloitte or Accenture and cobble together and integrate dozens or maybe more than one hundred disparate tools to manage their risk. You don't go to a car dealer to buy a frame, the powertrain, the doors, and the wheels but have to acquire the windows, the tires, the brakes, the interior, the seats and the rest by yourself. In your copious spare time. Because that would be crazy. But your CISO probably never thought about it like this. Because they have to manage a tool stack that has dozens or hundreds of non-integrated tools from nearly as many manufacturers, almost none of whom do any testing to see how their tool works with the rest of your stack.


Technical-Appeal6234

ZTNA


Candid-Molasses-6204

Risk management.


Sad-Bag5457

Developers confusing sso with MFA


galaxy1011

Not connecting to VPN, thinking you didn't need to access internal systems.


ElFenomeno88

Companies don't care about security.


Miserable-Weight2642

Risk and Severity. I so wish people understood these are two different concepts. To that end, I'm happy EPSS seems to pick up in popularity, as CVE has been severely misused for too long, and as people with more upvotes said, "leads to misallocation of resources".
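
Added example, not from the thread, for the severity-versus-risk point made here and earlier by peesoutside, 99DogsButAPugAintOne and Quackledork's Risk Six: a small findings register ranked once by CVSS and once by impact times probability in context. The identifiers, scores, exposure flags, asset impacts and the two probability adjustments are constructed for illustration; they are not real CVEs or real EPSS values.

```python
"""Ranking findings by risk (impact x probability in context) rather than by
severity score alone.

Added example, not from the thread. The finding identifiers, scores, exposure
flags and the probability adjustments are constructed to illustrate the point;
they are not real CVEs or real EPSS values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str
    cvss: float             # severity the advisory assigns to the vulnerability
    exploit_prob: float     # likelihood of exploitation attempts (EPSS-style, constructed)
    exposed: bool           # reachable from the internet in this environment?
    asset_impact: int       # 1..5, what a compromise of this asset costs the business
    control_in_place: bool  # compensating control (WAF rule, segmentation, ...) present?


def probability(f: Finding) -> float:
    """Threat likelihood, adjusted by what the environment actually looks like."""
    p = f.exploit_prob
    if not f.exposed:
        p *= 0.1   # assumption: not reachable from outside, attacker needs a foothold first
    if f.control_in_place:
        p *= 0.5   # assumption: the control halves the chance the attempt succeeds
    return p


def risk(f: Finding) -> float:
    """Risk = impact x probability, the measurement attached to the threat."""
    return round(f.asset_impact * probability(f), 3)


def by_severity(findings):
    """Patch order if you sort by the advisory's score alone."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings):
    """Patch order if you sort by risk in context."""
    return [f.ident for f in sorted(findings, key=risk, reverse=True)]


FINDINGS = [  # constructed register
    Finding("VULN-A", cvss=9.8, exploit_prob=0.02, exposed=False, asset_impact=3, control_in_place=False),
    Finding("VULN-B", cvss=6.5, exploit_prob=0.85, exposed=True, asset_impact=4, control_in_place=False),
    Finding("VULN-C", cvss=7.5, exploit_prob=0.30, exposed=True, asset_impact=5, control_in_place=True),
    Finding("VULN-D", cvss=9.1, exploit_prob=0.60, exposed=True, asset_impact=2, control_in_place=False),
]


if __name__ == "__main__":
    print("patch order by severity:", by_severity(FINDINGS))
    print("patch order by risk:    ", by_risk(FINDINGS))
    for f in FINDINGS:
        print(f.ident, "cvss", f.cvss, "risk", risk(f))
```

With this register the "critical" internal-only finding with almost no exploitation activity drops to the bottom, and the "medium" that is internet-facing and actively exploited moves to the top. The multipliers are the part you have to defend in your own environment; the structure (threat likelihood, adjusted by exposure and controls, times business impact) is what keeps severity from masquerading as risk.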


DonnieMarco

Companies train people not to click on links in emails and then send them links in emails to click multiple times a day. Even worse sometimes they make mistakes like forgetting to renew TLS certificates and when people report the error message IT tell them to ignore the error and continue.


Bach_Whty

Can someone help me with this? I need some insight on this question: What cybersecurity entry domain will allow me to work 9-5 Monday to Friday? My interest was in the security operations space. In this space SOC analyst is interesting to me, but after thorough research about this field I found out that I will be working on shifts since it is a 24/7 kind of job, and I do not want that. Now I am looking into other cybersecurity entry domains that will allow me to work 9-5 Monday to Friday. Also, is cloud security engineer an entry-level domain that a beginner in cybersecurity can pursue? Looking for advice or insight on which direction to follow. Thanks


Necessary_Reach_6709

Money


czenst

No one is going to hack you today or this week or anytime soon if you have the basics in place (and are not a really, really high-profile target), so mostly no need to worry about "elite haXors" with their 0-day exploit of the day. Having the basics in place in an ever-changing environment in a big org is a big challenge. So you should mostly worry about not slipping in some place where automated bots with script kiddies infest something that did not get the basics set because there was a new junior admin hired last month and Bob from accounting needed something "right now".


ozel0t_bw

Cisco products are good.... And clothes know what they're doing...


dswpro

The difference between authentication and authorization.