[#] Wed Apr 18 2018 16:54:50 EDT from IGnatius T Foobar


I'm amused that this is still around:

http://igopolis.myminicity.com/

(If y'all click on the link, IGopolis will get larger.)



[#] Thu Apr 19 2018 09:49:19 EDT from fleeb



"Your flash player is outdated."

Gads.

[#] Wed May 30 2018 09:48:26 EDT from mo


Thu Apr 19 2018 09:49:19 EDT from fleeb

"Your flash player is outdated."

Gads.

How did you know? Yikes!!



[#] Wed May 30 2018 09:54:53 EDT from fleeb



Heh... the hint is in the word 'flash'.

The cool kids these days use 'HTML5'. Because it's all caps, not pronounceable, and isn't owned by anybody.

[#] Thu May 31 2018 00:52:32 EDT from IGnatius T Foobar


This week I had to go complete a "mandatory security training" crapfest. I always just skip the presentations and fly through the test, since it's all pretty old and/or obvious stuff.

But ironically, to complete an evaluation on data security, I had to disable two security features of my browser: popup blocking and Flash blocking.

[#] Thu May 31 2018 06:52:37 EDT from Ragnar Danneskjold


2018-05-31 00:52 from IGnatius T Foobar
This week I had to go complete a "mandatory security training"
crapfest. I always just skip the presentations and fly through the
test, since it's all pretty old and/or obvious stuff.

But ironically, to complete an evaluation on data security, I had to
disable two security features of my browser: popup blocking and Flash
blocking.



There's a person in my company who argues we need mandatory security training, and that for people who don't take it, it should be a "compensation limiting event".

I've decided to create a company drinking game. GDPR and "compensation limiting event" are two of my favorites.

[#] Thu May 31 2018 08:34:04 EDT from fleeb



Heh... security...

Most people say 'training' and mean 'sit at a boring set of web pages or video and press shiny buttons at statements you'll just as quickly forget.'

Few people mean 'have the security team attempt to break into their own networks through phishing schemes or other pentesting techniques and drag the folks who enabled any found breaches into a brief training session that demonstrates just what the fuck happened so it becomes real to them.'

Because the latter involves real, serious effort, while the former is just a bandaid to a larger problem.

[#] Thu May 31 2018 09:35:26 EDT from wizard of aahz


Ragnar - I think I'll play that drinking game remotely. Of course I'd be drunk by 9 am. (Okay, I'm a lightweight, but I'd be drinking a lot)

fleeb - being made an example of is always a life lesson.

[#] Thu May 31 2018 10:15:40 EDT from LoanShark


There's a person in my company who argues we need mandatory security
training, and that for people who don't take it, it should be a
"compensation limiting event".

I've decided to create a company drinking game. GDPR and
"compensation limiting event" are two of my favorites.

I don't know about "compensation limiting event", but we now have a formal GDPR training class which is being referred to as "mandatory." This covers things like what is PII, how to handle it and how not to handle it. "Mandatory", I assume to mean a career-limiting event rather than a compensation-limiting event.

This is not to be confused with security training. Nobody understands security in this industry, even if they've been trained on it.

[#] Thu May 31 2018 10:18:06 EDT from LoanShark


fleeb - being made an example of is always a life lesson.

See, there's always another bug. So busting heads and trying to make examples just gets you ignored.

[#] Thu May 31 2018 11:27:10 EDT from fleeb



I wasn't so much thinking that the folks would be paraded around and laughed at as much as some shadowy and mildly scary component of the company approaches you with Very Bad News that might act as a kind of built-in incentive not to repeat mistakes.

'cause folks make mistakes, and you tend to learn best from those mistakes, so let's find them.

LS is right, though. It's frightening how ignorant even the folks trained in cyber security really are about cyber security.

I get the impression that, for hackers, the current state of affairs is a bit like shooting fish in a barrel.

To be fair, I don't consider myself to be especially great at it, either.
I've done port scans, used meterpreter to break into unpatched flavors of Windows, and even broken into a ridiculously old Linux machine, but they were all scripted, composed environments built for education, not live situations in the real world (because, y'know, I'm not interested in jail time, and I'm more interested in helping people learn about this stuff).

But when I see folks earning an income as a cyber security expert, yet can't even work out how to find the users within a Windows operating system (or Linux, for that matter), or other basic sysadmin tasks, I wonder what exactly *is* a cyber security expert.

We hire interns who know more than these alleged cyber security experts.

(Hint: when will the bubble burst in this brave new field, and who will find themselves still standing?)

[#] Fri Jun 01 2018 12:52:28 EDT from Ragnar Danneskjold


I think there's a difference between people who know policy and procedure and those who deal with network and machine level stuff.....

Too many people in "security" are nothing more than auditors who have taken some courses.


[#] Sun Jun 10 2018 22:27:19 EDT from IGnatius T Foobar


Most people say 'training' and mean 'sit at a boring set of web pages
or video and press shiny buttons at statements you'll just as quickly
forget.'

You have to understand their objective.

It isn't "train people to use technology in a secure way."

Rather, it is "check the box that shows we did security training, so we can't be held negligent for lack of training if there's a breach."

[#] Thu Jun 14 2018 07:35:04 EDT from fleeb



Yeah, that's the impression I have.

Until the industry standard changes such that the quality of that training is part of accountability, nobody will actually care.

This will likely require a successful lawsuit.

[#] Thu Jun 21 2018 10:41:38 EDT from IGnatius T Foobar



Here's a fun little story of domain hijacking.

Phishing? Forgery? Breaking into the registry?

Nope ... just break into the owner's home and rob the domain at gunpoint.

[ https://www.bleepingcomputer.com/news/legal/dude-gets-20-years-in-the-slammer-for-attempting-to-hijack-domain-at-gunpoint/ ]
