submitted 1 year ago by [email protected] to c/[email protected]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

submitted 1 year ago by [email protected] to c/[email protected]

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

submitted 1 year ago by [email protected] to c/[email protected]

For anyone interested in compliance and hardening, here are some links to the DOD/US GOV standards for information systems. This information is available to the public.

Security Technical Implementation Guides (STIGs)

This is a document that has recommended settings, methods, etc. to make a product the most secure it can reasonably be. STIGs break things or turn off features people might be accustomed to. You have to do testing and figure out how to either make something work with STIG settings applied, or do exceptions. These are similar to Center for Internet Security (CIS) Benchmarks.

STIG Viewer

The STIG viewer is a Java app that basically makes the list into a checklist where you can track applying settings.

SCAP

Going further with automation, Security Content Automation Protocol (SCAP) can be used to conduct automated checks against systems to determine compliance with a setting. Install the SCAP tool, load the automated checks into it, and then take the results from the SCAP tool and import them into the STIG viewer. It will knock out anything that could be checked automatically. The remaining checks would be things that are manually checked.

Compare

Here's a good article that compares STIGs and CIS benchmarks: https://nira.com/stig-vs-cis/#:~:text=The%20Center%20for%20Internet%20Security%20offers%20a%20tool%20similar%20to,robust%20than%20the%20STIG%20tool.

Download STIGs for products: https://public.cyber.mil/stigs/downloads/

STIG Viewer: https://public.cyber.mil/stigs/srg-stig-tools/

Security Content Automation Protocol (SCAP) content: https://public.cyber.mil/stigs/scap/

https://public.cyber.mil/stigs/supplemental-automation-content/
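As an added example (not part of the post above, and not DISA's or the STIG Viewer's own code), here is a small Python script that does the "knock out what was checked automatically, leave the rest for manual review" step from an XCCDF result file, the kind of file `oscap xccdf eval --results` writes. The XML sample is constructed inline with hypothetical rule ids, and the mapping from XCCDF result values to checklist statuses (Open, NotAFinding, Not_Applicable, Not_Reviewed) is this example's own conservative convention, not a claim about exactly how STIG Viewer's importer decides:

```python
"""Bucket XCCDF (SCAP) rule results into STIG-checklist style statuses.

A result file like this is typically produced with OpenSCAP, e.g.
  oscap xccdf eval --profile <profile-id> --results results.xml <datastream.xml>
and then imported into STIG Viewer; this script shows what that import
has to decide for each rule.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample of the TestResult section of an XCCDF results file.
# Rule ids are hypothetical and do not correspond to any real STIG rule.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult" start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:05:00">
    <rule-result idref="xccdf_example_rule_ssh_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner_text"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_example_rule_fips_hw"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_legacy_service"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Assumed mapping (this example's convention): anything the scanner could
# not decisively pass, fail, or rule out stays Not_Reviewed so a human
# still looks at it. An errored check is treated as Open until reviewed,
# which is the conservative choice rather than silently dropping it.
STATUS_MAP = {
    "pass": "NotAFinding",
    "fixed": "NotAFinding",
    "fail": "Open",
    "error": "Open",
    "unknown": "Not_Reviewed",
    "notchecked": "Not_Reviewed",
    "notselected": "Not_Reviewed",
    "informational": "Not_Reviewed",
    "notapplicable": "Not_Applicable",
}


def parse_rule_results(xml_text):
    """Return {rule idref: xccdf result string} from the TestResult element."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        idref = rr.get("idref")
        res = rr.find("x:result", NS)
        # A rule-result with no <result> child is treated as unknown.
        results[idref] = res.text.strip() if res is not None and res.text else "unknown"
    return results


def to_checklist_status(xccdf_result):
    """Map one XCCDF result value to a checklist status; unknown values stay manual."""
    return STATUS_MAP.get(xccdf_result, "Not_Reviewed")


def summarise(xml_text):
    """Parse a results file and report per-rule status, counts, and the manual backlog."""
    rule_results = parse_rule_results(xml_text)
    statuses = {rid: to_checklist_status(r) for rid, r in rule_results.items()}
    counts = Counter(statuses.values())
    manual = sorted(rid for rid, s in statuses.items() if s == "Not_Reviewed")
    return {"statuses": statuses, "counts": counts, "manual": manual}


if __name__ == "__main__":
    report = summarise(SAMPLE_RESULTS)
    for status, n in sorted(report["counts"].items()):
        print(f"{status:15s} {n}")
    print("Still to review by hand:")
    for rid in report["manual"]:
        print("  ", rid)
```

The `manual` list is the part that matters for the workflow described above: rules the scanner returned as notchecked or notselected are exactly the ones the STIG Viewer checklist will still show as Not_Reviewed after import, so that list is the remaining manual work.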

submitted 1 year ago by [email protected] to c/[email protected]

For anyone who's interested in pen testing, there's a business from MN that does a podcast where the host and business owner, Brian, talks about doing tests, tells stories, and is generally goofy.

Brian made a podcast intro song, kinda funny. He talks about testing successes, tips for security, personal things, and running the business. They do live streaming where they sometimes get into the weeds and teach some techniques.

(I am not affiliated with 7 Minute Security, just enjoy the podcast/learning)

submitted 1 year ago by [email protected] to c/[email protected]

One of the vulnerabilities (identified as CVE-2024-27198) has a near-maximum severity CVSS rating of 9.8 out of 10 and is an authentication bypass issue in TeamCity's Web component. Researchers from Rapid7 who discovered the vulnerability and reported it to JetBrains have described it as enabling a remote unauthenticated attacker to execute arbitrary code to take complete control of affected instances.

submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]

cross-posted from: https://infosec.pub/post/9382315

I have had no problem using VOIP over #protonVPN until recently. Connections happen but there is no audio. Anyone notice this?

I wondered if maybe they decided to make VOIP a non-free feature, but their premium plans do not list VOIP as an extra feature.

Open Source IDS - Security Onion 2.4 (securityonionsolutions.com)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]

For anyone who's interested in IDS, this is a product that's open source, with support.

It can be run as a single standalone node, but it's meant to be run tiered, where you deploy sensors doing packet capture and analysis, which gets sent to a central manager and can then be retained in search nodes.

It's incredibly powerful, just have to be willing to learn how to tune it.

https://docs.securityonion.net/en/2.4/ https://blog.securityonion.net/

I am not affiliated with the product, just a user of it. I like it.

submitted 1 year ago by [email protected] to c/[email protected]

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

submitted 1 year ago by [email protected] to c/[email protected]

How is this legal? This has to be the most insecure login method I've ever seen. They removed the password from my account without consent and have no way to go back to requiring a password. Literally all an attacker has to do is gain control of either my phone/email and brute force a 4 digit PIN. I'm going to have to change banks because of this.

Oh also I posted this on the bad version of Lemmy and the mod tried to claim that this method of auth is actually more secure than a password, posted a Wikipedia article about passkeys, and then locked the post… In no reality is it at all possible that this is more secure than a password.

So stay away from One Finance if you value your money

submitted 1 year ago by [email protected] to c/[email protected]

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


cybersecurity

4413 readers

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

founded 2 years ago