CyberSecurity – What are some things that get a bad rap, but are actually quite secure?
Cybersecurity matters to everyone, from individuals to large organizations, and several practices that get a bad rap are in fact sound. PGP (Pretty Good Privacy) is an email encryption scheme whose cryptography has held up for decades; its reputation problem is usability, since exchanging keys and configuring a mail client are awkward. Very long passwords that are actually a sentence look odd, but a multi-word passphrase has far more entropy than a short string of mixed characters, so it is much harder to guess or brute-force. Moving a service such as a database off its default port is not a security control on its own, but it keeps the service out of the reach of mass scanners that only probe default ports. Unplugging the ethernet cable sounds crude, yet physical isolation is one of the most effective ways to stop a network-borne breach that is already in progress. Finally, browser password managers are often dismissed as insecure, but used properly (on a machine with a locked OS account and no shared login) they are far safer than reusing one password everywhere. Cybersecurity is an important issue, and these are practical steps that help prevent account takeover and data breaches.
There are also plenty of cybersecurity myths that run the other way: people assume X, Y and Z are the most secure way to do things when in reality they are the weakest. One is that PGP is unbreakable. The OpenPGP algorithms themselves have not been broken, but the mail clients and plugins that handle PGP have had serious bugs, and a leaked private key or a careless key exchange defeats the whole scheme, so PGP is only as reliable as the software and key handling around it. Another is that any very long password is automatically safe. Length only helps if the passphrase is not a famous quote or song lyric, and a passphrase that is hard to remember tends to get written down somewhere it should not be; if an attacker obtains it, it grants exactly the same access a short one would. In practice the biggest single improvement is to turn on MFA (TOTP codes, push approval or hardware keys) wherever it is offered and, for third-party apps, to sign in through OAuth with a trusted identity provider rather than creating yet another password. These measures are not foolproof, but they make account takeover much harder.
1- PGP.
As a protocol, PGP is surprisingly simple. Here is what happens if you want to use it to securely send a message to someone:
You get from them a PGP identity (public key). How you do that is entirely up to you.
Your PGP program generates a random symmetric message key (session key) and uses that identity to perform a single public key encryption of it.
The message key is then used to encrypt the message itself, and that ciphertext is appended to the encrypted message key to form the encrypted message.
Your correspondent does the opposite operations to get the message: decrypts the message key with their private key, then decrypts the message with it.
If you want to sign your message then you:
Hash the message.
Do a public key signature operation on the hash and attach the result to the message.
Your correspondent checks the signature from your PGP identity, which they have acquired somehow.
The simple key handling is where the minimalism comes from. It is why PGP can be used in so many non-email contexts.
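The exchange described above in working code, as an added example that is not part of the original article and not code from any OpenPGP implementation: it uses Go's standard library with RSA-OAEP to wrap a random AES-256-GCM message key and RSA-PSS over a SHA-256 hash for the detached signature. OpenPGP's real packet formats and cipher choices are not reproduced, and the identities alice and bob and the sample message are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Envelope is the "encrypted message" of the description: the message key
// wrapped for one recipient, followed by the message encrypted under it.
type Envelope struct {
	WrappedKey []byte // message key encrypted with the recipient's public key
	Nonce      []byte // AES-GCM nonce for the message itself
	Ciphertext []byte // message encrypted under the message key, with auth tag
}

// Encrypt does one public-key encryption of a fresh random message key, then
// encrypts the message under that key. Only the recipient's PUBLIC key is
// needed; how the sender obtained it is outside the protocol.
func Encrypt(recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	msgKey := make([]byte, 32) // 256-bit random message (session) key
	if _, err := rand.Read(msgKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msgKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(msgKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, msg, nil)}, nil
}

// Decrypt is the recipient's mirror image: unwrap the message key with the
// private key, then decrypt (and integrity-check) the message with it.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	msgKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(msgKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // errors if anything was tampered with
}

// Sign hashes the message and signs the hash; the signature travels alongside
// the message (a detached signature in PGP terms).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify checks the signature against the sender's public key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Stand-in identities; real PGP keys would be fetched and verified out of band.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)

	msg := []byte("meet at the usual place at 9") // constructed sample message
	env, err := Encrypt(&bob.PublicKey, msg)
	if err != nil {
		log.Fatal(err)
	}
	sig, _ := Sign(alice, msg)

	plain, err := Decrypt(bob, env)
	fmt.Printf("bob decrypted: %q (err=%v)\n", plain, err)
	fmt.Println("signature from alice valid:", Verify(&alice.PublicKey, plain, sig))

	env.Ciphertext[0] ^= 0x01 // flip one bit in transit
	_, err = Decrypt(bob, env)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Note that the whole state the sender keeps is one public key per correspondent, which is the minimalism the article is pointing at; there is no session, no ratchet and nothing to resynchronise.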
As a contrast, consider the Signal Protocol for instant messaging. I will not attempt to describe Signal in any detail as I would get parts of it wrong. It would also make for a pointlessly long article. There is a high-level description of the Signal protocol here. None of the following comments are intended to be critical; they are intended to give an idea of the level of complexity of the protocol in total:
Signal has at least 2 systems for creating forward secrecy. Each system requires a system to deal with loss of synchronization.
A Signal session requires the storage and maintenance of a lot of state information.
Signal normally uses a server based “prekey” system to deal with the case where a client is offline and thus is unable to negotiate.
Signal achieves partial deniability with a triple Diffie-Hellman key exchange. OpenPGP achieves complete deniability by not signing the message in the first place.
Supporting the Signal protocol in practice requires a separate system to store and protect past messages. Since this is at odds with forward secrecy, such a system will end up with a further system to delete old messages.
The Signal Protocol is built on ideas from the Off the Record (OTR) protocol. Interestingly enough, OTR was intended to improve PGP by adding extra functionality. Signal adds functionality on top of the OTR functionality. So Signal could be considered the result of an attempt to improve something by making it more complex.
I believe that reliability and security are best achieved with simple systems. OpenPGP is a standard that describes such a system.
2- Very long passwords that are actually a sentence
It could be bad if you just came up with it and forgot it, and people think it’s bad if it only has lowercase and no numbers or punctuation. But a 5-6 word sentence could be quite secure, especially if it’s a bit weird: “Lemons make a delicious snack in my house.”
3- Writing passwords down.
I tell all my old relatives to write their passwords down in a little notebook. As long as there isn’t someone there regularly whom I don’t trust, it is much better than using the same password everywhere, and if the physical security of their house is compromised, there are bigger concerns than a notebook of banking passwords.
We write down all the passwords to our most secure systems – but then we rip them in half and put them in 2 separate safes.
Did I say passwords? I meant encryption keys.
4- Changing default ports for certain services like DBs.
Most of the gangs out there use tools that don’t do a full search, so they just go through the default port list.
5- MFA (multi-factor authentication).
Takes 60 seconds to set up, and an additional 5 seconds each time you use it, but can save you hours if not days of manual recovery efforts with support to regain access to a compromised account. Yet people don’t like the idea.
If you are using TOTP for your MFA, you can even put it right in the browser with a plug-in. I use this approach for work. It’s very convenient.
If you use a password manager that supports TOTP and auto type (e.g. KeePassXC) then you don’t even need to mess with it once you have it set up.
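For readers who want to see what the TOTP the two comments above rely on actually does, here is an added example (not code from either commenter, from KeePassXC or from any browser plug-in) implementing RFC 4226 HOTP and RFC 6238 TOTP with Go's standard library, plus the server-side check a practitioner would want: a one-step clock-drift window and replay rejection, since a code that was intercepted must not work a second time. The base32 string in main is the RFC 6238 reference secret, not a real enrolment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then modulo 10^digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf(fmt.Sprintf("%%0%dd", digits), code%mod)
}

// TOTP (RFC 6238) is HOTP with the counter derived from the clock.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// DecodeSecret parses the base32 secret shown at enrolment, tolerating the
// spaces and lower case that authenticator apps display for readability.
func DecodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// Verifier is the server side. It tolerates one 30-second step of drift
// either way and refuses any step at or below the last one consumed, so an
// intercepted code cannot be replayed inside its validity window.
type Verifier struct {
	Secret   []byte
	LastStep int64 // highest time step already used for a successful login
}

// Check validates a submitted 6-digit code against the current time.
func (v *Verifier) Check(code string, unixTime int64) bool {
	current := unixTime / 30
	for _, delta := range []int64{0, -1, 1} {
		step := current + delta
		if step <= v.LastStep {
			continue // already consumed: replay
		}
		expected := HOTP(v.Secret, uint64(step), 6)
		if hmac.Equal([]byte(expected), []byte(code)) { // constant-time compare
			v.LastStep = step
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 reference secret ("12345678901234567890"), as an app would store it.
	secret, err := DecodeSecret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Println("current code:", code)

	server := &Verifier{Secret: secret}
	fmt.Println("first use accepted:", server.Check(code, now))
	fmt.Println("replay accepted:   ", server.Check(code, now))
}
```

The only long-lived secret is the shared seed, so whichever device or plug-in holds it (phone, KeePassXC database, browser extension) is exactly as sensitive as the password it supplements; the comments' convenience argument holds as long as that store is encrypted and locked.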
6- OAuth for 3rd-party apps.
Those “sign into our app with your (Google, Microsoft, etc.) account” things. As long as you trust the ID provider and the app, it’s usually secure. Even more so considering it prevents password reuse, and you aren’t exposed if any of those 3rd-party apps have a breach.
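An added example, not code from the commenter or from any identity provider, of the client side of the flow the comment describes: the app sends the browser to the identity provider with a PKCE challenge and a state value, and later receives only an authorization code, so the user's Google or Microsoft password never passes through the app and a breach of the app leaks no password. Go standard library only; the endpoint https://idp.example/authorize, the client id demo-client and the redirect URI are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// NewVerifier creates the PKCE code_verifier: 32 random bytes as unpadded
// base64url, giving 43 characters (RFC 7636 requires 43..128).
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Challenge derives the S256 code_challenge from the verifier.
func Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL is where the app sends the browser. Note what is NOT in it:
// no user credentials. The user types their password at the provider, never
// into the app.
func AuthorizeURL(endpoint, clientID, redirectURI, state, verifier string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email")
	q.Set("state", state)
	q.Set("code_challenge", Challenge(verifier))
	q.Set("code_challenge_method", "S256")
	return endpoint + "?" + q.Encode()
}

// HandleCallback parses the provider's redirect back to the app and returns
// the authorization code, refusing it when the state does not match the one
// stored in the user's session (login CSRF / session mix-up).
func HandleCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", errors.New("provider returned error: " + e)
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: discarding callback")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

// VerifyChallenge is the provider-side check at the token endpoint: whoever
// redeems the code must present the verifier matching the challenge sent at
// the start, so a code stolen from the redirect is useless on its own.
func VerifyChallenge(verifier, challenge string) bool {
	return subtle.ConstantTimeCompare([]byte(Challenge(verifier)), []byte(challenge)) == 1
}

func main() {
	verifier, _ := NewVerifier()
	state, _ := NewVerifier() // the same construction serves as a CSRF token
	// Placeholder endpoint, client id and redirect URI.
	fmt.Println(AuthorizeURL("https://idp.example/authorize", "demo-client",
		"https://app.example/callback", state, verifier))

	// Simulated redirect back from the provider (constructed, not a real code).
	code, err := HandleCallback("https://app.example/callback?code=example-code&state="+state, state)
	fmt.Printf("code=%q err=%v\n", code, err)
	fmt.Println("provider accepts verifier:", VerifyChallenge(verifier, Challenge(verifier)))
}
```

The "as long as you trust the app" caveat maps onto the scope parameter: the app gets whatever the user consents to there, so a third-party app asking for far more than "openid email" deserves the same suspicion as one asking for your password.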
7- Two-step verification.
Yes, it’s annoying to need two devices every time you want to log into your most precious accounts, but trust me, I’d rather take the extra 10 seconds to authorize a login than go through the hell of having my account breached.
8- Biometric Authentication.
The argument is that ‘you can’t change your face/finger’, but it is actually more secure than other ‘magic link’ providers.
Let me be clear, there are some providers that are still iffy on security. But there are also some that have device-native authentication (you need the device to auth), don’t store passwords or password hashes, and only hold public keys.
One example of this is https://passage.id/ which is about as secure as you can get.
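To make the "only holds public keys" point concrete, here is an added example (not Passage's code, nor a real WebAuthn/FIDO2 implementation) of device-native, public-key-only login in Go's standard library: the server stores one Ed25519 public key per user and a one-time random challenge, the device signs the challenge with a private key that never leaves it, and a captured signature cannot be replayed. The user name alice and the in-memory maps are constructed for the demo; a real deployment would speak the WebAuthn protocol and rely on the platform's secure hardware to hold the key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds no passwords and no password hashes: only each user's public
// key and the challenge it is currently waiting on. A database dump yields
// nothing an attacker can log in with.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public half of a key pair generated on the user's device.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.pubKeys[user] = pub
}

// BeginLogin issues a fresh random challenge; any earlier one is discarded.
func (s *Server) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// FinishLogin verifies the device's signature over the outstanding challenge.
// The challenge is consumed whether or not the check passes, so a captured
// signature cannot be replayed and a wrong guess forces a new challenge.
func (s *Server) FinishLogin(user string, challenge, sig []byte) bool {
	expected, ok := s.challenges[user]
	delete(s.challenges, user)
	if !ok || !bytes.Equal(expected, challenge) {
		return false
	}
	return ed25519.Verify(s.pubKeys[user], challenge, sig)
}

// Device is the user's phone or laptop; the private key never leaves it.
type Device struct {
	priv ed25519.PrivateKey
}

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (d *Device) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign is what the biometric prompt gates in practice: the fingerprint or
// face unlocks use of this key, it is never sent anywhere itself.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

func main() {
	srv := NewServer()
	phone, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", phone.Public()) // enrolment: public key only
	fmt.Println("server holds for alice:", hex.EncodeToString(srv.pubKeys["alice"]))

	challenge, _ := srv.BeginLogin("alice")
	sig := phone.Sign(challenge)
	fmt.Println("login with device:       ", srv.FinishLogin("alice", challenge, sig))
	fmt.Println("replay of same signature:", srv.FinishLogin("alice", challenge, sig))
}
```

This is also why "you can't change your face" is the wrong worry for such providers: the biometric only unlocks the key locally and is never stored or transmitted, and if the device is lost the server simply deletes that public key and enrols a new device.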
9- Zoom.
Yes, they had a bunch of issues at the start, but they fixed them. I would much rather work with a company that had security assessments and fixed the problems rather than a company which has never been assessed.
10- Unplugging the ethernet cable.
11- Browser password managers?
Rant moment: reasons cybersecurity fails
<Rant>
People don’t see the value of putting effort into cybersecurity because they don’t see any material gains from it. The best thing they can see is nothing bad happening.
No news isn’t good enough as good news. This is enough for most people to ignore all cybersecurity advice altogether.
This is similar to people not taking care of themselves health-wise, because the best thing they can see is not getting sick.
</Rant>
Why do cyber attackers commonly use social engineering attacks?
Hackers commonly use social engineering attacks because they work. Social engineering takes advantage of people’s trusting nature and willingness to help, and of the fact that most people are not well informed about security and privacy. For example, an attacker might pose as a customer service representative or the IT helpdesk and ask for someone’s password, or send an email that looks like it comes from a trusted source, such as a bank or government agency, asking the recipient to click a link or open an attachment. If the person falls for it, the attacker gains access to their accounts or infects their computer with malware without ever having to find a software vulnerability. That is why it is important to recognise these attacks and know how to respond: verify unexpected requests through a channel you already trust, and never read out a password or MFA code to someone who asks for it.
Cyber attackers favour social engineering for practical reasons. First, breaking into well-maintained systems through technical flaws is getting harder and more expensive as patching, hardening and monitoring improve, while a convincing phone call or email costs almost nothing. Second, a phished credential or an approved MFA prompt gives the attacker a legitimate login rather than an exploit, so their activity blends in with normal use and is far harder for defenders to spot. Third, social engineering sidesteps controls that only look at software: no firewall or antivirus stops an employee from reading out a password or wiring money to a fraudulent account. Finally, social media and corporate websites make it easy to learn names, roles, reporting lines and internal jargon, so pretexts can be tailored to each target. As a result, social engineering is the initial-access method of choice for many cyber attackers.
To conclude:
Cybersecurity is often thought of as a complex and technical field, but many of the measures above are simple enough for anyone to adopt. PGP encryption protects the content of a message with cryptography that has not been practically broken; the effort is in managing keys and a compatible mail client, not in the math. A passphrase made of several words is both easier to remember and far harder to brute-force than a short password. Moving services off their default ports cuts down the automated scanning noise, though it is no substitute for authentication and patching. Multi-factor authentication turns a stolen password into a much smaller problem. And when a machine is actively being attacked, pulling the ethernet cable is the fastest way to cut the attacker’s connection while you investigate. None of these is a silver bullet, but together they substantially raise the cost of breaking in and protect your privacy.