I have tried to read up on Virtual Smart Cards but from my understanding this technology will die off since Microsoft is about to sunset support for it in favor of Windows Hello for Business and their FIDO2-support. This would mean that as the key length requirements increases (for example BSI recommends 3K RSA keys after new year), the VSC-technology is expected to die off since no current supplier seems to support anything longer than 2K keys. Why is this the case, VSC seems to be a perfectly viable use case for soft tokens and there is no reason why providers (or Microsoft) would go on to support it with longer keys, or is there? submitted by /u/mingusrude [link] [comments]

submitted by /u/Definition470 [link] [comments]

An extension that we have released to one of our past posts, focuses on how to understand better and analyze Okta Audit logs to identify different types of threats, including those that may have happened in the MGM Incident or others.https://www.rezonate.io/blog/okta-threat-hunting-auditing-okta-logs-part-2/?utm_source=reddit submitted by /u/Or1rez [link] [comments]

submitted by /u/Xadartt [link] [comments]

Hello, Can someone please provide any guidance as to what exactly needs to be implemented from a technical Dev Ops/Coding systems point of view to meet SOC 2 (Type II) and ISO 27001 requirements? Would implementing a SaaS product using OWASP security guidance fulfill all the needs for ISO 27001 and SOC 2 Type II? OWASP seems like a ton of work by itself. I am well aware that documentation and policies requires a brunt of the work as well. Also, any thoughts on skipping SOC 2 Type I? submitted by /u/Ok-Pen-8450 [link] [comments]

submitted by /u/NoPermit9887 [link] [comments]

submitted by /u/kaishinoske1 [link] [comments]

I trying to find some HLD documentation examples for setting up a SOC, could you point me in the right direction, I so far only found the «classic sales documentation» from SiEM & SOAR vendors submitted by /u/celzo1776 [link] [comments]

Hi, we MUST implement MFA at our org but we can't force our employees use their cell phones as the that 2nd factor... so we are exploring other options. I had made the suggestion of using smart cards because, I assumed, they were relatively inexpensive. I am the security officer, and the IT director and the SYS ADMs don't have a clue but told me to find some vendors and get some quotes. I can find vendors, probably, but I don't want to be upsold for something I don't need. MFA software we are planning to use: Duo (in the staging phase) Our industry: human services Our critical data: PII Number of employees that will need cards: +/- 800 our chosen framework: NIST RMF ​ Questions: Should I actually contact a vendor, like an MSP, or should I work directly with the manufacturer? We have smart card readers; are all "modern" readers relatively the same? (our computers are 1-3 years old, so nothing EoL). Can anyone recommend a good solution that would satisfy the controls of NIST 800-53 / 800-63B? ​ Thank you ​ submitted by /u/BallOk6712 [link] [comments]

What are your top tips for getting up to speed with the major platforms (AWS, Azure, GCP) in a way that we can find the most practical ways to secure it? As a start going with NIST CSF and SOC 2 has helped with principles to focus on. Though we would like to be more helpful in our advice to devs than just “make sure there’s least privilege access”. The “how” is often tricky. As an example when we tried to utilise AWS CIS benchmarks, the instructions for AWS Config/Security Hub conformance packs were a bit overwhelming. How can we upskill? Any good online resources welcomed. For context: startup fewer than 90 people, small security team submitted by /u/StealthyNoise [link] [comments]

Title, and how did you find out? submitted by /u/Recent_End964 [link] [comments]

Hey everyone, throwaway account as my network are keen redditors. I’ve been in this field for about seven years, social science background and found my way to infosec/privacy (more focused on GRC, third party risks, second line assurance, PCI and SOC 2). Got the CRISC, CISM, CISSP, CIPT creds. I don’t always know stuff but I’ve learned on the job and enjoying learning. Not a developer by trade though I’ve found success in my roles with the help of folks who really know their stuff or the business. Always got positive feedback with the softer skills like collaboration and pragmatism. That said there’s always the lurking sense that my lack of technicality holds me back and I’m the dumbest person in the room. Does anyone experience that too? On a more constructive note I would love to hear your top tips on being more “technical”. Brush up on AWS? Learn to code? Stop having imposter syndrome? Bonus q: what are some company green flags that security is taken seriously? submitted by /u/parchedapple [link] [comments]

I’m confused what this terms actually means. I don’t see a difference between this and just risk management. The way I see it exposure management just gives you the ability to visualise your risks and threat landscape? Maybe I’m not getting something. Please let me know. I would appreciate if someone could explain this to me in simple terms. submitted by /u/SSilverScent [link] [comments]

I’m struggling between which path choose, Blue team or Red team. I’m currently working as detection analyst. I like to do research when an incident happens but this doesn’t occur every day. The day-to-day is kind of boring (full excels). In other part there is the red team, I’m very curious about what day-to-day life is like and the tasks that are carried out. I have a CS degree that’s why I think that I’m not applying much of what I learned in the career when in red team I feel that I could (a more technical profile is needed I guess). Please someone that are working in those team could share their opinion. submitted by /u/Federal-Ad5137 [link] [comments]

Hello ! I'm still in an apprenticeship, but would like to work towards OSCP. How hard are the OSCP Exam compared to HackTheBox boxes ? Considering I'd rather already know "everything" before I start following the course, which difficulty should I be able to easily clear to be "good enough" for the OSCP ? (That's the only metric I really have, sadly) On a side note, i'm in the EU and my only current certification is the CCNA, is there any free-or-less-expensive certification that would be relevant ? submitted by /u/Jade_Emperor [link] [comments]

Interviewed 2 weeks ago for information security compliance analyst position. They emailed me back yesterday to say that they are working on a few things and will get back to me soon…. Is this a good sign??? submitted by /u/ApokatastasisComes [link] [comments]

Hoping for some general feedback here. I'm taking over as a CISO for a medium size company (new department entirely) and one of my first decisions to make is a security training and awareness provider, after fairly harsh criticism of the existing program (run by IT/HR). We have Proofpoint for email protection, so it seems like Proofpoint training/phishing sim/awareness makes perfect sense, but it seems the last few years they've gone with KnowBe4. I've used KnowBe4 and it's fine...but is there any reason I shouldn't be pushing to get back to Proofpoint to keep it all bundled / easier to manage? Mainly need yearly training, phishing sim, and general awareness docs/materials, so I'm not sure there is going to be a big difference between the two anyway. Thoughts from others who've chosen between these two? Thanks all. submitted by /u/No-Department-Here [link] [comments]

More specifically, once you gave your audit over and done everything in due diligence, do you care if anything is done with that audit and they actually fix their shit? I have seen a lot of people complaining about nothing being done after they hand in audits and how angry, dissatisfied and disillusioned they are because of it. Personally I really don't care as a normal employee, maybe as a stakeholder or boss I would but if the company loses money after I pointed out something multiple times and nothing gets done I just don't care especially since I have paper trail proving I did everything right submitted by /u/crablemet111 [link] [comments]

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that it's responding to a cyber attack that involved the active exploitation of Unitronics programmable logic controllers (PLCs) to target the Municipal Water Authority of Aliquippa in western Pennsylvania. The attack has been attributed to an Iranian-backed hacktivist collective known as Cyber Av3ngers. "Cyber threat actors are targeting PLCs associated with [Water and Wastewater Systems] facilities, including an identified Unitronics PLC, at a U.S. water facility," the agency said. "In response, the affected municipality's water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality's drinking water or water supply." According to news reports quoted by the Water Information Sharing & Analysis Center (WaterISAC), CyberAv3ngers is alleged to have seized control of the booster station that monitors and regulates pressure for Raccoon and Potter Townships. With PLCs being used in the WWS sector to monitor various stages and processes of water and wastewater treatment, disruptive attacks attempting to compromise the integrity of such critical processes can have adverse impacts, preventing WWS facilities from providing access to clean, potable water. To mitigate such attacks, CISA is recommending that organizations change the Unitronics PLC default password, enforce multi-factor authentication (MFA), disconnect the PLC from the internet, back up the logic and configurations on any Unitronics PLCs to enable fast recovery, and apply latest updates. Cyber Av3ngers has a history of targeting the critical infrastructure sector, claiming to have infiltrated as many as 10 water treatment stations in Israel. Last month, the group also claimed responsibility for a major cyber assault on Orpak Systems, a prominent provider of gas station solutions in the country. "Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target," the group claimed in a message posted on its Telegram channel on November 26, 2023. submitted by /u/CyberReaper80 [link] [comments]

If you had one FTE with a Data Engineering/ Data Science background available in your team today, which would be the some of the areas where you can see the most value generated for your organization? Be it automating tasks with Python or training models on log data. I know that for some things there are better out-of-the-box solutions out there, and you cannot expect a one-man army to reinvent the wheel. Ofc the size of your organization and Cybersecurity department plays a significant role, so I was curious about hearing some ideas in your personal situation? submitted by /u/Any-Badger23 [link] [comments]

submitted by /u/zoobegso [link] [comments]

submitted by /u/GreenLaser7 [link] [comments]

As the title says…. Who are fun to watch. PS: you feel relaxed when you watch YouTube videos not overwhelmed submitted by /u/Existing_Talk_6552 [link] [comments]

This is the same breach from October where they said only 1% of their customers were impacted. Now they say investigation revealed it was all of them. submitted by /u/VulnerableU [link] [comments]

Oh no — pwned! This password has been seen 9,659,365 times before Can anyone get a higher score? https://haveibeenpwned.com/Passwords submitted by /u/xakepnz [link] [comments]

Supporting hundreds if not thousands of people with a small security staff seems to be a daunting task, but these security professionals have done it (or are currently doing it). They’re all ready to answer your questions of pulling it off, dealing with the stress, and managing growth pains. Henry Canivel (/u/hcbomb), security engineer, Commerce Fabric (Team of 2 supporting an organization of 300 w/ 150 of them engineers.) Chance Daniels (/u/CDVCP), vCISO, Cybercide Network Solutions (Was a one-man shop. Built to 9 supporting 400. Another with a team of 3 that grew to 8 supporting 2,500.) Steve Gentry (/u/Gullible_Ad5121), former CSO/advisor, Clari (Was a team of 2 that grew to 27 supporting 800. Did this two other times.) Howard Holton (/u/CxO-analyst), CTO, GigaOm (Was a team of 2 supporting 300 users and many others.) Jacob Jasser (/u/redcl0udsec), security architect, Cisco (Was at Fivetran with a team of 3. Company grew from 350-1300 employees.) Jeff Moss (/u/Illustrious_Push5587), sr. director of InfoSec for Incode (Was a 2-person team supporting 300+ users.) Dan Newbart (/u/Generic_CyberSecDude), manager, IT security and business continuity, Harper College (Started w/ 2-person team. Now have a third supporting 14,000 students and staff.) Billy Norwood (/u/justacyberguyinsd), CISO, FFF Enterprises (Former fraction CISO running 1-2 person security teams and currently FTE CISO running a 2 person team soon to be 4) Jake Schroeder (/u/JakeSec), head of InfoSec, Route (Currently 3 people supporting 350 users. 1 person grew to 3 people.) Proof photos This AMA will run all week from 11-26-23 to 12-02-23. All AMA participants were chosen by David Spark (/u/dspark) the producer of CISO Series (/r/CISOSeries), a media network for security professionals. Check out their programs and events at cisoseries.com. submitted by /u/AutoModerator [link] [comments]

This is the weekly thread for career and education questions and advice. There are no stupid questions; so, what do you want to know about certs/degrees, job requirements, and any other general cybersecurity career questions? Ask away! Interested in what other people are asking, or think your question has been asked before? Have a look through prior weeks of content - though we're working on making this more easily searchable for the future. submitted by /u/AutoModerator [link] [comments]