CyberSecurity – What are some things that get a bad rap, but are actually quite secure?
Cybersecurity is an important issue for everyone, from individuals to large organizations. There are many things that get a bad rap when it comes to cybersecurity, but that doesn’t mean they’re not secure. For example, PGP (Pretty Good Privacy) is a method of encrypting emails that is considered to be very secure. However, it can be difficult to set up and use. Another example is using very long passwords that are actually a sentence. This may seem like a security risk, but it’s actually more secure than a shorter password because it’s more difficult for hackers to guess. Additionally, changing the default port for certain services like databases can help to prevent hacking. Unplugging the ethernet cable may also seem like a security risk, but it’s actually one of the most effective ways to prevent data breaches. Finally, browser password managers are often considered to be insecure, but they’re actually quite secure if used properly. Cybersecurity is an important issue, and there are many things that can be done to help prevent hacking and data breaches.
There are a lot of CyberSecurity myths out there. People think that X, Y, and Z are the most secure way to do things when in reality, they are the least secure. The biggest myth is that PGP is unbreakable. PGP has been broken many times and is not a reliable form of CyberSecurity. Another myth is that very long passwords are secure. The problem with very long passwords is that they are difficult to remember and often get written down somewhere. If a hacker gets ahold of your password, they can easily access your account. The best way to prevent CyberSecurity breaches is to use MFA, OAuth, and two-step verification whenever possible. These methods make it much more difficult for hackers to gain access to your accounts. While they may not be foolproof, they are the best CyberSecurity measure available.
As a protocol, PGP is surprising simple. Here is what happens if you want to use it to securely send a message to someone:
- You get from them a PGP identity (public key). How you do that is entirely up to you.
- Your PGP program uses that identity to perform a single public key encryption of a message key.
- Then the message key is used to encrypt the message which is added to the encrypted message key to make the encrypted message.
- Your correspondent does the opposite operations to get the message.
If you want to sign your message then you:
- Hash the message.
- Do a public key signature operation on the hash and attach the result to the message.
- Your correspondent checks the signature from your PGP identity, which they have acquired somehow.
The simple key handling is where the minimalism comes from. It is why PGP can be used in so many non-email contexts.
As a contrast, consider the Signal Protocol for instant messaging. I will not attempt to describe Signal in any detail as I would get parts of it wrong. It would also make for a pointlessly long article. There is a high level description of the Signal protocol here. None of the following comments are intended to be critical, they are intended to give an idea of the level of complexity of the protocol in total:
- Signal has at least 2 systems for creating forward secrecy. Each system requires a system to deal with loss of synchronization.
- A Signal session requires the storage and maintenance of a lot of state information.
- Signal normally uses a server based “prekey” system to deal with the case where a client is offline and thus is unable to negotiate.
The Signal Protocol is built on ideas from the Off the Record (OTR) protocol. Interestingly enough, OTR was intended to improve PGP by adding extra functionality. Signal adds functionality on top of the OTR functionality. So Signal could be considered the result of an attempt to improve something by making it more complex.
I believe that reliability and security are best achieved with simple systems. OpenPGP is a standard that describes such a system.
2- Very long passwords that are actually a sentence
It could be bad if you just came up with it and forget it, and people think it’s bad if it only has lowercase and no numbers or punctuation. But a 5-6 word sentence could be quite secure, especially if it’s a bit weird. “Lemons make a delicious snack in my house.”
3- Writing passwords down.
I tell all my old relatives to write their passwords down in a little notebook. As long as there isn’t someone there regularly I don’t trust, it is much better than using same password and if their physical security at their house is compromised, there are bigger concerns than a notebook of banking passwords.
We write down all the passwords to our most secure systems – but then we rip them in half and put them in 2 separate safes.
Did I say passwords? I meant encryption keys.
4- Changing default ports for certain services like dbs
Most of the gangs out there use tools that don’t do a full search, so they go through the default port list
5- MFA in general.
Takes 60 seconds to set up, and an additional 5s each time you use it, but can save you hours if not days of manual recovery efforts with support to regain access to a compromised account. Yet people don’t like the idea.
If you are using TOTP for your MFA, you can even put it right in the browser with a plug-in. I use this approach for work. It’s very convenient.
If you use a password manager that supports TOTP and auto type (e.g. KeePassXC) then you don’t even need to mess with it once you have it set up.
6- Oauth for 3rd party apps.
Those “sign into our app with your (Google, Microsoft, etc) account” things. As long as you trust the ID provider and the app, it’s usually secure. More so, considering it prevents password reuse, and you aren’t exposed if any of those 3rd party apps have a breach.
7- Two-step verification.
Yes it’s annoying to need two devices every time you want to log into your most precious accounts, but trust me, I’d rather take the extra 10 seconds to authorize a login than go through the hell of having my account breached.
The argument is that ‘you can’t change your face/finger’ but it is actually more secure than other ‘magic link’ providers.
Let me be clear, there are some providers that are still iffy on security. But there are also some that have device native authentication (you need the device to auth), they don’t store passwords or password hashes, and only has public keys.
One example of this is https://passage.id/ which is about as secure as you can get.
Yes, they had a bunch of issues at the start, but they fixed them. I would much rather work with a company that had security assessments and fixed the problems rather than a company which has never been assessed.
10- Unplugging the ethernet cable.
11- Browser password managers?
Rant moment: reasons cybersecurity fails
People don’t see value of putting effort in cybersecurity because they don’t see any material gains from it. The best thing they can see is nothing bad happening.
No news isn’t good enough of a good news. This is enough to mostly ignore all cybersecurity advice altogether.
This is similar to people not taking care of themselves health-wise, because the best things they can see is not getting sick.
Why do cyber attackers commonly use social engineering attacks?
Hackers commonly use social engineering attacks because they can be very effective. By using social engineering, hackers can take advantage of people’s trusting nature and willingness to help others. They can also exploit the fact that people are often not well-informed about security and privacy issues. For example, a hacker might pose as a customer service representative and ask for someone’s password. Or, they might send an email that looks like it is from a trusted source, such as a bank or government agency, and ask the recipient to click on a link or download an attachment. If the person falls for the deception, the hacker can gain access to their accounts or infect their computer with malware. That is why it is important to be aware of these types of attacks and know how to protect yourself.
Cyber attackers commonly use social engineering attacks for a number of reasons. First, hacking into a person’s or organization’s computer systems is becoming increasingly difficult as security measures become more sophisticated. Second, even if a hacker is able to gain access to a system, they are likely to be discovered and caught before they can do any significant damage. Third, social engineering attacks allow hackers to bypass security measures and obtain sensitive information without being detected. Finally, social media platforms have made it easier for cyber attackers to obtain personal information about their targets and to carry out attacks. As a result, social engineering attacks are an attractive option for many cyber attackers.
Cybersecurity is often thought of as a complex and technical field, but there are actually many simple things that everyone can do to help stay safe online. For example, one way to protect your online communications is to use PGP encryption. This type of encryption is incredibly difficult for even the most skilled hacker to break, but it’s also easy to use. Another way to improve your cybersecurity is to use very long passwords that are actually a sentence. This may seem daunting, but using a phrase as your password makes it much harder for hackers to guess. Additionally, changing the default ports for certain services can help prevent unauthorized access. And finally, unplugging the ethernet cable when you’re not using it is a great way to physically block hackers from accessing your device. By following these simple tips, you can dramatically improve your cybersecurity and protect your privacy.
- Virtual Smart Cardsby /u/mingusrude (cybersecurity) on November 30, 2023 at 10:42 am
I have tried to read up on Virtual Smart Cards but from my understanding this technology will die off since Microsoft is about to sunset support for it in favor of Windows Hello for Business and their FIDO2-support. This would mean that as the key length requirements increases (for example BSI recommends 3K RSA keys after new year), the VSC-technology is expected to die off since no current supplier seems to support anything longer than 2K keys. Why is this the case, VSC seems to be a perfectly viable use case for soft tokens and there is no reason why providers (or Microsoft) would go on to support it with longer keys, or is there? submitted by /u/mingusrude [link] [comments]
- BLUFFS is the new Bluetooth flawby /u/Definition470 (cybersecurity) on November 30, 2023 at 8:54 am
submitted by /u/Definition470 [link] [comments]
- Okta Threat Hunting Guide - Part 2by /u/Or1rez (cybersecurity) on November 30, 2023 at 7:19 am
An extension that we have released to one of our past posts, focuses on how to understand better and analyze Okta Audit logs to identify different types of threats, including those that may have happened in the MGM Incident or others.https://www.rezonate.io/blog/okta-threat-hunting-auditing-okta-logs-part-2/?utm_source=reddit submitted by /u/Or1rez [link] [comments]
- Cyberattack – November 2023 — blender.orgby /u/Xadartt (cybersecurity) on November 30, 2023 at 6:26 am
submitted by /u/Xadartt [link] [comments]
- SaaS SOC 2 and ISO 27001by /u/Ok-Pen-8450 (cybersecurity) on November 30, 2023 at 6:15 am
Hello, Can someone please provide any guidance as to what exactly needs to be implemented from a technical Dev Ops/Coding systems point of view to meet SOC 2 (Type II) and ISO 27001 requirements? Would implementing a SaaS product using OWASP security guidance fulfill all the needs for ISO 27001 and SOC 2 Type II? OWASP seems like a ton of work by itself. I am well aware that documentation and policies requires a brunt of the work as well. Also, any thoughts on skipping SOC 2 Type I? submitted by /u/Ok-Pen-8450 [link] [comments]
- Potential Dataleak Alert: Google starts mass deleting old Gmail & Drive accounts in 2 days, but will they also recycle unused email addresses？by /u/NoPermit9887 (cybersecurity) on November 30, 2023 at 3:52 am
submitted by /u/NoPermit9887 [link] [comments]
- Ransomware attack on hospital chain causes chaosby /u/kaishinoske1 (cybersecurity) on November 30, 2023 at 3:41 am
submitted by /u/kaishinoske1 [link] [comments]
- HLD documentation for SOCby /u/celzo1776 (cybersecurity) on November 30, 2023 at 3:36 am
I trying to find some HLD documentation examples for setting up a SOC, could you point me in the right direction, I so far only found the «classic sales documentation» from SiEM & SOAR vendors submitted by /u/celzo1776 [link] [comments]
- Smart Cards and Smart Readers for US-Based "Human Services" Org - Recommendations requestedby /u/BallOk6712 (cybersecurity) on November 30, 2023 at 1:53 am
Hi, we MUST implement MFA at our org but we can't force our employees use their cell phones as the that 2nd factor... so we are exploring other options. I had made the suggestion of using smart cards because, I assumed, they were relatively inexpensive. I am the security officer, and the IT director and the SYS ADMs don't have a clue but told me to find some vendors and get some quotes. I can find vendors, probably, but I don't want to be upsold for something I don't need. MFA software we are planning to use: Duo (in the staging phase) Our industry: human services Our critical data: PII Number of employees that will need cards: +/- 800 our chosen framework: NIST RMF Questions: Should I actually contact a vendor, like an MSP, or should I work directly with the manufacturer? We have smart card readers; are all "modern" readers relatively the same? (our computers are 1-3 years old, so nothing EoL). Can anyone recommend a good solution that would satisfy the controls of NIST 800-53 / 800-63B? Thank you submitted by /u/BallOk6712 [link] [comments]
- Tips for securing infrastructure (small company)by /u/StealthyNoise (cybersecurity) on November 30, 2023 at 12:49 am
What are your top tips for getting up to speed with the major platforms (AWS, Azure, GCP) in a way that we can find the most practical ways to secure it? As a start going with NIST CSF and SOC 2 has helped with principles to focus on. Though we would like to be more helpful in our advice to devs than just “make sure there’s least privilege access”. The “how” is often tricky. As an example when we tried to utilise AWS CIS benchmarks, the instructions for AWS Config/Security Hub conformance packs were a bit overwhelming. How can we upskill? Any good online resources welcomed. For context: startup fewer than 90 people, small security team submitted by /u/StealthyNoise [link] [comments]
- Have you ever used a tool that was infected with malware before?by /u/Recent_End964 (cybersecurity) on November 29, 2023 at 11:22 pm
Title, and how did you find out? submitted by /u/Recent_End964 [link] [comments]
- The “I’m not technical” imposter syndromeby /u/parchedapple (cybersecurity) on November 29, 2023 at 10:47 pm
Hey everyone, throwaway account as my network are keen redditors. I’ve been in this field for about seven years, social science background and found my way to infosec/privacy (more focused on GRC, third party risks, second line assurance, PCI and SOC 2). Got the CRISC, CISM, CISSP, CIPT creds. I don’t always know stuff but I’ve learned on the job and enjoying learning. Not a developer by trade though I’ve found success in my roles with the help of folks who really know their stuff or the business. Always got positive feedback with the softer skills like collaboration and pragmatism. That said there’s always the lurking sense that my lack of technicality holds me back and I’m the dumbest person in the room. Does anyone experience that too? On a more constructive note I would love to hear your top tips on being more “technical”. Brush up on AWS? Learn to code? Stop having imposter syndrome? Bonus q: what are some company green flags that security is taken seriously? submitted by /u/parchedapple [link] [comments]
- What is actually exposure management?by /u/SSilverScent (cybersecurity) on November 29, 2023 at 9:40 pm
I’m confused what this terms actually means. I don’t see a difference between this and just risk management. The way I see it exposure management just gives you the ability to visualise your risks and threat landscape? Maybe I’m not getting something. Please let me know. I would appreciate if someone could explain this to me in simple terms. submitted by /u/SSilverScent [link] [comments]
- Blue team or Red team pathby /u/Federal-Ad5137 (cybersecurity) on November 29, 2023 at 7:59 pm
I’m struggling between which path choose, Blue team or Red team. I’m currently working as detection analyst. I like to do research when an incident happens but this doesn’t occur every day. The day-to-day is kind of boring (full excels). In other part there is the red team, I’m very curious about what day-to-day life is like and the tasks that are carried out. I have a CS degree that’s why I think that I’m not applying much of what I learned in the career when in red team I feel that I could (a more technical profile is needed I guess). Please someone that are working in those team could share their opinion. submitted by /u/Federal-Ad5137 [link] [comments]
- How hard is OSCP ?by /u/Jade_Emperor (cybersecurity) on November 29, 2023 at 7:56 pm
Hello ! I'm still in an apprenticeship, but would like to work towards OSCP. How hard are the OSCP Exam compared to HackTheBox boxes ? Considering I'd rather already know "everything" before I start following the course, which difficulty should I be able to easily clear to be "good enough" for the OSCP ? (That's the only metric I really have, sadly) On a side note, i'm in the EU and my only current certification is the CCNA, is there any free-or-less-expensive certification that would be relevant ? submitted by /u/Jade_Emperor [link] [comments]
- Update on job interview…by /u/ApokatastasisComes (cybersecurity) on November 29, 2023 at 5:21 pm
Interviewed 2 weeks ago for information security compliance analyst position. They emailed me back yesterday to say that they are working on a few things and will get back to me soon…. Is this a good sign??? submitted by /u/ApokatastasisComes [link] [comments]
- Security Awareness and Training Provider - KnowBe4 vs Proofpointby /u/No-Department-Here (cybersecurity) on November 29, 2023 at 3:59 pm
Hoping for some general feedback here. I'm taking over as a CISO for a medium size company (new department entirely) and one of my first decisions to make is a security training and awareness provider, after fairly harsh criticism of the existing program (run by IT/HR). We have Proofpoint for email protection, so it seems like Proofpoint training/phishing sim/awareness makes perfect sense, but it seems the last few years they've gone with KnowBe4. I've used KnowBe4 and it's fine...but is there any reason I shouldn't be pushing to get back to Proofpoint to keep it all bundled / easier to manage? Mainly need yearly training, phishing sim, and general awareness docs/materials, so I'm not sure there is going to be a big difference between the two anyway. Thoughts from others who've chosen between these two? Thanks all. submitted by /u/No-Department-Here [link] [comments]
- Do you actually care about protecting your org?by /u/crablemet111 (cybersecurity) on November 29, 2023 at 2:59 pm
More specifically, once you gave your audit over and done everything in due diligence, do you care if anything is done with that audit and they actually fix their shit? I have seen a lot of people complaining about nothing being done after they hand in audits and how angry, dissatisfied and disillusioned they are because of it. Personally I really don't care as a normal employee, maybe as a stakeholder or boss I would but if the company loses money after I pointed out something multiple times and nothing gets done I just don't care especially since I have paper trail proving I did everything right submitted by /u/crablemet111 [link] [comments]
- Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S.by /u/CyberReaper80 (cybersecurity) on November 29, 2023 at 2:05 pm
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that it's responding to a cyber attack that involved the active exploitation of Unitronics programmable logic controllers (PLCs) to target the Municipal Water Authority of Aliquippa in western Pennsylvania. The attack has been attributed to an Iranian-backed hacktivist collective known as Cyber Av3ngers. "Cyber threat actors are targeting PLCs associated with [Water and Wastewater Systems] facilities, including an identified Unitronics PLC, at a U.S. water facility," the agency said. "In response, the affected municipality's water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality's drinking water or water supply." According to news reports quoted by the Water Information Sharing & Analysis Center (WaterISAC), CyberAv3ngers is alleged to have seized control of the booster station that monitors and regulates pressure for Raccoon and Potter Townships. With PLCs being used in the WWS sector to monitor various stages and processes of water and wastewater treatment, disruptive attacks attempting to compromise the integrity of such critical processes can have adverse impacts, preventing WWS facilities from providing access to clean, potable water. To mitigate such attacks, CISA is recommending that organizations change the Unitronics PLC default password, enforce multi-factor authentication (MFA), disconnect the PLC from the internet, back up the logic and configurations on any Unitronics PLCs to enable fast recovery, and apply latest updates. Cyber Av3ngers has a history of targeting the critical infrastructure sector, claiming to have infiltrated as many as 10 water treatment stations in Israel. Last month, the group also claimed responsibility for a major cyber assault on Orpak Systems, a prominent provider of gas station solutions in the country. "Every Equipment 'Made In Israel' Is Cyber Av3ngers Legal Target," the group claimed in a message posted on its Telegram channel on November 26, 2023. submitted by /u/CyberReaper80 [link] [comments]
- Data Science in the Cybersecurity domainby /u/Any-Badger23 (cybersecurity) on November 29, 2023 at 1:35 pm
If you had one FTE with a Data Engineering/ Data Science background available in your team today, which would be the some of the areas where you can see the most value generated for your organization? Be it automating tasks with Python or training models on log data. I know that for some things there are better out-of-the-box solutions out there, and you cannot expect a one-man army to reinvent the wheel. Ofc the size of your organization and Cybersecurity department plays a significant role, so I was curious about hearing some ideas in your personal situation? submitted by /u/Any-Badger23 [link] [comments]
- Okta says hackers stole data for all customer support users in cyber breachby /u/zoobegso (cybersecurity) on November 29, 2023 at 12:57 pm
submitted by /u/zoobegso [link] [comments]
- Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerabilityby /u/GreenLaser7 (cybersecurity) on November 29, 2023 at 12:07 pm
submitted by /u/GreenLaser7 [link] [comments]
- So name the best cybersecurity YouTubers that are FUN to watchby /u/Existing_Talk_6552 (cybersecurity) on November 29, 2023 at 6:03 am
As the title says…. Who are fun to watch. PS: you feel relaxed when you watch YouTube videos not overwhelmed submitted by /u/Existing_Talk_6552 [link] [comments]
- Okta Says Hackers Stole Data for All Customer Support Usersby /u/VulnerableU (cybersecurity) on November 29, 2023 at 5:34 am
This is the same breach from October where they said only 1% of their customers were impacted. Now they say investigation revealed it was all of them. submitted by /u/VulnerableU [link] [comments]
- Best high score of leaked password?by /u/xakepnz (cybersecurity) on November 28, 2023 at 10:21 pm
Oh no — pwned! This password has been seen 9,659,365 times before Can anyone get a higher score? https://haveibeenpwned.com/Passwords submitted by /u/xakepnz [link] [comments]
- AMA: I’m a security professional leading a 1-3 person security team, Ask Me Anything.by /u/AutoModerator (cybersecurity) on November 27, 2023 at 12:02 am
Supporting hundreds if not thousands of people with a small security staff seems to be a daunting task, but these security professionals have done it (or are currently doing it). They’re all ready to answer your questions of pulling it off, dealing with the stress, and managing growth pains. Henry Canivel (/u/hcbomb), security engineer, Commerce Fabric (Team of 2 supporting an organization of 300 w/ 150 of them engineers.) Chance Daniels (/u/CDVCP), vCISO, Cybercide Network Solutions (Was a one-man shop. Built to 9 supporting 400. Another with a team of 3 that grew to 8 supporting 2,500.) Steve Gentry (/u/Gullible_Ad5121), former CSO/advisor, Clari (Was a team of 2 that grew to 27 supporting 800. Did this two other times.) Howard Holton (/u/CxO-analyst), CTO, GigaOm (Was a team of 2 supporting 300 users and many others.) Jacob Jasser (/u/redcl0udsec), security architect, Cisco (Was at Fivetran with a team of 3. Company grew from 350-1300 employees.) Jeff Moss (/u/Illustrious_Push5587), sr. director of InfoSec for Incode (Was a 2-person team supporting 300+ users.) Dan Newbart (/u/Generic_CyberSecDude), manager, IT security and business continuity, Harper College (Started w/ 2-person team. Now have a third supporting 14,000 students and staff.) Billy Norwood (/u/justacyberguyinsd), CISO, FFF Enterprises (Former fraction CISO running 1-2 person security teams and currently FTE CISO running a 2 person team soon to be 4) Jake Schroeder (/u/JakeSec), head of InfoSec, Route (Currently 3 people supporting 350 users. 1 person grew to 3 people.) Proof photos This AMA will run all week from 11-26-23 to 12-02-23. All AMA participants were chosen by David Spark (/u/dspark) the producer of CISO Series (/r/CISOSeries), a media network for security professionals. Check out their programs and events at cisoseries.com. submitted by /u/AutoModerator [link] [comments]
- Mentorship Monday - Post All Career, Education and Job questions here!by /u/AutoModerator (cybersecurity) on November 27, 2023 at 12:00 am
This is the weekly thread for career and education questions and advice. There are no stupid questions; so, what do you want to know about certs/degrees, job requirements, and any other general cybersecurity career questions? Ask away! Interested in what other people are asking, or think your question has been asked before? Have a look through prior weeks of content - though we're working on making this more easily searchable for the future. submitted by /u/AutoModerator [link] [comments]