OpenSecurity.global

Michael D

Members
  • Content Count: 26
  • Days Won: 1
  • Invited by: Matthew Broke

Michael D last won the day on August 11 2019

Michael D had the most liked content!

Community Reputation

11 Good

Personal Information

  • Bio
    @LonerVamp - terminal23.net


  1. I've used Ubuntu since version 6 as my main desktop system (non-gaming). I haven't really had huge reasons to use much else, but I think if I ever were to divorce from Ubuntu (which may happen next time I upgrade, since Ubuntu isn't what it used to be, imo) I'll be giving Mint a try.
  2. Been in IT/security since 2002. Few years tech support/desktop support, many years sysadmin. Been involved in security both on personal time as well as within day-job duties since then as well. I have deep interests in both red and blue sides (and even dfir). I love being hands-on-keyboard technical, but also don't mind discussing security at higher levels or managing projects. Full time, life-long learner. I tend to gravitate a bit to the things I haven't done yet (so lately it's cloud-based security) or want to get even better with (appsecdev). Do some video games, tabletop games, and D&D on the side. OSCP a few years ago; CISSP many years ago. I bounce around. 🙂 <--Find me on Twitter there. Find me on LinkedIn if you feel like giving that a go (it's not too hard). Edited to add: Iowa, US.
  3. That right there! (My only problem is that not every shop has that easy capability to utilize the API or run scripts to play with the export, but honestly, this is why so many people find success if they just learn a little bit of both of those. You immediately jump to "senior" levels in a SOC at that point.) And too many people get stuck trying to get that magical "single pane of glass" and just never even coming close to being happy. Anyway, I could go on... 🙂
  4. You know, sometimes the answer stares you in the face. We use Tenable.io, and I could use what they call Recast or Accept to essentially rescore those vulns out of my reporting. My main problem is that reporting in these vuln scanning tools isn't pretty. It's easy to get a list of systems missing patches, but they don't necessarily answer, "Am I patched?" It's like someone wanting a view of all the permissions in a file server and you get handed an acls dump. "Gee, thanks, Excel maxed out."
  5. How do you show patch management in your organization? In simpler days, WSUS would be the best bet as it not only allowed you to select all and approve, but it would quickly let you see which ones are still pending or errored. You could relatively easily hit all of those servers with a vulnerability scan to do one-off manual chasing and verification. These days, how do you folks get the question about patch level into something like a value or chart? To say something like 90% of our Windows systems are fully up to date. Do you handle one-offs like Spectre/Meltdown microprocessor patches that go beyond the deploy/reboot/done cycle? I suppose those could fall into the "temporarily accepted" exceptions list... This can be limited to Microsoft patches or even further to just Windows OS patches. (This can be deceptively difficult as many products just report missing KBs and don't distinguish between a critical OS patch and something from 2009 in the Visual Studio C++ Redistributable.) This is a basic cybersec question, and I hate how this seems to be an entirely different Rube Goldberg process for every organization. Maybe I've missed something simple... 🙂
  6. Using AWS more extensively like that is definitely tempting me as well. I doubt I'll get away from using my home lab entirely, but it still has that old feel where if you screw something up, you're spending x days to rebuild. At least with virtualization, you don't rebuild your host *that* often like the days before virtualization where you're reformatting disks and setting up dual boots again and waiting and waiting and waiting... Infrastructure as code has its benefits when your time in life is precious.
  7. I have an array of systems. My work one is surprisingly not worth talking about; Win 10, 8GB Thinkpad. Other than my gaming system and my ESX box (Intel Nuc), all of my stuff was either free or charity-purchased from decommissioned stock at the places I've worked. My main laptop is a Thinkpad X230 with 16GB RAM and an SSD. I make it look sexier than normal with a Mobile Pixels attachable second monitor. The X230 has a fairly small screen for today's standards, so the second monitor really helps me get further value out of a relatively excellent laptop. One of these days I need to get my wiki back up and keep track of my parts/pieces/systems again... "some day..."
  8. This makes sense when you look at cloud orchestration or virtualization automation. But you still have to maintain those systems and do work inside those systems and get initial images set up. That's also a different set than anyone maintaining endpoint systems for end users, which won't go away any time soon or even later. And by the time that 'sysadmin' is being really threatened, that's when our centralized-decentralized-centralized cycle will come back around to decentralized again. You know, like mainframes to PCs to virtualization/cloud to...neural?
  9. Interesting food for thought. Yeah, CVSS has issues, but I'd rather use it and everything that scores via it, than do all of that on my own. There's a lotta busywork involved in the job of vulnerability management, and I prefer to move forward. Besides, CVSS is *usually* a decent indicator, and in those edge cases that it falls over, it can usually be handled by analysts case-by-case. Typically as an analyst chases down system owners and they all discuss argue discuss dealing with it. Totally agree, too. EOL software that has 0 open vulnerabilities just has that risk that one will be found eventually. I get that most of the time, EOL software is EOL for a reason (and almost always has security issues latent), but, obviously there are exceptions. 🙂
  10. We largely do the same. For confirmed phishing attempts, we'll look to see if others received email with the same subject lines. Links and attachments get analyzed using various tools. If there is a link, we look to see if the user has hit it in our proxy logs. We'll also see if anyone else hit it or has hit it in the last whatever months. We then add that link to our blocklist in the proxy. If there is an attachment, we blocklist it in our EDR solution for client systems. Typically, though, we get this automatically by the time we've scanned it and added it. (Our vendor not only has EDR and email security tools, but automated malware/file/URL analysis that feeds those.) If the email looks somewhat legit and comes from someone we as a business have worked with in the past, we'll do a little digging to see if they've maybe just suffered a breach/BEC and this email has been compromised. This comes in pretty regularly as we deal with law firms and small businesses and insurance agencies. We encourage the end user to contact them to verify the email legitimacy. If things still look legit, we'll let the user know things look ok. This usually comes with some extra questions like whether they usually get emails like this, or they know the sender, etc. Sort of hunting for that, "Oh, yeah, this isn't totally unsolicited." For spam, we largely just drop it when it comes in the same way that we get phishes reported. The email team drops lots of spam, has their own spam button (which just submits to Cisco), and even has an "Unsubscribe" button on things that look like marketing. Full disclosure: I don't think that Unsubscribe part is a good idea, but I can't say I've seen it be detrimental. Despite the Spam button, we still get people reporting spam as phishing due to convenience or being unaware of the differences. Our training isn't that great (yet). One thing I wanted to make note of, and I was reminded about it from your point about being friendly.
I want people to talk to the security team. In fact, one of my bigger metrics when we do quarterly phish testing is tracking those people who fail the test, but still report the email. Those people are my gold star people. I want them to not fail. But to also still involve security? Please, more.
  11. Good stuff. Sometimes you have what some call those gatekeepers because they're just always on the forum/community. Maybe they have an incentive to inflate post-counts, but sometimes it's just that they have the free mental cycles to read and post. Some of those same people see the same questions/comments every day, and everyone at some point hits their limit of patience. And, of course, there's definitely that distance where you don't have to personally deal with someone else face-to-face, kinda similar to people in their cars acting a certain way to others in their metal cages, separated by a little space and barriers (basically like anonymity, but that's really not the entire thing; nice people are nice when anonymous, too). Some of it is also elitism, trying to build themselves up, but at least online I don't always feel it's like that. Some people just don't deal with social distance well; ya know, the ones talking about my mom in Call of Duty. In cases of Twitter, it's hard to convey nuance of tone in 280 chars or less. And by hard, I really kinda mean impossible. This is partly why some people don't talk, because you can say words and 10 people read it differently; some respond with positive comments, others with negative, others read more into what you said, others assume you're a newbie or making some general statement about security that we've been saying for 35 years. It can be dog eat dog. Like the wrong thing someone said that you didn't know was a pariah to others and suddenly you're swept up in someone else's drama. But yeah, it's that vocal core that sets the tone of a community. Helpful, welcoming, nice, engaged, active. I think it's also about realizing no one knows everything; every person here knows at least 10 things I don't, and more, and I probably know 10 things no one else here does. And also that security has no real answers that match everyone's situation beyond the very basics.
I always get back to an anecdote I have where you could present a security problem to a room of 20 security professionals and you'll get 25 different answers, with only about 8 of them actually good answers, but only 5 people in the room could tell you which answers were in those 8, and so on. Respect, honesty, open-mindedness, empathy...skills that work in person still should operate in cyberspace. 🙂 I think some also get into the place of thinking you need to have built something or contributed something like nmap or ethereal to the community. I mean, that's a very easy way in (discover a vuln of varying degree or contribute a tool/brand new knowledge of varying popularity), but the rest of the community has to scrabble for that acceptance, quite often.
  12. For what it's worth, I like the invite-only process for now. For longevity, it all comes down to, imo, two things. Continued advertisement of existence, and a core group that drives content.
  13. Reddit has actually been pretty good these days as a standard, which is strange to say (and definitely will depend on which subs you peruse!). As someone who's also managed and been part of plenty of communities over the past 25 years, +1 to Glenn for saying: "... rather than simple expulsion, battle lines get drawn on grey issues, factions form, moderators are soon seen as enforcers, police, censors..." This always eventually happens over some tangential topic. This is the part of user-supplied content that gets every community eventually (and at scale, is dogging current large social media sites). To me, the best way to stave that off is, kinda like Reddit, having a tight enough control on the scope and topic of your community. If we shouldn't be talking about politics here, for example, then that gets removed. That's where a place like this has potential, as we're probably going to 95% of the time be talking about infosec-related topics and not "re-tweeting" politics or other charged news stories like Twitter. And in some Clubs that are offtopic, they still have a particular topic, which satisfies that as well. So, that's what I mean by moderation: staying on topic, and cutting off the topics that shouldn't be around. And people can pick fights or post garbage whether they use real names or not (just look at the Facebook groups in the past year outed for their harassment and grossness). I'd just like to make sure good security folks aren't left out because a) they want to use a name they're recognized with here, or b) have an interest in not being stalked, or c) not want their opinions necessarily tied to/with/influenced by an employer. Thankfully this isn't a scale like other places that try this, like Google+ (let's save it, they have a financial interest in knowing your real persona). If there's ever a group that should appreciate a little opsec or anonymity online, it should be infosec.
Just also want to say, thank you for the respectful, open discussion, which is all I intend my pieces to be as well. 🙂
  14. Who is doing the verifying that people are using their real name and not John Doe? What is the reasoning for having a real name policy? It matters to some of us, especially for the tone of "open" security. With proper moderation, it shouldn't matter what names people use.