
Posts: 292 · Comments: 266 · Joined: 3 yr. ago

Posts (all in cybersecurity @infosec.pub):

  • Off-Topic Friday
  • What are You Working on Wednesday
  • Mentorship Monday - Discussions for career and learning!
  • Off-Topic Friday
  • Scrolls - A "Newsletter" with some Cybersecurity stuff
  • What are You Working on Wednesday
  • Mentorship Monday - Discussions for career and learning!
  • Off-Topic Friday
  • What are You Working on Wednesday
  • Mentorship Monday - Discussions for career and learning!
  • Off-Topic Friday
  • What are You Working on Wednesday
  • Mentorship Monday - Discussions for career and learning!
  • Off-Topic Friday
  • What are You Working on Wednesday
  • Mentorship Monday - Discussions for career and learning!
  • Off-Topic Friday
  • What are You Working on Wednesday
  • Off-Topic Friday
  • Off-Topic Friday

Comments:

  • CIS Critical Security Controls and/or NIST CSF as frameworks to help put you in the right mindset. But so much of what you should do first depends on some variables imo.

    • What is your budget?
    • What already exists security-wise at your company?
    • What level of executive support do you have? Can you enact real change?
    • What is most important to the company? i.e. "Crown Jewels"
    • What does the network/infrastructure/endpoint environment look like?

    Once you answer these questions then you can get a better idea of where to spend the limited time/money you have. The CSC will likely tell you to tap into an inventory and do some form of Vulnerability Management. This is a decent idea as you need to know what you are trying to protect and also catch low-hanging fruit via vuln scanning. Instrumenting endpoints (EDR) or gaining visibility into your infra is also important but which do you pick first? CrowdStrike is awesome but expensive. No one solution is a silver bullet.

    Have a plan, create a reasonable roadmap, figure out your company's risk threshold, ask for more resources depending on what level of risk they're willing to accept and how quickly they want things implemented.

  • Oh cool. I've been thinking of getting one too. But I already have too many projects and too much work and not enough time 😩 (not that that's ever stopped me from buying stuff before...). Where do you write?

  • Another part of my Lemmy <--> Mastodon experimentation. The Fediverse is cool but it is also a little confusing 😅

  • What are you normally up to?

  • I haven't been looking so I can't speak with first-hand xp. From others' accounts on socials it seems like it's kinda rough but everyone has different experiences. Good to hear some potentially optimistic news for a change though so I'll take it.

  • Complaints are more than welcome. And omg yes I've seen this happen before. Typically a result of ONE bad interaction with ONE engineer/analyst who messed something up and now everyone has to be babied 🙄.

  • On one hand, the market is such that it might be too much work / too depressing to passively hunt for a plan B. On the other, it's probably good to have an idea of what a plan B could be...

  • I'm not sure if your situation is "normal", but it may be less rare than you think. Chaos can be a ladder, but it can also result in you just being overworked and making no real progress technically or professionally. Given the situation I would probably just look for what else you can find and jump on anything that seems promising, but in the meantime keep your head down and get your job done and try to make the best of the situation. Do you feel your situation is stable in terms of job security?

  • Honestly that's pretty much all I used. In aCloud they link to some AWS-native resources, best-practices guides, etc... but I winged it from there.

  • Ah cool. I found it relatively challenging when I did it. I used aCloudGuru to prep.

  • Yikes. Well hopefully you can get that sorted out. Best of luck!!

  • I'm taking a bit more literal interpretation of "de-platform", which I agree is not the way it has been traditionally used. In my case, if a platform takes you down, you were just de-platformed =). As for the question of "what is a nazi?", 100% agree in terms of "where is the line". Yes, there are some very obvious cases that I think 100% of people would identify in the same way, but there is undoubtedly that pesky ol' gray area (which as your bulleted list makes clear is a non-trivially large area) where things start to get a little more subjective. Sure, it'd be great if companies (like Cloudflare) smell-tested things in the same way I do haha but outside of that, it is no doubt difficult to define.