cybersecurity

This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.

601

The original post: /r/cybersecurity by /u/abc647rn on 2024-09-25 14:56:06.

I’m designing a project for my business that will store sensitive data, and I’ve been thinking a lot about security. With all the news about data breaches—even big companies handling highly sensitive personal data (like medical centers or specialized software)—it makes me wonder: Is it impossible to build a secure website that meets industry standards, or is it actually manageable with modern technology?

My business focuses on online psychotherapy, and I’m building a system to securely store data and conduct video sessions. I follow data protection laws in my country, but like many guidelines, they provide more direction on how to handle data rather than solid technical advice.

I’m not using third-party software because none fully meet my requirements. I have a computer science degree and have designed some projects before, though I’m not deeply experienced in cybersecurity.

Currently, my tech stack includes Next.js, NextAuth for authentication, MongoDB for data storage, and getStream for video communication, all hosted on Vercel. For protection, I’m using:

  1. HTTPS URL
  2. AES-256 GCM encryption for all sensitive data in MongoDB
  3. 2FA for MongoDB and Vercel, with strong passwords
  4. Secrets and API keys stored in Vercel
  5. Role-based access control
  6. Password attempt limits
  7. IP whitelisting, ensuring only people accessing my website can interact with MongoDB
  8. Logging
  9. Use of a general WAF, like Cloudflare

If I implement everything correctly (e.g., NextAuth), is this enough to protect my site? I understand that “correctly” is vague, because it can often make the difference between being secure or not, but I am curious about a broader strategy, like what common strategy can I use to improve the security level? Like client-side encryption?

602

The original post: /r/cybersecurity by /u/Strange_Plant_3876 on 2024-09-25 14:24:58.

My boss wants me to take the lead on this transition. I have taken a look at NIST and understand the basics of the security framework. It’s my understanding that I’ll have to evaluate each potential client individually, then offer them a package based on their needs.

I’m wondering if there’s a relevant cert I can attain while working on this transition; I’ve heard good and bad things about Sec+.

Does anyone have any advice on how to tackle this task? Also, is there a good cert that will give me a better understanding of enterprise cybersecurity so I sound more confident when talking with clients?

603

The original post: /r/cybersecurity by /u/bitslammer on 2024-09-25 13:28:06.

Seeing the constant posts about GRC on the sub has me wondering how many orgs have either an actual team with "GRC" in their name or staff with "GRC" in their title.

For context, I'm in a large (~45K employee, ~50 countries) org that has neither a GRC dept/team nor anyone with that in their title. We're an 'old' org that's almost 150 yrs old and do about €70Bn in revenue. Risk is pretty much at the core of our business and we have what I'd call a large and mature approach to that, both cyber and non-cyber.

To me GRC, as the name implies, is a concept of how the 3 functions (governance, risk & compliance) intertwine. It's not a specific function, team or job title in itself. In our org those functions are spread across multiple teams such as legal, audit, integrated risk management, underwriting, IT security etc.

I suppose I could see how a smaller org (say less than 500) might see value in pulling people into a single team, but how many out there actually handle the G, the R and the C on a day-to-day basis, or at least as a frequent part of their core duties?

I ask this mainly because when I see all the posts saying "I want to get into GRC" I'm guessing people are out there actively searching for "GRC" on job boards and such. As I said, if you did that on my company's site you'd get zero hits, even though there may be dozens of jobs actually listed in roles that are related to one or more of those functions.

604

The original post: /r/cybersecurity by /u/The_Phenom_15 on 2024-09-25 13:02:30.

I need your recommendations on where to find resources on SOC and IR playbooks or how to build those playbooks. Your input would be highly appreciated. Thanks!

605

The original post: /r/cybersecurity by /u/OppaBoi on 2024-09-25 12:39:34.

What the title says.

606

The original post: /r/cybersecurity by /u/xaoker on 2024-09-25 12:20:26.

We were having this discussion internally about whether to adopt a Centralized Secret Management tool to manage different environments’ secrets in one place. One of the devs had a strong stance against this and called it a “good recipe for disaster”.

What do y’all think about this? Several platforms provide this as a service; are they operating against any cybersecurity standards?

607

The original post: /r/cybersecurity by /u/Security-Ninja on 2024-09-25 12:18:58.

Worth a read!

Also fantastic they’re offering many capabilities for free.

https://blog.cloudflare.com/a-safer-internet-with-cloudflare/

608

The original post: /r/cybersecurity by /u/Notelbaxy on 2024-09-25 12:12:46.

609

The original post: /r/cybersecurity by /u/Ellis-Cook89 on 2024-09-25 08:40:07.

610

The original post: /r/cybersecurity by /u/arunsivadasan on 2024-09-25 07:59:56.

Hi friends,

I’ve been working with the NIST Cybersecurity Framework (CSF) at my current company for nearly two years now, and I’ve created a maturity assessment template that is easy to use.

You can find the template and a detailed guide on how to use it here:

https://allaboutgrc.com/nist-csf-2-0-maturity-assessment/

A caveat that I also mentioned in the post: NIST recommends developing an organizational profile and then using that to analyze the gaps and then developing a plan of action to close the gaps. If your organization is required to follow this approach then this template is not suited to you. But for everyone else this should be useful.

Thanks!

611

The original post: /r/cybersecurity by /u/sloppyredditor on 2024-09-24 19:10:58.

(Posting by request.)

Burnout and Impostor Syndrome will happen several times in a security career. While many ask about how to overcome it, the real question is why does this happen?

IMO, the main reason is we have very demotivational work in a misunderstood field. Our field is powered by negativity, justified with skepticism, and influenced by those who don't work with us on a daily basis.

We stop bad things from happening. An exciting day at work usually involves a crime, e.g., the organization we've been tasked with defending was attacked. A good day usually means our designs worked, but nobody noticed because they were able to do their jobs.

Breaches are happening everywhere and nobody seems to get punished effectively for it. In fact, some get jobs - by the very government asking us to defend better - because of it.

Tech is evolving faster than any other field, innovative companies are trying to adopt it a few months after initial release, and we need to be at least 3 months ahead of it, which means researching beta releases and conceiving the guardrails for something that may not even be a thing.

On a personal relations level, we're not a fun group to work with. People don't like dealing with password changes, MFA, firewall rules that block them from uploading files to customers, mandatory email encryption, etc. because we get in their way.

Audits ain't fun: It's not what you did, it's what you can prove you did. You have to back up every claim with documentation, logs, etc., that you typically don't think about unless you've failed an audit before. The auditors rarely know the ins and outs of how much effort it takes to meet compliance (regardless of what some will say, it is not easy) and they've got the ear of the BoD.

Finally, there's the cost. Breaches are expensive, so we're expensive. It's not difficult to see why the CFO scrutinizes our expenses when there's not any revenue coming in from the cyber folks. As messed up as it sounds in this forum, it makes financial sense to weigh "how much would the ransom cost?" vs. "how much do these 4 technologies to mitigate ransomware risk cost?"

When we get out of our rhythm and look at our own situation it's easy to stare off and ask "why do I bother doing this?" ...and that's when the burnout starts.

So how do we counteract the above? By remembering the reason we wanted to do this in the first place. FIND YOUR WHY (supporting your family? being on the edge of tech? protecting people?), print it, and use it for motivation.

And, for the love of all things holy, have a sense of humor about it. Laugh or you'll cry.

The Simpsons did exactly that in "And Maggie Makes Three."

612

The original post: /r/cybersecurity by /u/SuperRecover2693 on 2024-09-25 04:37:59.

Hi all,

I am trying to find a platform, necessarily free or open source, that simulates real-world security attacks or incident response. This is more for illustration purposes for critical work sectors, like bank employees, as there are various attack types. Something which can help present the aftereffects of ransomware, or can also be a guide to the steps to take to restore the system. Essentially, for illustrating what the possible protection measures for ransomware are and the impact on the system, like data loss, encryption of files, etc.

I am trying to research more such platforms which are free or open source. Any help or guidance in the right direction will be of immense help and greatly appreciated.

Thank you.

613

The original post: /r/cybersecurity by /u/Lux_JoeStar on 2024-09-25 03:11:45.

a) What specific roles commonly have night shift hours? The topic is the title; can you guys list off the most prevalent ones? Either through your experience noticing a pattern, or maybe you work cybersecurity on the night shift yourself.

All levels of experience: in your opinion, which roles are seen more in active night shift hours?

b) Which roles do you never or hardly ever see active on the night shift?

In contrast.

614

GCCC

The original post: /r/cybersecurity by /u/Maximasantana on 2024-09-25 00:46:32.

Is it possible to prepare for GCCC exam without taking SEC566 training?

615

The original post: /r/cybersecurity by /u/lowkib on 2024-09-24 22:39:55.

So due to a recent structure change at my company the security team is switching and I'm moving more towards the Product/Application Security side of the business.

My background is around 3 years in a Security Engineer/Analyst role. My focus has never really been on Product/Application Security, although it has come up at work.

My question is to any Product Security or Application Security Engineers out there: what do you think would be some good fundamentals for implementing a good product/application security posture? Are there any certifications you recommend? Are there any best-practice procedures you suggest?

Thanks

616

The original post: /r/cybersecurity by /u/Strict-Marsupial6141 on 2024-09-24 20:49:34.

617

618

The original post: /r/cybersecurity by /u/MitchellTOSS on 2024-09-24 19:55:31.

I saw some pretty interesting discussion from this Reddit thread about, "Kaspersky deletes itself, installs UltraAV antivirus without warning."

What I am wondering is why a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, was allowed to do business in the US in the first place?

If someone wants to point me to somewhere that I can educate myself more on this, or has a nice clean answer, I would appreciate it. I am sure other people would as well.

I'm not trying to get into the discussion about why federal agencies installed it, unless it's somehow connected to this, because that's a separate discussion - and the fact that US agencies in the past were reckless enough to do that is mind boggling.

619

The original post: /r/cybersecurity by /u/ofirpress on 2024-09-24 19:32:57.

Hi!

Today we put out a new, open-source AI agent that can successfully complete CTF challenges. It uses GPT-4 or Claude to iteratively try to complete challenges.

https://enigma-agent.github.io/

We'd love to hear your feedback, comments and questions.

This work was completed by a team with researchers from Princeton, NYU and Tel-Aviv University.

620

The original post: /r/cybersecurity by /u/theowni on 2024-09-24 19:31:15.

621

The original post: /r/cybersecurity by /u/SnapJackolPOP on 2024-09-24 19:16:31.

For assessing large companies, examples such as Microsoft, UPS, LastPass, Google, Amazon, etc., how does one determine if a questionnaire is an appropriate or effective approach? I believe it might be more effective for smaller companies but am curious about how to determine if it makes sense to send one. Do most people with experience in this determine this based on the initial level of cooperation received? Microsoft seems somewhat obvious in that a questionnaire wouldn’t get far, but I'm curious how one would determine this at a glance.

622

The original post: /r/cybersecurity by /u/Redneck_IT_Guy on 2024-09-24 17:58:27.

Take security teams down to skeleton crews?

That was something that was mentioned in the Splunk call when discussing AI in security. They compared security AI to self-driving cars: you still need someone there, but it will keep you on the road. The way they talked about it, AI can take on many of the level-one responsibilities. I am not in a SOC anymore, but I was for several years. I worry about those entry-level positions getting taken up by AI. Where will new security engineers get their start when all the basics are automated?

623

The original post: /r/cybersecurity by /u/Greedy-Fun3197 on 2024-09-24 17:38:37.

If you work in cybersecurity, what is your enneagram type?

I am a type 7 wing 8 and considering switching careers because I feel like I don’t fit in. I have been in IT for 10 years, cyber for 5.

624

The original post: /r/cybersecurity by /u/plutusismysavior on 2024-09-24 15:23:23.

Recently I discovered a popular brand of Chinese simulation racing peripherals ( https://en.simagic.com/ ) that are heavily advertised in popular video games like iRacing. In doing research on security audits of the firmware, I posted to the r/simracing subreddit, where my post was immediately removed; upon further review I found that they have a rule against "witch hunts". I hardly believe one could classify independent audits as witch hunts. Based on your experience, what would be the most effective way of requesting an independent audit?

625

The original post: /r/cybersecurity by /u/Kasual__ on 2024-09-24 14:55:16.

I know in this industry networking is very important, especially if you are interested in moving up the ladder. I’m 6 months into my current, first cyber role and I decided to contact the sr. dir. of SecOps (through a recommendation) to probe what skills and tools my organization’s SOC utilizes (I’m in GRC, not my speed, and I’m aiming to switch to a SOC or IR role in ~6 months or so). Well, he responded with good feedback and recommended that I speak to the more direct lead of that team by cc’ing him AND the deputy CISO in his email response. Naturally I start freaking out a bit because I am very critical of my skills and presentation and carry a lot of anxiety when trying to prove myself to seniors.

How did you get more comfortable interacting with sr. managers and directors in your careers, especially when requesting advice about joining their team?
