cybersecurity

This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.
The original post: /r/cybersecurity by /u/LemonHaze420_ on 2024-11-20 21:17:52.

Hope this is the right flair, English isn't my main language. I have a question about high-security USB devices from the company Kingston, especially the models IronKey D500S and IronKey S1000. How secure are they really, if I choose a really valid password? Is it possible for someone, if he gets the device, to get and read the encrypted information on the device without having the password? They say it is protected against brute-force attacks, but does anyone know how good they really are? Or could someone recommend some high-security USB devices? Thanks

The original post: /r/cybersecurity by /u/elifcybersec on 2024-11-20 19:51:11.

Hey y’all, long time lurker, first time poster. I want to get into cybersecurity (SOC analyst) but am currently a senior help desk tech. The MSP I work for uses a vulnerability scanner, and occasionally I get to review alerts and mitigate/resolve issues. I have enjoyed this every time I’ve gotten the chance to do it. I would like to help others in my own time with vulnerability scans/vulnerability management, but am unsure of the best way to do that. The only thing I can think of so far is going to a school/business and asking if they need that service. I would really like to use this as an opportunity to boost my resume/practical skills, as well as improve the security of my community, and hey, if I can make a little money that would be awesome. Does anyone have experience in this area?

(I also use practice sites like TryHackMe and LetsDefend, and am studying for Sec+. This is not me looking at a couple of alerts and thinking I can solve the world’s problems, more so helping people by doing something I enjoy.)

Thank you

The original post: /r/cybersecurity by /u/Several_Print4633 on 2024-11-20 18:37:12.
The original post: /r/cybersecurity by /u/LegitFoShizzle on 2024-11-20 18:18:44.

Hello All,

I am heading into my kids’ school tomorrow morning to present to two groups of 3rd graders, 30 minutes for each session, and I need to teach them about cybersecurity as a whole, the career of cybersecurity, etc. Does anyone have any ideas to share, slides they have used, places for research, etc.?

Thank you in advance for any advice or guidance you can provide.

Cheers

The original post: /r/cybersecurity by /u/okzaf on 2024-11-20 18:17:39.

Hi everyone,

I know this type of post is probably oversaturated, but I genuinely have nowhere else to turn at this point.

I’m currently a Data Modeller with 2.5 years of experience, but my role is primarily data administration. I’m passionate about transitioning into cybersecurity and have been working hard to break into the field.

Here’s a bit about my background:

  • Earned my CompTIA Security+ certification earlier this year.
  • Actively building practical skills on TryHackMe and LetsDefend, including SOC-focused exercises.
  • Working towards SC-900 and AZ-900 to strengthen my cloud and security fundamentals.
  • Experience with tools like JIRA, data analysis, and some exposure to Python and HTML/CSS (beginner level).
  • Strong transferable skills, like root cause analysis, issue resolution, and collaborating with senior clients on projects.

I’ve tailored my CV to highlight my IT and cybersecurity-related skills, and focus on my tech proficiencies. Despite applying for close to 1000 roles, ranging from SOC Analyst to entry-level IT help desk jobs, I haven’t landed a single interview (except for one InfoSec Analyst role where I made it to the final interview stage, but the position ultimately went to a candidate with more direct work experience).

I’m confident I interview well when given the chance, but I’m stuck at the application stage. I’m wondering:

  • Are there red flags I might be missing in my CV?
  • Should I pivot my approach—network more, focus on different certs, or something else?
  • Would it be wise to focus on specific tools or niche skills for my first role?

I’m open to any advice, insights, or critiques you might have. I’m genuinely going crazy and I’m about to tweak out fr, any help is appreciated.

Thanks so much for your time and input!

The original post: /r/cybersecurity by /u/arqf_ on 2024-11-20 17:48:32.
The original post: /r/cybersecurity by /u/gurugabrielpradipaka on 2024-11-20 17:00:37.
The original post: /r/cybersecurity by /u/gurugabrielpradipaka on 2024-11-20 15:39:31.
The original post: /r/cybersecurity by /u/gurugabrielpradipaka on 2024-11-20 15:34:47.
The original post: /r/cybersecurity by /u/sachin1118 on 2024-11-20 15:26:07.

I’m all for using randomly generated passwords, but one thing I’ve noticed about Apple’s auto-generated passwords is that they always come in some format like this:

pwnqlv-ahf5Ab-owpnvp

It always follows this exact format: a 20-character password, with three chunks of 6 alphanumeric characters, divided by 2 hyphens. There’s always only one capital letter and one number in the password.

Wouldn’t it make much more sense to just throw in a random assortment of lowercase, uppercase, numbers and symbols?
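The question above is really one of entropy: how many distinct passwords can the described format produce, versus a fully random 20-character string? The following script is an added worked example, not code from the post or from Apple. It takes the post's description literally (18 alphanumeric slots, exactly one uppercase letter, exactly one digit, the rest lowercase, hyphens at fixed positions) and counts the possibilities; the result is an upper bound for that shape, since Apple has said its generator additionally constrains letters into pronounceable syllables, which lowers the count further. The guess rate used for the time-to-exhaust figure is an assumption chosen for illustration.

```python
import math
import re

# Alphabet sizes used in the entropy arithmetic below.
LOWER, UPPER, DIGITS = 26, 26, 10
PRINTABLE_ASCII = 94  # ASCII 0x21-0x7E: what a "random assortment" of symbols could draw from

# The literal shape the post describes: three chunks of six alphanumerics, two hyphens.
FORMAT_RE = re.compile(r"^[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{6}$")


def matches_described_format(pw: str) -> bool:
    """True if pw has the shape from the post: 20 chars, 6-6-6 with hyphens,
    exactly one uppercase letter and exactly one digit."""
    if not FORMAT_RE.match(pw):
        return False
    uppers = sum(c.isupper() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    return uppers == 1 and digits == 1


def described_format_bits(chunks: int = 3, chunk_len: int = 6) -> float:
    """Entropy in bits if every string matching the described format were
    equally likely. Extra structure (e.g. pronounceable syllables) can only
    reduce this, so it is an upper bound for the shape.

    count = (ordered choice of the uppercase slot and the digit slot)
            * 26 uppercase * 10 digits * 26^(remaining slots) lowercase
    The hyphens sit at fixed positions and add nothing.
    """
    n = chunks * chunk_len                  # 18 character slots
    slot_choices = n * (n - 1)              # where the capital goes, then where the digit goes
    count = slot_choices * UPPER * DIGITS * LOWER ** (n - 2)
    return math.log2(count)


def uniform_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn independently and uniformly."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years needed to try every password of a given entropy at a fixed rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    sample = "pwnqlv-ahf5Ab-owpnvp"  # the example password quoted in the post
    print(sample, "matches described format:", matches_described_format(sample))
    fmt = described_format_bits()
    rnd = uniform_bits(20, PRINTABLE_ASCII)
    print(f"described 6-6-6 format   : {fmt:6.1f} bits")
    print(f"20 random printable chars: {rnd:6.1f} bits")
    # Assumed attacker rate (not a figure from the post): 1e12 guesses/s is in the
    # range of a large offline GPU rig against a fast, unsalted hash.
    for name, bits in (("format", fmt), ("random", rnd)):
        print(f"{name}: {years_to_exhaust(bits, 1e12):.2e} years at 1e12 guesses/s")
```

The described shape comes out near 91 bits, versus about 131 bits for 20 uniformly random printable characters, so the format does give up entropy. The practical check is the last function: even at an aggressive offline rate the structured space is nowhere near exhaustible, and a site that lets an attacker attempt trillions of guesses against a fast hash has a bigger problem than the generator's character classes.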

The original post: /r/cybersecurity by /u/wiredmagazine on 2024-11-20 14:44:39.
The original post: /r/cybersecurity by /u/PsychologicalFee3536 on 2024-11-20 14:02:22.

Campaigns against this vulnerability are now live.

The original post: /r/cybersecurity by /u/PriorPuzzleheaded880 on 2024-11-20 13:52:37.

Hi all,

I wanted to share our latest security research with the community. We crawled exposed code for most domains of the Fortune 1000 (excl. Meta, Google, Amazon, ...) and the CAC 40 (France's largest orgs). It allowed us to discover 30,784 exposed APIs (some were logical to discover, but some for sure not, like 3,945 development APIs and 3,001 staging). We wanted to test them for vulnerabilities, so the main challenge was to generate specs to start scanning. We found some of the API specs that were exposed, but we managed to generate approx. 29k specs programmatically. We tackled this by parsing the Abstract Syntax Tree (AST) from the code.

Once we ran scans on 30k exposed APIs with these specs, we found 100k vulnerabilities, 1,830 highs (e.g. APIs vulnerable to BOLA, SQL injection, etc.) and 1,806 accessible secrets.

You can read more about our methodology and some of the key findings here.
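As an added illustration of the "generate specs from the AST" step (this is example code written for this page, not the researchers' tooling, and the Flask source it parses is a constructed sample), the script below walks a Python module's syntax tree, picks out Flask-style route decorators, resolves their paths and HTTP methods, and emits a minimal OpenAPI 3 document of the kind a scanner can consume. The framework conventions it assumes are Flask's (`@app.route(path, methods=[...])` and the `@app.get`/`@app.post` shorthands); other frameworks would need their own decorator rules.

```python
import ast
import json
import re

# Constructed sample input: a small Flask app as it might sit in an exposed repository.
SAMPLE_SOURCE = '''
from flask import Flask

app = Flask(__name__)

@app.route("/users/<int:user_id>", methods=["GET", "DELETE"])
def user(user_id):
    pass

@app.route("/admin/export")
def export():
    pass

@app.post("/login")
def login():
    pass

def helper():
    pass
'''

HTTP_VERBS = {"get", "post", "put", "patch", "delete"}
# Flask path converters such as <int:user_id> map to OpenAPI {user_id} with a typed parameter.
CONVERTER_RE = re.compile(r"<(?:(?P<type>\w+):)?(?P<name>\w+)>")
TYPE_MAP = {"int": "integer", "float": "number"}  # anything else is treated as a string


def extract_routes(source: str) -> list[dict]:
    """Walk the AST and return one record per Flask-style route decorator found."""
    routes = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            # Only decorators of the form <obj>.route(...) or <obj>.<verb>(...) are routes.
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)):
                continue
            attr = dec.func.attr
            if attr == "route":
                methods = ["GET"]  # Flask's default when methods= is not given
                for kw in dec.keywords:
                    if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
                        methods = [e.value for e in kw.value.elts
                                   if isinstance(e, ast.Constant) and isinstance(e.value, str)]
            elif attr in HTTP_VERBS:
                methods = [attr.upper()]
            else:
                continue
            if not dec.args or not isinstance(dec.args[0], ast.Constant):
                continue  # path built at runtime; cannot be resolved statically
            routes.append({"path": dec.args[0].value, "methods": methods,
                           "handler": node.name, "line": node.lineno})
    return routes


def to_openapi(routes: list[dict], title: str = "recovered-spec") -> dict:
    """Turn extracted routes into a minimal OpenAPI 3 document usable as scanner input."""
    paths: dict = {}
    for r in routes:
        params = [{"name": m.group("name"), "in": "path", "required": True,
                   "schema": {"type": TYPE_MAP.get(m.group("type"), "string")}}
                  for m in CONVERTER_RE.finditer(r["path"])]
        oa_path = CONVERTER_RE.sub(lambda m: "{" + m.group("name") + "}", r["path"])
        for method in r["methods"]:
            paths.setdefault(oa_path, {})[method.lower()] = {
                "operationId": f"{r['handler']}_{method.lower()}",
                "parameters": params,
                "responses": {"default": {"description": "unknown (recovered from source)"}},
            }
    return {"openapi": "3.0.3", "info": {"title": title, "version": "0"}, "paths": paths}


if __name__ == "__main__":
    print(json.dumps(to_openapi(extract_routes(SAMPLE_SOURCE)), indent=2))
```

Paths whose first decorator argument is not a string literal are skipped rather than guessed; in a real crawl those are exactly the routes worth a manual look, since a path assembled at runtime often hides an admin or debug prefix that static extraction cannot see.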

The original post: /r/cybersecurity by /u/wewewawa on 2024-11-20 13:38:13.
The original post: /r/cybersecurity by /u/TechInformed on 2024-11-20 12:53:48.
Frameworks?
The original post: /r/cybersecurity by /u/ramraiderqtx on 2024-11-20 08:56:26.

When does it make sense to run CIS and NIST?

The original post: /r/cybersecurity by /u/MinusEXP on 2024-11-19 17:36:11.

Is 22 years old too late to get into this field?

The original post: /r/cybersecurity by /u/chum1ng0 on 2024-11-19 17:19:23.
The original post: /r/cybersecurity by /u/CYRISMA_Buddy on 2024-11-19 17:01:40.
The original post: /r/cybersecurity by /u/MushiSaad on 2024-11-19 15:42:16.

As the title states, what do you guys think?

The original post: /r/cybersecurity by /u/Snowfish52 on 2024-11-19 15:35:21.
The original post: /r/cybersecurity by /u/Beginning_Run_7442 on 2024-11-19 15:32:46.

Hey everyone,

At a previous job, I was introduced to role-based security policies, and I found them incredibly effective. These policies followed a clear structure like:

{Role} {Modal Verb} {Requirement}

For example:

  • “The Information Security Officer MUST conduct an annual review of all security policies and standards.”
  • “System Administrators MUST ensure that all server patches are applied within 30 days of release.”

This format was precise, made responsibilities clear, and was easy to audit.

However, at most other companies I’ve worked at since, policies seem to use a descriptive/narrative approach, such as:

  • “All servers must have patches applied within 30 days to mitigate security risks. (...)”

While this approach provides context and background and reads more like a narrative story, it sometimes feels less actionable and harder to tie to specific roles or compliance efforts. Especially because you have text blocks including multiple controls.

My questions for you all:

  1. Which approach do you prefer in your organization – role-based or descriptive?
  2. Do you think one is inherently better for ensuring clarity and accountability?
  3. Does anyone know the origin or framework behind the role-based format?

Thx! I'm looking forward to hearing your thoughts.

The original post: /r/cybersecurity by /u/Any_Molasses_798 on 2024-11-19 14:58:11.

Hello,

I work for a small business with only 2 IT professionals including myself. My coworker only holds a Security+ Cert with no Bachelor's Degree and myself with a Bachelor's Degree in CS, Security+, and recently acquired CISSP.

Our issue is needing to be compliant with the DoD 8140 DCWF roles and their cert requirements. I was informed that my CISSP, though great, didn't meet many of the roles' requirements, as it covers a wide breadth of knowledge but not enough depth for many of the roles.

Based on this information, does anyone have recommendations on what certs my coworker and I should be pursuing to meet as many of the roles as possible? I was considering CASP+ or GICSP, but they seem like they still don't carry a large footprint in the sheer number of roles the DCWF covers.

Also, any advice on maybe circumventing requirements by asking a higher authority for approval that CISSP will meet lower-level requirements would be much appreciated. Maybe my understanding of the 8140 requirements is flawed as well.

The original post: /r/cybersecurity by /u/Raniero_71 on 2024-11-19 14:50:14.

What are the cybersecurity standards for a company regarding the secure storage of passwords for the numerous services it uses?

I understand that as an individual I can rely on any password manager, but what are the best practices for a company, specifically a small-to-medium-sized business with limited resources, to securely manage its passwords?

Specifically, our company uses a popular cloud service that also has a password manager within its suite, but we're not sure if it's secure to use that all around our company.

The original post: /r/cybersecurity by /u/bcdefense on 2024-11-19 14:22:31.

Just wanted to share the infosec news account on bluesky as I’ve seen lots of chatter about the platform’s growth recently:

https://bsky.app/profile/infosecnews.bsky.social
