Post ARgKRhtlCM2HTNV3WS by Kyrouz@mastodon.social
(DIR) Post #ARfmdZzx031u0KswCW by seb@ioc.exchange
2023-01-15T16:37:38Z
0 likes, 0 repeats
To all 1-person #Infosec teams: How do you decide what to do next?
(DIR) Post #ARfmloAYCEXeGtlbWq by chris@mastodon.chriswiegman.com
2023-01-15T16:39:06Z
0 likes, 0 repeats
@seb While my title was never explicitly infosec, it was absolutely my responsibility as a department of one. The decision was always easy though... in supporting 450+ users I just had to sniff for the smoke and go to wherever the next fire was starting (and hope it was not underway yet)
(DIR) Post #ARfn8eRAXtCIkUQs1Q by seb@ioc.exchange
2023-01-15T16:43:14Z
0 likes, 0 repeats
@chris Makes sense. Did you also have a roadmap of some sort?
(DIR) Post #ARfnQ7KuLwglIgpf7Y by chris@mastodon.chriswiegman.com
2023-01-15T16:46:23Z
0 likes, 0 repeats
@seb I wish I could say I did but, it was rare. There was just too much else. I was doing everything from web dev to server admin to desktop support to maintenance flights for aircraft... planning out anything was a rare luxury
(DIR) Post #ARfoYwZbq2VITqTu9w by GossiTheDog@cyberplace.social
2023-01-15T16:59:01Z
0 likes, 0 repeats
@seb it depends how bad or good the IT environment is that you're responsible for.
(DIR) Post #ARfph3wGRCXLavVsUC by seb@ioc.exchange
2023-01-15T17:11:52Z
0 likes, 0 repeats
@GossiTheDog Is it about the quality of the IT tech that is in place or the quality of the IT team?
(DIR) Post #ARfrX5jz5DaICC8tuK by GossiTheDog@cyberplace.social
2023-01-15T17:32:22Z
0 likes, 0 repeats
@seb usually the team (which can also come down to investment)
(DIR) Post #ARfruoFhkwPEuGHzRA by CoachKahnsef@infosec.exchange
2023-01-15T17:36:45Z
0 likes, 0 repeats
@seb prioritize business needs always. A one-person infosec team still is a team member of the business.
(DIR) Post #ARfsJJJRvSxsBkivfE by 74rku5@infosec.exchange
2023-01-15T17:41:11Z
0 likes, 0 repeats
@seb I list All The Things and have my direct manager prioritize it.
(DIR) Post #ARfsbEY4NTnQcp6nCK by r000t@infosec.exchange
2023-01-15T17:44:25Z
0 likes, 0 repeats
@seb smoke until I'm paranoid about something.
(DIR) Post #ARfsuAwnzT9WxVi7kG by secminded@infosec.exchange
2023-01-15T17:47:50Z
0 likes, 0 repeats
@seb usually when the alert triggers fight or flight I spend 10-15 mins hunting through logs until I discover that it was yet another nothingburger from an ad network to a mobile device on a guest network and then I take a paper bag into the bathroom for a couple of minutes or until my hr is under 130 so I'm ready for the next alert flood
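The "nothingburger" triage described in the post above, written out as detection logic. This is an added example and not part of the thread; the subnets, the ad-network domain allowlist and the key=value alert lines are all constructed for illustration. The idea is to keep the alert but let the tuning do the 10-15 minutes of log hunting: a guest device talking to a known ad network is suppressed, while the same destination from a server subnet is still escalated, because a server has no reason to reach an ad network.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical network layout (assumption, not from the thread).
GUEST_NETS = [ipaddress.ip_network("10.99.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed allowlist of ad/analytics domains; the names are placeholders.
KNOWN_AD_DOMAINS = {"ads.example-adnet.net", "metrics.example-analytics.com"}

# Constructed log format: one key=value record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) alert=(?P<alert>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"domain=(?P<domain>\S+)$"
)

# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = """\
2023-01-15T17:40:01Z alert=suspicious-egress src=10.99.3.21 dst=192.0.2.10 domain=ads.example-adnet.net
2023-01-15T17:40:02Z alert=suspicious-egress src=10.99.7.4 dst=192.0.2.11 domain=tracker.ads.example-adnet.net
2023-01-15T17:40:03Z alert=suspicious-egress src=10.10.0.5 dst=192.0.2.10 domain=ads.example-adnet.net
2023-01-15T17:40:04Z alert=suspicious-egress src=10.20.0.7 dst=192.0.2.12 domain=metrics.example-analytics.com
2023-01-15T17:40:05Z alert=suspicious-egress src=10.99.3.21 dst=198.51.100.9 domain=update.unknown-host.example
this line is not in the expected format
"""


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def _is_known_ad(domain):
    # Match the allowlisted name itself or any subdomain of it.
    return any(domain == d or domain.endswith("." + d) for d in KNOWN_AD_DOMAINS)


def triage(line):
    """Return a disposition for one alert line."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    src = ipaddress.ip_address(m["src"])
    known_ad = _is_known_ad(m["domain"])
    if known_ad and _in_any(src, GUEST_NETS):
        return "suppress"      # guest device talking to an ad network: expected noise
    if known_ad and _in_any(src, SERVER_NETS):
        return "investigate"   # a server has no business talking to an ad network
    if known_ad:
        return "low"           # corporate endpoint, benign destination, keep for trending
    return "investigate"       # anything not on the allowlist still gets a human


def summarize(log_text):
    """Count dispositions over a block of alert lines."""
    return Counter(triage(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for line in SAMPLE_ALERTS.splitlines():
        print(triage(line), "|", line)
    print(summarize(SAMPLE_ALERTS))
```

Unparsed lines are kept as their own bucket rather than dropped, so a log-format change shows up as a spike in "unparsed" instead of silently hiding alerts.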
(DIR) Post #ARft8C1oliVUMhjtho by SecureOwl@infosec.exchange
2023-01-15T17:50:22Z
0 likes, 0 repeats
@seb what one thing can I do that’ll take the biggest dent out of the overall risk to the business in a way that makes life easier for everyone else so they are more likely to help me?

Good examples of this are:
- single sign on with MFA (which often leads to better user experiences through nicer IAM processes).
- Logging standards that work well for both security and app/sre teams.
- Deploying a WAF to take the burden of implementing things like rate limits from app teams.

But before you do those please complete this 250 question security questionnaire from a prospect
(DIR) Post #ARfu0BZYgBE0aaGbTc by gws@functional.cafe
2023-01-15T18:00:07Z
0 likes, 0 repeats
@seb I used the security4startups controls checklist (at a non-profit), filled out what we had, and worked on things at the intersection of business priority and what would be doable quickly and also deliver value based on threats as I understood them (or past/present fires).
https://www.security4startups.com/controls-checklist

Also was influenced by the SOC2 Starting Seven but heeded the disclaimers about applicability.
https://latacora.micro.blog/2020/03/12/the-soc-starting.html
(DIR) Post #ARfvKmQlS200eGXOF6 by alaric@ioc.exchange
2023-01-15T18:15:04Z
0 likes, 0 repeats
@seb the IT tech (environment) as well as the team that you are working with makes a big difference, imo. But both of those require an investment of time and resources...
(DIR) Post #ARfwnaXqowuo8b9Xvc by eingfoan@infosec.exchange
2023-01-15T18:31:26Z
0 likes, 0 repeats
@seb talk with other infosec what they do and why. +Check on infosec landscape which areas are „underdeveloped“. Reflect if this makes sense in my env. If yes talk with „my team“ what they think has prio amongst those points. Do the thing that comes out there.
(DIR) Post #ARfx4ahtTJDVYxxRui by seb@ioc.exchange
2023-01-15T18:34:34Z
0 likes, 0 repeats
@eingfoan Who do you refer to with “my team”? The IT team? All of IT (BizApps + Infra) or just Infra?
(DIR) Post #ARfxp12HuhaUXddNGi by pauliehedron@infosec.exchange
2023-01-15T18:42:56Z
0 likes, 0 repeats
@seb Network documentation, there is plenty to do and most of it is pretty poor/out of date.
- Network diagrams
- Listing of all the public IPs exposed on the internet, and the associated FW rules if any are inbound
- Listing all the VLANS and all the IPs associated with them, including the subnet gateway IPs.
- DNS/DHCP servers servicing clients
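The public-IP and VLAN items in the list above, turned into a reconciliation check. This is an added example, not code from the thread; the inventory, the inbound rule base and the VLAN table are constructed (RFC 5737 and RFC 1918 addresses), and the set of admin ports that should never face 0.0.0.0/0 is an assumption to tune per environment. The point is that documentation only stays useful if something cross-checks it: an IP in the rule base but not the inventory, an IP in the inventory with no rule reaching it, and a gateway recorded outside its own subnet are the three classic ways the documents drift.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: documented public IPs and what they front.
PUBLIC_IPS = {
    "203.0.113.10": "web-lb",
    "203.0.113.11": "vpn-gw",
    "203.0.113.12": "legacy-ftp",
}

# Constructed inbound firewall rules: (name, source, destination public IP, proto, port).
INBOUND_RULES = [
    ("allow-https", "0.0.0.0/0", "203.0.113.10", "tcp", 443),
    ("allow-vpn", "0.0.0.0/0", "203.0.113.11", "udp", 1194),
    ("allow-ssh-mgmt", "198.51.100.0/24", "203.0.113.11", "tcp", 22),
    ("allow-rdp", "0.0.0.0/0", "203.0.113.13", "tcp", 3389),
]

# Constructed VLAN table: (vlan id, subnet, gateway IP).
VLANS = [
    (10, "10.10.0.0/24", "10.10.0.1"),
    (20, "10.20.0.0/24", "10.20.1.1"),
    (30, "10.30.0.0/24", "10.30.0.254"),
]

# Ports that should never be reachable from 0.0.0.0/0 (assumption; tune to the environment).
ADMIN_PORTS = {22, 23, 445, 1433, 3306, 3389, 5900}


def rules_by_public_ip(rules):
    """Group inbound rules under the public IP they target."""
    grouped = defaultdict(list)
    for name, src, dst, proto, port in rules:
        grouped[dst].append((name, src, proto, port))
    return grouped


def exposure_findings(public_ips, rules):
    """Reconcile the IP inventory against the rule base and flag what disagrees.

    Findings are (kind, public_ip, detail) tuples.
    """
    grouped = rules_by_public_ip(rules)
    findings = []
    # Inventory says the IP exists, rule base says nothing reaches it: is it still in use?
    for ip, host in public_ips.items():
        if ip not in grouped:
            findings.append(("no-inbound-rule", ip, host))
    for dst, entries in grouped.items():
        # Rule base exposes an IP the inventory does not know about: documentation gap.
        if dst not in public_ips:
            findings.append(("rule-for-undocumented-ip", dst, entries[0][0]))
        for name, src, proto, port in entries:
            wide_open = ipaddress.ip_network(src).prefixlen == 0
            if wide_open and port in ADMIN_PORTS:
                findings.append(("admin-port-open-to-internet", dst, f"{name} {proto}/{port}"))
    return findings


def vlan_findings(vlans):
    """Return VLAN ids whose documented gateway is not inside the documented subnet."""
    return [vid for vid, subnet, gw in vlans
            if ipaddress.ip_address(gw) not in ipaddress.ip_network(subnet)]


if __name__ == "__main__":
    for ip, entries in sorted(rules_by_public_ip(INBOUND_RULES).items()):
        print(ip, PUBLIC_IPS.get(ip, "<undocumented>"), entries)
    for finding in exposure_findings(PUBLIC_IPS, INBOUND_RULES):
        print("FINDING", *finding)
    print("VLANs with bad gateway:", vlan_findings(VLANS))
```

In practice the two inputs come from a firewall config export and whatever spreadsheet or IPAM holds the inventory; the check is cheap enough to run on every rule change, which is what keeps the listing from going out of date again.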
(DIR) Post #ARg0V7qLC6W5j0Fl0S by crh@infosec.exchange
2023-01-15T19:12:57Z
0 likes, 0 repeats
@seb Biggest impact for least amount of effort.
(DIR) Post #ARg21xdYGI4za5UZQ8 by grumpybozo@toad.social
2023-01-15T19:30:05Z
0 likes, 0 repeats
@seb ADHD has its uses.
(DIR) Post #ARg2gno3iSxExtsiKO by hydrox@defcon.social
2023-01-15T19:37:16Z
0 likes, 0 repeats
@seb I keep a prioritized list of items based on input from auditors, business needs, my team leads, and my own insight.
(DIR) Post #ARg2mpqT356b1fsv0S by Name_Too_Long@infosec.exchange
2023-01-15T19:38:33Z
0 likes, 0 repeats
@seb First is business need. If it's something that needs to be done or the company is out of compliance and gets shut down/fined into oblivion, that's going to get priority. Even if it's of dubious security value.

After that, we go to Security ROI. "Given the current state of things, what gives me the biggest improvement in security for the time/money/effort/political clout required to implement?" That's my next thing.

Once you get some foundational basics in place you can start roadmapping bigger, "end goal", projects. Break them up into smaller steps, account for dependencies and then do the ROI thing to prioritize branches.
(DIR) Post #ARg2yJtxdkxRQgzlIm by cjc@mastodon.sdf.org
2023-01-15T19:40:39Z
0 likes, 0 repeats
@seb biggest fire.
(DIR) Post #ARg6UWbeEw0JxfTfYO by hamisec@infosec.exchange
2023-01-15T20:20:05Z
0 likes, 0 repeats
@seb how long have you been a one person info sec team? Any hint that the org plans on increasing your team?
(DIR) Post #ARg7tszgExJuaaNKwS by seb@ioc.exchange
2023-01-15T20:35:53Z
0 likes, 0 repeats
@hamisec I recently switched jobs. Going from a 30+ infosec org to a new infosec org. Was hired to build the infosec program. It has been 3 months so far.
(DIR) Post #ARg8eqQxZlo4GAWj6u by based@defcon.social
2023-01-15T20:44:08Z
0 likes, 0 repeats
@seb me whiskey in hand and I'm ready to traverse the open seas of cyber.
(DIR) Post #ARgAAxB68XAoOgywzI by tab2space@mastodon.social
2023-01-15T21:01:22Z
0 likes, 0 repeats
@seb When I was one, I started at "squirrel!" and transitioned to attempting FAIR https://www.fairinstitute.org/fair-risk-management @jerry
(DIR) Post #ARgAdQ902DE8LIZhGC by hamisec@infosec.exchange
2023-01-15T20:26:58Z
0 likes, 0 repeats
@seb to consider what to do next, we would need to know what you have already done. But if you haven't done these, consider one of:
- run a pen test. If you don't have pen test budget, do some basic scanning yourself or sign up for shodan.
- Run a demo for your IT team to show them how easily putty.exe can be backdoored with malware.
- Create or approve a risk scoring system.
- Create a risk register with likelihood, impact, remediation plan, remediation owner, etc.
- Run a phishing campaign with gophish and then an awareness roadshow, and then another phishing campaign to show the improvement.
- Take a look at the cyber defence matrix and use it to map out the gaps in your coverage.
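A worked version of the risk register and scoring system suggested above, combined with the prioritisation rule from Name_Too_Long's earlier reply (compliance-driven items first, then security ROI, with dependencies resolved before the projects that need them). This is an added example and not anything posted in the thread; the 5x5 scales, the four register entries, their owners and effort estimates are all constructed for a hypothetical org.

```python
from dataclasses import dataclass, field

# 5x5 ordinal scales (assumption; any scale the org agrees on works the same way).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    id: str
    description: str
    likelihood: str
    impact: str
    remediation: str
    owner: str
    effort_days: float
    residual_likelihood: str          # expected likelihood once remediation is done
    residual_impact: str
    depends_on: list = field(default_factory=list)
    compliance_driven: bool = False   # "fix it or get fined/shut down" items

    def score(self):
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self):
        return LIKELIHOOD[self.residual_likelihood] * IMPACT[self.residual_impact]

    def roi(self):
        # Risk reduction bought per day of the one person's time.
        return (self.score() - self.residual_score()) / self.effort_days


# Constructed register entries (hypothetical org; not from the thread).
REGISTER = [
    Risk("R1", "VPN accepts password-only logins", "likely", "major",
         "enforce MFA on VPN via the IdP", "infra lead", 5, "unlikely", "major",
         depends_on=["R3"]),
    Risk("R2", "Staff click on credential-phishing mail", "possible", "moderate",
         "gophish campaign, awareness roadshow, re-test", "security", 3, "unlikely", "moderate"),
    Risk("R3", "No central identity provider; local accounts everywhere", "likely", "moderate",
         "stand up SSO and migrate apps", "infra lead", 5, "possible", "minor"),
    Risk("R4", "Audit finding: no data-retention policy", "rare", "major",
         "write and approve retention policy", "legal", 2, "rare", "minor",
         compliance_driven=True),
]


def prioritize(register):
    """Order remediations: compliance-driven first, then highest ROI, never before their dependencies."""
    done, order = set(), []
    remaining = {r.id: r for r in register}
    while remaining:
        ready = [r for r in remaining.values() if all(d in done for d in r.depends_on)]
        if not ready:
            raise ValueError("dependency cycle or unknown dependency in " + ", ".join(remaining))
        nxt = max(ready, key=lambda r: (r.compliance_driven, r.roi()))
        order.append(nxt.id)
        done.add(nxt.id)
        del remaining[nxt.id]
    return order


def register_table(register):
    """Rows in the shape a spreadsheet register would hold, for review with the manager."""
    return [(r.id, r.score(), r.residual_score(), round(r.roi(), 2), r.owner, r.remediation)
            for r in register]


if __name__ == "__main__":
    for row in register_table(REGISTER):
        print(row)
    print("work order:", prioritize(REGISTER))
```

With these numbers the VPN MFA item has the best ROI on paper but lands third, because it depends on the identity provider; the retention policy goes first on compliance grounds even though it barely moves the risk score. That is exactly the ordering the two posts describe, and the table is what you hand to your manager or team leads when you want them to own the prioritisation rather than you.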
(DIR) Post #ARgAow0rt4y8MqGHiK by seb@ioc.exchange
2023-01-15T21:08:36Z
0 likes, 0 repeats
@tab2space @jerry Did anyone ever succeed in using fair?
(DIR) Post #ARgBNQ3yfTonPc9xOC by jerry@infosec.exchange
2023-01-15T21:14:48Z
0 likes, 0 repeats
@seb @tab2space Not in a one person security team
(DIR) Post #ARgCxFRPjnHYqcloS8 by eingfoan@infosec.exchange
2023-01-15T21:32:30Z
0 likes, 0 repeats
@seb depending on your maturity as a 1-person sec shop I would start including IT infra, then IT apps, then business
(DIR) Post #ARgHgPfMy2J3PN5bfM by PeterDodemont@infosec.exchange
2023-01-15T22:25:28Z
0 likes, 0 repeats
@seb I would generally focus on items where I could improve the user experience while also uplifting the security posture.
And/or where there is a lot of manual maintenance needed.
Email filtering is one that usually hits both of these.
(DIR) Post #ARgIUbuth7p5siHwvI by QuatermassTools@infosec.exchange
2023-01-15T22:34:33Z
0 likes, 0 repeats
@seb just follow my usual step. Updates weekly or sooner, no exceptions, reboots included. And always try and think of a new diagnostic or metric that might let you know how things are running.
(DIR) Post #ARgKRhtlCM2HTNV3WS by Kyrouz@mastodon.social
2023-01-15T22:56:27Z
0 likes, 0 repeats
@seb (was one person until recently). Draft a roadmap, grouping project by quarter. Then maintain a personal task board to focus on day to day.
(DIR) Post #ARgLetCMb1OwEp3E80 by hamisec@infosec.exchange
2023-01-15T23:10:01Z
0 likes, 0 repeats
@seb you know what you're doing then
(DIR) Post #ARgSmoEVdm7kplmJuK by seb@ioc.exchange
2023-01-16T00:29:54Z
0 likes, 0 repeats
@hamisec Trying to improve my game. Some good suggestions in this thread.
(DIR) Post #ARgZUzNu8kKXt1cfPE by phenidone@mstdn.social
2023-01-16T01:45:06Z
0 likes, 0 repeats
@seb look in the risk register
(DIR) Post #ARsZxSnchYYl7VkVfs by BazzaOomph@infosec.exchange
2023-01-21T20:46:47Z
0 likes, 0 repeats
@seb I look at my risk register.