Is cybersecurity a meme?

Is cybersecurity a meme? I had a "security specialist" say I can't use Linux, even in a VM for development and if I want to explore it I need management approval with a note stating they are responsible if I violate security policy. I don't see how it's more likely to violate policy or cause a breach than the locked down Windows we have to use.


  1. 1 month ago
    Anonymous

    >company has policy
    >can I do thing against policy
    >no
    >uhhh wtf I wanna

    Welcome to Cybersec, it's half knowing the tech to do the job and half knowing how to align your company policies and implement them to adhere to insurance and possible local government policies. Just because you "can" do something doesn't mean it aligns with what the company can allow.

    • 1 month ago
      Anonymous

      There is no Linux policy but they balk at anything Linux related because nobody knows how to use it besides devs

      • 1 month ago
        Anonymous

        If there is no Linux policy, then that is even more reason for there to not be any Linux at all in the environment. Write the Linux policy and spearhead the adoption if you really need it.

      • 1 month ago
        Anonymous

        Good. Having VM's out there on personal devices from helpdesk tier wannabes is something that should be blocked, policy control for end users is amazingly done via GPO and helps with compliance across all users. Generally you don't give users more power than they need for a reason because they are bound to frick it up.

        Just because YOU can run linux in a VM doesn't mean your position can justify its use case or doesn't cause more risk than any reward. At my work we have very strict VM policies that unless you are in DevOps or Systems you're not getting a VM. period. What could you possibly need it on your device for work?

        • 1 month ago
          Anonymous

          anything kubernetes/docker related is much easier to use and install on Linux

          • 1 month ago
            Anonymous

            Okay if that's your job why not go through your system policy to request a linux machine? Docker/Kubernetes works just fine with the latest Hyper-V or anything post 2019. Same with ESXI/Xenserver.

            Why can't you just ask and provide a business use case for it? You do have a use case for it in a business purpose right? If your job title and position has you working with those techs to provide proper business functions then not sure the issue you are having.

            >"it's easier for me"
            That's great but it takes about 2 hours studying how to get that set up in any cloud provider that doesn't need a *nix host unless you're just copy n' pasting how to docs for it.

            Again CyberSec isn't just about knowing tech it's about creating policies to align with what is needed to keep the business safe.

          • 1 month ago
            Anonymous

            I usually use a cloud VM for development tasks outside the network. My concern is being asked to get a declaration that my superiors are responsible for any violations involving WSL which would essentially label me as a threat and force them to tell me to not use it which is awkward. Usually they just deny requests but this response is a bit strange

          • 1 month ago
            Anonymous

            >I usually use a cloud VM for development tasks outside the network.
            Why.... This is super fricking risky? Why aren't you using your company's resources to do the dev tasks for them?
            >My concern is being asked to get a declaration that my superiors are responsible for any violations involving WSL which would essentially label me as a threat and force them to tell me to not use it which is awkward
            Yes generally circumventing security policies to bring in uncontrolled variables into an environment going against employment guidelines would do that. Something tells me you've already given them reasons to wonder what you are doing. GJ being a moron.
            >. Usually they just deny requests but this response is a bit strange
            Probably because "I wanna run my own network on your guys network cuz.... stuff" was out of left field. Again, if you're doing work why aren't you just using what's provided to you the way they want it done?

            Anon, you're probably thinking about Linux desktop. Anon here is talking about Linux servers.
            Muh CVE. The problem is not how many CVEs a piece of software has, it's how dangerous these CVEs are and the time it takes to patch them.
            Normally any enterprise Linux takes around 1 or 2 days and the vulnerabilities are related to the 3rd party software.

            Aside from the company anon works for has no idea what anon is running. Again if I was a CSO for the company anon was working for and came to me about running random VM's that are out of management scope while having IT skills to be dangerous that would be a HUGE red flag.

          • 1 month ago
            Anonymous

            >VM's that are out of management scope while having IT skills to be dangerous that would be a HUGE red flag
            Just give him a VM from the server under your control with managed sudo.
            Our work is to provide security and a productive environment.
            We provide solutions. This sounds more like an IT skill issue. Most IT admins are scared of Linux. Sadly, as a sysadmin I have to say this, most of us are just jeet tier.
            Unless your legal gay team tells you otherwise(cyber insurance).

          • 1 month ago
            Anonymous

            Given how OP is posting I doubt he's really doing all that much in SysOp's or DevOp's; I am going to go out on a limb here but I am pretty sure he's helpdesk tier and has no purpose going for those resources. If OP had a good reason and work purpose for running some VM's then I doubt he would have gotten a bigger backlash than what he got. I could be wrong but most companies who have some cyber or network sec team generally have a process or policy on requesting such machines.

          • 1 month ago
            Anonymous

            >but most companies who have some cyber or network sec team generally have a process or policy on requesting such machines.
            Yeah, but not all, sadly. I work for mediocre bosses who were scared of Linux and avoided it (skill issue and vendors) and who didn't care what the frick you use and didn't care what policy says.

        • 1 month ago
          Anonymous

          obnoxious corpogay

    • 1 month ago
      Anonymous

      Real cyber security work is 90% documentation and paperwork. The rest is watching some nation state nuke all of your hard work in minutes with a backdoor placed by China that none of the cheap as frick manufacturers bothered to check for.
      Then you get fired as the sacrificial lamb.

      • 1 month ago
        Anonymous

        >Backdoor
        More like Dave from the mailroom executing arbitrary code in an email.

      • 1 month ago
        Anonymous

        >Then you get fired as the sacrificial lamb.
        Nah SecOps are generally sacked during budget cuts because they are expensive and an MSP can walk in any day of the week with a vowel in it and show how it can be "cheaper" to hire them or said employee.

        SecOps and Backup guys are always the first ones cut

  2. 1 month ago
    Anonymous

    Just fill out the paperwork. If there's a business need, then you will be provisioned. Compliance and Risk requires every box be set up for telemetry and audit.

  3. 1 month ago
    Anonymous

    >I had a "security specialist" say I can't use Linux
    these stories always lack context, like the other anon said. It's a headache introducing more variables, oh no company didn't approve my hecking ubuntu VM, they're so stoopid amiright g bros?

  4. 1 month ago
    Anonymous

    Is WSL allowed at least?

    • 1 month ago
      Anonymous

      That's what was denied

  5. 1 month ago
    Anonymous

    >I don't see how it's more likely to violate
    Your average GNU/Linux distro is plagued by a multitude of CVEs. Literally just look it up. It's a swiss cheese. The concept that Linux is safer than Windows is a myth from the 90s (back when Linux still had near 0 marketshare and thus no known vulnerabilities since there was no incentive to even look for any) that still survives because your average freetard has never done enterprise vulnerability management.

    • 1 month ago
      Anonymous

      Anon, you're probably thinking about Linux desktop. Anon here is talking about Linux servers.
      Muh CVE. The problem is not how many CVEs a piece of software has, it's how dangerous these CVEs are and the time it takes to patch them.
      Normally any enterprise Linux takes around 1 or 2 days and the vulnerabilities are related to the 3rd party software.

      • 1 month ago
        Anonymous

        homie, I just had to remediate a >9 on the v3 score in freaking zlib at work. Don't you try to lecture me on security.

    • 1 month ago
      Anonymous

      This, I run vuln scans across probably 20,000 devices and the majority of the found CVE's are on linux devices. Granted most of these are appliance type devices, but that is even worse that they are out in the wild by the millions or billions and largely never properly updated.

  6. 1 month ago
    Anonymous

    Yes. It's where they put diversity hires and "women in tech".

  7. 1 month ago
    Anonymous

    IT security is filled with streetshitters and barely deserve to be called tech workers, let alone security, we make a game out of evading their scans for sport
    >t. product security

  8. 1 month ago
    Anonymous

    I say this as a security analyst but my job is literally IT tard wrangling. that includes people in IT as well.

    • 1 month ago
      Anonymous

      “Oh, I’m not supposed to provide the JWT secret for the whole app over HTTP to anyone who asks for it? Do you have a source for that? Let’s have an hour-long meeting next week.”

      FML. Tired of being the cyber jizz mopper ‘cuz my company cheapens out on talent.

      • 1 month ago
        Anonymous

        >FML. Tired of being the cyber jizz mopper ‘cuz my company cheapens out on talent.
        Anon you sound like helpdesk wanna be dev given your posts lol. You got told no about running your VM shit to do something you still can't even justify to us for work so instantly call the guy who told you no a moron. Yes, it's generally a bad security practice to let end users do frick all for work on their end devices vs. that of a controlled, backed up, and managed environment. For all anyone knows you want to boot up Kali run some port scans and send every network monitor off because you just wanna test something.

        • 1 month ago
          Anonymous

          Nah, I don’t ask anymore. GRC are morons.

      • 1 month ago
        Anonymous

        I'm currently doing an audit of close to 800 user/admin accounts because we moved from on prem AD to azure and they for some fricking reason (they were lazy/dumb) just kept all the accounts active even though we cut over. it's such a pain in the ass reaching out to people to figure out if admin accounts still need to be active locally or not.

        • 1 month ago
          Anonymous

          800 admin accounts? Damn…

          • 1 month ago
            Anonymous

            yeah it fricking blows, it's partially due to us being an MSP and having several domains within our datacenter for clients.

          • 1 month ago
            Anonymous

            Which is why you generally need to be tight in an org if you are working netsec or the like. If you give a single user an inch, before you know it they've somehow gotten to the moon.

      • 1 month ago
        Anonymous

        >Tired of being the cyber jizz mopper ‘cuz my company cheapens out on talent.
        Yup, your company is shit for hiring someone who doesn't care about security (i.e., (You)) just because other people are responsible for it

  9. 1 month ago
    Anonymous

    homie if you haven't gotten traffic shaped yet you did now lol

  10. 1 month ago
    Anonymous

    last june I dealt with my first active attack. I was the first responder and if I hadn't just happened to dig deeper on a certain alert on a friday right before close, we would have suffered a massive ransomware attack.

    it's kind of odd thinking about it in retrospect that me being autistic and my spidey sense tingling saved us millions of dollars.

    • 1 month ago
      Anonymous

      how many of those millions of dollars saved are you seeing personally?

      • 1 month ago
        Anonymous

        I got a $500 Amazon card and an excellence award from my company for it which was more than I was expecting.

  11. 1 month ago
    Anonymous

    what are your cybersec horror stories with your workplace?

    • 1 month ago
      Anonymous

      We’ve been changing from usernames/passwords on WiFi to EAP-TLS and certificates. Everyone b***hed and moaned about it, even though MDM took care of almost all of it. We forgot about the videoconference systems, so we had some outsourced take care of it. They loaded the same private key and certificate on every endpoint. About 6000 of them.

    • 1 month ago
      Anonymous

      >company hires indians for night hours due to us being 24/7
      >for some fricking reason they give them access to our cisco firewall despite them only being service techs
      >some indian blocks an IP they shouldn't have that was important to a client
      >they don't document this change at all so there is like 6 hours of downtime due to the rest of the overnight techs being moronic and when normal people wake up they can't find any change history
      >now I have to fully document and do everything in change requests including ip reputation, activity seen in siem, etc, where previously I could just make a list of IP's I blocked and it was fine.

      I fricking hate you so much kumar. shit used to be easy

    • 1 month ago
      Anonymous

      >work for a fairly large company
      >it's a school
      >old IT+Staff never disabled any AD account
      >was because they had some post grad "help program for dem keeedz"
      >this meant everyone still had their basic passwords set from whatever highschoolers set it to
      >O365 kept every account active
      >this has been going on since 2013
      >only found it out last year
      >~75k accounts all spreading spam 24/7
      >want to disable the accounts
      >"b-but what about the kids who need it! Some kids can't afford aol accounts"
      mfw when I have no face, email isn't some paid thing.

    • 1 month ago
      Anonymous

      >have client send us a ticket about phishing email they got with excel document entitled "2023 census"
      >sender claims they didn't send it to that person
      >sandbox the excel attachment
      >it's their entire list of employees and salaries including all of their SSN's in fricking plaintext and they sent this to me unencrypted over fricking email
      >this is a fricking healthcare company so they should have compliance to adhere to and know better
      >user actually really did send it and was just moronic

      it was fricking surreal

  12. 1 month ago
    Anonymous

    It's actually more laid back and comfy than I thought.
    >t. cybersec engineer in subcontracting role

  13. 1 month ago
    Anonymous

    you sound like a moron and as a manager of developers who fricking hates his cybersec colleagues, who does everything he can to protect his devs and goes into fight for them to get the right tools for the job and withstand the bullshit bureaucracy so that they can get shit done, I would give you exactly five minutes to think about how much of a fricking moron you are and if you didn't concede on all points I'd begin the process of managing you out of the business citing incompetency.

    you're a fricking liability. get a brain c**t.
    >"hurr hurr its no more dangerous than the other hurr hurr HURR we have"
    >what is an attack surface
    >what is completely missing the point
    >what is completely oblivious to the most basic safety, automatic and supposed-to-be ingrained security practices any developer of the last 20 years should have

    • 1 month ago
      Anonymous

      ubuntu is opensource and more secure than windows is. If you know what you're doing you don't need to worry and I do. Company policies only slow your pc down and you can't run LVM or QEMU to do work better.

      • 1 month ago
        Anonymous

        here's your (You), best of luck on another team, don't ask me for a recommendation.

    • 1 month ago
      Anonymous

      ok boss sorry for asking to use Linux

  14. 1 month ago
    Anonymous

    is the CISSP actually that hard or am I getting memed? the material doesn't seem that hard even though there is like 4 exams worth of content in it

    • 1 month ago
      Anonymous

      The CISSP got me where I am today

    • 1 month ago
      Anonymous

      It’s not. It’s just a long-assed test. I passed the test, but when I found out ISC(2) wanted a resume and references, I noped out of there. It wasn’t that worth it, not for compliance.

      • 1 month ago
        Anonymous

        I got fired at my first job (retaliated against) and I always wondered if that would come back to hurt me if I had to go through the cissp references part

        basically they lied about my promotion and when I professionally voiced concern they fired me after 2.5 years

        • 1 month ago
          Anonymous

          I don’t think they really check. Or if they do, it’s completely random. Like a LinkedIn search — “good to go!”

          • 1 month ago
            Anonymous

            Credit check will generally bring up your last job and what your exit was. I doubt they go back farther than that unless your resume is like
            >1yr IT Director
            >2.4yr Systems Admin
            >6mo IT staff

            and looks like you just can't hold onto a job

        • 1 month ago
          Anonymous

          Don’t worry, company HR will ONLY confirm your title and time of employment, NOTHING else. If the new employer require more than that they’ll ask you to provide a personal reference.

    • 1 month ago
      Anonymous

      CISSP is hard if
      You've only worked technical for the past X years and never been on the management side
      You've never needed to read and build policies that affect things on a company wide spectrum
      You have no idea or thought process of chargeback(yeah it does help)

      The biggest filter is people not thinking like a manager and like a technical person like OP who goes "well I can do it cuz it's technically possible". CISSP is a mindset exam which is why there is a years of exp requirement.

    • 1 month ago
      Anonymous

      I passed it on my first try and I honestly didn’t study much. But, I’ve been in governance-audit for many years with a networking background so I had a big head-start. Also I’m substantially above IQfy‘s average IQ so I don’t want to say that it’ll be a snap for everyone else. Honestly though if you study enough you should be able to swing it on the first attempt.

      • 1 month ago
        Anonymous

        thanks anon, any other general tips?

        I am currently at 4 years as an analyst and already have my
        sec+
        net+
        cloud+
        cysa+
        and sc-200
        and I've never failed an exam.

        seems like a lot of overlap on some of the domains compared to my previous exams but some of the "adaptive" testing is making me a bit worried since the test adapts with you and you can fail if you fail one domain

        • 1 month ago
          Anonymous

          I didn’t notice anything specific about adaptive testing like question getting super hard or especially in-depth. Since you have a lot of overlapping background I think you’ll grasp it easily, the only thing you should do is pay attention to CISSP-specific concepts and make sure you memorize those. Also pay attention to the stuff regarding the different kinds of assessments / failure analysis trees etc, there’s academic crap in there you won’t deal with in the real world but try and memorize the key points. If you do that your background should be enough to let everything else fall into place for you naturally. I was also told repeatedly how hard it was and how everyone fails on their first attempt but I didn’t find it crazy-difficult with complex problems to solve. As the other anon said it just seemed like a long test.

          • 1 month ago
            Anonymous

            Thanks for the help. Planning to take it later this year hopefully since my job pays the cost for exams

  15. 1 month ago
    Anonymous

    Cyber security is literally the dumbest gorilla Black person bullshit in the world. All the garbage they install even on Windows just makes the system more insecure at worst and an annoyance at best.

    • 1 month ago
      Anonymous

      >W-Windows is insecure
      T. someone who's never worked security, it's probably the easiest damn thing to secure on a company scale given the availability of OS's out there to end users.

      *nix is insanely task intensive to provision and manage business operations with unless you are PXE booting everything which is its own set of problems
      Mac OS is laughable
      ChromeOS makes me want to die
      Thinclients/Zeroclients were a laughably bad idea long term
      Windows with the amount of products out there and GPO's to help align everything who is semi competent force compliance.

      For all the shit windows gets if you spend time actually configuring the master image and policies from the start there is nothing out there better scalable.

      • 1 month ago
        Anonymous

        Windows by itself is fine. It's endpoint security garbage that isn't.

        • 1 month ago
          Anonymous

          Depends how much your company needs end point security, how much they are willing to spend, and how you negotiate for it to be implemented. If you aren't getting the VAR to install and do the basic configurations to your corporate WDS/MDT image, dunno what to tell you.

  16. 1 month ago
    Anonymous

    To this day I regret leaving the job where I had total IT freedom and didn't have to answer to security morons. It was truly glorious having a full blown NixOS work laptop with no spyware bullshit and being able to do all the things winchuds think Linux users can't do.

    Sadly I now live in a land where I have to play games with specific processes as confused deputies to get around the insanely moronic global dll hooking malware IT inflicts on every machine at my current job. Also thanks Visual Studio.

  17. 1 month ago
    Anonymous

    Infosec is like the HR of IT. They don't actually give a flying frick about security. They just wanna check every box so they can prevent the company from getting sued when there's a breach. The old "There's nothing we could have done to prevent this sort of attack" trick to protect the top brass from litigation due to incompetence.

    The people that go into infosec are generally the ones who couldn't make it as a Developer or DevOps.

    • 1 month ago
      Anonymous

      I kek when my first internship I basically had to show nothing more than some architecture diagram of my intern project to a security wagie.
      I then kekd (while muted) when I had to do the same thing, 10 years later, for software I literally don't own or understand.

      This is exactly what it's like.
      I also remember informing these worthless Black folk about the log4j bullshit while I was proactively scanning jars and fixing it myself, all in code I also, do not have the source. I waited very patiently for guidance and eventually 3 days later these dipshits release a response.

    • 1 month ago
      Anonymous

      >The people that go into infosec are generally the ones who couldn't make it as a Developer or DevOps.
      90% of devs are actual fricking drooling morons outside their nice code and products. The fact a zoomie out of highschool can troubleshoot any computer issue better than them is astounding.

      • 1 month ago
        Anonymous

        Yet infosec catches the lowest of the devs. Infosec is the Special Ed of the tech industry.

  18. 1 month ago
    Anonymous

    It's definitely a meme and this field is full of charlatans, actual morons, systems like pic related and also autists that have exchanged their powers of evil for reduced sentences and massive paychecks

    and nobody hiring can tell who is who

  19. 1 month ago
    Anonymous

    it's kind of amusing seeing people on IQfy talk shit about cybersecurity without knowing why it's really important to companies

    • 1 month ago
      Anonymous

      It's because boomers don't know and are scared about up and coming tech so they want to gate keep via their glass ceiling of afraid of new thing. They are afraid of things like users having opensource secure desktops because they can't justify their positions to run shitty antivirus software and tell the business how many "viruses" or "dangerous websites" were on the net. If they let users actually have freedom on their devices helpdesk tickets would go away and they'd lose their job that's why they are also pulling everyone back into the office because they need the boomer logic to justify their jobs.

      • 1 month ago
        Anonymous

        Holy based. The best part of all this shit too is everyone literally always works around all the measures anyhow.
        Someone was telling me on the shopfloor they need dual networks to interface with the shopfloor machine network and also the corp network but IT wrote some shitware that prevents multiple interfaces from working, so they just bought some unmanaged hardware to do their job instead.
        They don't listen, they're worthless scum and don't know what they're doing.

  20. 1 month ago
    Anonymous

    As a 15-year veteran I can confirm that it’s a meme. It was real back in the 90s but continually lost relevance throughout the 00s and by the early 10s it was basically just a meme. A hype marketing pipeline based on the fear of corporate leadership of being hurt by hackers. The system did mature past just hype into an interlocking system of compliance frameworks. Originally pushed by governments to secure infrastructure it became a way to force companies to maintain compliance programs via laws which, handily, makes you check the compliance of all your partners / suppliers — making the huge expense of funding the industry an obligation to doing business at all.

    In reality it’s all worthless or just enshrining existing common sense things like “do background checks” and “have a formal traceable process”. Bad actors are stopped by a somewhat competently-managed firewall. Modern AV stops all the client-level things like phishing besides viruses. All the stuff done in a SOC is useless make-work that exists simply because companies have to do it in order to do business. SaaS got big because companies could just offload all the BS to someone else while ticking all the compliance checkboxes. I don’t know why exactly the security job market is such trash but I suspect it’s a combination of SaaS and the usual over-saturation of everyone and their uncle believing infosec is their ticket to a highly-paid desk job playing with computers. SOC analyst is a desk job alright but it’s brain-dead make-work for low pay. Pen-testing can be a “fun” gig if you can find a position for that, but all you’ll be doing is running some tools and building a report based on credentialed inside attacks which are ridiculously unrealistic but the way you show “value” lol, ie, illustrating how they need to update their software which they otherwise wouldn’t bother with because it’s essentially impossible to get at the system without admins actively assisting.

    • 1 month ago
      Anonymous

      As someone with zero experience in the industry, I suspected all these things and went a different direction. Thanks for confirming my suspicion

  21. 1 month ago
    Anonymous

    >its another episode of IQfy posters expose themselves by talking about a topic they don't actually know shit about and trying to shit on it

  22. 1 month ago
    Anonymous

    Cybersecurity is boring as frick

  23. 1 month ago
    Anonymous

    cybersecurity is more about management than anything

    i laff at the kids who think getting into the field is doing hackerman stuff and end up doing hipaa/sox/pci-dss compliance lmao

    • 1 month ago
      Anonymous

      >hey boss I got my CEH
      >okay cool anon but we have our SOC2 starting next month I need you to go gather all this evidence for our security posture so that we can keep our attestation

    • 1 month ago
      Anonymous

      >hackerman stuff

      isnt that what a pen tester does

      • 1 month ago
        Anonymous

        pen testers are kind of like the cybersecurity equivalent of a girl wanting to do handcuff play
        it's not the real thing by any stretch most of the time.

  24. 1 month ago
    Anonymous

    This is why I did not choose a cybersecurity major. I have no interest working in a "zero-trust" environment, protecting those who ought to be exposed.

    • 1 month ago
      Anonymous

      there really isn't any reason to get it as a major anyway. 90% of roles will just ask for a computer science degree and not something specific, certs are more what they care about
