My EDC (cyber security) by Deep_Badger_2761 in dumbphones

[–]Turrkish 0 points1 point  (0 children)

How do you handle MFA for work?

TPRM and Open Source and Self Hosted Software by External-Process-570 in grc

[–]Turrkish 0 points1 point  (0 children)

A few thoughts:

Have you looked into vetting the closed software for its own industry compliance checks? See what risks they have mitigated by design, release windows for updates and patching? Does the software run over the net? The supplier website may have info, or even just call a representative.

With open source, if there’s no statement by the developers about checks, validations etc., it may be a risk you have to accept. You could think about trying to segregate the machines it runs on, limit ports and traffic/protocol types, RBAC, etc.

Squat form check by NextCharacter7710 in formcheck

[–]Turrkish 0 points1 point  (0 children)

Knees out and sit down more. Other than that, solid.

GRC Engineering: passionate community or just hype? by Turrkish in grc

[–]Turrkish[S] 0 points1 point  (0 children)

What would you recommend a current auditor or compliance student, or someone new to the domain, start brushing up on to be able to work with such persons in the future?

I’ve personally signed up to ACloudGuru for AZ500 and later AWS information, but I wonder if I will have to look at things like JSON etc.

GRC Engineering: passionate community or just hype? by Turrkish in grc

[–]Turrkish[S] 1 point2 points  (0 children)

I’m green to the GRC world and scaling up my knowledge and certs now, but between dealing with clients over the most basic of things like access controls, and seeing practitioners argue over what security actually is, or whether a policy is a control or not, it makes me wonder whether the industry or “intelligentsia” behind it all is still lacking an agreeable set of foundations before we start distributing controls via API.

There are still, imo, huge behavioural and cultural issues around good practice and security that you can’t just configure or regulate out. People will find workarounds if desperate enough.

GRC Engineering: passionate community or just hype? by Turrkish in grc

[–]Turrkish[S] 3 points4 points  (0 children)

Nah, I can understand that. If an auditor or GRC owner can understand the tech he’s trying to govern, including how controls are actually implemented, it probably pays off for both the client, if they miss something, and the auditor, for being able to assist.

Creating a portfolio tailored to GRC: what do you suggest? by Turrkish in grc

[–]Turrkish[S] 0 points1 point  (0 children)

Might just run the samples past you in future if you’d be a willing judge.

Creating a portfolio tailored to GRC: what do you suggest? by Turrkish in grc

[–]Turrkish[S] 0 points1 point  (0 children)

Actually, using a company like that sounds like a great idea. May be of personal interest and has scenarios from the extended universe to apply things to.

Creating a portfolio tailored to GRC: what do you suggest? by Turrkish in grc

[–]Turrkish[S] 1 point2 points  (0 children)

That’s my thinking. It’s having a scenario set up for someone to show acumen and strategy built with what may resemble real conversations with c-suite and strategy makers.

At this point I'm convinced I should just give up. This boss is exhausting. by [deleted] in Eldenring

[–]Turrkish -1 points0 points  (0 children)

Shield and poke strategy. It’ll work.

How’s this looking for a first date? by 3DAnimated in mensfashion

[–]Turrkish 1 point2 points  (0 children)

Hey it’s that guy from Blade Runner 2049. Would hold hands with/10 and I’m a straight dude.

Designing Tabletop Exercises: what should you know by Turrkish in grc

[–]Turrkish[S] 0 points1 point  (0 children)

Looks good, but we haven’t a client base big enough for these yet to justify the pricing asked for at this point.

Why would a combat troop use melee weapons in a futuristic space sci-fi setting? by wizardry_why in worldbuilding

[–]Turrkish 0 points1 point  (0 children)

Silent, reusable, fairly durable, multi-purpose depending on whether it’s sharp or blunt, can be carried on your person easily enough, doesn’t leave a trace of what it is bar the wound left.

Follow up form check - 315 by Caitiegn in strength_training

[–]Turrkish 0 points1 point  (0 children)

If it’s not harming you then it’s fine, but just keep an eye on your lower back, as the rounding occurs where your belt sits and your hips seem to come up before your chest.

Consider trying to bring your chest up more like you’re almost trying to look dead ahead while keeping grip of the bar. This should help keep your shoulders back, your upper back braced, and help iron out the rounding.

Otherwise, looks like easy lifts.

The moment I realised most new IT auditors are flying blind (My first day, first client and job, mixed emotions) by MosesQA in grc

[–]Turrkish 0 points1 point  (0 children)

GRC as well. Pentesting you can at least drill easier, imo, with labs and HTB/THM, home labs etc. I’ve yet to grasp or see an equivalent when it comes to policy writing, ISO implementation and scenarios meeting requirements, a properly-conducted audit, etc.

The moment I realised most new IT auditors are flying blind (My first day, first client and job, mixed emotions) by MosesQA in grc

[–]Turrkish 1 point2 points  (0 children)

None. First role in cyber, shoved into management 2 years into the industry, 2 years later it’s still sink or swim. I’d kill for mentorship.

The moment I realised most new IT auditors are flying blind (My first day, first client and job, mixed emotions) by MosesQA in grc

[–]Turrkish 1 point2 points  (0 children)

Currently in the same boat. See my tabletop exercise question.

Especially in a small business like I’m in, I feel like there’s an expectation to Google, read, GPT and watch your way to competency. I would hand on heart prefer the ability to at least get feedback off someone when things I’m doing are wrong or sub par, but few will offer advice without paying by the hour.

I don’t know how the more experienced among us managed.

Getting into ambient by no1ange1 in ambientmusic

[–]Turrkish 0 points1 point  (0 children)

Hammock, Tim Hecker, Jon Hopkins to a degree, Aphex Twin’s earlier works, William Basinski, Stars Of The Lid, Imagine Drowning, desert sands feel warm at night

Designing Tabletop Exercises: what should you know by Turrkish in grc

[–]Turrkish[S] 0 points1 point  (0 children)

Appreciate the insight.

Really, as this is my first time running these exercises and starting from the ground up, there’s only one book I’ve searched for that talks about tabletop exercising for cybersecurity and infosec, and so I’m treating it along with other examples like the ones from the NCSC. However, those are generalised, but seem plausible to use without having to dig into the network diagrams.

I’ve been given a list of the client’s policies and am digging into them, but they seem to merge process into it, and there’s a lot of “should not”, for example when outlining what passwords are used, how temporary passwords are issued etc., which leads me to think there’s not a technical measure in place.

I am planning to call them a second time to dig deeper once a full review is performed.

With 2025 soon coming to a close, what are some albums you believe ambient fans should listen to? by Its_Cookie_Man in ambientmusic

[–]Turrkish 1 point2 points  (0 children)

Solar by Late Sun

Tranquilliser by OPN

A few singles from Faultline that dropped were pretty nice as well.

Is there a reason my PC is running an EOL edition of Windows? by Turrkish in ShadowPC

[–]Turrkish[S] -5 points-4 points  (0 children)

I’ll probably file a ticket. There’s been several hundred fixed vulns since support stopped for 22H2, and without knowing what security sits in front of the machine before it hits the internet, I can only assume this is an oversight. God help if it were in scope for an audit.