Видео

Thank you

Great tips!!

sans undertale?!?!?!?!

Well, technically social engineering is the practice of INFLUENCING others to take a course of action. This can be deceptive, or it can be straightforward. But just as the term 'hacking' has been misrepresented and confused by popular media over the years, the same is happening with SE, sadly. Also, I'm just curious... the advice given for 'defending' against such attacks has been pretty consistent for years - actually, decades - now. So, why are these types of attacks still so successful so much of the time? Because the targets and the timing are both very carefully chosen by attackers to be most effective, and when taking advantage of near-universal human weaknesses, education and training don't really seem to make that big of a difference in the moment when faced with such threats. This is why, although social engineering attacks have gotten more and more sophisticated over the years, the defenses have progressed only minimally. How do we do better, I ask?

Just a small remark: mr Zdrnja is correct that the Dutch government released an "assessment tool" to see if you as a company need to comply with NIS2. And what's really important is that the number of employees in your company is not the only factor. The other condition, apart from being in either a critical or important sector of course, is your revenue and balance. It is not an AND condition, it's an OR. So you can find yourself with 40 employees but still hitting 10 million in revenue and therefor have NIS2 apply to you. In addition, there are a couple of companies which don't fit the employee or revenue criteria but are still in scope of NIS2 because of the critical services they deliver.

Can't finish it, way too much of a star wars groupie.

Thanks for the advice.

Tanya is awesome. As a non-dev, I appreciate the way she plainly and clearly illustrates appsec basics and explains helpful ways to step-by-step mature through appsec. Great guest on a great podcast.

Can’t believe sans did this after the pacifist timeline

10:36 - Classic Stephen Sims.

Sans

This is very good material and well presented thanks

Thanks

I am diving deep into Human Risk Management

Great conversation

This is the best show ever. SANS Institute is awesome! 💚

Great dialogue with your guest, here, @JerichBeason

Love it. He indeed gave really good real-world examples.

This guy is talking to us like a kindergarten teacher lol

What most experts fail to discuss in detail is the fact that the bad guys also have AI and can use it for even more effective attacks.

first

same here, cybersecurity certificateion salary dropdown like anything now. window admin getting better then this.

I am GRC Consultant with a cyber background. I made sure I studied AI in conjunction with my expertise.

Great Vid

"Cyber Rosetta Stone": a useful idea, supported by a great analysis work. The standards comparison and categorisation is awesome, and throws light into how complex our industry is becoming.

Excellent

Undertale reference

Great Job Rich!

Thanks a lot for this talk Chris, it's very valuable to learn about an actual day-to-day workflow of a CTI analyst/engineer

Megalovania moment

enjoyed this webinar any links to resources or the slide deck?

Excellent as always. Thank you!

32:06 This was published in 1984. That’s 30 years ago. And yet we are where we are. What happened? Sheer stupidity doesn’t provide a credible explanation given that there are enough people who are intelligent enough to understand. The only other possible explanation points to ill intent. The same with this cloud stupid madness. Even if I could create something-anything, I won’t. Ever. One has to be utterly irresponsible to put anything in the hands of criminals even if they are disguised as defenders. Do you understand?

This is one course I plan to take!

I would argue that recovery has no place within blue teams . The cyber incident management being referred to here involving recovery is training for ISOs and business continuity. At a certain scale nist 80061 is absolutely essential to sec im and keeps an official record solid for regulatory proof . While I see where you are coming from this becomes mom and pop vs large enterprise reality .

Amazing video!! Love the content!

Threat Vectors

45:20 Listen. You seem to be a decent man and a very good teacher, however… If their stupid incompetence affects me, I can’t be chilled about it, can I? If I were just an external consultant, it would be probably easier. But if my job in that company is at risk and/or if my data is at risk because an idiot up there can’t be bothered…Huston, we have a big problem. And, by the way, this typical Western type of mentality is one of the main causes for the demise of the West.

The best one purple teaming explanation on youtube But not the best explanation

This is so appalling that I had to come back to it. I have a question. Do the candidates know that they are subjected to a psychometric test? Presumably not. How does it fit then with Data Protection/ GDPR and other ethical considerations? (Not that anyone is bothered by law or ethics. I am an idiot, I know). It’s hacking into their minds. Listen. I don’t know who the hell you are and why you are doing this, but if you put my account on a RUclips clone, have the minimal decency to, actually, do a fucking proper job and throw a reply to my comments now and then (hopefully with something intelligent and useful). Morons.

35:35 Thanks for the tip. If I will ever take this test that is obscenely expensive (who can afford it in their first five years of IT work?) and run by robots (because these days humans are unable to think and exercise sound judgement), I will read some Marcus Aurelius in the morning to get in the appropriate mood. I had a look at some questions on a IT website and the first one was ‘Which factor is the most important item when it comes to ensuring security is successful in an organization?’ to which, at least according to this seemingly reputable website, the correct answer is ‘Senior management support’ instead of the common sense one which is ‘Security awareness by all employees’. Not even the highly dubious excuse that this is a ‘research question’ would be good enough for me. Why? Because any test should primarily be about teaching the candidates and improving their practice. Even if they fail, they will know more. But no. This overhyped test not only that confuses them with the so- called ‘research questions’, it, also, deprives them of the opportunity of pondering on relevant issues (because it stops when the bot decides so) and doesn’t provide them with at least an indication as to why their answers were wrong. It doesn’t help their professional development and can have a devastating impact on their self- esteem. All the administrators want is for the bot to tell them who is worthy of having this certification. Its very purpose is selfish and counterproductive. It is rubbish. How did it get to have this aura of excellence is beyond me 😃

30:10 I think you may be a little bit economical with the truth here. Are you sure that the questions with the obviously wrong possible answers do not test something else (such as resilience when faced with frustration/cognitive dissonance and suchlike)?

Great overview. I regularly have the 'IM or IR' question raised to me, and this sums up the answer perfectly. Having also attended LDR553, I can say it's an awesome course.

Can you publish the slides used here?

Really wanted to work on my GCIH cert. Unfortunately, the price isnt something I can afford as a student.

I did SEC-401 in 2022 and it really helped me to get much more than just a security overview!

There's 2 types of people. Grateful people with a positive mindset, who are willing to learn and who will pass the CISSP. Then there are people who complain about microphones which are of adequate quality for the purpose, whilst people were working from home during a global pandemic.

*megalovania*

Expensive but worth it. Whilst saving moneys I am walking through the syllabus and preparing myself with the topics provided. Quite nice course.