ITT: Ask a cyber-security consultant anything

I'm a cyber security consultant

Ask me anything


will the bitcoins go up?

Can smart contracts be hacked?

Do you agree that the wrong side won WW2?

Can you post a proof of your qualifications?

How do I better secure my Windows 7 box?

The fact that there is demand for your profession bothers me.

do i get a virus watching porn on /gif/

can i get a virus just from visiting a webpage?

Yes

Well, I think the crux of the question is "are smart contracts vulnerable". The answer would be yes, through a number of ways.

Not necessarily

What are you looking for? I've got a bachelor of science, major in cyber forensics, information security & management. No professional qualifications, they're only useful if you're in a competitive market like in the US or EU; and even then are overrated. Some of the most cyber-risk illiterate people I've ever known have their EHC, CISSP, CISM etc.

>avira
>malwarebytes anti malware
>comodo firewall with heuristics
>keep a copy of SAS for when you suspect something
>scan everything you download with virustotal
>back up everything in hardcopy; or if you use a cloud service like dropbox; DO NOT map it locally
>apply updates
>god mode: upgrade from win 7. it won't be supported from 2020 onwards and is increasingly vulnerable
These are the only basic steps that, as an average user; you should apply to secure your win 7 box. If you use it for work or in an enterprise setting, consider the following:
>application whitelisting
>patch management
>restricting administrative accounts (role-based access control)
>defence in-depth

Stop fuding black people. Pretty much every black person I've ever met has been sound.

salary?

At first I was going to ask why it bothers you, but remembered that it first bothered me too. So much of what I do seemed like common sense.

But then there's so many other applications of that skillset. Think about organisations that need to rehearse an objective incident response exercise and don't have the internal resources or skillset. Think of organisations (mostly government) which are targeted by APTs and need to determine what happened, particularly through forensics. Think about organisations with complex risk management frameworks / systems and a delineation of IT and OT / SCADA systems (such as critical infrastructure), who are adopting frameworks like NIST and NERC concurrently. There's so much complex work that really, in pursuit of due diligence; requires objective oversight and consultation to ensure best business outcomes are achieved.

Yes, of course.

I am a computer programmer. Can I make the jump to computer security or is knowledge of programming not really useful in this field?

safety of network isolated vms in qubes for key generation?

Is it safe to keep your cryptos on an exchange with 2fa?

$80k aud

>they're only useful if you're in a competitive market like in the US or EU
so you're in a third world country? why do you think anyone cares what you have to say?

the majority of cyber security "consultants" are literally IT staff for private corporations and your security suggestions are all from /g/

how does the virus get onto your machine from a website?

It depends on what avenue you want to take. My advice is to be wary of pigeonholing yourself into purely technical domains. When I started, I wanted to really dive into penetration testing and vulnerability assessments. But I quickly realised that GRC (Governance / Risk Controls) was the way to go.

It offers a wider breadth of more interesting work, it offers better pay / conditions / work-life balance, and opens up so many more opportunities.

With that knowledge, and to answer your question more directly; yes - you can make the jump. Your technical proficiency will help you understand what's going on. But the bigger lessons to be learned are around risk in general. It's always so hard when the following happens:
>penetration tester performs a pen test
>they find that a database is SQLi vulnerable
>they scream and shout about the "critical" and "extreme" nature of the risk
>the business doesn't really care though, because that database contains outdated and 12-year old contractor information, such as first names / last names / company names
>but muh SQLi

Learn to translate technical vulnerabilities into risks, and then understand their business impact. Ask "So what?" repeatedly, over and over; until you can boil down a finding into a single, impactful, meaningful statement. Here's an example:
>SCADA system for a steam turbine uses default credentials (So what?)
>that SCADA system can be remotely accessed by a malicious entity (So what?)
>that SCADA system can be made to do unauthorised things by a threat actor (So what?)
>that SCADA system can be made to operate its underlying processes in dangerous ways (So what?)
>there's an increased likelihood that safety parameters will be exceeded (So what?)
>people might die
All of a sudden, some stupid default credential technical-thingy (this is how execs and boards perceive this) turns into the most important risk of all: health and safety.

This is a connection that many tech guys fail to make.

is this legit?

Well, it's better than no 2FA

Can't see what security risks you're trying to mitigate here. Are you an intelligence agency? If not; I would suggest a simpler solution (maybe something as simple as a hardened mint environment).

I can confirm that neither of your suppositions are true. /g/ is the embodiment of all that is wrong with technical professions these days:
>the size of your technical dick is all that matters
>hurr durr I'm smarter than you
It's pathetic

There's a couple of ways. In layman's terms; a hacker can hack a website and host viruses on it. They can also embed viruses within legitimate files you download (like Kaspersky when their anti-virus software got loaded with malware, and thousands of users downloaded infected anti-virus software). Additionally, deliberately malicious websites can trick you and your browser into activating certain features that allow malware to make its way onto your computer.

In technical terms:
>iFrames through persistent XSS
>java drive-bys
>mismatch in file hashes (uh-oh!)
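The "mismatch in file hashes" point above (and the "scan everything you download" advice earlier in the thread) is the one a user can actually check for themselves. The following is an added example, not code from any poster: it streams a downloaded file through SHA-256 and compares the result against a sha256sum-style hashes file of the kind many projects publish next to their downloads. The file name, hashes-file layout and sample bytes are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large download never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse sha256sum-style lines: '<hex>  <name>' (text mode) or '<hex> *<name>' (binary mode)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if not name:
            digest, _, name = line.partition(" *")
        digest = digest.strip().lower()
        name = name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {line!r}")
        expected[name] = digest
    return expected


def verify_download(path, sums_text):
    """Return 'ok', 'MISMATCH' or 'UNLISTED' for the file at `path`."""
    expected = parse_sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return "UNLISTED"
    actual = sha256_file(path)
    # Constant-time comparison: harmless here, but the habit matters when the
    # same comparison guards a token or a MAC.
    return "ok" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"


def demo():
    """Constructed walk-through: publish a correct hash, verify, then tamper with the file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.bin")
        payload = b"A" * 3000 + b"constructed installer bytes"  # constructed sample download
        with open(path, "wb") as f:
            f.write(payload)
        published = f"{hashlib.sha256(payload).hexdigest()}  installer.bin\n"
        before = verify_download(path, published)
        with open(path, "ab") as f:            # simulate a tampered download: one byte appended
            f.write(b"\x00")
        after = verify_download(path, published)
        # A hashes file that lists a different file name tells you nothing about this one.
        unlisted = verify_download(path, published.replace("installer.bin", "other.bin"))
        return before, after, unlisted


if __name__ == "__main__":
    print(demo())
```

The hash only proves the bytes match what the publisher listed; if the hashes file was fetched from the same compromised server as the download, both can be swapped together, which is why a signature over the hashes file (or a hash obtained out of band) is the stronger check.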

I have an information systems bachelor's and am currently working my first IT/data job, next step I want to do is either Systems analyst or get into the security side for the healthcare industry. Any suggestions on which route and how to make the leap from an entry level position that is basically just me teaching myself everything I need to know to do my job?

I am actually good at dumbing shit down for people or relating with people at their level so this could be a possibility. I will think about it thanks.

>i save lives by telling my boss not to use the default login information

Daily reminder that Mt.Gox had 2fa

One other question. Regarding your "so what" point. Are you not allowed to fix things unless your clients can demonstrate that if the issue isn't resolved serious damage may occur?

This is more common than you think

You'd be surprised how many business routers have a default login.

I change the DNS servers and bam, pwned

I agree with about half of these. Only a third of those that I agree with actually address security risks. Here are the best chunks from that for the average, everyday user who simply doesn't want to get viruses (in order of priority)

>Install reasonable security program
(two points on this: (1) the term "security program" makes me doubt this person works in cyber security, along with the term "DFIR". (2) ESET (particularly ESET-Nod32) is great for post-incident response; i.e. when your machine got rekt by malware - but for regular anti-virus it's average)
>Install a password manager of choice. Keepass, 1password etc.
(Keepass is great. In addition to this; leverage platforms like mailinator and mytemp.email. Use these and random-generated passwords from keepass to sign up / register for services you're unlikely to use often. Re-used passwords are really one of the most common ways people get pwned nowadays, because data breaches are so damn common)

That's it. The rest is really nonsense for average users, overkill, privacy-focused to the point of introducing vulnerabilities / inconvenience which outweighs benefit; and is not reasonable.

thanks for the reply

Antivirus of choice?

Teaching yourself is genuinely one of the most productive ways to get into the industry if done correctly. I started off (after discovering my love for hacking shit) by ETHICALLY AND RESPONSIBLY reporting vulnerabilities in government (military, police, aerospace etc.) websites to my federal CERT. Be fucking delicate as fuck with this and really, I wouldn't recommend it unless you're confident in understanding the grey-areas. I also reported vulnerabilities to companies. Ironically, I reported an xss vulnerability to Mt. Gox before they got pwned. Got a thank-you email from their vice president. Wish I still had it, it would be historic. Eventually this led to thank-you calls, recognition and even a hand-signed letter encouraging me to find employment in info-sec from the executive director of our federal CERT. I put this on my resume, and got to work on my own cyber security consulting business when I was in uni. I got experience with clients and gained an understanding of the nature of consulting.

This culmination of self-driven learning is what I think got me hired. I would encourage you to pursue or consider the same; particularly with your IT skillset and qualifications behind you.

Look at getting real security experience before diving into CISSP, CISA, CISM etc. etc. qualifications. Consider whether you want an internal role (like a SIEM analyst) or an external-facing, consulting role. I know I am thankful I took the consulting route and will now never be able to do internal work. I turned down 2 job offers from intelligence agencies because I value this work so much, and it's so enjoyable.

do you prefer ollydbg or x64dbg

Your client will only care (i.e. will only consider) fixing something if you can demonstrate that it's a risk. Otherwise, 'why should we care?' is the response; which leads to the original point. You've asked a very good question which so many technical / security-focused guys fail to ask.

Ironically, this: I watched a 30-billion energy trading company crumble, literally implode due to default credentials.

Also, I'm a consultant; I tell other-people's bosses to not use default login information.

Something to consider (which is also a cool thing) for those looking to get into cyber security consulting: your core customer will be the board. You'll be directly reporting to the client company's board of directors, or CEO, or C-suites in general. At the very lowest level, you'll be reporting to an audit or risk committee on the board.

Avira is probably the best free option in my experience. But it has to be coupled with anti-malware and ideally a good firewall solution too. For anti malware, there's really no better option than Malwarebytes Anti Malware. For personal-use firewalls, look at comodo.
>reminder: these only work as concomitants of each other. simply implementing one of these WILL result in you getting rekt some day.

It amazes me that you are copypastaing my post from yesterday. Good job user, keep up the good work

The last time I touched any debuggers was in university. But for dump file analysis anyway, it hardly matters if you use x86 or x64.

>Can't see what security risks you're trying to mitigate here. Are you an intelligence agency? If not; I would suggest a simpler solution (maybe something as simple as a hardened mint environment).
yeah fair enough, i wasn't very specific. I want my private crypto keys as safe as possible. my current protocol is:
>'airgapped' debian vm in qubesos
>generate private keys
>encrypt into veracrypt container using 30+ character password, PID and multiple algos
>move to networked vm and upload to various servers for global access
when i want to make a transaction i create an online watch-only wallet vm and another 'airgapped' vm for a signing wallet so the private keys theoretically never touch a system connected with the outside world.
i understand if this process is needlessly complex and autistic but i enjoy it.
can you see any glaring flaws?

should I change my degree in cyber security if i don't enjoy it at all?

Like most overly complex systems you can disable by a few passwords, it suffers from a rubber hose attack.

If you're implying that my response here ( ) was copypasted, I don't know how you got that idea seeing as I literally typed that there and then. Maybe copy-paste and google my response and see if you find any hits, then claim that I've managed to copy-paste a response to a screenshot about a particular topic that may have been discussed yesterday on another thread on probably another board.

>>avira
>>malwarebytes anti malware
>>comodo firewall with heuristics
>>keep a copy of SAS for when you suspect something
>>scan everything you download with virustotal
>>back up everything in hardcopy; or if you use a cloud service like dropbox; DO NOT map it locally
>>apply updates
>>god mode: upgrade from win 7. it won't be supported from 2020 onwards and is increasingly vulnerable
stopped reading here

If you want to be poor

well that's my current dilemma. do i work in a job i hate all my life or do something that i enjoy with less pay.

>rubber hose attack.
>In cryptography, rubber-hose cryptanalysis is a euphemism for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture[1][2]—such as beating that person with a rubber hose

wait what?

you're not wrong
i think a coming trend will be home invasions of known crypto hodlers for their ledger seeds and whatnot.

retard confirmed

He's a spammer

Should I create a different mail and password for every single thing I sign up to?
-What's the safest mail?
-What's the safest password+username combination?

Will written passwords be a thing of the past and soon we'll only need confirmations based on IP, location, computer name, phone number, SMS code, etc?

Thanks for the info, I have 0 confidence in my vulnerability testing skills and suck at programming so learning on my own by trying to breach companies sounds like a bad idea.
>sir you broke several laws and put a lot of our data at risk
>I-I-it was a prank bro! Just trying to teach myself! Pls gib job!
I'd like to get into a more administrative/social role. I genuinely think I have good leadership skills, which is why I was leaning towards systems analyst. I like working and interacting with people as opposed to sitting in front of a screen in a cubicle all day writing code (I think I'm shy a few IQ points to be a good programmer; I had to work wayyyy harder and longer on coding assignments in uni than the kids who were just naturals at it). Am I too much of a brainlet to be the boss of the code monkeys? Or can I get by as long as I get them producing the results needed for upper management?

Yes, most definitely man. If you're not liking it, don't study it. You'll probably hate it.

But there were a lot of aspects to my degree which I didn't enjoy, particularly the needlessly technical aspects. I get most satisfaction out of broader GRC stuff, so if you're really motivated to get into the industry; stick with it, knowing that you'll be able to apply GRC skillsets in consulting or info-sec management.

But the fact that you're not enjoying it is not a good sign.

>any glaring flaws
You could go into the details of the fact that airgapping won't do a thing if those servers get pwned. In fact, I would say that if you're managing those servers yourself, there's probably a higher chance that your keys are vulnerable. All it takes is one RAT.

You could go into considerations around the very service you use to sign into your wallets getting pwned and thereby mitigating any controls you have in place, but there's little to do about that anyway aside from trusting your chosen platform.

The only glaring "flaw" I see is inconvenience (and continuity - what happens if you die, or if the machine your qubesos instance is on gets destroyed by water when a fire alarm goes off? Or if the roof caves in in bad weather?).

But if the inconvenience is something you enjoy (I can relate), then by all means; 10/10 for being two-steps ahead of the rest of the game.

My last job was at a multi billion dollar company. We got hacked by the Chinese who got into some of our software. The only way we knew they got in was because the hackers also hacked my personal bank account.

Moral of the story is your work network might not be safe.

could you rate anonymity level of spectrecoin?

Great, care to justify how anything I said doesn't align with better practice for the standard user? Are you really suggesting that using an outdated OS is a safe approach to security regardless of your risk posture? Also, /g/ confirmed

/g/ confirmed

Yes, absolutely. I do, and it's so simple with Keepass. Back up your .kdbx file offline for continuity. Use the longest password the service will support, and use high ASCII characters. The key is the LENGTH of the password, not the complexity.
>"sometimes I wish mommy would gimme milky, nice and tasty please be hasty"
^^This is a better password than:
>"R8aBBKaH8"

where should one start, if I want your job?

hacking games?

If i have a comp sci degree but no knowledge of cyber security, what steps should i take to get into the industry? just read a lot of cyber sec books until i feel confident enough? or any courses i should consider?

Also; for free email services, for most users the most secure and convenient balance will be gmail with 2FA enabled.

For better practice, use something like protonmail.

For better practice, and a more professional look, buy your own domain and use your own mailserver (BUT MAKE SURE AS FUCK it is updated regularly, patched, and if you're using O365; activate advanced threat protection and strict filtering).

>safest password+username combination
I've detailed password security already here: but as for usernames, I do the following:
>use mailinator or mytemp.email for services I'll never use again and don't contain any identifiable information
>I'll make my usernames random character mashes, like "AWRfoerljgf3a"

I used to (with my own business) do background checks, fraud investigations and OSINT. This is all small trails in the OSINT breadcrumb which you can break, and it serves a few key purposes:
>firstly, makes it harder to identify you and pwn your shit through re-used passwords and emails. when I used to be an edg3lord blackhat, it'd be so easy to pwn people through already pwned databases
>their user+pass would be [email protected]:iloveapples123timtam130662
>you could tell that the password is simply two passwords put together
>try login to hotmail with "[email protected]" and "iloveapples123"
>doesn't work
>"[email protected]" and "timtam130662"
>bingo
>see linked services
>don't even have to reset their password, just use "iloveapples123"
>bingo again
etc. etc.
additionally, it serves to obfuscate your use of consistent (or variations of) usernames and behaviour.
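The reuse chain above (one credential leak, then the same or a concatenated password tried elsewhere) is something you can audit on your own side before anyone else does. The following is an added example, not the poster's code: it reads a password-manager export in the common title/username/password CSV layout and reports exact reuse plus passwords that are contained inside another one (the "two passwords glued together" pattern). The export, the account names and every password in it are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in the CSV layout many password managers produce.
# All entries are illustrative; none are real accounts.
SAMPLE_EXPORT = """\
title,username,password
Hotmail,alice.example,iloveapples123
Webshop,alice.example,iloveapples123timtam130662
Forum,AWRfoerljgf3a,Kq7!vT2p#Lm9zR4w
Bank,alice.example,timtam130662
Gaming,alice_ex,iloveapples123
"""


def load_entries(csv_text):
    """Parse the export into a list of {title, username, password} dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_exact_reuse(entries):
    """Map every password shared by more than one entry to the titles that use it."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["title"])
    return {pw: titles for pw, titles in by_password.items() if len(titles) > 1}


def find_related(entries, min_len=8):
    """Pairs of entries where one password is contained in the other.

    Catches the concatenation / variation pattern (secretA + secretB, secretA2024).
    `min_len` stops trivially short substrings from being flagged.
    """
    related = []
    pairs = [(e["title"], e["password"]) for e in entries]
    for i, (title_a, pw_a) in enumerate(pairs):
        for title_b, pw_b in pairs[i + 1:]:
            if pw_a == pw_b:
                continue  # exact reuse is reported separately
            shorter, longer = sorted((pw_a, pw_b), key=len)
            if len(shorter) >= min_len and shorter in longer:
                related.append(tuple(sorted((title_a, title_b))))
    return sorted(set(related))


def audit(csv_text):
    """Run both checks; a clean vault returns empty results for each."""
    entries = load_entries(csv_text)
    return {"exact": find_exact_reuse(entries), "related": find_related(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for pw, titles in report["exact"].items():
        print(f"reused across {titles}: {pw!r}")
    for a, b in report["related"]:
        print(f"related passwords: {a} <-> {b}")
```

Every entry that shows up in either list is one to rotate to a generated password, starting with the accounts that can reset the others (mail providers first).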

>Great, care to justify how anything I said doesn't align with better practice for the standard user?
yes. first of all, nobody cares about "standard user's" porn/hitler folders. so all that bloatware you've suggested is a complete waste of space/resource.

second, even if you have 1 million in crypto, that's still overkill for a standard user. here's how to stay comfy and secure:
>get windows 10
>keep updates always on
>keep windows defender and don't install meme antivirus bloatware
>don't open shady site
>don't download viruses
>backup important stuff on physical drives/cloud
>use different passwords and 2fa authentication
>backup your shitcoin's wallet seed on paper and in cloud

and that's it, you are 100% safe. if you can't remember different passwords then choose a short password, concatenate the website's name and do SHA1 or MD5 of it and use the first 10 chars as password
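Two password claims in this thread can be put side by side with numbers: the earlier post's point that the long sentence beats "R8aBBKaH8" because length dominates, and the "short password + site name, hash it, take 10 chars" scheme just described. The following is an added example, not either poster's code. It estimates guessing entropy under two attacker models (uniform over the character classes used, and uniform over a word list, with the 20,000-word vocabulary being a constructed assumption) and shows that the hash scheme's strength is capped by the short master secret, since every site password is a deterministic function of it and the site name is public.

```python
import hashlib
import math
import string


def charset_bits(password):
    """Entropy if the password were uniformly random over the character classes it uses.
    This is the keyspace a blind brute-force attacker has to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation + " " for c in password):
        size += len(string.punctuation) + 1
    return len(password) * math.log2(size) if size else 0.0


def wordlist_bits(passphrase, vocab_size=20_000):
    """Entropy if each word were picked uniformly from `vocab_size` words.
    A natural sentence is less random than that, so treat this as an upper bound
    for the dictionary-attack model (vocab_size is a constructed assumption)."""
    return len(passphrase.split()) * math.log2(vocab_size)


def derive_site_password(master, site):
    """The scheme from the post: sha1(master + site), first 10 hex characters."""
    return hashlib.sha1((master + site).encode()).hexdigest()[:10]


def derived_scheme_bits(master):
    """Effective strength of that scheme.
    The 10 hex chars carry at most 40 bits, but because the output is a deterministic
    function of (master, public site name), it can never exceed the master's entropy."""
    output_bits = 10 * 4
    return min(charset_bits(master), output_bits)


def compare():
    """Put the thread's two example passwords and a short master secret on one scale."""
    passphrase = "sometimes I wish mommy would gimme milky, nice and tasty please be hasty"
    short = "R8aBBKaH8"
    return {
        "passphrase_charset_bits": charset_bits(passphrase),
        "passphrase_wordlist_bits": wordlist_bits(passphrase),
        "short_charset_bits": charset_bits(short),
        "derived_from_short_master_bits": derived_scheme_bits("pass1"),  # constructed master
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:32s} {bits:6.1f} bits")
    print(derive_site_password("pass1", "example.com"))
```

Even under the pessimistic word-list model the sentence lands well above the nine-character string, and the hashed scheme built on a five-character master is weaker than both: a randomly generated password from a manager sidesteps all of this.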

No, not with any confidence as I've never looked into spectrecoin at all

>set up test environments and pwn them
>get metasploitable2, and run through it
>look at CTF "capture the flag" challenges
>read a fuck-tonne, and I mean every day (I think you genuinely have to love it to be driven enough to learn it thoroughly)
>play around with things like Kali or mercenary (mercenary is not recommendable though as it's not the best)
>familiarise yourself with the standard attack methods, and exercise them in test environments (SQLi, XSS [persistent / reflective / DOM-based etc.], RFI / LFI, buffer-overflow if you're more into programming)
>learn about the concepts of information-security (Confidentiality, Integrity, Availability)

There's so much to teach yourself; it's excellent. There's no shortage of places to start. Make sure you're confident you love it, and dive headfirst into it. Good luck and have fun!

For career choices, particularly in consulting; you really need a technical degree. Doesn't necessarily have to be IT security specifically, but at least computer science.

See above reply, and also: I can't stress how important it is to grasp and be able to apply these concepts of risk. It's the steepest learning curve I faced.

thank you very much appreciate everything you posted

>first of all, nobody cares about "standard user's"
Well actually, standard users should care about that. You'll find it's well over 90% of computer users in general.

>keep windows defender and don't install meme antivirus bloatware
At this point, I realised this was bait. I must commend you though, as even though I know this, simply reading this line frustrated me and made me cringe. I'll let you have this win.

No problem; best of luck!

Thanks for this post OP, you give this helpdesk-jockey vision.

You're gonna make it breh

>>first of all, nobody cares about "standard user's"
i said "nobody cares about "standard user's" porn/hitler folders" and guess what: nobody does

>At this point, I realised this was bait. I must commend you though, as even though I know this, simply reading this line frustrated me and made me cringe. I'll let you have this win.
good, because you don't even need an antivirus if you don't go on .cc websites downloading keygens and cracks

>b-b-but somebody might write a custom exploit and hack me!
no, nobody will because nobody cares about your shitcoins.

on the bright side i've read your posts and i agree with them if we talk about security for a big firm/corporation

>i said "nobody cares about "standard user's" porn/hitler folders" and guess what: nobody does
What about those standard user's (i.e., your) bank account details? Or Government log-ins? Or saved tax / income details? Or health records (the most valuable type of identity information to threat actors)? Or work emails? Or insurance details? Or invoices?
Or blackmail-material, such as those very porn/hitler folders you've mentioned? It's fine to say that nobody cares about that, but there is a multi-trillion dollar industry and *literally* hundreds of millions of incidents and people which concertedly undermine your argument. Think about the pajeets, user, think about the pajeets who move mountains for a couple hundred dollars. It must be at least three to five times a week that friends, family and acquaintances desperately ask for help. Literally 4 out of those times, that help wouldn't have needed to be asked if the steps I've outlined were followed. I understand your reasoning and respect your point of view because I used to, a long time ago, kind of think slightly similar things. And I know through bitter experience that a lot of people operate on the same assumptions as you do, and make the same decisions as you recommend. And that's fine - if you've determined your risk appetite, thought about your approach to security and *truly* determined that it's the best approach for you? Fine - there's nothing I can do (no matter how much professional experience, skillset or convincing skills I have) that will convince you otherwise. I just implore others reading this to think twice, and objectively consider:
>how much risk will you accept?
If the answer is "nigger idgaf lol", then whatever - follow this user's advice then. If the answer is anything equal to or greater than "I don't want to get hacked", then ignore his advice.

>good, because you don't even need an antivirus
I PUSH MY FINGERS IN MY EYESSSSS

Good luck man

>What about those standard user's (i.e., your) bank account details?
every decent bank gives you 2fa with a physical thingy, so there is no way to hack it unless you steal it from my house

>Or Government log-ins?
yeah, every "standard user" does those, sure

>Or saved tax / income details?
again, who cares?

>Or health records (the most valuable type of identity information to threat actors)?
yeah, the typical "standard user actors"

>Or work emails? Or insurance details? Or invoices?
nobody cares about the last 2. work stuff should be handled on a different work pc, where stuff you said is actually necessary

>Or blackmail-material, such as those very porn/hitler folders you've mentioned?
yeah, because blackmailing poor wagecucks is the most lucrative thing a pajeet can do

>It must be at least three to five times a week that friends, family and acquaintances desperately ask for help. Literally 4 out of those times, that help wouldn't have needed to be asked if the steps I've outlined were followed.
that help would've been needed even if they've followed the steps i've listed.
90% of normies get hacked by clicking on a malicious link, and that's it. just don't click on shady stuff on the internet and don't reply to phishing mails.

>how much risk will you accept?
by following my steps the risk of your hdd breaking or your house getting on fire is way higher than that of getting hacked by a pajeet

>I PUSH MY FINGERS IN MY EYESSSSS
there is no need for antiviruses if you don't go online searching for them and keep your system updated. windows defender is more than good enough

is a combination of malaware and windows defender decent enough if you think of yourself as reasonably savvy enough not to download too much crap?

No, unfortunately. Defender has been repeatedly, demonstrably vulnerable to Windows exploits. These are the same kind of exploits which digital wildfires like Wannacry and NotPetya leverage. Anti-virus solutions have signatures informed through global, real-time threat intelligence which Defender simply can't match. Additionally, the heuristics native to standalone anti-virus solutions have never been rivaled by windows defender. It's not even considered a reasonable anti-virus solution by governing security bodies, and isn't even tested against by Virustotal for these reasons. Having antimalware / antispyware will help too, but not having antivirus is just simply not justifiable in most (and I mean 99%) of circumstances (the exception being completely unusual, exceptional circumstances by which I can almost guarantee don't apply to you or me or any of you anons reading this).

Just get free antivirus like avira. It's free, quick and the benefits FAR outweigh the disadvantages.

Alright, chief. Thanks for the advice.

Absolute noob here just starting out. How long can I rely on a trezor hardware wallet for, before moving onto more advanced security protocols? Don't have much at stake for now

i work for the cyber police. my name is Chet. do we know each other?

What are your thoughts on avast antivirus and vpn?

Also why has windows 10 brought my computer to a screeching halt since November?

No sir mr policeman sir

Hardware wallets are not *necessarily* any more secure than a well-protected computer with appropriate controls to mitigate risks of malware, or hacking.

In fact, a hardware wallet presents more risks concerning its loss or misplacement. Same for paper wallets.

As long as you take care of it and don't share it, you'll be safe with a hardware wallet.

Hey OP I started a cyber security focused company with a secure cloud storage product and wanted to know what's the best way to get into GRC? Certifications? Or learning on your own?

Au in Id
I'm a forklift driver on 150k aud
Ama

Avast isn't bad, though I remember making lots of metamorphic malware back in the day and avast wouldn't even blink at it. It's not high up on heuristic detection / false-positive ratio. I would recommend Avira over avast.

A VPN is only as good as its quality against intended use. If you're looking to bypass government surveillance because you're doing some seriously shifty shit, then a commercial VPN is probably not going to cut it - as they can be subpoenaed just as any other company can. You should be looking at underground / bulletproof hosted VPN's for that kind of stuff.

If you're looking at circumventing censoring and preserving privacy in general, then yeah an average VPN is fine. In terms of eliminating your online footprint, there's better more immediate steps to take; such as:
>using separate email accounts for separate services
>using random character-mash ("asfo3w4efrs") or completely randomly chosen usernames
>N E V E R reusing passwords

Most privacy (specifically anti-dox) tips are centred on being consistently conscious of what you post online.
>for example, a screenshot of an error code you've posted on a technical forum
If it's not cropped, and even if it is; from this I can gather: (cont)

>what OS you're using
>what timezone you're in and therefore where you are in the world
>what applications you run, and therefore what to target
>filenames, and therefore how to target things specifically (for example, filenames like "client payroll.txt" or "PNL 2016.pdf" could indicate what line of work you're in)
>your general technical proficiency, and therefore how best to target you
>your interests (i.e. hunting video games or first-person shooters or steam application)
>your communication channels (i.e. is skype visible on your application tray?)
>your first-spoken language
>further technical system information, which can lead to the layout of your folder structures (which gives away more personal information: C:\Users\AaronExampleton\)
The above could lead to knowing
>Aaron Exampleton
>Ontario
>Works in accounting
>interested in fishing games (can extrapolate to interest in fishing)
>has skype
>uses adobe (.pdf's on desktop)
>uses ms office (.docx's on desktop)
I would then look for you on social media, including linkedin. Could find out what company you work for and therefore a work email address. If I found you on facebook, I could determine a username and would use a site like graph.tips (check it out) to determine what bars you visit, what music you like and what food you eat. I could then determine:
>Aaron visits the 'Wave Bar'
>Listens to 'Autismo Pride', a local band
>loves pizza

From there, I would send your work email an email titled something like "Aaron - Free Pizza + Tickets to Autismo Pride at Wave Bar!" with a .pdf containing tickets. It would be infected with a polymorphic RAT, or another trojan which exploits outdated adobe versions.

If that didn't work, I'd pivot. With a username, I would iterate variations till I found you on skype, would resolve the IP from that & social engineer my way into your user account on your ISP (this is trivial- it's how that 15 year old got the CIA & FBI director's email accounts)

cont...

With access to your ISP account I could extract billing information and linked accounts. I would iterate from your recovery email address (if I hadn't already from social media) to find your personal email address. From there, I would send targeted emails with titles like "Hey Aaron, keen on fishing next weekend?" with text saying something like "found this place not far out from Ontario, what do you think?" with an infected .docx attachment. Or, I could send something like "Steam Promo! Free 'FishingProv2' Today Only!". There'd be an infected .jpg file with the "promo code" inside it.

From there you're pwned. If it doesn't work the first time, I'd try and try again until it does.

A VPN wouldn't help that at all. But simple consideration of what information you share, and basic security steps (such as good antivirus) does help. Consider the benefits vs the cost. Good luck!

>also, ironically; that windows update issue is due to an updated version of windows defender.
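The post above lists authorship fields and folder paths as things a document gives away. As an added example (not the OP's code), the script below builds a minimal constructed .docx in memory, harvests the fields an attacker reads out of docProps/core.xml and docProps/app.xml (creator, last modified by, company, manager, application), and then writes a scrubbed copy. The names and company in the sample are invented; everything else uses only the Python standard library.

```python
"""Harvest and strip the authorship metadata an Office document carries.

Added example: the .docx here is constructed in memory (only the parts that
matter for metadata), the names in it are invented.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespaces of the two metadata parts inside an OOXML (.docx/.xlsx/.pptx) package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in (("cp", NS["cp"]), ("dc", NS["dc"]), ("", NS["ep"])):
    ET.register_namespace(prefix, uri)  # keep the original prefixes when re-serialising

METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")

# Qualified element name -> label. These are the fields worth harvesting or scrubbing.
SENSITIVE = {
    f"{{{NS['dc']}}}creator": "creator",
    f"{{{NS['cp']}}}lastModifiedBy": "last_modified_by",
    f"{{{NS['ep']}}}Company": "company",
    f"{{{NS['ep']}}}Manager": "manager",
    f"{{{NS['ep']}}}Application": "application",
}

# Constructed sample parts (invented person and company)
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">
  <dc:creator>Aaron Exampleton</dc:creator>
  <cp:lastModifiedBy>AaronExampleton</cp:lastModifiedBy>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <Company>Example Accounting Ltd</Company>
  <Manager>Jane Exampleton</Manager>
</Properties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Smallest zip that looks like a .docx for this purpose (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
    return buf.getvalue()


def harvest_metadata(docx_bytes: bytes) -> dict:
    """What a recipient (or attacker) learns without ever opening the document."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in METADATA_PARTS:
            if part not in z.namelist():
                continue
            for elem in ET.fromstring(z.read(part)).iter():
                label = SENSITIVE.get(elem.tag)
                if label and elem.text:
                    found[label] = elem.text.strip()
    return found


def strip_metadata(docx_bytes: bytes) -> bytes:
    """Copy the package with the sensitive fields blanked; every other part is untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in METADATA_PARTS:
                root = ET.fromstring(data)
                for elem in root.iter():
                    if elem.tag in SENSITIVE:
                        elem.text = ""  # keep the element so the part stays schema-shaped
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def part_names(docx_bytes: bytes) -> list:
    """Parts present in the package (used to check nothing was dropped while stripping)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return sorted(z.namelist())


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", harvest_metadata(doc))
    print("after: ", harvest_metadata(strip_metadata(doc)))
```

Word, LibreOffice and most DLP tools read exactly these two parts, so checking them is a cheap pre-send control; the same approach applies to .xlsx and .pptx, which share the docProps layout.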

Best way is through real experience. It depends on how you want to apply it. If you want to consult in GRC, then get experience and if you need to, get a CISM certification or even CISA cert.

If you're looking at demonstrating your company's understanding of GRC, then look towards adopting frameworks like NIST CSF or NIST 800-53. If you want to really demonstrate your commitment, look at getting an ISO27001 or ISO2003 accreditation.

Protip:
>many organisations claim to be ISO27001 certified, and this is loved by clients
>they don't know that ANYTHING can be in-scope for ISO certification
>you can get a desk-chair ISO27001 certified, and then claim to be ISO27001 accredited
>it's still expensive as fuck though and requires an independent audit (with a lead auditor involved in certifying)

I said "ISO2003", I mean to say "ISO3001". Alternatively, and more appropriately for cloud solutions; you could look at ISO/IEC27017 accreditation.

What's your opinion on Black Mirror? Do you think some of the developments in it could happen in reality any time soon?

Black mirror is cool (latest season was pure dog shit though).

I think there are some interesting thought processes behind it and, while perhaps not particularly accurate, it gets people thinking about the future consequences of rapid IT developments. Here are some I can conceive of being reasonably feasible.

>Automated hacking AI which, of its own discretion and choosing; circumvents security, plants itself 'advanced persistent threat' style across billions of devices, and then waits for commands.
Imagine, suddenly, your phone explodes because it's been overclocked to dangerous levels. At the same time, every device you can think of starts melting due to overheating, and breaks. Think of things like Stuxnet and WannaCry. Recently, there was malware discovered on government systems that had been lurking, evolving and maintaining persistence on its own since around 2008. That's incredible. Imagine you wake up one day and all the lights are out, telephones don't work, traffic lights are non-functional, police dispatch is out, building alarms are non-functional. Pure panic would ensue.

>broadcast of malicious instructions to machine chip-sets in cars, via standard radio station broadcasts
This has been demonstrated. I actually wrote a kind of thesis on this. Imagine that, instantaneously, hundreds of thousands of cars in a single city simultaneously deploy their airbags, lock the doors and accelerate to 100% with brakes disabled. This has already been demonstrated as possible, and all it takes is one hacked radio tower or GSM station to work against modern cars (most post-2013 models). There would be hell, and probably some of your friends and family, or you, could die.

>simultaneous corruption of CAT-III ILSs
Imagine that, at once, all automated landing systems at airports within a country tell aircraft computers that they're actually way too high and way too fast, a hundred feet off the runway. Planes would plummet, and thousands would perish.

Longer term, here's some wider societal implications.

>3d printing
3d printing is taking off. We've been able to 3d-print organs. In the next few hundred years, we'll be able to de-atomise most matter and construct whatever we want.

What happens when we can 'print' diamonds, gold and oil? What do we do when we can 'print' the most expensive materials and substances on earth? What happens when existing 3d printers at the time can print all the required parts to develop a 3d printer which can print anything?

Furthermore, what happens when AI overtakes the capacity of the brain? Already we have machines which are all-in-one lawyers which you speak to. Next will be doctors. What happens when machines are able to do your taxes, police streets, clean rubbish, build houses, move furniture, cook food and write smarter code than we could ever conceive? What happens when machines can answer the questions we never had any hope of even dreaming of?

When everything's working for us and we can achieve anything we want, what becomes our goal? What happens when poverty is eliminated, disease becomes extinct, and our energy stores are unlimited?

Natural thinking says we head to the stars. But why? If machines can go there faster than us and learn more, more accurately; what could we hope to achieve? If all the value we can really gain is nice scenery; what's the point? If there's no struggle to drive, or challenge to overcome, what's the purpose that underpins us as an existing, sentient collective of beings?

Anyway, that's a tangent and a half.

And THAT'S why this country will collapse. When the absolute most retarded scumbag morons I have ever encountered are earning $200k+ per year in the mines digging holes, that's when you know things aren't adding up.

I need a gig before I start studying in september.
Only have experience with 1st and 2nd level support. How long does it take me to read up and experiment to get into cyber security at a level that a company would want to hire me (possibly even while I study, part-time)?
Not joking

Probably not going to happen if you can only work part time, with no prior cyber security experience.

However, for general career advice, see the following posts:

Unfortunately all-too-common. Particularly with complex and serious cyber security incidents, organisations take months to discover they're even hacked. By this point, often logs are wiped, evidence is destroyed and it's too late to really do anything about it.

Tell your company to look into the four phases of incident response
>Planning
Risk-based approach to determine what incidents your organisation is most likely to experience; and the most effective way to deal with them
>Detection & Analysis
Where, from your risk-based approach, you implement detective controls to know when an incident is occurring, and analysis procedures to understand exactly what's happening.
>Containment (1/3)
Where, with your understanding of what's happening, you stop it spreading and immediately minimise impact
>Eradication (2/3)
Where you halt the incident and eradicate the vulnerabilities that let it happen
>Recovery (3/3)
Where your business services are able to be delivered as per a normal state
>Post-Incident Analysis
SO IMPORTANT and so overlooked. Drilling into lessons learnt to identify how the incident happened, what it did, what worked to resolve it, and what went wrong. This then feeds back into the first phase, Planning, to better respond next time.
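The Detection & Analysis phase above, and the point that evidence is usually gone by the time anyone looks, are easier to picture with something concrete. The script below is an added example, not from the OP: a detective control for one common incident (SSH password brute-forcing) run over a constructed syslog-style auth log, plus the first thing an analyst does once it fires, which is to snapshot and hash the related lines so that later tampering or a log wipe is detectable. Host names, IPs, user names and the log year are invented, and the thresholds are assumptions you would tune from your own risk assessment.

```python
"""Detect an SSH brute-force burst and preserve the evidence behind the alert.

Added example. The log lines are constructed (RFC 5737 test addresses,
invented host and users); syslog omits the year, so one is assumed.
"""
import hashlib
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample auth log: a password-guessing burst from 203.0.113.7 that
# ends in a successful login, one ordinary typo from 198.51.100.9, one key login.
SAMPLE_LOG = """\
Jun 14 03:12:01 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 14 03:12:04 fileserver sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Jun 14 03:12:09 fileserver sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 14 03:12:15 fileserver sshd[2107]: Failed password for aaron from 203.0.113.7 port 51006 ssh2
Jun 14 03:12:20 fileserver sshd[2109]: Failed password for aaron from 203.0.113.7 port 51008 ssh2
Jun 14 03:12:31 fileserver sshd[2111]: Accepted password for aaron from 203.0.113.7 port 51010 ssh2
Jun 14 03:15:02 fileserver sshd[2140]: Failed password for bob from 198.51.100.9 port 40212 ssh2
Jun 14 03:15:40 fileserver sshd[2142]: Accepted password for bob from 198.51.100.9 port 40214 ssh2
Jun 14 03:20:00 fileserver sshd[2180]: Accepted publickey for aaron from 192.0.2.10 port 33001 ssh2
"""

LOG_YEAR = 2018  # assumption: syslog timestamps carry no year
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line: str):
    """Turn one sshd auth line into an event dict, or None if it is not a login result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(events, threshold=5, window_s=60):
    """Sliding window per source IP: alert when `threshold` failures land inside
    `window_s` seconds; a later successful login from a source that already tripped
    the threshold is escalated, since that is the 'credential compromised' case."""
    alerts = []
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    tripped = set()              # ips that already produced a brute-force alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            if ev["ip"] in tripped:
                alerts.append({"type": "success_after_bruteforce", "severity": "high",
                               "ip": ev["ip"], "user": ev["user"], "ts": ev["ts"].isoformat()})
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in tripped:
            tripped.add(ev["ip"])
            alerts.append({"type": "bruteforce", "severity": "medium", "ip": ev["ip"],
                           "failures": len(q), "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


def evidence_bundle(lines, alert):
    """Snapshot the raw lines behind an alert and hash them at collection time, so the
    bundle has an integrity reference independent of the (wipeable) log source."""
    related = [ln for ln in lines if f"from {alert['ip']} " in ln]
    digest = hashlib.sha256("\n".join(related).encode()).hexdigest()
    return {"alert": alert, "lines": related, "sha256": digest,
            "collected": datetime.now(timezone.utc).isoformat()}


def verify_bundle(bundle) -> bool:
    """Recompute the hash; False means the preserved lines were altered or truncated."""
    return hashlib.sha256("\n".join(bundle["lines"]).encode()).hexdigest() == bundle["sha256"]


def run(log_text: str = SAMPLE_LOG):
    """Detection over a whole log, returning (alerts, evidence bundles)."""
    lines = log_text.splitlines()
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    alerts = detect(events)
    return alerts, [evidence_bundle(lines, a) for a in alerts]


if __name__ == "__main__":
    found, bundles = run()
    print(json.dumps({"alerts": found, "evidence": bundles}, indent=2))
```

On the sample this raises a medium alert at the fifth failure from 203.0.113.7 and a high one eleven seconds later when the same source logs in as aaron; bob's single typo never reaches the threshold. The `tripped` set never expires here, which is fine for a batch run over one log but would need a time bound in a long-running detector.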

You're cool, appreciate the honesty. Thanks.

No problem, good luck!

It's late, I'm off. Thanks for the good discussion guys

OP out