lonervamp

SEC 588 (Cloud Penetration Testing) looks super cool. I wants it.

Pentesters: What things do you wish clients would provide/ask for as part of a test? What test activities/allowances set you up to give the best value? Initial access? Info? Access to analyst? Mature environment w/ no low fruit?

(2/2) Of course, on the flip side, we should practice patience and ability to gently gauge and read others as part of the two-way dialogue process.

One thing vexing about the industry is when one security pro talks down to another one prior to establishing technical standing. Comes across as liking to hear yourself talk... "Compliance isn't security." No shit, I knew that in 2003. (1/2)

I used to love blog commenting, but a) blogs are fewer in number these days, and b) they all require login to comment, and fuck that. I hate Slack/Mattermost threading, but I'll deal with it. Much prefer Discord, IRC, forums. Easy to consume. Easy to plug in/out. Also listservs.

"You don't post enough to Twitter." I know. I don't like discussions with char limitations. Find me in a discord, IRC (man, I should get back there), forum, slack, reddit, HTB, or elsewhere for real talk. Or over beer/bourbon/latte. I don't really hide.

I've made some learning plans and goals for 2020. Highlights: AWS Security Specialty, AWAE or SLAE, maybe CISSP-ISSAP or CCSP, and lastly less formal training and more "free" time fillers with smaller tutorials, courses, and labs. Working on the backlog! https://www.terminal23.net/2020/01/02/learning-and-training-goals-for-2020/ …

An example of the quality I've come to accept as normal for @CNN these days: "'Star Wars' has reached a creative crosswords..."

One last accomplishment for 2019: Passed AWS-SAA on Friday. Next (after a break with Fallen Order): AWS Security Specialty. Shoring up a gap in my knowledge of today's env.

Neither work hours nor holidays stop the latest infosec twitter crusade...

Again, as I make some learning and career plans for 2020, there are just too many things I want to know, learn, play with.

Security is not done in meetings. Decisions and planning and design are done in meetings. Security itself is performed outside of those meetings.

If you exude confidence, but have the wrong answer, you're not doing your infosec posture any favors. In fact, probably the opposite.

Having a high Twitter count to watch snarky comments, and having liked tweets is not necessarily a good measure of lack of unknown ignorance. Be skeptical of self-measures.

(3/3) This is also an imposter syndrome influencer: When do you become wise enough to know what you don't know? Or know that you know enough? (PS: Lifelong learning is also about pacing with technology changes/environment, and liking it, too!)

(2/3) Controls testing, feedback loops, constant learning, healthy skepticism, attacker mindset, less ego, detail oriented, effective communication, etc. Embrace these on more than a superficial level.

Lifelong learning in infosec isn't just because you like it. It's the only way to combat one of our worst industry issues: unknown (primary) ignorance. We must learn so that we stop making wrong assertions; reduce thinking we're effective/correct when we're really not. (1/3)

I don't think restricting offensive tools is much of an answer. Does it give attackers capabilities? Sure, no one argues that. It's just also not the hill to die upon. Posting ad nauseum won't change my mind on that. Make another NSA elsewhere and hoard...