Long thread but serious talk.

Seeing a massive problem in the security industry today. We have brand new candidates lacking "hands on" experience coming into the workforce and finding it extremely difficult to find a job. 1/10 We talk about skills shortages everywhere in cyber security - but almost 99% of the job postings I see are for already experienced individuals.

We have a skills shortage because we are not hiring new security folks into this industry. 2/10

A friend sent me a pic of mandatory/required in-person training they are required to do and one of the topics was cybersecurity.

Of course, it was a black hoodie-looking hacker, and the course was about as dry as it could possibly be.

It was good to get his perspective (1/4) He learned absolutely nothing.

It was more on scare tactics of what hackers could do to spy on you and the company.

It wasn't exciting and wasn't about what's happening and what you can do to protect the company and your own personal assets.

(2/4)

Ditch the diet.

95% of diets fail.

(psychologytoday.com/us/blog/change…)

It's simple, calories in vs. calories out.

If you control your calories, you control your body.

It starts with eating.

Losing weight == less calories. Some tools can help, mostly short term such as intermittent fasting, keto, etc. These are great things for fast or short term..some can do it long term but is rare.

Once coming out of these "diets", you need a program to keep the weight off.

Count those calories.

Let's go #Cavs Zion

I wanted to clarify some complex topics regarding the Exchange / ProxyLogon discussions that happened since the dust has settled.

1. I'm concerned generally about the negativity against security researchers releasing code as I view this as taking steps back not forward.

1/10 2. I think researchers should be mindful of when a PoC drops. In the ProxyLogon event, I was against dropping early to give companies time to patch. In stating that, there should be no hindrance as to when a researcher publishes code, especially after a patch is released.

2/10

Last week, made a comment about how I wasn't a huge fan of Sentinel overall. Got to dive a bit deeper into it with my team over at Binary and has definitely changed my perspective a bit.

Sentinel is not easy by any stretch but there is a lot to it.

https://twitter.com/HackingDave/status/1364978812832907268?s=20

If you have the right data going into it (which isn't easy), and you have a team behind you to build up the detections, Sentinel is extremely powerful.

With jupyter and KQL foundation is super powerful to build what you need to off of it.

Hey all, I'll be on CNBC here at 2:10PM ET-ish talking about the Hafnium / Exchange hack.

Suit on the top, gym shorts on the bottom. Running couple mins behind, probably more like 2:20

Unpopular opinion: The more I dive into Azure Sentinel, the less I'm impressed. For SMBs it's OK for commodity alarms due to the simplicity of O365 logs and others, but customized alarms, threat hunting, etc. is very difficult.

I do like KQL, but it's not even close to others. Using Sentinel as a method for increasing coverage and effectiveness of TTPs would be difficult for an organization other than commodity attacks.

Interesting...

https://twitter.com/offsectraining/status/1321074270987034627

Looks like an in between to OSCP and OSCE

Us: In network for a month without detection.

Client: Why didn't nextgen EDR pick any of this up?

Us: Detection is more than just an EDR, it requires an understanding of your network.

Client: Can you get on phone with the vendor to share all of your TTPs so they can detect? We're working with the customer to help educate and shore up the deficiencies, but it's just rough because of the over-reliance on security tools versus baselining and doing the work for your own environment.

Here we go

One thing that I’ve learned from my nutritionist / planner is to screw fad diets (keto as an example) and focus on your body. Start counting calories, and focus on primarily protein intake and balance the rest. Workout days for me 2300 calories, 200g of protein and mix fat/carbs. If you are going to do long term fitness for life, you need something that you can sustain yourself on.

Non workout days 2100 calories.

For tough working days I stack more carbs, for less workout days, I stack less.

I count every calorie I put in my body religiously.

I've heard that there are a few folks that were "annoyed" or "upset" from the #redteamfit posts in INFOSEC.

The intent is not to point out people that aren't doing this but to have a motivational group of people (anyone is welcome) that shares in a common goal for better health This is a very easy hashtag to mute or ignore if it doesn't interest you.

Fitness isn't for everyone and certainly wasn't for me. I never want to go back to big 317lb Dave - where I was struggling health-wise, had heart surgery due to weight, and wouldn't be around for my kids.

Today a year ago was our final #DerbyCon.

A con that changed my life and others and still to this day raised more for charity than any other security conference.

I miss you all and thank you for making an awesome community that made a real impact in peoples lives. 😢

Hiking time! #RedTeamFit

Well hello there. Some more pics

Today I had a call with someone who randomly reached out to me asking for advice. I didn't know setting up the call to help him, but a few years ago I donated to help with health issues and he made it through and is now healthy.

"Saved my life" was mentioned.

Wow.

1/4 This person wanted some advice on what to do next.

Already has a degree in INFOSEC.

The passion, drive, and desire are there and it was a refreshing talk to hear that he is so driven to break into the industry. 2/4

I *kind of* agree with @taviso.

The discussion is limited to security-minded individuals that use unique passwords, complex, and rotations. 2FA can still be an added benefit.

SMS 2FA is substantially better for orgs with non-security-minded folks (100% of all organizations).

https://twitter.com/taviso/status/1288526048351551488

There's no argument that using tokens like U2F is a *better* option and should be explored for orgs versus SMS 2FA, but most attacks against users are high commodity attacks and SMS 2FA is sufficient.

There is a lot of data to support this.

microsoft.com/security/blog/…

Great breakdown from @briankrebs on potential people involved and timeline to Wednesday’s Twitter hack: krebsonsecurity.com/2020/07/whos-b… “In the days leading up to Wednesday’s attack on Twitter”

“a user named “Chaewon” advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.”

I’ve largely stayed out of social media “debates” on INFOSEC as of late. The issue is folks forget that there is a human on the other side with different experiences.

Experiences they believe strongly in.

It isn’t to say that the experiences are right or wrong. 1/3 I have yet to see someone explain a complex subject on social media where it changed someone’s perspective.

Usually it turns to anger and frustration.

Usually has the opposite effect and in many cases solidifies stances versus providing a solid platform for debate. 2/3

Intermittent fasting coupled with modified keto (limit as much carbs as possible) and an every other day cardio + lifting routine is doing well.

Down 10 pounds with substantial muscle growth.

Hoping to keep this up as a lifestyle change and for the future. Modifying cooking techniques also - switching to more Texas style smoking meats versus others which is far less sauce driven and more salts and peppers has helped.

Today made an apricot - soy pork chops with rice and carrots. I had small portion of carrots and chips only.