I have a simple rule: Does this account have any way to get to my money? if yes, apply 2FA.
I feel that in 2019 services like Google or Microsoft, that have a payment method attached to it and more or less are our digital identity holders, should encourage 2FA to the point of rewarding it.
Just on point 👌
Being an ex-hacker myself, I would say that my job would require 70% of social engineering skills, and the rest is tech skills.
Aside from that, the likelihood of performing any attack (esp. on a big company) with only tech skills is just soooooo low.
A friend of mine bugged me to chip in on a Kickstarter for an open-source YubiKey alternative, and it has turned out to be one of the best purchases I've ever made. No longer am I held hostage to the whims of my own stupidity when it comes to poor infosec - though I suppose I might change my opinion if I ever happen to wake up after a particularly celebratory night to discover I lost my keys and keychain :P
It works very well for me, as I am not a very organized person, and I think maintaining a centralized password app requires a degree of discipline. Alongside that is my personal experience with Dashlane - which might rival Firefox's "allow notifications?" as one of the most downright annoying things I've ever had to put up with on a desktop. Like a lot of folks I know, I keep my keys - and my USB 2FA - on a carabiner, so (knock on wood) it's pretty convenient on top of the physical layer of security it provides. Despite it not being widely accepted yet, it does work with Google, and that's all I need to access a lot of my services thanks to SSO logins and whatnot.
Oh nice, the Yubikey is awesome! I really want one but honestly, I'm ditsy AF sometimes and would probably lose it.
That's why you should get two :D one that travels with you and one in a safe place at home.
Loved this post, congratulations! However I think there is maybe a small paragraph missing about in person social engineering. Many companies have been compromised in the past by having a hacker simply pose as a janitor and access a terminal in the company or simply see the logins written on post-it notes on the screen.
Good point! Thanks for the comment. May update the article later to write a bit on that.
Looking forward to it! Keep up the good work. I need to find the time to write more articles on security as well.
I love made-up words! Another really great post. I have not heard of CUPP before; I'm going to have to check that out! I'm always curious about phishing email trends. I always encourage people, no matter what their job is, to share with the IT/Security team the common themes or trends they are seeing. Trying to keep an open communication channel is so important for spotting, detecting, mitigating and preventing phishing.
Thanks for your comment, Spencer! And you're absolutely right. Earlier this year I worked for a company here in Australia that's known for having a great security culture. They have multiple teams dedicated to educating employees within the company on security trends, especially phishing, and they always encourage employees to send fishy-looking stuff to these teams. It works really well.
Sweet post! Your website looks cool too, gonna check out the articles later. I'd like to scan my network, but not sure where to start. Any advice?
Awesome question! If you're cool waiting about a week I can make my next post on that?
Wow that'd be sweet, I'll look out for it!
Wonderful, I’ll check it out. Thanks!!
So interesting, love this article. People need to realize that the reason most scam mails are poorly written is because they're very smartly targeted at a particular demographic.
Once the scammers come for you, they're going to put as much effort into tailoring the messaging for you!
Btw maybe you could also mention using a Password Manager? Solves the issue of leaking pet names and private information etc.
Thanks for your comment! :))
I did mention password managers in the automation section. Personally, I love them, but I didn't want to make it a key focus because a lot of people work for companies where password managers aren't allowed (which I think is stupid, but that's another issue entirely).
Vishing? I had never heard of the term. I thought the actual term was phreaking.
I come to live rather than keep careful.