MSgtRedFox

joined 9 months ago
[–] [email protected] -2 points 7 months ago* (last edited 7 months ago) (7 children)

I see a lot of comments conveying unhappiness with the Indiana governor and Republicans in general.

Any opinions?:

  • What should be done about the border security?

  • Is the threat of drug smuggling from across the border real or made up?

  • What should we do about fentanyl issues? I'm not interested/care about weed. It will be available soon/someday, just a matter of time.


[–] [email protected] -2 points 7 months ago (4 children)

What do you think would happen if the Federal government tried to activate the entire state's national guard?

How do you see that playing out?

Sounds dangerous and scary.

[–] [email protected] 2 points 7 months ago

I guess in lieu of multiple parties, or no parties, I'll take ones that differ from at least all extremes.

[–] [email protected] 4 points 7 months ago

Plus, we had one D prior.

[–] [email protected] 3 points 7 months ago

Well, they only got elected by 50.7 and 52.x percent.

[–] [email protected] 6 points 7 months ago* (last edited 7 months ago) (4 children)

I'm trying to compare Young and Braun on some of the current topics

Braun's account made a stupid social media post regarding border security/immigration recently.

I'm trying to figure out why he and party liners reject it so hard.

I appreciate that Young broke away from the herd on something.

https://www.indystar.com/story/opinion/columnists/james-briggs/2024/01/31/indiana-senator-fights-trump-border-immigration/72406947007/

[–] [email protected] 3 points 7 months ago

Ah, I'm sorry. 😉

[–] [email protected] 4 points 7 months ago (15 children)

This is who I was previously talking about. I didn't realize you were local.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

Is that a pickup line? Lol

[–] [email protected] 1 points 7 months ago (1 children)

I have the older Sophos utm, which doesn't use the Sophos cloud central manager.

I think their new firewall utm can work disconnected, but I don't know.

Sophos has a home use license that's free for non business use.

I love companies that do community edition or free home use.

Sophos, Veeam has nfr, Elastiflow has community edition, which is a netflow.

[–] [email protected] 2 points 7 months ago (1 children)

Sorry for the confusion. I use Sophos UTM as a WAF for Exchange. Basically a reverse proxy that is specifically programmed for Exchange attacks. It allows OWA to keep working.

I put the Exchange admin URL behind authentication, so if you try to go to /ecp, Sophos intercepts and makes you authenticate to Sophos UTM first, which is passing to AD with RADIUS.

MS got rid of intune on prem. It's only Azure service now. I think.

My router is my biggest vuln. Oddly the most important. It's an enterprise ISR. It's updated as far as possible. My paranoia ends with the US gov/NSA. I don't care if they want back door oddly. I don't want China using me for attack relay however.

Loads of monitoring. You do a span/mirror port to your IDS like Security Onion. Let it analyze all your traffic. Apparently there are some state sponsored exploits that allow them to own a router at kernel level and hide their activities from you and monitoring, but that's a level I can't deal with.

As far as lock out, you create a break glass on everything. Emergency account with non rememberable ridiculous password, saved in a safe place.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

What about Islamic religion? Are they bigots? There's a proper way to beat your wife constructively and lovingly.

Are they bigots?

They don't like community people either. I think they kill them? I watched a video of a group of them cutting the heads off two guys over bigot views.

Would rather have mild Republican bigotry than murder I guess.

I'm curious though if that's all of them, or some of them? All one political party, or some?

 

cross-posted from: https://infosec.pub/post/6671372

I'm not a vendor, I'm just curious what experience people have with implementing security control frameworks?

DOD uses DISA STIGs. Else uses CIS benchmarks, or self developed based off NIST CSF?

To what degree is your organization using any of these?

Are they enforced? Monitored?

Using any vendor solutions that don't suck?

Does anyone care except you (hopefully 😉)

 

Let's talk about root certificate management and the EU proposed QWACs.

Steve Gibson of the Security Now podcast weighed in with opposition to the EU's proposed QWACs certs and cited a few other prominent figures also expressing opposition.

Paraphrasing their concerns, they proposed that mandating a bunch of new CAs introduces more risk and greater opportunity for abuse or compromise. Steve favors fewer CAs, also being in favor of pruning out most but 6 or 7.

At the moment, I don't care for browsers having their own certificate stores, as I would rather use the OS, for which I would use group policy on Windows or an automation tool on Linux.

I am also in favor of pruning out certs, though I've never tested that in an enterprise.

Does your organization allow non OS certificate stores?

Does your organization prune out default root certs?

How do you feel about the proposed QWACs?

 

cross-posted from: https://infosec.pub/post/6911236

Is anyone running saltstack, and if so, are you doing gitfs for your repo?

Do you have your pillar data in the repo? Or some other external?

Are you doing one top file in base? Or top in each branch/environment?

Is there a better way to do managed repo for salt?

 


 

I'm curious what tools, SaaS, or other solutions are being used for vulnerability assessments?

DOD calls it ACAS, which is just an acronym for the required assessment program of record they currently fulfill with Nessus scanner and related vendor solutions.

Anyone have Nessus experience that can compare to another vendor? Good, bad, etc?

 

Has anyone heard significant criticism of Indiana's roads?

I have. I'm wondering if there's merit to it, or whether everyone thinks the roads where they live are bad.

I've driven out west and northwest where the composition of roads is different, loader like concrete, but they might not have temperature swings, use salt, or plow.

Marion County usually has bad roads compared to the suburbs, but that's a whole thing of its own

Thoughts?

41
submitted 9 months ago* (last edited 9 months ago) by [email protected] to c/asklemmy
 

Pure curiosity:

If you left reddit or another corporate platform under the banner of not being censored by their views or beliefs, what was that?

Wait. Before we open this can of worms, I'm not at all curious about an in-depth explanation of unpopular views or opinions that are generally extremist or that most reasonable people consider extreme. More of:

  • I left reddit or some other because they censor...?
  • The lemmy community is more for me because?
  • The reason my instance policies or moderators are better than the other platform is?
  • The other platform restricted opinions or views regarding...?

If you feel like sharing, just summarize the general idea, please no indoctrination speeches.

Oh boy...

76
submitted 9 months ago* (last edited 9 months ago) by [email protected] to c/technology
 

Question for the masses because I'm curious:

What do you think social media would be like if there was no anonymity?

Is it fair to say some people behave differently online because of anonymity?

Would it be good or bad if everything you posted could be tied back to you by your friends, family, employer, etc?

Some obvious concerns people express:

  • personal safety
  • freedom to express views contrary to community, government, etc without retaliation
  • fear of stigmas related to support, education, etc for stigma topics like mental health, sexuality, etc

What reasons do you have for not wanting to own your online identity other than being able to talk trash without being identified? Some people are public and still talk a lot of trash, looking at you Twitter.

If you got doxed, what do you think the impact would be just related to social media conduct?

Edit: With the introduction of online protections for minors, how does that affect the question?

Not from a political standpoint but from a technology one, how do you see that even working?

5
submitted 9 months ago* (last edited 9 months ago) by [email protected] to c/ipv6
 

I'm interested in thoughts for a scenario where you want to do small-scale multi-site activities, with site-to-site connectivity.

Here's a couple of constraints:

  • you're not going to pay the money to get an assignment, you'll just have ISP global.

  • your two or more sites will have different ISPs.

  • You're doing VPN between sites instead of provider managed. The sites might be running some normal enterprise services like active directory, or other internal corporate norms.

  • you might have the need for a backup Internet connection. Load balancing would not be required.

With the fact that the globals could change at a site, would you consider using ULA? Or just stick with global and update DNS in the event of change. I know there's a preference problem with IPv4 being chosen over ULA, so the ULA thing wouldn't be very easy unless you went straight v6.

If ULA, would you pattern/convention match the global in each site or create one organization wide ULA and assign it something like /48 per site?

What precautions do you take on gateways to ensure globals aren't used outside of the tunnel? ULA prevents this, but so does proper configuration I assume.

How would you do this?

I keep asking about ULA because I heard/read enough articles where the author says don't do it, but they seem to be geared at large enterprise or hosting where they would definitely get dedicated blocks, peering, etc. I'm interested in the little guy.

19
submitted 9 months ago* (last edited 9 months ago) by [email protected] to c/[email protected]
 

The Internet and email are old at this point.

It can be reasonably argued that email links are a significant threat vector right now.

So far, we just keep trying to sandbox links or scan attachments, but it's still not stopping the threat.

My questions for comment:

  • Would removing anonymity from email reduce or remove this threat? If businesses blocked all uncertified email senders, would this threat be gone?
  • Why can't we do PKI well after a few decades?
  • Does anyone believe PKI could apply to individuals? In the context of identity for email, accounts, etc?

I see services like id.me and others and wonder why we can't get digital identity right and if we could, would it eliminate some of the major threats?

Image credit: https://www.office1.com/blog/topic/email

Edit, post not related to the site or any service, just image credit.

 

I'm curious how much people are interested in using this? I see posts are fewer, especially if compared to reddit.

Maybe it doesn't help that there isn't one production mobile app, but a few personal/opensource ones out there?

Everyone here still over in r/homelab a lot?
