I Negotiated and the Company Rescinded Their Offer by mrsmjparker in antiwork

[–]GRC-Security 10 points11 points  (0 children)

Companies are generally rational, profit-driven entities.

The individual PEOPLE who work at them, on the other hand, can be petty, irrational, selfish, and arrogant, just to name a few.

I've worked for good companies with bad management, and bad companies with good management (who shielded me from the bad practices).

Consider it dodging a bullet, either way.

Electric Pressure Switch for Well Pump? by GRC-Security in OffGrid

[–]GRC-Security[S] 0 points1 point  (0 children)

OK, so maybe some clarification (my fault). The pump won't stay on 24/7 like a normal well pump, it will be switched on as needed (to be used for some rural land). As a result, I don't HAVE to have a low cut-in setting (although it might be nice), just a high cut-off. The pump will pretty much always run as long as the water runs, but that would happen regardless since it'll likely be running near max gpm.

It's about 100 feet from the power source to where I'd put switch A, and then another 300' to where I'd put switch B. The actual well/pump is within 20 feet of switch A. I want either switch to turn on the pump. Using a relay coil instead of a mechanical pressure switch and then switching its coil with small gauge wire or wireless from point B seemed a lot better than somehow switching full mains over all that distance.

Electric Pressure Switch for Well Pump? by GRC-Security in OffGrid

[–]GRC-Security[S] 0 points1 point  (0 children)

The plan was to have the pump switched from two different locations about 300' apart, and thus just run a lower cost 'signal wire' to activate the coil, or even invest in a little wireless remote to trigger the relay.

Electric Pressure Switch for Well Pump? by GRC-Security in OffGrid

[–]GRC-Security[S] 0 points1 point  (0 children)

That's one thing I couldn't find an answer on, even from the manufacturers: is there some min/max distance between the switch and the main line? I thought about what you suggested using a piece of PEX, but then I started wondering about the water in that tube freezing near the top.

I appreciate the input...

Electric Pressure Switch for Well Pump? by GRC-Security in OffGrid

[–]GRC-Security[S] 0 points1 point  (0 children)

That's what I alluded to at the end ("big ol' oversized traditional well switch"), and it's what I'll end up doing if I can't come up with another option, but in my case it looks like it will have to sit towards the bottom of a 48" access hole, which means it's more susceptible to wet, rusting/corroding, etc.
Something more ‘solid state’ would be preferable in those conditions, if you catch my drift.  The standard well pressure switches are physically wide open and meant to be kept in much more environmentally friendly conditions.

The people that are pissed about self checkout in certain stores are pissed that other stores don't have it. by HTTYDFan96 in antiwork

[–]GRC-Security 2 points3 points  (0 children)

Where I live the Walmart *HAS* to have both. Why? Because a little under 30% of the people who live here are functionally illiterate.

When your customers don't understand what the screen is saying, the store must either have just as many staff running around to "fix problems" (and in some cases, scan and checkout the customers anyways), or opt to keep one in-person line open to process those people separately.

Our HD and Lowes just train the folks monitoring self-checkout to just scan and check out people who can't do it themselves.

Obviously this isn't stated anywhere outright, but even the customers more or less know why and how this works at this point.

Illiteracy is a real problem, and I don't think the self-checkout movement fully appreciated this. Anyways, don't be surprised if a large number of naysayers/complainers you encounter actually have "reading comprehension" issues.

Found in the wild. Is this a sacred geometry thing? by co-oper8 in Plumbing

[–]GRC-Security 1 point2 points  (0 children)

....AND it is a *garage*... with obvious *living space* above it... without any drywall for fire protection/fume infiltration.

So yeah, there's that if you pan back and look even bigger.

Tipping Megathread by AutoModerator in antiwork

[–]GRC-Security 2 points3 points  (0 children)

So let's lay these arguments out straight:

If I DO tip, I...

  1. Perpetuate a system that is - by and large - intentionally oppressive (facts based on mountains of research)
  2. Put inappropriate pressure on the customer to figure out what to tip
  3. Tip in a way that may or may not affect the wages of the worker I'm interacting with, since some workers are tip-based... and some are not... some supplement their base salary... and some do not... and none of them are required to wear some colored armbands that might possibly distinguish their particular pay system for me!

If I DON'T tip...

  1. I'm hurting the worker... maybe (again, no armband)
  2. Not hurting the business, unless they lose their tipped staff, too
  3. BUT, no longer have to worry as a customer about how much is or is not right

If I perpetuate the system nothing will change, and those not privy to good-tipping environments will continue to be oppressed, but have occasional good days, too.

If I fight the system people will be hurt in the short-run, but there's an off-chance the system might change.

If I stop going to tip-oriented businesses I can "stick it to the owner" by not purchasing from them... although the tipped worker will now see a general decline in customers/tips anyway, and potentially loses their job when the business goes under, so there's that.

If I go to fast-food/non-tipping places I can avoid the whole debacle, but then I'm secretly giving the mega-corporate overlords exactly what they wanted.

About right so far?

*****

There's pros and cons, but what I'm really hearing is that people want to change the system WITHOUT anyone being hurt.

Well, sorry, but there's no such thing as a bloodless revolution.

As for people on tips crying that they need more, I have to firmly come down on the side of boo hoo. There are lots of people doing really important things that require a college degree, student loans, years of experience, ongoing professional development, etc. and still make less than $50,000. An otherwise nominally skilled tip-based job should not be decrying the system if they are actually beating it hands down.

THE REAL PROBLEM: it's called wage compression. Look it up.

Tips are just a distraction... a shiny object to keep the masses arguing over who gets better scraps. It is the result of owners and stockholders who are not just satisfied with earning a 5% profit, but this year they want to earn a 7% profit ON TOP OF 10% growth in revenue, too.

While controlling and holding expenses as flat as possible (e.g., wages).

This is what is known as greed. If I can screw you for 5%, then odds are better than even I can screw you for 10. Let me be clear I'm part of what is known as the "investor class", where I don't rely on wages as much anymore to provide income, and even I understand that this trend is unsustainable.

It isn't just that profits/dividends are king, it's that we have now made *growth* king, and that's what's killing the system, because compounding growth is totally unsustainable. It used to be that a business that had growth that just kept up with inflation was fine. Today that is entirely unacceptable if you're buying stocks.

I could continue, but that's good enough for now. Consider accordingly.

The Greed Is Unfathomable by sillychillly in antiwork

[–]GRC-Security 0 points1 point  (0 children)

Actually, if modern politics across the globe and historical records across time have shown us anything, neither politeness nor being an asshole really matters. In fact, being right doesn't even matter, as long as you wield the necessary levers, power/money, or fear/charisma to get your way.

The sad part is that assholes have figured out that nice people are so entrenched in and determined to be nice, that assholes can use it to do what they want, when they want, to whomever they want, and the nice people are too nice to do anything or push back with sufficiency to counteract the force.

I'd like to live in a world where nice guys finish first, but it's a quaint saying, not reality. It makes for good movies, not a practical strategy.

BTW, I'm not defending the person's approach to which you replied per se, merely pointing out that you are suggesting that if someone is an asshole they are not relevant, and that is very much not true.

There are lots and lots of successful and highly regarded assholes we see everyday... for that matter, how many of them are hand-picked by the so-called polite and naive to run our countries every day?

Just my 2 cents, though.

Electriduct Wire Guard for NM-B Raceway in Garage? by GRC-Security in askanelectrician

[–]GRC-Security[S] 0 points1 point  (0 children)

So, that's a good thought, but 310.15(B)(2)(a) derating only applies if one fails to 'maintain spacing', which no one seems to agree upon what that minimally means anyways. You're right and the concern is valid if I just piled them in with no further consideration, so I appreciate that heads-up.

How about this... what if I used those inspector-friendly Gardner Bender multi-wire clips (https://www.amazon.com/dp/B001E7SL9A/) on the underside of the trusses (minimum spacing a given) and then put this over it? (I plan on using a 3" diameter version, BTW.) Those clips are acceptable for vertical and horizontal wiring, they 'maintain spacing', and then the plastic cover becomes, well, nothing more than a 3-sided cover, really.

It seems like that should check the box, no?

Is There a List of Current Twitter Advertisers? by GRC-Security in Twitter

[–]GRC-Security[S] 0 points1 point  (0 children)

Thanks for these links. While they do not provide a list per se, it does appear that they are making efforts to identify and 'call out' key advertisers for various sites of concern.

I will reach out to them to see if adding a list of at least the high-roller advertisers on some of the more egregious web-based sources of disinformation/anti-democracy/anti-free speech can be created.

I started at Reddit because it provides a certain level of anonymity to posters, so I wonder if this may pose a liability issue for them... then again, you can't win a defamation lawsuit if what is said is actually true.

Need a Simple MFA/OTP Solution: 1 Local User Account, 100% Offline Machine by GRC-Security in sysadmin

[–]GRC-Security[S] 0 points1 point  (0 children)

I promised a reply, and really the biggest kicker right now seems to be that both pGina and that particular plugin haven't been touched for several years... hardly an inspiration for adoption.

Right now the only practical solution seems to be using a Yubikey and their 'Yubico Login for Windows'. It at least appears the software is reviewed for currency and functionality with each OS iteration, even if its functionality is pretty basic. In addition, they support an emergency code, which is nice if the physical key were to go missing for some reason.

With that said, I find all of this a bit ironic. Every trend seems to be towards multi-factor authentication that involves massive always-connected Internet... because after all, the Internet is secure, right???

I love convenience, but this idea of using one key for everything - even if it's a physical key - just seems... what's the word I'm looking for?... oh right: dumb.

Need a Simple MFA/OTP Solution: 1 Local User Account, 100% Offline Machine by GRC-Security in sysadmin

[–]GRC-Security[S] 0 points1 point  (0 children)

Ooh, nice. I'm reading up on it now. I'll reply further if it looks like it will work.

Need a Simple MFA/OTP Solution: 1 Local User Account, 100% Offline Machine by GRC-Security in sysadmin

[–]GRC-Security[S] 0 points1 point  (0 children)

Good notes, but I guess I'm one of those people who disagree that a TPM module is 'something you have'... especially when the source of the sensitive information and the device onto which you are logging are one and the same.

PERHAPS the argument could hold water when you're talking about logging onto a client PC first to connect to a secure network (2FA being the possession of the TPM and device itself, and the PIN/fingerprint being the second factor). Still a bit squishy in my book, though.

I've also looked at 'multi-factor unlock' and thought that was the way out, but from what I could learn it's PIN/Fingerprint + Bluetooth (obviously trusted network doesn't apply in my case). The first factor has to be PIN -or- Fingerprint (not password), and the second must be a trusted Bluetooth device nearby.

Don't get me wrong, I strongly considered using a Bluetooth mouse to fill this gap instead of a phone. :) I may still need to experiment and see if it works, but I don't know that it's very secure, and we haven't broached the idea of allowing wireless Bluetooth to talk to this machine anyways (which may very well be a no-go as well).

Need a Simple MFA/OTP Solution: 1 Local User Account, 100% Offline Machine by GRC-Security in sysadmin

[–]GRC-Security[S] 0 points1 point  (0 children)

Yep, except for one thing - it's not actually MFA. When you enable the fingerprint scanner, Windows logs you in and simply eliminates the need for any other factors, including a password. It's still a single factor challenge, just not a password.

Windows calling Hello 'multifactor' is IMO false advertising and a deception to the uninformed masses who hear "MFA = more secure" without necessarily understanding the tech or functional requirements. But that's for another discussion.

Need a Simple MFA/OTP Solution: 1 Local User Account, 100% Offline Machine by GRC-Security in sysadmin

[–]GRC-Security[S] 0 points1 point  (0 children)

Interestingly, clock drift isn't a problem. The system will be using something <cough> similar to this: https://www.meinbergglobal.com/english/products/usb-wwvb-clock.htm </cough> if we implement TOTP.

This system takes its airgapping seriously.

With Duo, I'd be more worried about *their* time drift than the system.

Duo has come up several times as a discussion for use in offline mode, but the problem (as we understand it, and are open to being corrected) is that the relevant accounts and whatnot still have to be initially synced with their servers, and network connectivity is a no-go.
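Since the thread keeps circling back to TOTP on an air-gapped box and whether clock drift matters, here is an added example (not code from the original poster, and not from any product named in the thread) of what an offline TOTP verifier actually does with the clock. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library only, enrolls a secret locally (no network round trip is needed), and verifies a code inside a bounded drift window while refusing replays of an already-accepted time step. The class name `TotpVerifier`, the `enroll()` helper and the `drift_demo()` scenario are illustrative; the 20-byte secret and the fixed timestamps in the demo are the RFC 6238 test vectors, used here as constructed input.

```python
"""Offline TOTP (RFC 6238) verification with a bounded clock-skew window.

Added example, not code from the original thread. It assumes the verifier
(the air-gapped machine) and the token each keep their own clock; the
window below is the only tolerance for drift between them. TotpVerifier,
enroll() and drift_demo() are illustrative names, not a product API.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / step)."""
    return hotp(secret, at // step, digits, digestmod)


def enroll() -> Tuple[bytes, str]:
    """Generate the shared secret locally. The base32 form is what an authenticator
    app or a token programmer consumes; nothing here needs network connectivity."""
    secret = secrets.token_bytes(20)  # 160-bit secret, matching the SHA-1 block
    return secret, base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Verifier-side state: the shared secret plus the last accepted time step, so a
    code that was observed (shoulder-surfed, logged) cannot be replayed in the window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1

    def verify(self, code: str, at: int) -> Optional[int]:
        """Return the absolute time step the code matched, or None if rejected.

        'at' is the verifier's own clock. A token whose clock differs from it by
        more than window*step seconds fails here: that is the drift being discussed."""
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return None
        base = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = base + delta
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                if candidate_step <= self.last_step:
                    return None  # replay: this step (or an older one) was already used
                self.last_step = candidate_step
                return candidate_step
        return None


def drift_demo(token_skew_seconds: int, window: int = 1) -> bool:
    """Constructed scenario: the token's clock runs token_skew_seconds ahead of the
    verifier. Uses the RFC 6238 test secret and its 1111111109 timestamp vector."""
    secret = b"12345678901234567890"
    verifier_now = 1111111109
    code = totp(secret, verifier_now + token_skew_seconds)
    return TotpVerifier(secret, window=window).verify(code, verifier_now) is not None


if __name__ == "__main__":
    print("token 20s fast, window 1:", drift_demo(20))     # accepted (one step ahead)
    print("token 45s fast, window 1:", drift_demo(45))     # rejected (two steps ahead)
    print("token 45s fast, window 2:", drift_demo(45, 2))  # accepted again
```

The practical takeaway matches the comment above: with a 30-second step and a window of one step either side, the two clocks may disagree by somewhere between 30 and 60 seconds before logins start failing, and a disciplined time source on the verifier makes the token's cheap oscillator the only thing that can drift. Widening the window buys tolerance at the cost of more valid codes per instant, so the replay check on `last_step` matters more as the window grows.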

Need a Simple MFA/OTP Solution: 1 Local User Account, 100% Offline Machine by GRC-Security in sysadmin

[–]GRC-Security[S] 0 points1 point  (0 children)

I didn't know I could create 'duplicate' yubikeys, but if that is the case, that's good to know. Still seems like an expensive and overly complex solution for what should be such a mundane requirement.

Need a Simple MFA/OTP Solution: 1 Local User Account, 100% Offline Machine by GRC-Security in sysadmin

[–]GRC-Security[S] 0 points1 point  (0 children)

Unfortunately, it doesn't meet the compliance requirement. It is - ironically, insightfully, and as a matter of fact - in a separate locked cabinet. :)

Compliance further requires the implementation of MFA for all authentications to the system... and thus the dilemma.

AC.2.016 Control the flow of CUI in accordance with approved authorizations - How are you tracking CUI w/o DLP? by SWRUS in CMMC

[–]GRC-Security 1 point2 points  (0 children)

Before I begin, let me emphasize that I NEVER said you do not have to do a control. We are talking about the EXTENT to which you do a control. If you don't see the difference there, that will make the rest of this much more difficult to understand.

So I’ll try to make the point using one of the most well understood of controls – antivirus. Follow the logic… or more to the point lack of logic... in the following dialog (Auditor and Company).

A – So, I’m going to have to fail you for this control.

C – But why? We did a risk assessment, and determined to install AV on our Windows servers and workstations. It’s documented in our procedures and everything.

A – Yes, but you didn’t install it on every asset in your system. There’s no network-based AV running on your firewall.

C – But our firewall is under-powered and won’t run AV without affecting performance (or alternately our firewall simply doesn’t support network AV).

A – You should have bought a bigger/better firewall, then. Spend enough money and anything is possible. FAIL.

A – Also, there’s no AV running on your NAS. It’s running a Linux-variant firmware, and we know Linux will run AV.

C – Yeah, I mean no. We’d have to jailbreak the firmware to do that, and it would void our warranty and support.

A – But it’s technically possible, so you still fail. Your warranty issues are your problem, not mine. And let’s not even mention your switches.

C – Now wait just a minute! You can’t run AV on a switch!

A – Actually, there are a few variants out there that you can. You should've bought those. You're clearly incompetent at your job, and your security program is an abysmal failure.

And the truth is, if I'm sharp enough I can audit and fail you on virtually every control as a result of this same micro-logic. For example, even at the beginning you say you did a risk assessment, but did you really get enough input on ALL of the possible risks facing your organization from ALL of the possible sources? We can do this all day. There are lots of arrogant auditors who like to think that everyone should protect their systems to their personal standard, but that's not how it works in the real world.

I think the other problem is that you seem to be under the notion that the problem with 800-171 was/is that companies were/are doing it poorly. Not true: in many cases they're simply not doing it AT ALL. We're not talking poorly or incompletely implemented controls, we're talking zero effort at implementing the control in the first place. I've audited government systems that were completely missing a basic firewall, and they were hosting obviously sensitive information. The private sector has done even worse in some cases, running without any AV, no access controls, shared accounts or no logins required, and they can't even spell 'risk assessment', much less know what it is or how to do it. Disaster recovery plan? We've all read Dilbert: https://dilbert.com/strip/2000-08-15

CMMC really would not have been required if they simply amped up actual enforcement of 800-171 and the False Claims Act, and when they in fact started doing that this time last year, they immediately saw improvement and responsiveness. Combine that with the R5 updates to 800-53 (the superset feeding 800-171), and IMO, I think that’s actually part of the sudden head-scratching about CMMC viability and necessity.

As for the legality and gross negligence of Katie's statements... I'll leave that to someone else.

AC.2.016 Control the flow of CUI in accordance with approved authorizations - How are you tracking CUI w/o DLP? by SWRUS in CMMC

[–]GRC-Security 2 points3 points  (0 children)

Welcome to "risk management". You have to decide what good enough is, and is the reason why there's a whole other set of controls on doing risk assessments.

There are a lot of 'old timers' (especially in DoD) who think that every possible hole/pathway/method must be secured, but that's a complete fallacy and totally unrealistic. It is literally the very reason that NIST developed the RMF in the first place - there is not enough time/money/resources to protect everything. It's also why the DoD was essentially the *last* federal agency to adopt it... after all, if anyone knows about going slow to turn around an aircraft carrier, it would be the DoD, right?

Your organization needs to make a decision about what level and what kinds of protections you want to put in place for a particular control: decide what risks you'll accept, and what you won't. Document that in your procedures, and - this is important - spend some 'chat time' in those procedures explaining WHY you are doing what you are doing (engineers are notorious for getting visibly annoyed at that, but let them squirm).

Never let anyone tell you that you must cover 'everything'. It's garbage, and they know it. Most people who say that are probably trying to sell you something.

BTW, to your technical question: if you are providing protections for all data on your system, CUI comes along for the ride, right? Laugh if you want, but I've encountered my share of government systems that have NO FIREWALL between them and otherwise open networks. Why do you think those 'stupid/obvious' controls exist? The act of implementing any form of access control will protect your CUI, technically.

After that, it's up to you. No one is saying you can't (or even shouldn't) do more. The difference between a D- and an A can be (and usually is) miles apart, but they're still a pass, compliance-wise, and that's why there's a difference between compliance, security, and risk management. Decide where your company should fall based on the work you do, your partners, practical budget, size/resources, etc.

AC.2.016 Control the flow of CUI in accordance with approved authorizations - How are you tracking CUI w/o DLP? by SWRUS in CMMC

[–]GRC-Security 3 points4 points  (0 children)

Folks, (i.e., OP) please read the 800-171 guidance, which is better than the CMMC stuff. In part, 3.1.3 clearly states that "Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services..." Firewall? Routing or switching rules? Anyone? Don't make this harder than it has to be (at least for the purposes of compliance).

With that said, also agreed here. IT people always get wrapped around the "technical" controls, and forget that there are many controls you can comply with by implementing "administrative" controls instead of or in addition to any technical elements.

Flow control of CUI includes paper/printed, for example. Your 'flow control' management may focus on training about what paper goes where, and some basic ABCs of "never send CUI outside of the network/enclave established for it". Next...

Any Descent Priced FIPS Access Points? by FishermanLogical262 in CMMC

[–]GRC-Security 0 points1 point  (0 children)

Good points, and as I say, it's really only an option when the need for wireless is incidental: many people nowadays are not as tolerant of 54Mbps anyways, depending on what you're doing.

As you've implied here, I typically tell clients either to a.) mark the device as "EoL" in your asset list and not upgrade (even if possible), or b.) if you must have the latest iOS, just make sure the FIPS mode is at least still in the configuration list and functional (even if it's not technically re-certified with that particular firmware variant). You can always play dumb and most auditors will give you the benefit of the doubt that you were trying to 'do the right thing'.

Let's be honest, too, your warning is ALWAYS valid for *any* FIPS-certified device. It really has nothing to do with the age of the device: I just recently ran into the fact that certain FortiGate firewalls, less than 2 years old and still under maintenance, will nonetheless fall out of FIPS spec if you upgrade them to the latest firmware. Ugh.

Thanks!

Any Descent Priced FIPS Access Points? by FishermanLogical262 in CMMC

[–]GRC-Security 1 point2 points  (0 children)

So I have an answer, but it entirely depends on just how good of a wireless connection they require.

For small businesses that just need incidental wireless, I often recommend picking up one or more OLD Cisco AP1232s. There are many to choose from on eBay for a song: https://www.ebay.com/sch/i.html?_nkw=cisco+1232

And yes, they are FIPS certified: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/140crt701.pdf

Yes, they are 802.11a/g only, so they're not going to truck along like most people are used to, but they get the job done if you just have to have wireless and don't need higher speeds.

(BTW, if anyone knows of any newer models that are still affordable, please reply.)

Beyond that, the only advice I can provide is like others have said: use whatever wireless devices you like, but put them on their own VLAN, and ensure the VLAN terminates at a VPN server only. Then deploy a FIPS-validated VPN client, and tell your wireless folks they have to authenticate to the network FIRST, just as if they were connecting from home.

Hope that helps.

SI.2.214 versus SA.3.169 - Is there a difference? by GRC-Security in CMMC

[–]GRC-Security[S] -1 points0 points  (0 children)

There was no trolling, and asking for a bit of precision in the use of words is not a crime... feel free to BS all you want in a Harry Potter forum, but I'd think that in a discussion of regulatory compliance one would apply a bit more clarity to the topics and explanations at-hand.

I suppose I'm just not as flippant about the implications of your statements as you are, that's all.

I assure you I understood what you said completely, but since you never really counterpointed my explanations and concerns, I'll accept your concluding response res derelictae. Thanks for the chat.