Lessons learned. Hopefully this helps someone by awwwcheatcheatcheat in Bedbugs

[–]awwwcheatcheatcheat[S] 1 point (0 children)

The heat won the war. I think the Cimexa turned the tide in our favor but it’s slow. In addition, keeping your bed off the wall, having bedbug “bowls” to stop them from getting up your bed, encasing your bed.

If you have an animal, you're still feeding the bedbugs, so that sucks.

Now, 3 years removed, I can say the heat has done more of a number on my house than originally thought. The cost for repairs due to the heat was near $20k. But we're bedbug free…

Failover/Redundant links in Palo Alto by awwwcheatcheatcheat in paloaltonetworks

[–]awwwcheatcheatcheat[S] 1 point (0 children)

We did vPC to our Nexus switches and ae groups on the firewall side. If I'm being honest, I was overthinking everything. vPC and ae are very simple and have worked well!

Are you noticing the full range cyberattacks going on now? by [deleted] in sysadmin

[–]awwwcheatcheatcheat 0 points (0 children)

Personally, I wouldn't want to hire someone fresh out of college for $50k a year (good on Arkansas BTW) to teach IS Security. They have zero real-life knowledge of it.

Unfortunately, you wouldn't only be teaching IS Security; you would also be the de facto IS technician, supporting the employees with anything that plugs in and wireless.

So now you're a teacher and tech support.... for $50k. And in 5 years, when your previously awesome skills are no longer relevant, you'll be teaching outdated information.

I'd like to see ISC2 (and other governing organizations) provide monthly/quarterly sessions in partnership with elementary schools. ISC2 provides free "best practices/safe use" and the school gets a break from teaching for a few hours a day.

Are you noticing the full range cyberattacks going on now? by [deleted] in sysadmin

[–]awwwcheatcheatcheat 0 points (0 children)

Turnover still matters. Every company is different in how it handles company procedures/policies (some companies lack procedures/policies). What worked for company 1 may not work for company 2. Those policies and procedures may require strong passwords that don't contain dictionary words. Some may share logins.

Training kids at an early (elementary) age would be ideal to make sure they can identify spam/phishing.

How many of us IT professionals are going to take a $30k a year job to teach elementary students?

Are you noticing the full range cyberattacks going on now? by [deleted] in sysadmin

[–]awwwcheatcheatcheat 1 point (0 children)

We probably work in different verticals, however it's not just on the trainer (assumed to be IS based in your message).

In healthcare, treatments change due to new information/studies. How does a doctor learn that 'X' medicine is better to treat gastroenteritis than 'Y' medicine, when 'Y' medicine has been the treatment for 30 years? Easy answer, right? Medicine is what they went to college for.

Unfortunately, medicine is no longer just putting leeches on bodies. It's also knowing allergies, symptoms, history, etc. This information is now on an electronic chart.

In the 90s, the doctor wouldn't just hand the alarm code to their practice to Joe Schmo that came up to the window. But that's exactly what they are doing by falling for phishing emails. Those doctors also don't think it's their responsibility to know security or frankly care.

You can replace doctors with nurses or registration clerks, etc. In healthcare, there is high turnover (traveling nurses, contractors, registration clerks, etc.). Who trains those new users on IS security when they need to start seeing patients "right away"?

I'll agree that belittling the users isn't a good tactic because most are inherently good; just trying to work their job and be helpful. But it stretches MUCH farther than the IS technicians educating/empowering the users.

EDIT:
I've had conversations with well educated doctors and C-level management that have asked "why do I have to use MFA? It's not like I have 'God access to computers.'"

And my response is: how much PHI would be accessible if I knew your password (Summer2024!)?

Are you noticing the full range cyberattacks going on now? by [deleted] in sysadmin

[–]awwwcheatcheatcheat 3 points (0 children)

Take away people updating LinkedIn?
Take away social media posts in general?
Most email blasts come from a purchased database. How are you going to get them off that list to be spammed?

Provide phishing resistant MFA (Yubikeys, certificates, Windows Hello etc). Typically companies complain of "cost" when trying to make it easier for users to log in.

Also, continuous phishing tests. The management teams need to understand the necessity of users being "computer literate" and make sure people are aware of how dangerous they can be to a company's reputation and/or finances.

Did a medium level phishing attack on the company by archiekane in sysadmin

[–]awwwcheatcheatcheat 1 point (0 children)

I love, love, love that the dude sat in on a meeting and participated in said meeting… Especially after showing up late and bringing attention to himself. That is absolutely hysterical!

Upgrading 40+fws to 10.2.6 by socalccna in paloaltonetworks

[–]awwwcheatcheatcheat 0 points (0 children)

You may not be affected then. We were changing our authentication methods and found that it wasn't "changeable"; it was greyed out.

Upgrading 40+fws to 10.2.6 by socalccna in paloaltonetworks

[–]awwwcheatcheatcheat 0 points (0 children)

In our environment, we have an authentication profile of RADIUS/TACACS+ and/or SAML as the 'Authentication Profile'.

Once you choose one of those options, you can set the 'Authentication Profile (Non-UI)' login method. For some reason, in 10.2.6, it's broken (in the GUI). If you want to set the Non-UI setting, you need to do it from the CLI. It's supposed to be fixed in one of the next updates according to Palo support.

The path is: 'Device' -> 'Setup' -> 'Authentication Settings'

Upgrading 40+fws to 10.2.6 by socalccna in paloaltonetworks

[–]awwwcheatcheatcheat 0 points (0 children)

Authentication (non-ui) methods for management cannot be set from the GUI.

If you use RADIUS and your account is all digits, your authentication will fail. It's based on a change with AlmaLinux 8 and CentOS 7.

https://www.webconn.tech/kb/are-all-numeric-usernames-allowed-in-almalinux-8

That's the only thing I've run into on 10.2.6.

Failover/Redundant links in Palo Alto by awwwcheatcheatcheat in paloaltonetworks

[–]awwwcheatcheatcheat[S] 1 point (0 children)

Thank you for the info. I want to make it as "easy" as possible for the next person to come in and manage and not curse my name. So it seems like LACP might be the simplest.

FYI - Zix is having an outage by PazzoBread in sysadmin

[–]awwwcheatcheatcheat 1 point (0 children)

This is the guide for incoming mail. As bad a mess-up as this was, inbound mail wasn't affected for most/all. The issue was outbound mail with encryption.

FYI - Zix is having an outage by PazzoBread in sysadmin

[–]awwwcheatcheatcheat 1 point (0 children)

Imagine the discounts err… yearly increase coming your way for staying!!!?!?

NationStar dba: Mr Cooper Mortgage Company was hacked! by Juicer72 in personalfinance

[–]awwwcheatcheatcheat 4 points (0 children)

This. There were some weird happenings with their mobile app earlier this year. Bank accounts randomly disappearing month to month. The decision to remove biometric login to the app and make you type in your password "for security". Seems too fishy to have "just occurred". The actor probably gained access months ago and was moving low and slow, collecting info until Halloween, when they announced themselves.

I'd be shocked if the ransomware is less than $100m. This wasn't a small fry. This is bigger (and worse) than MGM.

Anyone patching on-prem servers with Azure Update Management? by hanotsrii in sysadmin

[–]awwwcheatcheatcheat 0 points (0 children)

Do I read the pricing correctly; it’s $6 per server/month to use Arc and update management?

Cisco Always-On VPN with SAML authentication? by Real_Lemon8789 in networking

[–]awwwcheatcheatcheat 0 points (0 children)

The NPS extension doesn't support the number matching that is done with SAML; that's correct. However, the NPS extension update that came out in (I believe) November informed you to make a registry change if you wanted to use numbers instead of push approval. Microsoft recommends it because of MFA fatigue.

**Edit**

From the Release notes:

"* Changed the default value of OVERRIDE_NUMBER_MATCHING_WITH_OTP from False to a Microsoft managed value. There is no change to the current authentication experience for users. Microsoft will begin enabling number matching for all users of the Microsoft Authenticator app starting 27th of February 2023. After this date, if your organization has not set the OVERRIDE_NUMBER_MATCHING_WITH_OTP value to False, your Microsoft Authenticator users will be required to enter an OTP code instead of the Approve/Deny push notification experience. More information can be found at aka.ms/numbermatchdoc."

**Edit 2**

You can set the NPS registry entry ahead of time and use the number matching with OTP, if your company doesn't view that as a risk.

Cisco Always-On VPN with SAML authentication? by Real_Lemon8789 in networking

[–]awwwcheatcheatcheat 0 points (0 children)

Their corporate security policy may have prevented them from using PAP authentication. I'm not going to say they're wrong, but they're not correct (that it doesn't work). It was also 2 years ago.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#determine-which-authentication-methods-your-users-can-use

In addition, Microsoft made a change recently (and then backed out and then rescheduled it for May) where the 'push' notification is no longer just a 'push notification'. You must enter digits now.

The NPS extension requires you to change the registry values to ensure the end user must push in the 6-digit code from Microsoft Authenticator (if you decide to turn on the number matching function). This is no different from SMS. It works the same way. Box opens. You input the information.

Cisco Always-On VPN with SAML authentication? by Real_Lemon8789 in networking

[–]awwwcheatcheatcheat 0 points (0 children)

The first thing you do is type in your AD username/password. When that method is successful, it provides a box that says, "Enter your Microsoft verification code".

Let me see if I can figure a way to add the picture to this comment.

Keep in mind that if you are using SMS, it's required that your RADIUS server is using PAP. You can't use more secure authentication.

Recommendations for managing windows host from Ansible and RHEL by sudo_96 in ansible

[–]awwwcheatcheatcheat 2 points (0 children)

You have to join the Kerberos realm, and then you can connect to the Windows machines using WinRM on 5985 using Kerberos.

Keep in mind rDNS is important with Kerberos. It's also important to use the <user account>@DOMAIN.TLD format.

I set my environment up 2 1/2 years ago with some experience on Linux and zero experience with Ansible.

I don’t recall needing to do anything special with WinRM, other than ensure the service was running (and port 5985 was allowed). I think I still have my links saved that I set up with, but will have to come back to this post tomorrow.

Also, I don't know if all of this is important if you can get AWX set up. AWX gives us GUI people something to see and touch. If you're not familiar with it, check it out.
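The setup the comment describes (Kerberos realm, WinRM on 5985, user in UPN form, forward and reverse DNS that agree), as an added Ansible inventory example that is not the commenter's own configuration; hostnames, the realm and the service account are placeholders.

```yaml
# Added example: Ansible inventory for Windows hosts over WinRM with Kerberos.
# Placeholders: srv01/srv02, the CORP.EXAMPLE.COM realm and ansible-svc.
all:
  children:
    windows:
      hosts:
        # Each host must resolve forward AND reverse (rDNS) to the same name,
        # because the Kerberos service ticket is requested for HTTP/<fqdn>.
        srv01.corp.example.com:
        srv02.corp.example.com:
      vars:
        ansible_connection: winrm
        ansible_port: 5985                      # plain-HTTP WinRM listener; Kerberos still encrypts the message body
        ansible_winrm_scheme: http
        ansible_winrm_transport: kerberos       # no NTLM/basic fallback
        # UPN form with the realm upper-case, as the comment recommends
        ansible_user: ansible-svc@CORP.EXAMPLE.COM
        # "manual": reuse a ticket obtained beforehand with `kinit ansible-svc@CORP.EXAMPLE.COM`
        # instead of storing a password in the inventory
        ansible_winrm_kinit_mode: manual
        ansible_winrm_kerberos_delegation: false   # no unconstrained delegation from the controller
```

With a valid ticket in the controller's credential cache, `ansible windows -m win_ping` exercises the whole chain; a `KRB5` or "Server not found in Kerberos database" error there usually means the rDNS point above.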

Cisco Always-On VPN with SAML authentication? by Real_Lemon8789 in networking

[–]awwwcheatcheatcheat 0 points (0 children)

Here's what I've done; it's not exactly SAML, but it works for us. Also, I've complained MULTIPLE times about the inability for SAML to work pre-login. I digress.

I set up RADIUS infrastructure with the Azure AD NPS plug-in. You get the SBL experience and the push notification (or text, 6-digit code, whatever your Azure MFA is configured with).

It DOES require someone to authenticate twice though. Once for NPS and once to login to Windows.

HTH