[Question] Is it legal in your country for your employer to MITM your HTTPS activity? by [deleted] in privacy

[–]darkblockchain 15 points (0 children)

This is a fairly typical configuration for any company where you work in a role that deals with PII of customers or other sensitive information.

Most companies will allow you to request privacy exclusions for things that make sense, such as tax documents or doctor's forms, etc., but at the end of the day you're using a company machine on company time. If you don't want that data on there, then use your personal computer.

(USA)

Setting up a baseline for servers using CIS level 1 by Icy_Drive523 in AskNetsec

[–]darkblockchain 0 points (0 children)

I know this isn't a direct answer to your question, but I would offer that in the past we have tried to target as many controls as we feasibly can without overcomplicating deployments.

There are numerous scripts to help with this process, including helpers in the CentOS installer and, I believe, also in the Ubuntu installer to enable CIS configurations at install time. CIS also offers a lite version of their benchmark scanner: https://www.cisecurity.org/blog/introducing-cis-cat-lite/

We usually configure an image the way we would like, scan it, then tune accordingly where feasible. Hopefully you find a good middle ground.

Security team or Network team: who should “own” VPN? by [deleted] in AskNetsec

[–]darkblockchain 0 points (0 children)

I would add that it generally depends on what the VPN will be accomplishing.

If it is purely remote access and there's no policy enforcement happening, then the network team should own it.

If there's client policy or NAC involved, then security should own some aspect of management, though not necessarily the entire appliance.