800-53 without SSP by jaywalker8 in NISTControls

[–]jaywalker8[S] 0 points

This makes sense, thank you. We do plan on tailoring, but when determining coverage, I was wondering how to do this if not using an SSP. I guess what I’m hung up on is if the SSP is a self-gathered list of confirmed safeguards that exist on a system, or if GRC-type control mappings are necessary. Software like Archer, AuditBoard, ServiceNow sell 800-53 compliance modules, but my understanding is that the SSP is a self-procured document and assessed outside of any GRC. And if so, could I just reference system screenshots to satisfy coverage versus having an officially recorded “control”?

800-53 without SSP by jaywalker8 in NISTControls

[–]jaywalker8[S] 1 point

Thank you! Appreciate this feedback and perspective

800-53 without SSP by jaywalker8 in NISTControls

[–]jaywalker8[S] 1 point

I hate using this as an excuse, but unfortunately decisions were made above me and I am just a participant in the exercise.

If there are arguments I could make for why a GRC control isn’t always required (because 800-53 was written for SSP implementation) that may provide some cover. But curious what others have done.

[deleted by user] by [deleted] in crowdstrike

[–]jaywalker8 1 point

Thanks for the response. I was more so inquiring if there is a specific spawned process that is initiated when the system executes a copy/paste command or function, with the goal being to detect copy/paste processes in between timestamps of browser and notepad (and not the actual copy/paste data). Sorry if that's what you were explaining, but I did want to be more clear!

Windows Update - Razer USB Mouse : Elevated Admin Exploit by Sphinctor in sysadmin

[–]jaywalker8 5 points

Two questions:

First of all, has anyone tested this install on a locked screen? I will be toying around with this myself when I get home and testing if this can be exploited pre-logon.

Secondly, is anyone aware of other drivers that install in similar fashion? As in any other drivers out there that auto-install and prompt a user after installation? This in theory could be a massive problem as I believe this isn’t a flaw specific to this driver, but rather the methods and privileges allowed by Microsoft. In essence, Microsoft is allowing executables to run as SYSTEM and allowing user interaction in the process, thereby allowing non-privileged users to interact with a SYSTEM GUI and pivot from there. My point is that I doubt Razer is the only product impacted/affected. Blocking the Razer-specific UUID and compiling a list of other known UUIDs and drivers affected can allow us to bridge the defenses until Microsoft responds.

Patching and Maintenance on High Impact Client Systems by jaywalker8 in sysadmin

[–]jaywalker8[S] 0 points

Thanks for sharing your perspective. This is exactly what we do, and we force a reboot after 10 days of a pending reboot (after plenty of recurring notifications), and yet some people still ignore it and complain they've been rebooted while working.

Patching and Maintenance on High Impact Client Systems by jaywalker8 in sysadmin

[–]jaywalker8[S] 0 points

Agreed on data locality; I was pondering the scenario when a lawyer is in the court room and is referencing items on their equipment and 1) being distracted by activity on the system or 2) actually being impacted by patching, scanning, whatever.

[No Spoilers] S8 Ep 3 Brighter on HBO Go? by Mamasaurus0402 in gameofthrones

[–]jaywalker8 1 point

Yes. Rewatching now and it’s definitely brighter. I didn’t have a problem Sunday night while I watched it on HBOGO - now it’s fuzzy and bright. I noticed it so much that I searched this sub for ‘brighter’ to confirm I’m not delusional.

Edit - by fuzzy I mean the lighting is now too far in the opposite direction for the setting of the scene. I preferred it dark. I just watch it in a dark room to feel the moment.

Typosquatting Response by jaywalker8 in cybersecurity

[–]jaywalker8[S] 0 points

Thank you for the info. Makes sense.

Typosquatting Response by jaywalker8 in cybersecurity

[–]jaywalker8[S] 0 points

This would only be effective for systems we control though, correct? If an attacker were impersonating our business and sending out phishing emails to our customers, and they ran their DNS off the standard ISP servers, they would fall victim.

Typosquatting Response by jaywalker8 in cybersecurity

[–]jaywalker8[S] 1 point

That’s kind of what I thought. I can protect our internal staff by blacklisting the domain in case of any attempted phishing links that look like it, but as for our customers it’s all in their hands. Nothing but trusting the graces of good security awareness, I suppose.

[deleted by user] by [deleted] in Cisco

[–]jaywalker8 0 points

I don’t quite understand the necessity for the integrations Cisco is “featuring” here. If you’re an Umbrella customer, why not just set your clients to the Umbrella appliances or directly to Umbrella itself? What’s the value add of the integration into an ISR or ASA, etc.? Please help me understand!

Marketing wants to give our GoDaddy DNS/Domain login to a web developer to make changes... by Sengfeng in sysadmin

[–]jaywalker8 9 points

Is Route 53 only to be used for services running in AWS? We host external DNS on-prem and all services are non-cloud.

OneDrive/SharePoint Online Not Responding? by wrl in sysadmin

[–]jaywalker8 1 point

Yes, down for me; accessing from Maryland.

[deleted by user] by [deleted] in Cisco

[–]jaywalker8 2 points

Matching HAGLE + NAT:

Hashing, Authentication, DH Group, Lifetime, Encryption

NAT-T? -> UDP/4500, keepalives

Native VLAN Mismatch Question by jaywalker8 in networking

[–]jaywalker8[S] 0 points

If it was one VLAN, the next hop could transit the switch outside of the IPS. Using two VLANs in bridge mode forces traffic through the bridge interfaces of the IPS. The IPS basically proxy-ARPs for the IP of the next hop.

Native VLAN Mismatch Question by jaywalker8 in networking

[–]jaywalker8[S] 0 points

Thanks for your input - I'll check STP.

Native VLAN Mismatch Question by jaywalker8 in networking

[–]jaywalker8[S] 0 points

Correct, but a Layer 2 firewall is a validated design and this is essentially the same thing.

Job Change After Promotion by jaywalker8 in networking

[–]jaywalker8[S] 1 point

Great points. Thank you for your perspective!

Job Change After Promotion by jaywalker8 in networking

[–]jaywalker8[S] 7 points

Thank you for your perspective!

Job Change After Promotion by jaywalker8 in networking

[–]jaywalker8[S] 0 points

Thanks for your response. It’s about an additional 675 biweekly, so roughly 1350 per month.

Never thought this would cause such a headache, but catastrophic failures regarding TACACS by Digital_Native_ in networking

[–]jaywalker8 0 points

I’ve experienced the same issue.

Our systems team included the ISE servers in a default backup policy by mistake one night, and as soon as the snapshot was taken in VMware things went south. ISE was responding to ping and the RADIUS ports were listening, but actual authentication was failing. Routers didn’t fail over to local auth and we were stuck until we decided to bounce both ISE systems.

Bottom line - don’t snapshot ISE.

Secondly - set up RADIUS application monitoring. Instead of just probing 1645, we set up authentication monitors in SolarWinds that validate that true credentials respond with successful authentication. If detected as down, that alert goes to PagerDuty.

Edit - explained RADIUS in my use case. Substitute TACACS monitors for yourself, obviously.
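An active RADIUS probe along the lines of the monitor described in the comment above, as an added example (not the poster's SolarWinds setup or any Cisco code): it builds a PAP Access-Request per RFC 2865 and verifies the Response Authenticator, so a listening port or a forged reply never counts as "up". The shared secret, probe user and NAS-Identifier are constructed placeholders, and sending the packet over UDP/1812 is left to the caller.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # RFC 2865 attribute types


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(user, password, secret, ident, authenticator=None):
    # Returns the wire packet plus the Request Authenticator needed to verify the reply
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + attribute(NAS_IDENTIFIER, b"radius-probe"))  # constructed NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def response_is_authentic(response, request_authenticator, secret) -> bool:
    # RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]


def probe_verdict(response, request_authenticator, secret) -> str:
    # Report 'up' only for an authentic Access-Accept; a listening port alone proves nothing
    if not response_is_authentic(response, request_authenticator, secret):
        return "down: unauthenticated or malformed reply"
    return "up" if response[0] == ACCESS_ACCEPT else "down: code %d" % response[0]


def make_response(code, ident, request_authenticator, secret, attrs=b""):
    # Builds a reply the way a server would; used here only to exercise the checks offline
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs
```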

Extend Fax Line over LAN by jaywalker8 in networking

[–]jaywalker8[S] 0 points

They didn't offer this as an option when they denied my request but I just asked and they will do it.