Husband, Father, IT Pro, service.
I ask a lot of questions to try to understand how people think.
What do you guys use for STIG audit?
Manual STIG viewer or SCAP?
Makes sense. Thanks. I have heard of R7. Had not heard of Qualys.
Thanks
Good info, thanks.
I am familiar with ACAS, which is why I am testing the products.
Fully capturing all the capabilities of scanning, auditing configuration seems like you could put countless hours into the implementation.
I imagine the ROI is high based on what I’ve seen.
Would you agree?
Thanks,. I’ll check into those two
I know businesses like to skip on spending money for upgrades, but still using 2010 is pretty far out. These just mom and pops that have no idea, or these just businesses that don’t care?
I spent Wednesday tracking down what was transferring too much data. It was domain controllers. The team didn’t figure out why though. I’m waiting in anticipation. I also can’t call people names without knowing/JK
Spent the day/week wondering why part of a network was transferring 100 times the planned data, wondering if data exfil, etc.
Nope, just misconfigured domain controllers. Still waiting on the geniuses on that team to figure something out.
If your DC uses GBs instead of MBs to replicate a mostly static directory, you might have a problem…
Thanks for posting interesting stuff.
I like getting infosec info on infosec instance :)
If you cross post to two communities on the same instance, we all see double posts.
Maybe we can pick between cybersecurity and security news for articles and the other for discussion?
Nice. You guys allowing the playbooks to configure or just audit?
Can you share any of the baseline that’s not specific to your org/sensitive? What sources are you using as a reference?
I hear what you’re saying, you’re not wrong.
I would argue that the technical implementations, the ones that are about a quantified or Boolean evaluation, that’s not the case.
Sure, STIGs can be open to interpretation like any benchmark or compliance standard and are open to the reviewers personal discretion or trends in the industry.
I wouldn’t suggest that stigs are more relevant than CIS, since it’s mostly only used by federal government, but it is something to be aware of and a skill set that’s in demand.
I wouldn’t say cis, or stigs, aren’t a security practice by themselves. Security practices come from implementing good policies and evaluation, and I would suggest that the new cybersecurity framework 2.0 would help inform good security practices.
Have you never found ambiguous standards anywhere else?
They’ll all over the place time wise.
I skip forward when he goes on tangents, though I can usually relate to them 😀
Yeah, he’s an acquired taste. I could see being friends, but you have to be interested in wading through a lot of friendly commentary, or do a lot of skipping forward.
I like the domain admin dance.
How would you constructively mentor someone who you think was rased that way? Assuming you had the kind of relationship that allowed it?
I’ve had these kind of talks with people before. You ever made progress with giving someone more options?
guys pat each other on the ass after a good play
But it’s such a masculine pat, not even a pat, a hit, a slap! A hard, masculine manly slap.
There’s a Key and Peele skip coming to mind…
Found it. Slap-Ass](https://www.youtube.com/watch?v=5-uIwpo0dCU)
Edit, and yes, I agree to an extent. I don’t think previous generations of men were taught healthy ideas about emotions, feeling, etc. Anger is generally accepted, sadness, hurt, etc are not. They are just translated to anger to be accepted. I think the general problem is starting to be acknowledged. Maybe not fixed, but there’s a start maybe.
some like things, some don’t
The replies about the stats goes so well with my thought on this.
If I was to talk about some other topic as much as people talk about sports ball stuff, I’d get crap for it.
If I don’t want to talk about sports ball crap, I get crap for it.
It’s a weird double standard sometimes. Maybe because sports are so prevalent and common?
How far do you guys go?
'All of it’s or until it’s inconvenient?
What’s the pain tolerance for when everyone says it makes the job too hard?
Ever compared CIS controls to STIG ACAP?
I’ve only ever used SCAP for a few reasons z but one being it’s free.