redfox

After reading this article, I had a few dissenting thoughts, maybe someone will provide their perspective?

The article suggests not running critical workloads virtually based on a failure scenario of the hosting environment (such as ransomware on hypervisor).

That does allow using the 'all your eggs in one basket' phrase, so I agree that running at least one instance of a service physically could be justified, but threat actors will be trying to time execution of attacks against both if possible. Adding complexity works both ways here.

I don't really agree with the comments about not patching however. The premise that the physical workload or instance would be patched or updated more than the virtual one seems unrelated. A hesitance to patch systems is more about up time vs downtime vs breaking vs risk in my opinion.

Is your organization running critical workloads virtual like anything else, combination physical and virtual, or combination of all previous plus cloud solutions (off prem)?

This is a network defense design scheme question.

In a scenario where your organization is designing multi-layered firewall deployment and management, how granular  do you create rules at each of these three layers?

Example site is a main/HQ site that also houses your data center (basic 3 tier model).

1. Site has your main internet gateway and VPN termination point. As am example, it's a Cisco or other ZBF. It has four zones: (1) Internet, (2) VPNs from other sites/clients, (3) your corporate LAN including data center, (4) Guest/untrusted/Iot.

2. Between your gateway and the rest of your corporate network/datacenter, you have transparent proxy firewall/IPS/monitor. It's bridging traffic between gateway and data center.

3. Within data center, hosts have software host based firewalls, all centrally managed by management product.

Questions:

• How granular do you make ZBF policies at gateway? Limit it to broad zones, subnets, etc? Get granular by source/destination? Further granular by source/destination/port?

• How granular do you make rules for transparent proxies between segments? Src/dst? Src/dst/port?

• How granular do you make rules for host based firewalls? Src/dst? Src/dst/port? Src/dst/port/application/executable?

• How have organizations you've worked for implemented these strategies?

• Were they manageable vs effective?

• Did the organization detect/prevent lateral movement if any unauthorized access happened?

• What would you change about your organization's firewall related designs?

What sources of technical controls does your organization use?

Do you base device/operating system configurations on:

• CIS workbench?
• NIST/STIG?
• Microsoft best practice?
• Google searches and 'that looks good'?

How closely rigorously does your organization enforce change management for policies or settings?

• Can you change GPOs/Linux/Network device settings as needed?
• During maintenance window?
• After a group meeting with code/change review and some sort of approval authority?

Does anyone fully implement workstation and server logon restrictions, and priviledged access workstations (PAW) as prescribed by NIST/STIG/CIS?

The URL is Microsoft's long description of the same concepts.

Specifically from the above, there's a few things like:

• Establishing asset/systems tiers (domain controllers or entire org compromise tier 0, moving towards less consequence in the event of system compromise)
• Accounts with the Active Directory Domain Admins or equivalent are supposed to be blocked from logging into lower tier assets
• Workstations that have access to log into these super sensitive assets like Domain controllers for management are considered PAWs, and are blocked from internet access, highly locked down, might have extra hoops or management plane assets are air gapped?

Question:

Does anyone actually do any of this at their organization?

If so, to what degree?

People hated red forest because it was a whole other set of infrastructure to baby sit.

People hate air gapped systems because no remote access or work from home.

The above doesn't work well with cloud, and as a result Microsoft (just as an example) pushed for the new hybrid PIM models replacing their old red forest concept.

I'm just curious.

This is not an ad.

Does anyone have experience with Tenable products?

I'm interested in real world experience regarding:

• cost
• effectiveness
• ease of use

I'm playing with Tenable Security Center and Nessus Scanner. I'm early in the deployment, just looking for pointers and whether anyone has used it?

What alternatives is your org using if not?

Can you compare?

Edit, if anyone is interested, I can post results and opinions here also.

I like this bean. It's smooth, and I usually like roasts with chocolate notes.

I'm also cheap. This is around .50 cents US per once.

Do you have a favorite bean that's medium/smooth, and also in the .50 range that can be ordered online?

My local roasters are all around a dollar per once and I haven't found anything that was so good, I couldn't go back to this for half the cost, so I do them as a special occasion.

Not sure if this was already posted.

The article describes the referenced court case, and the artist's views and intentions.

Personally, I both loved and hated the idea at first. The more I think about it, the more I find it valuable in some way.

For anyone interested in compliance and hardening, here's some links to the DOD/US GOV standards for information systems. This information is available to the public.

Security Technical Implementation Guides (STIGs)

This is a document that has recommended settings, methods, etc to make a product the most secure it can reasonably be. STIGs break things or turn off features people might be accustomed to. You have to do testing and figure out how to either make something work with STIG settings applied, or do exceptions. These are similar to Internet Security (CIS) Benchmarks.

STIG Viewer

The STIG viewer is a Java app that basically makes the list into a checklist where you can track applying settings.

SCAP

Going farther with automation, Security Content Automation Protocol (SCAP) can be used to conduct automated checked against systems to determine compliance with a setting. Install the SCAP tool, load the automated checks into it, and then take the results from SCAP tool and import them into the STIG viewer. It will knock out anything that could be checked automatically. The remaining checks would be things that are manually checked.

Compare

Here's a good article that compares STIGs and CIS benchmarks: https://nira.com/stig-vs-cis/#:~:text=The%20Center%20for%20Internet%20Security%20offers%20a%20tool%20similar%20to,robust%20than%20the%20STIG%20tool.

Download STIGs for products: https://public.cyber.mil/stigs/downloads/

STIG Viewer: https://public.cyber.mil/stigs/srg-stig-tools/

Security Content Automation Protocol (SCAP) content: https://public.cyber.mil/stigs/scap/

https://public.cyber.mil/stigs/supplemental-automation-content/

For anyone who's interested in pen. testing, there's a business from MN that does a podcast where the host and business owner, Brian, talks about doing tests, tells stories, and is generally goofy.

Brian made a podcast intro song, kinda funny. He talks about testing successes, tips for security, personal things, and running the business. They do live streaming where they sometimes get into the weeds and teach some techniques.

(I am not affiliated with 7 Minute Security, just enjoy the podcast/learning)

For anyone who's interested in IDS, this is a product that's open source, with support.

It can be run as a single standalone, but it's meant to be run tiered, where you can deploy sensors doing packet capture, analysis, which gets sent to a central manager, and then can be retained in search nodes.

It's incredibly powerful, just have to be willing to learn how to tune it.

https://docs.securityonion.net/en/2.4/ https://blog.securityonion.net/

I am not affiliated with the product, just a user of it. I like it.

The article discusses business successes by entrepreneurs, and outlines the realities of obtaining financing for these businesses.

Black-owned businesses in the U.S. are major contributors to the economy, generating $206 billion in annual revenue and supporting 3.56 million U.S. jobs. Many of these businesses are federal contractors and many more are in a good position to become contractors.

Black entrepreneurs apply for business loans at a higher rate, yet we are receiving funding at a much lower rate compared to white entrepreneurs. Studies show that Black entrepreneurs are three times more likely than white entrepreneurs to report that access to financial capital negatively impacts their profits.

Discussion:

Businesses and government are making efforts to roll back DEI, which naturally leaves people imagining we might lose gains made for minorities and opportunity.

Large efforts have been over the years to legislate fairness by making discrimination illegal (effectiveness questionable since we felt like DEI was needed), then tried to legislate including people based on their gender/race/etc.

The DEI ideas were attacked asserting it shifts from qualifications to a person's physical properties.

• Why can't we eliminate gender and racial aspects of applications for things like education, financial support, employment, etc? (Yes, people's names convey some of this)

• What potential efforts could we make that isn't focused on meeting quotas that continues to put people into boxes based on their physical properties and assess true potential?

Indiana's legislature is getting involved in higher education. Your world view will likely inform whether you think that's good or bad. I can't think of many instances where it's good.

Edit: This post isn't an endorsement of the measure, there are more opposition articles below.

I'll include quotes from the posted article, and include a couple of other related opposition articles.

Indeed, from what I’ve seen, not a single professor or administrator who testified on this bill admitted a lack of ideological diversity in higher education. That is troubling and, at best, reveals an unhealthy institutional blind spot. There are other perspectives.

Today, American public universities are among the least ideologically diverse institutions in the world. Indiana is no exception. I am certain there is more ideological diversity in a typical infantry platoon than would be found at any public university.

Let me be clear by what I mean about ideology. I teach Karl Marx to first year students. That isn’t indoctrination. Likewise, a biology professor should ignore public opinion on evolution or photosynthesis. Our research and teaching should pursue and reflect truth, no matter the distress it causes. I am not referring to party affiliation or support for a particular candidate. By ideological imbalance, I mean there is an artificial closed-mindedness that stifles debate, isolates important perspectives and diminishes the richness of a college education.

One clear example comes from a Ball State University colleague who attended a brainstorming session on how to convince more faculty to live near the university. He suggested that highlighting the many high quality local schools would help attract new faculty. Most normal folks view this as self-evident. Yet, this professor was scolded by a senior university administrator, who said the university would not discuss that because “concern about school quality is white privilege.”

Opposition articles:

https://www.indystar.com/story/news/2024/02/26/senate-bill-202-receives-pushback-public-universities-indiana-purdue-ball-state-general-assembly/72743950007/

“If you’re saying that you want to be able to fire faculty for not promoting intellectual diversity, it’s basically giving a gag order to them to say: ‘Don’t upset students. Don't challenge them, or we might have to fire you,'” Erickson said.

While Purdue has not yet made a formal statement, their faculty-led Senate released a statement claiming the bill poses a near-existential threat to faculty tenure, making retaining and recruiting faculty harder and potentially eroding academic freedom.

Ball State's University Faculty Council chimed in as well in a statement condemning the bill and rejecting "the provisions in SB 202 which grant the Board of Trustees oversight of intellectual diversity on campus."

https://www.indystar.com/story/news/politics/2024/02/29/indiana-senate-bill-202-universities-purdue-deery-tenure-expression-holcomb/72780178007/

House Democrats for the last several weeks have railed on the bill in the chamber's education committee and on the House floor arguing against the premise that Indiana universities need the free expression requirements.

Historical and contemporary examples of such purposefully diminished intellectual spaces abound: from Communist Party-controlled university curriculum in China, to routine dismissals of free-thinking faculty in Islamist-controlled universities in Iran, to countless suspensions, intimidations, and even forced migrations of academics at the behest of political strongmen in Russia, Turkey, Hungary, to countless other similar or worse cases across the globe.

Discussion comments:

First, it's very well known that no one likes American republicans, there's likely no need for party bashing/name calling since there's already tons of posts for that. Please keep party related comments in context on specific educational legislation trends if possible. One of the articles mentions US conservative students though, so it's still relevant.

• Have you ever attended an educational institution that you felt scolded for expressing an ideological view? Examples: Political, economic, religious, etc? What were those views and how were they received?

• Have you attended an educational institution where the course curriculum was heavily influenced by political ideology? What was it? What is the context of your region/locality's views and how did it align or differ from what you were being taught?

• "Our research and teaching should pursue and reflect truth, no matter the distress it causes." Do you have any examples of teachings like this you received? Was it to your benefit or not?

• Did you ever experience a professor in your higher education track teach heavily political view points, even in a class that was not related to politics (like Biology)? What about one's you identify with? Progressive, Liberal, Conservative?

“concern about school quality is white privilege.”

• Do you believe that mentioning good schools in a community to attract talent is 'white privilege'?

• Does that mean areas with good schools are for whites, and areas with bad schools are for underprivileged? Is this racial, or socioeconomic?

• From your higher education experience, what institutional issues did you experience related to this article? Did you experience legislature interference? Did you experience faculty's personal views being reflected in your teaching? Did you get affirmation or rebuking of your original world view before education. Did you feel enlightened or have your original views changed after being exposed to broader viewpoints?

Edit:

• Would good educators in your area be fired for expressing dissenting view points based on the composition of your legislative bodies?

• Do you believe there are more progressive, liberal, or conservative educators?

• Do you believe there should be a mix of all viewpoints?

• Do you believe research topics should be a mix of views, if the research crosses from scientific into political/ideology realms?