    • Profile
    • Following 20
    • Followers 13
    • Topics 586
    • Posts 7,265
    • Groups 0

    Posts

    • RE: Pentest - Who would you recommend?

      @NattNatt said in Pentest - Who would you recommend?:

      @Jimmy9008 said in Pentest - Who would you recommend?:

      @IRJ said in Pentest - Who would you recommend?:

      @scottalanmiller said in Pentest - Who would you recommend?:

      @IRJ said in Pentest - Who would you recommend?:

      @scottalanmiller said in Pentest - Who would you recommend?:

      @Carnival-Boy said in Pentest - Who would you recommend?:

      @IRJ said in Pentest - Who would you recommend?:

      You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

      Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

      One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration, so they aren't part of that test (SQL injection, for example, is not penetration), plus it tests attacks, not risks.

      Example: which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or whether the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing, or you might never hit it hard enough to break the hinge.

      Both are valuable, but one tells you a lot more, typically.

      Yes, a lot of people use security assessment and pentesting as interchangeable terms, but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

      Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

      Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

      We would like to see what could be done 'as is'. Just because we have not had a security report done does not mean one should assume we would fail it. We have a lot in place and fixed processes; of course, nowhere is 100%, but I'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

      Unless the attacker was an internal attacker / had links to someone internal to know a bit more...? Never forget that the biggest vulnerability in any business is the fleshy thing in front of the screen.

      Which is much more likely than an external attack....

      posted in IT Discussion
      IRJ
    • RE: Pentest - Who would you recommend?

      @s.hackleman said in Pentest - Who would you recommend?:

      I used to use Trustwave for external PCI pen testing. They were a solid meh. It let me fill in the box that we had been externally scanned for vulnerabilities by a third party on our self-assessment. That being said, if they found anything that needed attention they would never give any advice or talk with me, just hand me a report with a yellow or red dot on it and tell me I could request another scan after updating my config. I'm assuming to cover their asses, but it was frustrating that they were so close-lipped for the amount of money we were giving them.

      Unfortunately, that is pretty standard. That is why the SOW is so important.

      posted in IT Discussion
      IRJ
    • RE: Pentest - Who would you recommend?

      @scottalanmiller said in Pentest - Who would you recommend?:

      @Jimmy9008 said in Pentest - Who would you recommend?:

      Yes, we are aware of this - however that is not the test. We have to trust employees. If we didn't, they would be gone.

      No, you have to trust top-level IT. You don't have to trust other employees. This is the most important piece of IT security: trusting employees is what you must avoid. In the real world, they are your security holes.

      That is literally Cyber Security 101. Human Error and Internal Attacks are much more likely than someone exploiting a complicated external buffer overflow attack.

      posted in IT Discussion
      IRJ
    • Convert MS KBs to Bulletins

      Does anyone know of an easy way to convert MS KBs to the bulletin number or vice versa? I know I can manually search each one, but what I am really looking for is a list of MS Bulletins for each month.

      posted in IT Discussion
      IRJ
    • Splitting one display into two virtual displays

      Does anyone know of any decent software that splits one display into two? I would like to use one of my TVs as a dual display.

      A quick Google search showed this software, but I'm wondering if there is something completely free that would work. Although $19 isn't bad.

      https://maxto.net/?from=winsplit-revolution.com/

      posted in IT Discussion, tagged: virtual displays
      IRJ
    • RE: Splitting one display into two virtual displays

      @Danp said in Splitting one display into two virtual displays:

      @dafyre Are you sure? I believe it does...

      I think it does as well when I am reading the features. Window management is essentially what I am looking for.

      $12.50 is better than $19. They both have a trial so I can test.

      posted in IT Discussion
      IRJ
    • RE: RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563)

      This is also very important information to highlight:

      Note: Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.

      To maximize compatibility with older operating system versions (Windows 7 and earlier versions), we recommend that you enable this setting with a value of 1.

      To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).

      posted in IT Discussion
      IRJ
    • RE: Microsoft Isn't Crazy

      Here is a way to convert YouTube videos to text so you can offer both formats:

      https://www.quora.com/How-do-I-convert-the-voice-in-a-YouTube-video-to-text

      posted in IT Discussion
      IRJ
    • RE: RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563)

      @jsecurity2017 said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

      @irj said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

      This is also very important information to highlight:

      Note: Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled.

      To maximize compatibility with older operating system versions (Windows 7 and earlier versions), we recommend that you enable this setting with a value of 1.

      To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero).

      My question: After installing the security update on Domain Controllers and creating the LdapEnforceChannelBinding registry entry, do clients have to install the security update if the LdapEnforceChannelBinding DWORD value on the DCs was set to 1 (enabled, when supported)? Or only if it was set to 2 (enabled, always)? I didn't know if clients needed the security update no matter what the DWORD value was set to after creating the LdapEnforceChannelBinding reg key...

      Yes, you absolutely still need to patch. If you look at the associated KB, more than that particular CVE is being fixed.

      https://support.microsoft.com/en-us/help/4025338/windows-10-update-kb4025338

      posted in IT Discussion
      IRJ
    • RE: RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563)

      @jsecurity2017 said in RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563):

      @dashrender

      If clients require the patch first, before installing on the DC and making the registry change, it should be more clear. https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry states that "Before you enable this setting on a Domain Controller, clients must install the security update that is described in CVE-2017-8563. Otherwise, compatibility issues may arise, and LDAP authentication requests over SSL/TLS that previously worked may no longer work. By default, this setting is disabled."

      Then it states that "To maximize compatibility with older operating system versions (Windows Server 2008 and earlier versions), we recommend that you enable this setting with a value of 1. See Microsoft Security Advisory 973811 for more details."

      I was thinking, if you set the DWORD to value of 1 then clients may not need the patch right away.

      So I'd apply the patch on all clients. Then audit using PowerShell and/or a vulnerability scanner to verify it is installed on all systems. Then, and only then, would I look at testing this change. Why even touch the reg key until you're sure it's installed everywhere?

      They are referring to 2008 (not R2), which is EOL, so hopefully it's no longer in your environment.

      posted in IT Discussion
      IRJ
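      Taking the order this post argues for (patch every client, audit, and only then touch the key), the following PowerShell audit is an added example, not code from the thread or from Microsoft. It assumes KB4025338 is the update for the Windows 10 build involved (the KB linked elsewhere in this thread), that other OS builds need their own KB numbers added to the placeholder list, and that the host list comes from a constructed hosts.txt reachable over WinRM/DCOM.

```powershell
# Added example (not from the thread or from Microsoft): report which hosts still
# lack the CVE-2017-8563 update and what LdapEnforceChannelBinding is set to on
# the domain controllers, so the key is only changed once every client is patched.
#
# Assumptions: KB4025338 covers the Windows 10 build in question; other builds ship
# the fix under other KB numbers, so $RequiredKbs is a placeholder list to extend.
# The NTDS parameters key is the documented location of LdapEnforceChannelBinding.

$RequiredKbs = @('KB4025338')   # placeholder: one KB per OS build you run
$NtdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName   = 'LdapEnforceChannelBinding'

# DWORD meanings as given in the Microsoft article quoted in the thread (absent = 0).
$Meaning = @{ 0 = 'disabled'; 1 = 'enabled, when supported'; 2 = 'enabled, always' }

function Get-ChannelBindingAudit {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        # Installed hotfixes; an unreachable host is reported, never assumed patched.
        $installed = $null
        try {
            $installed = @((Get-HotFix -ComputerName $c -ErrorAction Stop).HotFixID)
        } catch { }

        $missing = if ($null -eq $installed) { 'unreachable' }
                   else { ($RequiredKbs | Where-Object { $_ -notin $installed }) -join ',' }

        # Only DCs carry the NTDS parameters key; $null means "not a DC / key absent".
        $cb = Invoke-Command -ComputerName $c -ErrorAction SilentlyContinue -ScriptBlock {
            param($k, $v)
            (Get-ItemProperty -Path $k -Name $v -ErrorAction SilentlyContinue).$v
        } -ArgumentList $NtdsKey, $ValueName

        [pscustomobject]@{
            Computer       = $c
            MissingUpdates = if ($missing) { $missing } else { 'none' }
            ChannelBinding = if ($null -ne $cb) { "$cb ($($Meaning[[int]$cb]))" } else { 'n/a' }
        }
    }
}

# hosts.txt is a constructed input file, one hostname per line.
$report = Get-ChannelBindingAudit -ComputerName (Get-Content -Path .\hosts.txt)
$report | Format-Table -AutoSize

# Go/no-go for the registry change: any host still missing the update (or unreachable)
# means hold off, which is the "why touch the reg key until it's everywhere" point.
$blockers = @($report | Where-Object { $_.MissingUpdates -ne 'none' })
if ($blockers.Count -gt 0) {
    Write-Warning "Not ready to enforce: $($blockers.Count) host(s) unpatched or unreachable."
}
```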
    • RE: RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563)

      @JSecurity2017

      Security guys never want to see any vulnerabilities, but we know that for the business to function this isn't possible. This is especially true when we look at something like this that was released two days ago. The best-case scenario is having this deployed in a month when you consider patching maintenance windows, missed servers and workstations, onesies and twosies that need manual installs, etc.

      I would not break production to get rid of a vulnerability that I am going to assume at least 99% of companies have at the moment. When you consider the timeframe of the actual patching, testing, deployment, etc., we are probably going to see this for a long time. The impact of breaking LDAP is generally HUGE and affects nearly every single user and system in the company.

      posted in IT Discussion
      IRJ
    • RE: RegKey needed in order to fix Patch Tuesday LDAP Vulnerability (CVE-2017-8563)

      Sometimes we need to weigh the actual chance of a threat against the potential impact in our environment.

      posted in IT Discussion
      IRJ
    • RE: Make Encrypted Connection in Home network

      @rojoloco said in Make Encrypted Connection in Home network:

      @irj no, there is nothing inherently nefarious about VPN, but the way OP asked the question makes it sound like he wants/needs to hide all his activity, which is a huge red flag. Whether he wants to pirate content, learn how to manufacture heroin, or just look at naked people, there is obviously some unspoken impetus for this. I make no judgment on his potential activity, but this is clearly not an exercise in learning about networks or security, since he seems so very concerned about having unencrypted traffic.

      To me it sounds like there is no real understanding of networking or even of what is being attempted.

      posted in IT Discussion
      IRJ
    • RE: Best ADSL Wireless Router-Home Usage

      From my experience, only consumer-grade devices are an all-in-one. Even the low-end professional routers will not include a modem.

      Asus makes a hell of a router for under $80:

      https://www.amazon.com/Dual-band-Wireless-AC1900-Gigabit-Router-RT-AC68U/dp/B00FB45SI4

      posted in IT Discussion
      IRJ
    • RE: So you want to build a Security Program? Part 1 - Vulnerability Scanning

      @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

      @irj said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

      @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

      So @IRJ I wasn't sure where else to put this. Do you give root access to your vulnerability scanners? Just a conversation I've been having with some people here.

      Unfortunately, they need root to scan according to Tenable's documentation. You can set a specific login window for that account to correlate with your scan. That way it isn't abused anywhere besides during the scan window. Not really 100% secure, but it's better than leaving it wide open.

      Ya we do SCAP with the RedHat SCAP tool. We don't control the Nessus box so we weren't going to give up root access, and they are essentially just checking patch levels.

      What I don't get is why they need root access. If there is a vulnerability, it has to be able to be seen/leveraged from an unprivileged account. Sure you can see vulnerabilities when you log in as root, because you are the vulnerability. I think it's kind of pointless.

      You can do an external uncredentialed scan against a box and only see a few vulnerabilities. It doesn't mean the box only has those vulnerabilities. A skilled hacker could try common exploits against the box and possibly breach it. Another possibility is they are using their own scripts against the box instead of what you'd see with an out of the box scanner.

      posted in IT Discussion
      IRJ
    • RE: Ticketing Solutions for IT Department

      @wirestyle22 said in Ticketing Solutions for IT Department:

      Is the need for this being created by you or was it requested by your boss? If it's you wanting/needing it then use Sodium. If it's your boss use OSTicket and then later on move to Sodium and take the same path @scottalanmiller is taking.

      I am not sure I understand this logic. I would not recommend a solution in its infancy for my company under any circumstance. You have no real guarantee of a stable product or continued support. You never buy a new model car the first year it is released.

      posted in IT Discussion
      IRJ
    • RE: Ticketing Solutions for IT Department

      @tim_g said in Ticketing Solutions for IT Department:

      @gjacobse said in Ticketing Solutions for IT Department:

      @tim_g said in Ticketing Solutions for IT Department:

      @scottalanmiller said in Ticketing Solutions for IT Department:

      @gjacobse said in Ticketing Solutions for IT Department:

      @scottalanmiller said in Ticketing Solutions for IT Department:

      @wrx7m said in Ticketing Solutions for IT Department:

      I did check out osTicket last week, as a result of seeing a post here on ML. It does look good and the hosted pricing is reasonable.

      NTG has been hosting their own, it's pretty simple to do. But we'll likely be on Sodium in a week or two. Just a few little things need to be finalized for it to be at a point that we can flip over.

      Does my boss know this?

      She's the one that decided.

      Why wouldn't you wait until it's a more finished product before putting something like this into actual production?

      Sure, put not-even-alpha software in a test environment, but in production? No way! But I guess that depends on where you are and how many and what types of users it will affect.

      You could set it up in a real test environment, and tell some users to throw in a ticket here and there, so you can provide Sodium with some real feedback.

      Using Sodium as a ticket system, one that should evolve anyway, isn't so much of a problem that I see. Now, when you reference the other features, that may be a different story.. though starting now, you can get used to some of the aspects of it as it's being developed, and know how it will work for you as more options become available.

      Now, being part of the beta or even alpha isn't always the best, and while there can be several releases of Sodium a day.. that may or may not be a problem and may or may not cause some problems...

      Sometimes you just have to say Meh,.. WTH and go for it. Now, when you are talking about a few hundred to a thousand PCs,.. Meh, I'm not rebuilding all those... so, nope.

      That's what I meant. If you work for a place such as the one I do, and you rip out the current fully featured, polished, supported, and working ticketing system... and throw in something like Sodium (no offense, I'm excited about it), you're in for some major trouble from all aspects.

      That's why I said if it's just a few users/computers, sure, go for it if it fits in your environment.

      However, I could stick it in a test environment on the back burner... and ask a few users such as those in IT and some others to throw up a ticket in there once in a while for testing. Using that it could potentially replace the current system and save the company money. But before going too far, I'd keep it internal only to just myself and a few other IT coworkers.

      I am all for testing and working with developers on new products. In no way would I ever recommend another tech put it in production.

      posted in IT Discussion
      IRJ
    • RE: Ticketing Solutions for IT Department

      @scottalanmiller said in Ticketing Solutions for IT Department:

      @irj said in Ticketing Solutions for IT Department:

      @wirestyle22 said in Ticketing Solutions for IT Department:

      Is the need for this being created by you or was it requested by your boss? If it's you wanting/needing it then use Sodium. If it's your boss use OSTicket and then later on move to Sodium and take the same path @scottalanmiller is taking.

      I am not sure I understand this logic. I would not recommend a solution in its infancy for my company under any circumstance. You have no real guarantee of a stable product or continued support. You never buy a new model car the first year it is released.

      That's not really true. There is far, far more security that this will be stable and supported compared to, say, SW where we know that there are financial and development issues. Just because it has been around for ten years does not make for any security. In fact, a key reason for the switch could be that lack of stability, security and development.

      Software is not like cars, you don't buy a first year car because it isn't a living thing. Software is alive, it evolves. You can't compare it to manufactured goods.

      I was looking at osTicket or ManageEngine. I wouldn't really consider SW a real contender for anything other than one- or two-man IT shops.

      posted in IT Discussion
      IRJ
    • RE: FreePBX for Family?

      @nashbrydges said in FreePBX for Family?:

      @aaronstuder I was going to do this for my parents but then decided to go with the Grandstream HT701 direct to voip.ms. Parents have a flaky internet connection, so they're forever rebooting the damn ISP router. It's such a pain in the ass I'm almost regretting it. Make sure their internet connection can support VoIP, otherwise you'll kick yourself.

      bingo

      posted in IT Discussion
      IRJ
    • RE: How to Grow from a One Man Operation to Two

      @mike-davis said in How to Grow from a One Man Operation to Two:

      @storageninja said in How to Grow from a One Man Operation to Two:

      I never hired guys with zero experience, because they cost me more than they made me vs. the premium to pay someone for 40 hours and benefits who was... useful and I could bill at $120-140 an hour.

      Zero experience means you have to ask about the home lab. If they really have an interest in something they will probably be doing it in their free time. If they have zero professional experience and no lab experience, I wouldn't be interested either.

      So if they have a home lab and professional experience, you're gonna still pay minimum wage?

      posted in IT Discussion
      IRJ