|
AlienVault USM looks awesome but haven't played around with it too much
|
# ? May 1, 2018 14:50 |
|
We use Nessus scans (one of our clients uses Qualys), and we use AlienVault USM internally + at 2 clients. I don't work with AlienVault much; that's our SOC team. It seems pretty decent. One thing that was annoying (but honestly expected) was that our one client cheaped out and wouldn't pay for the bigger USM with 2 NICs. Well, they have a fair amount of traffic and we needed SPAN from 2 switch stacks; we tried to install a NIC ourselves to give us 2 ports but it didn't work (again not surprising), so we're doing RSPAN to an edge switch from both stacks and then to the USM. I'm fairly certain we're missing some traffic because the port can't handle all the traffic, but it's hard to tell, and there's more than enough there to keep our SOC guys informed and busy anyway. Just something to be aware of if you want to go with AlienVault: you really need to spec it out correctly from the start.
|
# ? May 1, 2018 20:55 |
|
Okay, cool, I've booked calls/demos. Seems like Nessus is half the price of Qualys and like AlienVault can do more than either. Today's thing - Windows 10 has Fast Startup enabled by default, and Fast Startup means Windows Updates might not install. e: Wow AlienVault is expensive. Nessus it is. Jack the Lad fucked around with this message at 12:07 on May 2, 2018 |
# ? May 2, 2018 10:31 |
|
Jack the Lad posted: Okay, cool, I've booked calls/demos. Seems like Nessus is half the price of Qualys and like AlienVault can do more than either. AlienVault does a lot more though. The only thing about Nessus is that its results are not certified for PCI audits and can't be sent out as proof of compliance (which hopefully you're already aware of), whereas Qualys's are. Doesn't mean that Nessus is bad or isn't the industry standard, but if you need to hand off scan results as proof of compliance to whoever your processor/bank is, it's not the right tool.
|
# ? May 2, 2018 17:29 |
|
Can any of those scanners accurately detect installed hotfixes and KBs in a Windows environment? Based on my experiences with Nexpose and Qualys it's false positives all the way down, mostly because supersedence is a thing that Microsoft hasn't made super easy to detect.
|
# ? May 2, 2018 21:52 |
|
I’d be pretty worried if scanning a host could reveal the hotfixes applied to it. I guess you can provide a WSUS report alongside the scan to show that mitigations are in place.
|
# ? May 2, 2018 23:56 |
|
I'm talking for internal use, not penetration testing. Pure compliance auditing. Most of the time these scanners are provided a credential and they pull poo poo via WMI.
|
# ? May 3, 2018 04:26 |
|
I never had much trouble using WMI for that purpose, so neither should a scanner tool. In a rush looking for a single KB, lazily using this also works if you're forgetful about WMI like me:
systeminfo | select-string 'KBxxxx'
Don't know how good/bad all that is in terms of the supersedence issues you're running into because I don't know what those are. Do you mean the scanner nagging because it doesn't know Hotfix A, which you didn't install, was rolled into Monthly Update B, which you did? Nessus is quite good in that regard in my experience.
|
# ? May 3, 2018 08:14 |
|
Old Binsby posted:I never had much trouble using WMI for that purpose so neither should a scanner tool. In a rush looking for a single kb lazily using this also works if you’re forgetful about WMI like me Scanners are typically looking for compliance with CVEs. A fix provided can manifest in potentially hundreds of KBs, but in my experience scanners will choke if the KB produced in November of 2017 for a CVE in November of 2017 isn't present even if a January 2018 KB that encompasses the fix is there. I'm not sure why these scanners (at least the ones I have experience with) aren't looking at dll file revisions; most of them are looking for strings in the registry for this stuff, which is a special kind of dumb. Pulling existing KBs is easy and not a challenge in the slightest, my problem is being handed a 400 page PDF with a string of CVEs dating back to 2015 and having to validate it all, with 99% of it being inaccurate.
|
# ? May 3, 2018 20:49 |
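The two checks discussed in the last few posts, side by side: pulling the installed-hotfix list the way systeminfo/WMI does, and comparing the patched binary's file version, which is the check that survives supersedence (a later cumulative update ships the same or a newer binary even though the original KB number never shows up on the host). This is an added example, not code anyone posted in the thread; the KB number, binary path and minimum version below are placeholders, and the real values for a given CVE come from the KB article's file-information table.

```powershell
# Added example: validate a fix on a Windows host two ways.
#  1. KB-string check: is the KB in Win32_QuickFixEngineering (what Get-HotFix/systeminfo read)?
#  2. File-version check: is the patched binary at or above the fixed version?
# Only the second check is immune to supersedence false positives.
# $KB, $BinaryPath and $MinimumVersion are placeholders; ntoskrnl.exe is just a
# stand-in for whichever binary the KB article lists.
param(
    [string]$KB = 'KB0000000',                                     # placeholder
    [string]$BinaryPath = "$env:SystemRoot\System32\ntoskrnl.exe", # placeholder
    [version]$MinimumVersion = '10.0.0.0'                          # placeholder
)

function Test-KbInstalled {
    param([string]$KB)
    # Same data source systeminfo uses; returns $false when the KB string is absent
    $hotfixes = Get-CimInstance -ClassName Win32_QuickFixEngineering
    [bool]($hotfixes | Where-Object HotFixID -eq $KB)
}

function Get-BinaryVersion {
    param([string]$Path)
    # Build a comparable [version] from the PE file version fields
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    [version]"$($info.FileMajorPart).$($info.FileMinorPart).$($info.FileBuildPart).$($info.FilePrivatePart)"
}

$kbPresent = Test-KbInstalled -KB $KB
$actual    = Get-BinaryVersion -Path $BinaryPath
$fixed     = $actual -ge $MinimumVersion

# Explain the disagreement between the two checks, which is the supersedence case
if ($fixed -and -not $kbPresent) {
    $note = 'Fixed by a superseding update; a KB-string-only check would report a false positive'
} elseif (-not $fixed) {
    $note = 'Binary below fixed version; remediate'
} else {
    $note = 'KB present and binary at fixed level'
}

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    KB              = $KB
    KbStringPresent = $kbPresent
    Binary          = $BinaryPath
    FileVersion     = $actual.ToString()
    MinimumVersion  = $MinimumVersion.ToString()
    FixPresent      = $fixed
    Note            = $note
}
```

Run it as a script with the KB, binary and minimum version for the CVE being validated; a row with FixPresent true and KbStringPresent false is exactly the case the registry-string scanners in the posts above get wrong.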
|
Wrath of the Bitch King posted:Scanners are typically looking for compliance with CVEs. A fix provided can manifest in potentially hundreds of KBs, but in my experience scanners will choke if the KB produced in November of 2017 for a CVE in November of 2017 isn't present even if a January 2018 KB that encompasses the fix is there. I'm not sure why these scanners (at least the ones I have experience with) aren't looking at dll file revisions; most of them are looking for strings in the registry for this stuff, which is a special kind of dumb. I think we're talking about the same thing in that case. It can definitely be a hassle to make sense of a mile-long list of irrelevant 'critical' vulnerabilities. Which tool does this best, I don't know but I've only ever used nessus seriously enough with results that I could work with to recommend it.
|
# ? May 3, 2018 21:13 |
|
I recently took over an IT dept with, among a laundry list of other things, an issue with documentation of credentials. It appears one previous admin kept most passwords in a collection of password.xls or password.txt which still didn't add up to a complete list, while another previous admin kept passwords in hidden encrypted drives where part of the passwords was never written down and was expected to be memorized by the IT staff, none of whom still work for the company. It was super fun to admin stuff I didn't have admin rights to until I managed to reset some stuff. What are some recommended ways of keeping credentials that are useful but still secure for a company that may have to comply with stuff like HIPAA and IRS regs? I don't know if those things say anything besides 'passwords must be kept secure' but management doesn't seem to have a policy, yet. My thought was to just use KeePass, which I am familiar with anyway, and probably sync it to S3 and put the link and pw in a safe place as a break glass. I mentioned this in passing to a consultant that came in and he said that should be fine. A couple of issues I thought of are that some of our networks are required to be air gapped and I would like to access it from my phone. I think I would make a KeePass file on each DC, then manually copy it off and upload since they really shouldn't change much. I don't know if the mobile KeePass stuff is good or not. Is this a dumb idea or am I going about it the wrong way?
|
# ? May 5, 2018 22:32 |
|
If the company has issues keeping to procedure, maybe just use an online team password manager and skip the headache of people being dumb. Online manager, i.e. the subscription 1Password or something.
|
# ? May 5, 2018 22:38 |
|
CampingCarl posted:I recently took over an IT dept with, among a laundry list of other things, an issue with documentation of credentials. It appears one previous admin kept most passwords in a collection of password.xls or password.txt which still didn't add up to a complete list, while another previous admin kept passwords in hidden encrypted drives where part of the passwords was never written down and expected to be memorized by the IT staff, of which none of them still work for the company. It was super fun to admin stuff I didn't have admin rights to until I managed to reset some stuff. 1password also released a commandline version of their vaulting, which I started looking at for very similar reasons to yours. Though I'm very concerned about accidentally letting password vaults outside of direct company control. There are a few password vaulting/rotating/logging products out there too, which may be more compliant with the regs you work under but would require a bigger management deployment. You may need to be able to answer questions like "who pulled the password for what and when?" that Keepass isn't going to be able to answer (nor 1password). Last I knew Keepass policy was set at the endpoint and can't be forced through settings attached to the vault. Disclaimer: my environment is in no way small shop, but has a lot of small shop problems that prevent a one-size-fits-all solution.
|
# ? May 5, 2018 22:52 |
|
I've seen people recommend Secret Server in the past, but I haven't tried it myself yet.
|
# ? May 5, 2018 22:55 |
|
Potato Salad posted: If the company has issues keeping to procedure, maybe just use an online team password manager and skip the headache of people being dumb. Now I am thinking about all the devs and accountants that just have 'password' for their stuff and wonder if I should push for that. $8 a month per user that is going to end up using sticky notes anyway might not work.
|
# ? May 5, 2018 23:34 |
|
Just lol if your company doesn't keep internal, external and customer passwords alike in cleartext on a Confluence page that is visible to every single employee with an AD account, and that is reachable from the internet.
|
# ? May 6, 2018 00:12 |
|
Hollow Talk posted:Just lol if your company doesn't keep internal, external and customer passwords alike in cleartext on a Confluence page that is visible to every single employee with an AD account, and that is reachable from the internet. You should whistleblow that.
|
# ? May 6, 2018 00:14 |
|
Collateral Damage posted:I've seen people recommend Secret Server in the past, but I haven't tried it myself yet.
|
# ? May 6, 2018 01:04 |
|
^ Thycotic is loving great. Centrify is even better; it's loving IdP and contextual MFA in-box. This comes down to how many non-IT people you want to serve.
|
# ? May 6, 2018 02:45 |
|
Secret Server is kind of poo poo; we used it for a while and I did not like it. We use AuthAnvil now, and also utilize them for 2FA for a few environments. It is generally decent and has decent reporting; the only issue is it can load a little slow, not sure if that's our environment or in general.
|
# ? May 6, 2018 04:10 |
|
Secret Server works well but the licensing model is... questionable. Your user account licenses are separate from your per-user support licenses, but the user account licenses don't activate if there aren't an equal number of support licenses.
|
# ? May 6, 2018 12:14 |
|
Pleasant Password Server. On-Premise. Integrates with KeePass client. Integrates with AD. Full, useful logging. Customizable access based on usergroups. I installed for my .com about 2 years ago and we love it.
|
# ? May 6, 2018 17:28 |
|
We use CyberArk and it's one of the most overwrought products I've ever used. The UI was clearly an afterthought.
|
# ? May 6, 2018 17:41 |
|
Digital_Jesus posted: Pleasant Password Server. Perhaps I am wrong though; the site lists "Manually create/delete/edit/disable users, assign roles, change passwords, etc." as part of Community but "Produce and manage custom access levels; plus set granting which allows for assigning permissions to other users." as Enterprise. I don't know which I need to just have something where I can say X user can only see specific entries. Scheduled backup is Enterprise only though, but if it's locally hosted is there a reason I couldn't just have the whole thing backed up with the rest of the files we (should) back up? Or just export the database to somewhere every once in a while?
|
# ? May 6, 2018 19:45 |
|
CampingCarl posted: I was looking at that one and while I like that it is local KeePass I think a couple of the features I am looking for are only in the Enterprise Edition which is $926 for 10 users, which is a bit much for what I need and I'm sure will get shot down. I set up for Enterprise, as we're an MSP and having the custom access levels was beneficial to us based on how our employees interact with various customers and the access each technician needs at a given client site. The community edition comes with pre-canned access roles, and while they aren't bad at all, they also aren't as drilled down as some folks might want. You're also stuck manually creating and managing your users rather than allowing AD to handle it all via user accounts. Having the ability to make custom access roles is useful if you have non-technical people that will need severely restricted access or you want to customize who can touch what where. Unfortunately AD integration and Audit Logging are part of the Enterprise version, and the ability to tell who the last person to access a password was before something fuckin exploded is invaluable. Also good if people are (maybe) playing with poo poo they shouldn't be without supervision and you want to be notified via email any time someone accesses what would be considered a restricted credential. With regards to the "Set user permissions and Grant Access" portion, you can give some users the ability to grant other users permissions to certain folders without requiring them to be a full-blown system Admin, so that's handy if you have senior staff who manage the little folk but you don't want them being able to troll the audit logs or gently caress around with backups/AD settings. I find the scheduled backup feature handy because if someone accidentally deletes something, I can do a database restore to an hour ago and not lose a day's worth of changes in the system.
If you want to manually export your DB once a day, sure, but that seems like a waste of time IMO. As to the restore question, I've never bothered to test trying to manually copy/paste the DB file back into its install location, so I have no idea how valid of a course of action that would be. Honestly for the initial price it's well worth it, and you can assign the KeePass client to be online-only if you don't want employees able to take their passwords home (excellent if someone gets termed involuntarily). Also after the initial purchase price the maintenance is very reasonable; you can also choose to not go on maintenance and make it a one-time purchase as the license is perpetual and not subscription based. The only way I could see Community edition being valid is if you're a very small shop that doesn't care who accesses what when outside of the default rulesets and doesn't want to audit anything. I spent quite a while looking for a password vault that fit my wants for a premise-based setup. This was hands down the best $$$ we invested. I wouldn't trust my passwords to a cloud hosted service for anything. As in we don't have a single employee here who doesn't love this fuckin thing. (It's got a mobile app too, so you can get passwords off your phone when your laptop ain't got no internets in some chucklefuck's "server" closet and their firewall/router doesn't work right and you need to get in it.) Set up the demo version and get everyone hooked. Then it's an easy sell. Digital_Jesus fucked around with this message at 04:06 on May 7, 2018 |
# ? May 7, 2018 03:56 |
|
Make sure you can do these things with your password mgr:
- be able to give per-password access to specific groups or people
- be able to audit who accessed specific records and when
- require MFA to access
|
# ? May 7, 2018 17:52 |
|
Is Pleasant something you guys are using throughout the company or just IT? I'm skeptical of getting money for Enterprise for the 5 user level for IT purposes, never mind the rest of the company. It will probably come down to how much they care about auditing and if they think our financial people, customer care, managers, etc. will use it at all.
|
# ? May 7, 2018 22:49 |
|
CampingCarl posted: Is Pleasant something you guys are using throughout the company or just IT? I'm skeptical of getting money for Enterprise for the 5 user level for IT purposes, never mind the rest of the company. It will probably come down to how much they care about auditing and if they think our financial people, customer care, managers, etc. will use it at all. I mean... we're an MSP so we don't really have non-IT people in any capacity except for one sales guy, but we don't let him in it because lol sales dude.
|
# ? May 8, 2018 01:54 |
|
Secret Server is a dumpster fire. The UI is terrible and slow. There is a lot about the access provisioning process that doesn't make any sense to me when setting up multiple teams with different access. Give Clickstudios PasswordState a look. I would love to use it but the higher ups don't trust the company's corporate structure or financials so it looks like we are looking at CyberArk.
|
# ? May 8, 2018 02:13 |
|
I just use KeePass; the only people with the password to it are myself and the company owner, who actually has it in a safe. Works well enough for me, have only had to ask him to unlock the safe once. Told him it was a test procedure and not because I was having a slow morning.
|
# ? May 8, 2018 10:25 |
|
PDQ Inventory 16 was released yesterday. It has an installable agent for computers that are outside of your network.
|
# ? May 8, 2018 17:06 |
|
The Fool posted:PDQ Inventory 16 was released yesterday. Oh poo poo! Nice.
|
# ? May 8, 2018 17:35 |
|
2010: Hi we're looking for agentless management software. 2016: Uh we really don't want to give you admin accounts, do you have an agent?
|
# ? May 9, 2018 00:12 |
|
whizperz posted: Secret Server is a dumpster fire. The UI is terrible and slow. There is a lot about the access provisioning process that doesn't make any sense to me when setting up multiple teams with different access. I'll disagree a bit here - I think Secret Server is pretty drat solid - the work you put into setting it up will dictate what you get out of it with respect to thinking about groups / permissions, folder hierarchy, etc. For reference, I have a team of about 30 people using it, mostly technical staff. I use Duo for MFA as it integrates quite well (and Duo kicks rear end anyway). I don't seem to have any issues running it on a VM at my datacenter with MS SQL on the backend, with 4 vCPU and 8 GB RAM with a 100 gig disk. You can set up a passive HA copy with SQL Server replication at a DR site too if you want, without too much headache. Active/active load balancing requires an additional license unfortunately. I'm super picky about UI and overall design with software in general, and I've been using it for years now without too many issues. Granted, I started out with KeePass on an FTP server for concurrent user access, which worked great but didn't scale. Another one to recommend is Passportal - I have pushed a few other MSPs in my area to test this and so far, good feedback (https://www.passportalmsp.com). You can resell password management as a service to your customers with this one. Someone mentioned Centrify, and that has my interest piqued - guess I'll have to give them a ring just to scope out their solution. I know a number of folks going LastPass Enterprise as well - you can always schedule offline backups of monthly data dumps to an encrypted USB flash drive (or two) stored in a safe just to ensure you have a second copy of your data off whatever cloud it lives on.
|
# ? May 10, 2018 01:56 |
|
NevergirlsOFFICIAL posted: I just block all EU IPs from accessing my website :rollsafe: When I took over at the design studio we had a hideous spam problem. It was 2008, so pretty much everyone did. We were running Communigate on OS X with some bolt-on spam filter I forget the name of. It didn't catch poo poo. Even running incoming mail through Postini didn't do more than get it down to a dull roar. I was diligent; I kept on top of it. Eventually I was blocking ranges of class As: Eastern and North-Eastern Europe. Then someone mentioned they hadn't gotten any email from our large client in NE Europe. Whoops. I released a bunch of stuff from quarantine and carved them out a class B. Other than that, blocking something like 4.0.0.0 to 9.255.255.255 was the most effective thing I did, at least until gCal proved out and I cut us over to Gmail. I'm pretty sure that somehow that org had gotten on the radar of some pretty serious black hats. I have no insight into the before times, the long long ago, but I do know what happened when VMware Console forgot which VMs it should and shouldn't spin up when the service started. Our 50/50 connection saturated so bad it looked like an outage, except MRTG showed utilization pegged at 100%. A defunct subsidiary org's website was one of the VMs that should never, ever, ever be spun up. God alone knows what was hosted on there; I'm just glad I never heard from the FBI about it. I managed a successful bit of security by obscurity at that gig. Our FTP server was run on a 450MHz single-processor G4 tower running an obsolete version of OS X. It didn't use the BSD ftpd; it was some commercial FTP server with a lovely UI that wouldn't talk to LDAP for authentication. Every night, about 2 am local, it would receive exactly 50 brute force attempts to gain access. These all came from Central Europe. Since they were trying to brute force the "Administrateur" account, which didn't exist, I was willing to let it slide. All I ever did with that box was put in a bigger hard drive.
|
# ? May 10, 2018 03:25 |
|
My company is moving to NetSuite and someone said we can do helpdesk on it. Is that even a thing or should I ask for something else? The previous admin had Spiceworks but didn't leave the password for it. I assume there is a way to reset it but was told we would be getting something new so I didn't put in the time. Either way, in the short term I need something basic I can set up quickly. In other news management agreed we need credential management, but Enterprise Pleasant at $70-90/user didn't seem to go over so well and I think all the alternatives with role access are subscriptions, so looking forward to some fun conversations.
|
# ? May 11, 2018 01:10 |
|
CampingCarl posted: My company is moving to NetSuite and someone said we can do helpdesk on it. Is that even a thing or should I ask for something else? The previous admin had Spiceworks but didn't leave the password for it. I assume there is a way to reset it but was told we would be getting something new so I didn't put in the time. Either way, in the short term I need something basic I can set up quickly. Don't use Spiceworks, but if you gotta reset the pw, what you need to do is laid out step by step in their community. Google it.
|
# ? May 12, 2018 22:08 |
|
There's probably a shorter, better version of that guide on serverfault.com though.
|
# ? May 14, 2018 15:44 |
|
I've joined your ranks as the only IT dude in a twenty-ish user environment. Any sage wisdom you guys could pass down?
|
# ? May 15, 2018 22:05 |
|
Document everything, automate as much as possible. The more you are able to automate, the more standardized your environment becomes, the less time you have to worry about putting out fires and the more time you can spend on meaningful projects.
|
# ? May 15, 2018 22:11 |