@alex-dcosta Daniel will be starting PenTest+ this month followed by CEHv10. We are also planning more Practical Security Skills shows like the one we are recording this week with Brad Stine who is an experienced PenTester. Hope this helps! Thanks!

@murali-krishna It is a work in progress. It can take up to a week once we post an episode for the transcripts to be complete and added. Thanks for your patience and thank you for watching!

Art,

Great question, Let me give you some initial information, and then depending on additional questions yu may have, and / or other posts, follow up as needed.

Multi-Factor Authentication (MFA) is discussed as part of NIST 800-171 compliance under requirement #3.5.3 - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

There are two broad approaches to incorporate MFA:

Out-of-Band (OOB) (e.g., accept an alert on an app on your phone, receive a call or text message with a One-Time Password (OTP))

Cryptographic Tokens (e.g., digital certificate, YubiKey, etc...)

A company may have to incorporate more than one type of MFA to comply with NIST 800-171, since many businesses operate in a hybrid environment where some of their data is stored locally and some is hosted in the cloud, complicating the architecture and compliance solutions.

For companies with everything on-site and an Active Directory (AD) domain, digital certificates would be the most painless and seamless way to incorporate MFA.

However, that is generally not an option with most cloud providers, so OOB MFA solutions have to be considered for those environments.

Determining the "best fit" MFA technology solution comes down to two things:

#1 - Know what your Controlled Unclassified Information (CUI) is

#2 - Once you know where your CUI is, know where your CUI is stored, transmitted and processed so you can segment it off from non-CUI data to minimize compliance scope

Having said all of that, some websites and documents that may prove to be helpful:

https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf

https://www.complianceforge.com/free-guides/free-nist-800-171-cybersecurity-compliance-scoping-guide.html

Please let me know if that points you in the right direction, and / or if you have any further questions that you want to discuss as you move through deciding n a solution.

Good Luck !!!

Cheers,

Adam

Hey Penny,
Sorry that you're having a bit of trouble with your nmap scan. Let's see if we can't figure out the problem.

Let's start by verifying your IP information.
From your Command Prompt type ipconfig and press <enter>
Look for...

IPv4 Address. . . . . . . . . . . . : <your IP address here>

If your IP address isn't 192.168.219.something then this could be why your scan isn't working. But not to worry.
Once you have your IP address information, try running...

C:\>nmap -sT <your IP address here>

This should return some results. Then you should also be able to scan live hosts on your network giving nmap a range of hosts (like 192.168.0.30-50), or just scan the whole network using CIDR notation (like 192.168.0.0/24).

I hope this helps you and let me know if it does. If it doesn't, let me know that too and we'll continue troubleshooting.

Daniel

Art,

I hope all is well. Great question !! The best place to start is with a definitive answer, which is a resounding "No", but...

Let me explain. There are no specific requirements that must be implemented in support of NIST SP 800-171 (R1), rather the document is a statement of Security Requirements that are then cross referenced against two distinct documents that offer relevant security controls, NIST SP 800-53 R4 and ISO/IEC 27001. As a result, the options available to implement the security controls are actually bounded by the two documents, which offer guidance and a selection of options, but no specific "must-do's".

For instance, in NIST SP 800-53R4 SC-28:

"PROTECTION OF INFORMATION AT REST
Control:
The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7.

Control Enhancements:

(1) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]

Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12.

(2) PROTECTION OF INFORMATION AT REST | OFF-LINE STORAGE The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information].

Supplemental Guidance: Removing organizational information from online information system storage to off-line storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to off-line storage in lieu of protecting such information in online storage."

Based on the above, you see two things:

A cross referencing of additional controls that offer guidance, and in some cases options on what approaches may be implemented

Options presented in the supplemental guidance section(s) that offer possibilities, but not specific declarative "must-do" statements.

The goal of NIST SP 800-171 R1 is to "provide a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations."

The key words: "provide a set of recommended security requirements" It's all about the options in other words, and they will vary, and be contextual, and may or may not be implemented the same way across organizations.

Hope that helps.

Cheers,

Adam

G F,
Good morning, I hope all is well. Great question !! Let's discuss two different scenarios that may help to unravel this for you.

Scenario 1: You could bypass the group policy settings if you had knowledge of the local administrators account on the device in question. This would allow you to mount a USB based device and access tools from it. Depending on the O/S in question, you would be able to either switch users, and / or log off and log back in as the local administrative user.

Scenario 2: You could access the tools in question via a network connection and as a result not have to use a USB device to introduce them to the machine, effectively bypassing the Group Policy.

While both scenarios could work, depending on circumstances and variables, both have risks associated with them. In scenario 1, you run the risk of losing information about the current user session and that may be unacceptable. In scenario 2, you run the risk of further compromising the system, and / or allowing it to compromise other systems if a connection to the network and / or the internet is allowed.

Sometimes in forensics, we have to make the best choice based on circumstances. As a result, we are not always able to operate in a way that is ideal, but rather, we operate in a way that does the least amount of harm and attempts to maximize our ability to recover information in a forensically sound manner.

I hope that helps. Please let me know if you have any further questions.

Good Luck !!

Cheers,

Adam

This is a really good question and if there is such a process, it would help increase the site membership greatly.

@rwong-admin , could you please help us here ?

Hi Kelly,
The BCP is the entire business process of recovering (or continuing) after a disaster (typically owned by the business - aka not IT) and the DRP, which is a subset of the BCP, is owned by IT and involves the recovery of business critical IT systems.

So the easiest way I would differentiate BCP and DRP is ownership; BCP is owned (typically) by the business and DRP is owned by IT.

Hi Adam,

Appreciate the prompt reply. I will make use of the transcript as suggested.
Thank you and have a good day!

Thanks,
Ramil

DJ,

Good evening, I hope all is well. GRC is a broad topic, as it encompasses Governance, Risk & Compliance activities across the enterprise. It is discussed in any shows (at some level) that address Risk as a topic as noted below:

CISSP (ISC2)
CCSP (ISC2)
CISA (ISACA)
CISM (ISACA)

Having said that, I agree with you that the topic is often covered in a "scatter-shot" manner and is disjointed and hard to follow. The best certification based approach and material would be for CRISC & CGEIT (ISACA), but we currently do not have content in the library for these. You could look at the following NIST documents for a good primer on risk overall and the ISACA COBIT framework for the Governance piece.

NIST Risk Management Framework: https://csrc.nist.gov/Projects/Risk-Management/Risk-Management-Framework-(RMF)-Overview

ISACA COBIT: http://www.isaca.org/COBIT/Pages/default.aspx

Once you have had a chance to digest the info, please feel free to reach out as needed with any questions that you have.

Good luck !!!

Cheers,

Adam

@delroy-mckenzie said in CEH v9 Certification:

https://cert.eccouncil.org/application-process-eligibility.html#ceh

We're not a recognized training partner with EC Council. So you would choose Option 2.

@julius-thyssen Technology is funny like that. Even with the best planning sometimes releases are delayed. Our partner Practice Labs typically has been spot on with meeting their goals. Hope you enjoy the additional lab!

Agreed. I would have hired my own legal team to assess as I am sure the client would have their legal team look at it, however I am sure their legal term is not as versed in the digital matters, unlike the legal teams and Hackers I met with at last years Defcon 25 giving presentations on various topics.

Just thought it would be an interesting item of discussion and happen-stance that could literally happen.

Lowell,

Great question, and as I see, a lot of great guidance that others have offered you already as well.

I think that What you have seen collectively, as well as what you have decided on, which is to push through and get it done before the April deadline, is the right course of action.

Good luck !!! and if I can be of any assistance as you prepare, please be in touch.

Congrats, @James and @Derek-Agar252 !!!!!

@derek-agar252 I apologize for that! The link to the document above should now work. Thanks for your patience.

@CyberWarrior ,

Please check the following to make the interfaces connect to internet from pfSense.

Check your firewall rules, verify that your LAN2 traffic has a rule where LAN2 is your source and then * is your destination . Also that protocol is any. Check your NAT Rules under outbound verify you have NAT rules for the WAN interface with your LAN2 subnet using the WAN address.

If you don't have #1, then Adam's advice will help and you'll need to set up the rule for LAN2.

But it's not all, because you're using Private IP Addresses (RFC 1918) for your LAN2, you'll also need to configure NAT to work with them. If this outbound NAT is missing, traffic will not be allowed out either.

Try both of these and let me know what the result is...I may have missed something!

addendum you may also need to set your DNS servers for LAN2 as well.

@addy-sharma,

If the show notes are not showing up per episode. We also attach them to the overview video in the upper right corner of that video. It is there as a zipped file, which includes all the notes and files provided by the Subject Matter Expert for that Show.

@ronnie-wong said in Security forums, chat, group suggestions?:

Adam Gordon

This is great! Exactly what I was looking for. Thank you Ronnie!

@george-williams-0,

I had to ask Don who did the show.

He writes that if you setup SFTP with password authentication and combine it with the SSH using certificate authentication. You will end up with SFTP using certificate based authentication.

Don also says in the near future, he'll probably shoot a video for it to combine both but it is possible if you do both on your own.