I went from full time cyber ops for the past 5 years to cyber assessments and accreditation.

I have now done A&A work for the past year. The amount of absolute lies and lack of knowledgeable answers taking place in the RMF assessment world is astounding. When I bring it up to management, like hey we can't answer the control like this because it's not correct, they don't care. All they want to do is get it done so the package stays or goes green for accreditation. It's truly amazing, and then the assessors will just sign off on it and concur. I am not trying to be a dick but most of these A&A folks don't know a damn thing about security. They got their online degree and passed Sec+ and just answer stuff plain wrong, and then if I call them out on it instead of being humble and saying ahh, ya know, good catch, let's get this fixed, they get offended and either ignore the blatant security violation or double down on the wrong answer.

For example a control might say the "system" logs security events. The answer these cats will post is yup, here is 4624. We good! I'll ask them ok, that's great for the 2 Windows workstations, but I see 5 Red Hats, a Cisco ASA, and it also says you have Apache on these, so I need to see that all of these systems are being logged to a central logging repository. Please show me the rsyslog config file, Cisco config file, Apache logs, and then show me the artifacts on central logging, or if you're using an agent that forwards to a SIEM, show me the artifacts for each asset within the SIEM.

You would think I just asked for heaven and earth to be moved and why tf am I asking for all that? And then it'll take a year for them to actually get all that, if they even do, and the system will remain accredited. It's like banging my damn head on the wall.

In fact cyber security is a great field to go into if you just like talking to walls. I've got brand new systems that before they are even accredited need acceptance of risk paperwork! It's brand new, fix it before we put it online! Even in operations it was like this. Does anyone else ever get frustrated about this type of shenanigans?

Edit: I should also add, if you're in cyber operations and are getting burned out I'd take a look at assessment RMF/GRC work. It's incredibly easy coming from ops and it can actually pay significantly more.
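The evidence the post asks for (rsyslog and ASA forwarding config, Apache handing its logs to syslog, and each asset actually appearing in the SIEM) can be checked mechanically rather than taken on someone's word. The script below is an added example written for this page, not code from the poster; the hostnames, the collector address 10.0.0.5, the config excerpts and the SIEM host list are all constructed, and the Windows agent format is assumed to be a winlogbeat-style `hosts:` list. It treats a config line as necessary but not sufficient: an asset only satisfies the control when its config forwards somewhere and the SIEM has received events from it.

```python
import re
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str     # "windows" | "rhel" | "asa" | "apache"
    config: str   # excerpt of the forwarding-relevant configuration file


# rsyslog legacy syntax:   *.* @@10.0.0.5:514   (@ = UDP, @@ = TCP); a leading '#' is a comment
RSYSLOG_LEGACY = re.compile(r'^\s*[^#\s]+\s+@@?([\w.\-]+)(?::\d+)?\s*$', re.M)
# rsyslog RainerScript:    action(type="omfwd" target="10.0.0.5" port="514" protocol="tcp")
# (assumes type= precedes target=, which is the usual ordering)
RSYSLOG_OMFWD = re.compile(r'action\([^)]*type="omfwd"[^)]*target="([^"]+)"', re.S)
# Cisco ASA: syslog destinations only take effect once "logging enable" is set
ASA_HOST = re.compile(r'^\s*logging host \S+ ([\w.\-]+)', re.M)
ASA_ENABLE = re.compile(r'^\s*logging enable\s*$', re.M)
# Apache: ErrorLog can target syslog directly; access logs need a piped logger
APACHE_ERRORLOG = re.compile(r'^\s*ErrorLog\s+"?syslog', re.M)
APACHE_PIPED = re.compile(r'^\s*CustomLog\s+"?\|', re.M)
# Windows agent, assumed winlogbeat-style YAML:   hosts: ["10.0.0.5:5044"]
AGENT_HOSTS = re.compile(r'hosts:\s*\[\s*"([^":\]]+)')


def forwarding_targets(asset):
    """Collector hosts this asset's config sends logs to ([] means nothing leaves the box)."""
    cfg = asset.config
    if asset.kind == "rhel":
        return RSYSLOG_LEGACY.findall(cfg) + RSYSLOG_OMFWD.findall(cfg)
    if asset.kind == "asa":
        return ASA_HOST.findall(cfg) if ASA_ENABLE.search(cfg) else []
    if asset.kind == "apache":
        # httpd hands both log streams to the local syslog daemon, whose own
        # forwarding must be evidenced separately as a "rhel" asset
        both = APACHE_ERRORLOG.search(cfg) and APACHE_PIPED.search(cfg)
        return ["local-syslog"] if both else []
    if asset.kind == "windows":
        return AGENT_HOSTS.findall(cfg)
    return []


def assess(assets, siem_hosts):
    """Per asset: does the config forward, and did the SIEM actually receive events?
    Both are required; a forwarding line with nothing arriving is still a finding."""
    report = {}
    for a in assets:
        targets = forwarding_targets(a)
        seen = a.name in siem_hosts
        report[a.name] = {
            "forwards_to": targets,
            "seen_in_siem": seen,
            "satisfied": bool(targets) and seen,
        }
    return report


def findings(report):
    """Names of assets that fail the central-logging check, sorted."""
    return sorted(n for n, r in report.items() if not r["satisfied"])


# Constructed inventory mirroring the post: workstation, Red Hats, an ASA, an Apache host
INVENTORY = [
    Asset("ws01", "windows", 'output.logstash:\n  hosts: ["10.0.0.5:5044"]\n'),
    Asset("rhel01", "rhel", "*.info;mail.none /var/log/messages\n*.* @@10.0.0.5:514\n"),
    Asset("rhel02", "rhel", "# *.* @@10.0.0.5:514   <- commented out\n*.info /var/log/messages\n"),
    Asset("rhel03", "rhel", 'action(type="omfwd" target="10.0.0.5" port="514" protocol="tcp")\n'),
    Asset("asa01", "asa", "logging enable\nlogging trap informational\nlogging host inside 10.0.0.5 6/1514\n"),
    Asset("web01", "apache", 'ErrorLog "syslog:local1"\nCustomLog "|/usr/bin/logger -t httpd -p local1.info" combined\n'),
]
# Constructed: hosts the SIEM reports having received events from in the last 24h.
# rhel03 is configured to forward but never shows up, e.g. a blocked port.
SIEM_HOSTS = {"ws01", "rhel01", "asa01", "web01"}

if __name__ == "__main__":
    report = assess(INVENTORY, SIEM_HOSTS)
    for name, r in report.items():
        print(f"{name:8} forwards_to={r['forwards_to']!s:16} seen_in_siem={r['seen_in_siem']!s:6} "
              f"{'OK' if r['satisfied'] else 'FINDING'}")
    print("findings:", findings(report))
```

Run as-is it flags rhel02 (forwarding line commented out) and rhel03 (config looks right but the SIEM never heard from it), which is exactly the pair of cases a "we good, here is 4624" answer glosses over. Pointing the regexes at real files and replacing `SIEM_HOSTS` with an export from the SIEM's asset list turns it into a repeatable artifact for the control.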

