Mandiant Security Remediation

Project Summary

Consolidated remediation program for findings from Google/Mandiant penetration tests conducted at CHLA. The January 2026 assessment identified a critical posture redirect ACL vulnerability and an ISE XXE CVE. The April 2026 wireless assessment added 7 WIR findings. This project tracks all workstreams from finding through remediation to validation.

Status

| Workstream | Description | Status | Notes |
|---|---|---|---|
| Jan 2026 Assessment | External (Jan 13-16) + Internal (Jan 19-23) pentest | ✅ Done | Findings documented, remediation in progress |
| Posture ACL Remediation | PENTEST-POSTURE-ACL-001 — strip Kerberos/SMB/LDAP from redirect ACL | 🟡 In progress | CR drafted, awaiting approval. Zero-trust ACL designed. |
| ISE CVE Patching | CVE-2026-20029 XXE — upgrade to ISE 3.2 Patch 8 | ⚠️ Verify | Scheduled Feb 10-12. Confirm completion status. |
| dACL Enforcement | Downloadable ACL deployment across wired/wireless | 🟡 In progress | V5 dACL tested in home lab. Production deployment pending. |
| WIR-H-01/H-03 (Rogue AP) | WIDS alerting — depends on QRadar→Sentinel migration | 🟡 In progress (25%) | Log source inventory complete (3,037 records). Sentinel connector mapping pending. |
| WIR-H-02 (EAP Cert Validation) | MDM profile remediation — aligned with MSCHAPv2 deprecation | 🟡 In progress (25%) | 6 use cases, 8 platforms, all owners confirmed. Window 5/4-5/30. |
| WIR-I-01 (MFP) | Management Frame Protection — CR pending for 3 SSIDs | ⏳ Pending CR | Non-disruptive, backward compatible. |
| WIR-I-02 (Wi-Fi Direct) | GPO to disable Wi-Fi Direct radio on HP printers | ⏳ Pending coordination | Inventory from Appendix D required. |
| WIR-L-01 (EAP Identity) | Anonymous identity in outer EAP tunnel — folded into MSCHAPv2 migration | 🟡 In progress (25%) | All central mgmt profiles will use anonymous identity. |
| WIR-M-01 (Ethernet Ports) | Guest CWA redirect ACL hardening — pre-AUP dACL + switch redirect ACL | 🟡 In progress (25%) | GUEST_CWA_REDIRECT_MAX_SECURITY designed. Tony Sun (NE) for switch ACL. Lab validation pending in d000. Joint CR required. |
| MSCHAPv2 Deprecation | 6,088 devices migrating to certificate-based auth | 🟡 In progress | 5-wave deployment. See MSCHAPv2 Migration Project. |
| Apr 2026 Assessment | Q2 wireless assessment — 7 WIR findings received | 🟡 In progress | Findings integrated, remediation underway. |
| Validation & Close-out | Verify all remediations, re-test, document | ❌ Not started | |

| Field | Value |
|---|---|
| PRJ ID | PRJ-2026-01-mandiant-remediation |
| Author | Evan Rosado |
| Created | 2026-01-18 |
| Updated | 2026-04-06 |
| Status | Active — Posture ACL remediation + Q2 assessment in progress |
| Category | Security Remediation / Penetration Test Response |
| Priority | P0 (critical security infrastructure) |
| Engagement | Google/Mandiant — External (Jan 13-16) + Internal (Jan 19-23) |
| Stakeholders | CISO (Sarah), InfoSec team, Network Engineering |