On 09/05/2018 05:28 PM, Tim Cross wrote: [snip]
Unfortunately, that is a reflection of the poor standard of most auditors. They are rarely technical people and just follow a rule book. Most of their rules are outdated and many are wrong. For example, many still require 'complex' passwords consisting of mixed case, punctuation/special characters etc. This is despite the fact that the person who originally proposed such a scheme has actually come out and apologised and said he had it wrong (plus this 'standard' was removed from NIST standards over 2 years ago), and it ignores the changes in technologies which have changed the threat (i.e. rainbow tables etc. now mean length is far more important than complexity).

The 'trick' with auditors is to only answer what they ask, and answer in such a way that what you say is true, but perhaps open to favourable interpretation. E.g.

Auditor: Do your accounts get locked after X failed login attempts?
Answer: We use Active Directory for our Windows domain, which has the failed login policy enabled.
Auditor: Ah yes, I know about that - good, I will mark you as compliant.

rather than

Answer: Well, sort of. We have AD for our Windows accounts, which has the failed login policy enabled, but some of our systems, like Postgres, don't use that service.
Auditor: So do you get locked if you try to login to Postgres and fail X times?
Answer: No.
Auditor: Oh dear, I will have to mark you as non-compliant.
Sadly, our auditors are a bit cleverer. "Send us a screenshot showing that Server X gets locked out after three failed tries." Naturally, Server X runs Postgres.
-- Angular momentum makes the world go 'round.
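An added example, not part of the thread: core PostgreSQL does not lock accounts on repeated failures, so the "X failed tries" evidence an auditor asks for has to be computed from the server log. This script parses the standard `password authentication failed for user "..."` FATAL lines and reports which users hit the threshold within a sliding window. The `log_line_prefix = '%m [%p] '` layout and the sample log lines are assumptions constructed for the example.

```python
"""Flag PostgreSQL roles that exceed a failed-login threshold.

PostgreSQL itself does not lock accounts after N bad passwords; this reads
server log lines and reports which users reached N failures inside a
sliding window, i.e. the condition an AD-style lockout policy acts on.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumes log_line_prefix = '%m [%p] ' (timestamp with ms + zone, then PID).
FAILED_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[\d+\] '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"'
)


def parse_failures(lines):
    """Yield (timestamp, user) for every failed password authentication."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"]


def lockout_candidates(lines, threshold=3, window=timedelta(minutes=15)):
    """Return {user: timestamp at which the failure count first hit threshold}."""
    recent = defaultdict(deque)  # per-user failure timestamps still in the window
    tripped = {}
    for ts, user in sorted(parse_failures(lines)):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in tripped:
            tripped[user] = ts
    return tripped


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '2018-09-05 17:28:01.101 UTC [4101] FATAL:  password authentication failed for user "alice"',
    '2018-09-05 17:28:03.220 UTC [4102] FATAL:  password authentication failed for user "alice"',
    '2018-09-05 17:28:05.305 UTC [4103] LOG:  connection authorized: user=bob database=app',
    '2018-09-05 17:28:07.410 UTC [4104] FATAL:  password authentication failed for user "alice"',
    '2018-09-05 17:40:00.000 UTC [4105] FATAL:  password authentication failed for user "bob"',
    '2018-09-05 18:10:00.000 UTC [4106] FATAL:  password authentication failed for user "bob"',
    '2018-09-05 18:12:00.000 UTC [4107] FATAL:  password authentication failed for user "bob"',
]

if __name__ == "__main__":
    for user, when in lockout_candidates(SAMPLE_LOG).items():
        print(f"{user}: reached 3 failures within 15 min at {when}")
```

With the default threshold only alice trips (three failures in six seconds); bob's three failures are spread over 32 minutes, so they never fall inside one 15-minute window.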