Re: User to get locked after three wrong login attempts.

From Ron
Subject Re: User to get locked after three wrong login attempts.
Date
Msg-id 69ff0db1-be26-5746-7b51-867f07c74d36@gmail.com
In reply to Re: User to get locked after three wrong login attempts.  (Tim Cross <theophilusx@gmail.com>)
List pgsql-admin
On 09/05/2018 05:28 PM, Tim Cross wrote:
[snip]
> Unfortunately, that is a reflection of the poor standard of most
> auditors. They are rarely technical people and just follow a rule
> book. Most of their rules are outdated and many are wrong. For example,
> many still require 'complex' passwords consisting of mixed case,
> punctuation/special characters etc. This is despite the fact the person
> who originally proposed such a scheme has actually come out and
> apologised and said he had it wrong (plus this 'standard' was removed
> from NIST standards over 2 years ago) and ignores the changes in
> technologies which have changed the threat (i.e. rainbow tables etc now
> mean length is far more important than complexity).
>
> The 'trick' with auditors is to only answer what they ask and answer in
> such a way that what you say is true, but perhaps open to favourable
> interpretation. e.g.
>
> Auditor: do your accounts get locked after X failed login attempts
> Answer: We use Active directory for our Windows domain, which has the
> failed login policy enabled.
> Auditor: Ah yes, I know about that - good, I will mark you as
> compliant.
>
> rather than
>
> Answer: Well sort of. We have AD for our windows accounts which has the
> failed login policy enabled, but some of our systems, like Postgres,
> don't use that service.
> Auditor: So do you get locked if you try to login to postgres and fail X
> times
> Answer: No
> Auditor: Oh dear, I will have to mark you as non-compliant.

Sadly, our auditors are a bit cleverer.  "Send us a screenshot showing that 
Server X gets locked out after three failed tries." Naturally, Server X runs 
Postgres.

-- 
Angular momentum makes the world go 'round.
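One defender-side way to get the lockout behaviour this thread is asking for, as an added example that is neither Ron's nor Tim's code and not a built-in PostgreSQL feature: a small Python log scanner that counts failed password authentications per role and emits the ALTER ROLE statements that disable login for offenders. It assumes log_line_prefix = '%m [%p] %u@%d ', a threshold of three failures within ten minutes, and the constructed log lines embedded below.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the shape PostgreSQL emits with
# log_line_prefix = '%m [%p] %u@%d ' (timestamp, pid, user@db) -- an assumption.
SAMPLE_LOG = """\
2018-09-05 17:30:01.101 CDT [4321] alice@appdb FATAL:  password authentication failed for user "alice"
2018-09-05 17:30:03.220 CDT [4322] alice@appdb FATAL:  password authentication failed for user "alice"
2018-09-05 17:30:05.340 CDT [4323] alice@appdb FATAL:  password authentication failed for user "alice"
2018-09-05 17:31:00.000 CDT [4324] bob@appdb FATAL:  password authentication failed for user "bob"
2018-09-05 17:31:10.000 CDT [4325] bob@appdb LOG:  connection authorized: user=bob database=appdb
2018-09-05 17:45:00.000 CDT [4326] carol@appdb FATAL:  password authentication failed for user "carol"
2018-09-05 18:20:00.000 CDT [4327] carol@appdb FATAL:  password authentication failed for user "carol"
2018-09-05 18:21:00.000 CDT [4328] carol@appdb FATAL:  password authentication failed for user "carol"
"""

FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] \S+ '
    r'FATAL:  password authentication failed for user "(?P<user>[^"]+)"'
)
OK_RE = re.compile(r'LOG:  connection authorized: user=(?P<user>\S+)')


def users_to_lock(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return the sorted roles that hit `threshold` failures inside `window`.

    A successful login resets that role's failure counter, so a user who
    mistypes once and then gets in is not flagged."""
    failures = defaultdict(list)
    locked = set()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            user = m.group("user")
            # keep only failures still inside the window relative to this one
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) >= threshold:
                locked.add(user)
            continue
        m = OK_RE.search(line)
        if m:
            failures.pop(m.group("user"), None)
    return sorted(locked)


def lock_statements(users):
    """SQL a DBA or cron job would run to disable login for the flagged roles."""
    return ['ALTER ROLE "{}" NOLOGIN;'.format(u.replace('"', '""')) for u in users]


if __name__ == "__main__":
    for stmt in lock_statements(users_to_lock(SAMPLE_LOG)):
        print(stmt)
```

Feeding the statements to psql (and later re-enabling with LOGIN) gives the audit-visible lockout; carol is not flagged because her first failure falls outside the ten-minute window.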

