8 comments

[ 3.3 ms ] story [ 34.3 ms ] thread
Something else for IT people to ignore and then pikachu face when they get crypto locked because their 90 day password rotations didn't work.
It's actually a REALLY great resource. I highly recommend anyone to at least skim it.

They do a wonderful job breaking down the entire industry into easily understood pieces and connect everything together.

I consider it essential reading for anyone getting into the industry.

I agree, it's just that most IT departments blatantly ignore most recommendations because they just don't care.
Not sure if I'm missing your intentional irony, but NIST was one of the best places to send folks who think user password rotations are a good idea.

I said "was" because pretty much everyone has now caught up, but NIST updated guidance shortly after big breaches were able to be studied.

> Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

Presumably intentional, or at least I had similar sarcastic thoughts.

I listen to supposed experts all the time attempting to explain how their anecdotal and imaginary (or uninformed, to be generous, because they didn't actually read and comprehend it) scenarios explain how 800-63-3 (and soon to be 800-63-4) clearly isn't correct.

I get why it exists but it turns companies into box checking machines. I haven't read this new version so my skepticism may be unwarranted but hackers are not going to refrain from attacking because that'd go against NIST. A lot of the things that are best practice in the industry as a result of adapting to newer attacker techniques and capabilities are not covered by NIST. The problem then is anyone working on those countermeasures is working on stuff that has no value to execs who just want to know how compliant you are with NIST.

The CSF like ATT&CK is just a tool, it can be abused or used properly and if you are a small company with no idea where to start with security or measure your posture it's a good tool. But as a measuring stick of checkboxes, I can't say I'm a big fan.

The new Governance layer should help check the boxes.
GRC non-sense like this is really the cornerstone of cybersecurity. It seems like dumb boxchecking but these domains are the tools that we use to define, measure and most importantly sell security to management / main IT / users. The technical side is more sexy but then you discover that wack-a-moling the hot sploit of the week didn't really build your posture beyond the low hanging fruit.