I could point you to overzealous auditors trying to force implementation of USGCB (http://usgcb.nist.gov/usgcb_faq.html) and going line by line through the NIST Special Publication 800-53 control catalog trying to find things you don't implement so they can ding you (what?! Your Linux auth isn't using FIPS 140-2 validated encryption?! Or how are you ensuring transmission integrity for everything?).[1]
Luckily those auditors don't have a long shelf life inside my org, but they do exist and wreak havoc while they are active.

Carolyn

[1] Password policies are part of this. I'm waiting for the new Mac security folk to run into the case where some poor user gets auto-locked out because their password meets the org-level rules for passwords but doesn't match the local Mac password enforcement (different requirements) which they just enabled in order to be thorough. :p

Sent using a mouse-sized keyboard with feigned autocorrect intelligence.

> On Dec 3, 2014, at 10:31 PM, Doug Hughes <[email protected]> wrote:
>
>> On 12/3/2014 10:42 AM, Jan Schaumann wrote:
>> Hello,
>>
>> I'm currently exploring the intersection of #sysadmin / #infosec[1] a bit. There is obvious overlap, yet at many companies the two camps also frequently end up at loggerheads. I'd like to collect some feedback:
>>
>> What #infosec or (PCI) compliance mandates and rules drive you nuts? What (seemingly or actually) pointless, braindead things are demanded of you?[2]
>>
>> On the flip side, what are some of the security related concepts or fundamentals that you think junior sysadmins are frequently lacking or having trouble understanding?[3]
>>
>> Feel free to email me off-list, if you prefer. Alternatively, you can also reply to the tweets referenced.
>
> Here's one (that, thankfully, I currently don't have to deal with).
>
> Password policies that enforce very explicit lists of things like 1 this, 1 that, 1 the other, and maybe another one of something else that also must be changed every 30 days. The results tend to be totally counterproductive, and have been documented many times in relevant literature, but somehow many organizations still end up making the same mistakes.
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
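The lockout case in Carolyn's footnote (a password that satisfies the org-level rules but fails a differently configured local enforcement) is easy to check for before turning the local enforcement on. The following is an added example, not code from the thread or from any real policy tool; both rule sets and the sample passwords are constructed for illustration, and the `Policy` fields are hypothetical, not macOS `pwpolicy` keys.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical rule set, constructed for this example. It models the kind of
# "1 this, 1 that" rules discussed in the thread, not any vendor's real schema.
@dataclass
class Policy:
    name: str
    min_length: int
    min_upper: int = 0
    min_digit: int = 0
    min_symbol: int = 0
    max_repeat: Optional[int] = None  # longest allowed run of one character

def violations(password: str, policy: Policy) -> List[str]:
    """Return the rules in `policy` that `password` fails (empty list = passes)."""
    failed = []
    if len(password) < policy.min_length:
        failed.append(f"length<{policy.min_length}")
    if sum(c.isupper() for c in password) < policy.min_upper:
        failed.append(f"upper<{policy.min_upper}")
    if sum(c.isdigit() for c in password) < policy.min_digit:
        failed.append(f"digit<{policy.min_digit}")
    if sum(not c.isalnum() for c in password) < policy.min_symbol:
        failed.append(f"symbol<{policy.min_symbol}")
    if policy.max_repeat is not None:
        # (.)\1* matches a run of one repeated character; find the longest run.
        longest = max((len(m.group()) for m in re.finditer(r"(.)\1*", password)), default=0)
        if longest > policy.max_repeat:
            failed.append(f"repeat>{policy.max_repeat}")
    return failed

def lockout_candidates(samples: List[str], org: Policy, local: Policy) -> Dict[str, List[str]]:
    """Passwords the org policy accepts but the local policy rejects.
    Each would clear the central change screen and then fail on the endpoint,
    which is the auto-lockout case worth finding before enabling local enforcement."""
    return {p: violations(p, local) for p in samples
            if not violations(p, org) and violations(p, local)}

# Two deliberately mismatched rule sets (constructed): the org requires length and
# character classes, the local endpoint requires a symbol and limits repeats.
ORG = Policy("org", min_length=12, min_upper=1, min_digit=1)
LOCAL = Policy("mac", min_length=8, min_symbol=1, max_repeat=2)

# Constructed sample passwords chosen to exercise each rule; not real credentials.
SAMPLES = ["Correcthorse1", "Tr0ub4dor&3", "Aaaabbbb1234", "short1A"]

if __name__ == "__main__":
    for pw, why in lockout_candidates(SAMPLES, ORG, LOCAL).items():
        print(f"{pw!r} passes {ORG.name} but fails {LOCAL.name}: {why}")
```

Running the gap check over real policy definitions (rather than the constructed ones here) shows which rules the two systems disagree on, so the local rules can be aligned before users are locked out.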
