|
|
|
|
|
|
by nickpsecurity
3358 days ago
|
|
|
I agree. They got subverted at one point by an organization they thought was helping them. Their overall catalog of advice is OK in that it's a lot of the stuff readers would hear from people they paid for IT or INFOSEC advice. Just free instead. A good example are the recommendations in this one for small, business owners that don't know anything about INFOSEC: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf DISA has the "STIG's" for security configuration: http://iase.disa.mil/stigs/Pages/index.aspx The NSA themselves, the Information Assurance Directorate, had guides on hardening various things. There's one for deploying Chrome in the link below that also references STIG on Chrome: https://www.iad.gov/iad/library/ia-guidance/security-configu... It would be straight-forward for INFOSEC people to vet the NIST or STIG guides for content accuracy then host that copy on their own sites. Or produce similar guides as some do. Just important to target them at people of low knowledge or competence so they know exactly what they need to do. It's them whose hardware will become part of the next DDOS due to configuration error. |
|
|
Fair points, shouldn't throw the baby out with the bathwater etc. But as a governmental agency, do they have the autonomy to avoid being similarly subverted in the future? Not rhetorical, I genuinely don't know how they are governed/if they can refuse the "help" of the 3 letter agencies.
Which makes me realize, the 3 letter agencies may have still benefitted by the Dual_EC_DRBG scandal coming to light - what they lost in a backdoor, they gained in a chilling effect on the spread of good crypto practices by staining NIST's reputation.