by user3939382 1740 days ago
I perused the draft and was surprised by my jaded reaction: Great! More effort put into detailed cybersecurity strategies for the likes of OPM, T-Mobile, and Equifax to ignore.

We have thousands of pages of frameworks and NIST guides and the people in charge, especially in the private sector, are free to neglect or ignore them with impunity because apparently regulators don’t care and the market doesn’t care, so why should they?

It’s like we have these brilliant cryptographers working on technical advancements that I can barely grasp, and the people (management) in charge of putting their work to use can’t be bothered with basic patch management.

The whole landscape of practical cybersecurity feels very hopeless to me.

5 comments

Come work in healthcare. If you are at one of the larger insurance orgs (UHG, Anthem, Humana) or hospital networks (HCA, Dignity, etc.) you are locked into a world of this model making your life the most difficult imaginable. Need vendor support? Hope you like watching them work over Webex, as they won't have any access to any of your servers. Need a VPN to tunnel data across? Yeah, good luck with that; it'll take at least 6 months, mostly for legal to approve. On top of rotating passwords on a yearly basis for service accounts, regular entitlement reviews, risk reviews, policy reviews, and rotating passwords for users every 90 days still, along with multifactor authentication. I feel like I'm working at Fort Knox every day.

This sort of speaks to what the GP was talking about -- not following guidelines and frameworks.

For example,

> On top of rotating passwords on a yearly basis

> rotating passwords for users every 90 days

NIST 800-63B, as of 2017, explicitly advised against this.

"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)." [1]

[1] https://pages.nist.gov/800-63-3/sp800-63b.html
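The 800-63B point above is easy to state and easy to miss in a config review, so here is an added example (not from the thread or from NIST) that audits a constructed `/etc/login.defs`-style snippet for the two settings the guidance actually speaks to: a finite `PASS_MAX_DAYS` (forced periodic rotation, which 800-63B says verifiers SHOULD NOT require) and a `PASS_MIN_LEN` below the 8-character minimum 800-63B sets for memorized secrets. The sample file contents and the threshold constants are constructed for the example; `harden_login_defs` shows the weak values beside the corrected ones.

```python
import re

# Constructed sample in the style of /etc/login.defs (not taken from any real host).
SAMPLE_LOGIN_DEFS = """
# Password aging controls (constructed example)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

NO_EXPIRY = 99999   # shadow-utils convention for "password never expires"
MIN_LENGTH = 8      # SP 800-63B: subscriber-chosen memorized secrets SHALL be >= 8 characters


def parse_login_defs(text):
    """Return {KEY: value} for every uncommented 'KEY VALUE' line."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit_password_policy(text):
    """Return a list of findings that contradict SP 800-63B section 5.1.1.2."""
    settings = parse_login_defs(text)
    findings = []

    max_days = int(settings.get("PASS_MAX_DAYS", NO_EXPIRY))
    if max_days < NO_EXPIRY:
        findings.append(
            f"PASS_MAX_DAYS={max_days}: forces periodic rotation; "
            "800-63B says verifiers SHOULD NOT require arbitrary periodic changes"
        )

    min_len = int(settings.get("PASS_MIN_LEN", 0))
    if min_len < MIN_LENGTH:
        findings.append(
            f"PASS_MIN_LEN={min_len}: below the 800-63B minimum of {MIN_LENGTH} characters"
        )
    return findings


def harden_login_defs(text):
    """Rewrite the two offending keys in place, leaving comments and other keys intact."""
    out = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0] == "PASS_MAX_DAYS":
            out.append(f"PASS_MAX_DAYS   {NO_EXPIRY}")
        elif len(parts) == 2 and parts[0] == "PASS_MIN_LEN":
            out.append(f"PASS_MIN_LEN    {max(int(parts[1]), MIN_LENGTH)}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_LOGIN_DEFS):
        print("FINDING:", finding)
    print("--- hardened ---")
    print(harden_login_defs(SAMPLE_LOGIN_DEFS), end="")
    print("remaining findings:", audit_password_policy(harden_login_defs(SAMPLE_LOGIN_DEFS)))
```

Two caveats a practitioner would check before calling this fixed: `PASS_MAX_DAYS` in `login.defs` only applies to accounts created after the change, so existing accounts also need their aging updated (for example with `chage`), and on most current distributions password length and composition are enforced by `pam_pwquality` rather than `PASS_MIN_LEN`, so the PAM configuration needs the same review.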

Agreed, be careful what you wish for. When I was a consultant at Red Hat I worked with a lot of customers in this boat. We had to jump through absolutely absurd hoops that made a two day job take weeks.

I'm a security pro and I rejoice in secure systems, but swinging the pendulum to the other side is bad too.

There are ways to 1. be secure, 2. be productive.

I think that's the ultimate goal of "zero trust," but maybe I'm naive.

A lot of these frameworks are to convince bean counters that their sysadmins are right.

“Why do you wanna make that change? It’s expensive!”

“Because it says so right here, sir”

That “official” guidance can go a long way.

If you want to work in the DoD supply chain after 2024 then you'll have to implement NIST 800-171 and some level of CMMC. It's no longer a self-attestation and requires a third-party audit and certification. It's not trivial.

The compliance costs aren't what worry me. The part that worries me is ending up with FIPS but even worse everywhere, just because of how slowly it evolves and how people are stuck on old things because of that.

I can't argue. I don't love all of the things we are required to do. I'm sure my current VPN is better than what I'll have to implement. The things I'm required to implement are major attack targets with histories of vulnerabilities, but they are certified.

One target audience for this document that can't ignore it (at least not as easily) is the federal government and the contractors they hire. In 2020, the chief information security officer of a federal agency told me they didn't buy into this newfangled zero trust stuff and would continue to rely on network perimeter security, largely because that's what CISA and OMB documents offered as a reference architecture.

And if you look, CISA is mostly for gov agencies and critical infra like oil pipelines. They have a harder time ignoring stuff like this if they are obligated by law.