by chunkyks 1245 days ago
My current title at work includes the words "software" and "engineer", and thus I have a natural mutual predator-prey relationship with infosec and compliance/IA.

Which brings me to the point: Compliance isn't just there to cargocult and boxtick. It's there because, left to their own devices, most organisations/sub-organisations will end up, at pinnacle-best, half-assing security.

Compliance is an easy way to force everyone to three-quarter-ass, possibly even hit 90%. It's true that, without compliance, some orgs will hit 99%. It's true that some compliance requirements force you to be less secure than you might otherwise have chosen [1]

But it's also true that for every org that would hit 99% under their own steam, there are a hundred that would do the default ubuntu install, then only patch when something breaks. And that is why I like compliance. I work with our compliance team on lots of things, and everybody ends up winning.

[1] Consider password rules. Some compliance rule says must have a couple funny characters and a mixture of upper and lower case, minimum ten characters. Basically, forces a password that users hit the minimum on, then have no choice but to write down. Compare with an entropy-based measure that would let users have an essay question, but one that's memorable and has higher entropy. Far more secure, yet rarely how compliance expresses their password concerns.


I largely agree with you, but the problem ends up being when you have some braindead person in your GRC role who persistently fails to grok the scale of the operation...or doggedly insists that you prove negatives.

Example: Some idiot person we have in IT insists that a control for proving lack of user admin access should be to screenshot the userlist w/ group permissions of every single server in our operation. Idiot IT person doesn't realize that we're at n*10^5 servers and still fails to understand how braindead his request is when you explain it to him.

A lot of people now pursue the IT security industry itself without having any shred of experience managing computer systems, then confidently wade out into industry claiming to be experts.

Which kind of begs the question why pro-compliance people don't work to weed out what are effectively the white collar equivalent of clipboard warriors within their ranks since they reflect so poorly on and cause headache for the people who actually know anything.
"I used to be a lawyer but now work in IT", "I'm reporting and escalating your non cooperativeness right now"
I've seen a lot of exodus professions into tech but thankfully after 20 years, I haven't seen many lawyers yet. Very few have the personality for it.

Give me all of the hungry musicians that you can find though, they're great systems-thinkers.

The “proof via a series of tedious screenshots” method of audit is absolutely infuriating. Please bring on the 10x auditors…
When you don't know what you're doing, dazzle them with bullshit.

Best part of the story above is that in our system there are no human users that can access a live system. And proof of that is insufficient because the IT person isn't familiar with the practice.

> When you don't know what you're doing, dazzle them with bullshit.

100% because most people don't know what makes good security so it is easy to get them to mistake volume with quality.

Then they printed those screenshots out to be bound into a thick report to be presented to the board. (Not where I am but in a previous employer. Still makes me laugh).

> Which brings me to the point: Compliance isn't just there to cargocult and boxtick. It's there because, left to their own devices, most organisations/sub-organisations will end up, at pinnacle-best, half-assing security.

There is one company I know of that added a two step login to their azure active directory where logins expire every twenty four hours. It made no sense to me why they did things this way. As far as I knew, even Microsoft wasn't this restrictive with logins.

Until I saw last week that people are willing to let tools like https://news.ycombinator.com/item?id=34416386 basically hijack their session tokens. If they can use this for good, imagine what other add-ons can use this for evil...

So I think the idea is if someone steals your credentials, they will only work for twenty four hours and they would fail because hopefully they don't have your two step authenticator? I still don't like the idea but at least I see why they'd do this...

Edit: maybe someone else here has a better idea why it is a good idea to require password and two step authentication every twenty four hours?

> maybe someone else here has a better idea why it is a good idea to require password and two step authentication every twenty four hours?

Not saying it's directly the answer here, but some distributed systems lack proper session blocking or revocation, as a session is a signed JWT or similar standalone token.

If the security decision makers favour a 24 hour guaranteed lockout, rather than risking someone whose access has been suspended having an old session still live, this could make sense from being able to know and show access is always "gone" in 24 hours of blocking their ability to get a new token.

Here's a real-world example: https://cloudsek.com/security-flaw-in-atlassian-products-jir...

"... cookie validity is 30 days. They only expire when the user logs out, or after 30 days."

24 hour session limits are what's asked from our site reliability (cybersecurity) insurance carrier.
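An added illustration, not code from anyone in this thread, of the point about stateless tokens: a minimal HS256 JWT issuer and verifier using only the standard library, with a constructed demo secret and constructed timestamps. The verifier has nothing but the signature and the `exp` claim to go on, so suspending a user cannot cut off a token that is already out; the 24-hour TTL is the only thing bounding that window.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo key; a real deployment would load a random key from a secret store.
SECRET = b"demo-signing-key-not-for-production"
TTL_SECONDS = 24 * 3600  # the 24-hour bound discussed in the thread

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, now: int, ttl: int = TTL_SECONDS) -> str:
    """Mint an HS256 JWT whose only lifetime control is the exp claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int) -> Optional[dict]:
    """Stateless check: signature and exp only. Nothing here can learn that the user was suspended."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # tampered header, payload or signature
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired: the only way a stateless verifier ever says no to a valid token
    return claims

def access_window_after_suspension(issued_at: int, suspended_at: int, ttl: int = TTL_SECONDS) -> int:
    """Seconds an already-issued token keeps working after the account is suspended.

    Without a revocation list the verifier cannot shorten this; only ttl bounds it.
    """
    return max(0, issued_at + ttl - suspended_at)
```

With a 30-day TTL as in the Atlassian case quoted above, the same function reports a window of up to 30 days; with 24 hours it is at most one day.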

> Which brings me to the point: Compliance isn't just there to cargocult and boxtick. It's there because, left to their own devices, most organisations/sub-organisations will end up, at pinnacle-best, half-assing security.

I have to agree with you because I have seen first hand how many ordinary office workers, if left to their own devices and not given any other tool that they're mandated to use, will happily and blithely do things like store shared credentials/passwords in an Office365 Excel sheet that everyone in the company has access to.

It's the role of the infosec people to set up something better and work with the C-levels to ensure that its usage is mandated, and people are not sneakily bypassing its use or sharing credentials for expediency's sake.