Which brings me to the point: Compliance isn't just there to cargo-cult and box-tick. It's there because, left to their own devices, most organisations/sub-organisations will end up, at pinnacle-best, half-assing security.
Compliance is an easy way to force everyone to three-quarter-ass, possibly even hit 90%. It's true that, without compliance, some orgs will hit 99%. It's true that some compliance requirements force you to be less secure than you might otherwise have chosen [1].
But it's also true that for every org that would hit 99% under their own steam, there are a hundred that would do the default Ubuntu install, then only patch when something breaks. And that is why I like compliance. I work with our compliance team on lots of things, and everybody ends up winning.
[1] Consider password rules. Some compliance rule says you must have a couple of funny characters and a mixture of upper and lower case, minimum ten characters. Basically, it forces a password that users hit the minimum on, then have no choice but to write down. Compare with an entropy-based measure that would let users have an essay question, but one that's memorable and has higher entropy. Far more secure, yet rarely how compliance expresses its password concerns.
Example: Some idiot person we have in IT insists that a control for proving lack of user admin access should be to screenshot the userlist w/ group permissions of every single server in our operation. Idiot IT person doesn't realize that we're at n*10^5 servers and still fails to understand how braindead his request is when you explain it to him.
A lot of people now pursue the IT security industry itself without having any shred of experience managing computer systems, then confidently wade out into industry claiming to be experts.
There is one company I know of that added a two-step login to their Azure Active Directory where logins expire every twenty-four hours. It made no sense to me why they did things this way. As far as I knew, even Microsoft wasn't this restrictive with logins.
Until I saw last week that people are willing to let tools like https://news.ycombinator.com/item?id=34416386 basically hijack their session tokens. If they can use this for good, imagine what other add-ons can use this for evil...
So I think the idea is if someone steals your credentials, they will only work for twenty-four hours and they would fail because hopefully they don't have your two-step authenticator? I still don't like the idea but at least I see why they'd do this...
Edit: maybe someone else here has a better idea why it is a good idea to require password and two-step authentication every twenty-four hours?
Not saying it's directly the answer here, but some distributed systems lack proper session blocking or revocation, as a session is a signed JWT or similar standalone token.
If the security decision makers favour a 24-hour guaranteed lockout, rather than risking someone whose access has been suspended having an old session still live, this could make sense from being able to know and show that access is always "gone" within 24 hours of blocking their ability to get a new token.
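The revocation gap described in that comment is easy to see in code. The following is an added example, not code from the thread or from any product mentioned in it: a minimal HS256 JWT issuer and two verifiers. The stateless verifier checks only the signature and the exp claim, so a token minted before a user was suspended keeps working until exp; the stateful verifier adds a server-side lookup (the SUSPENDED_SUBJECTS set, an assumed design) that closes the gap at the cost of a shared store on every request. The signing key, subject names and timestamps are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key for the example; a real service loads this from a secret store.
SECRET_KEY = b"example-hs256-key-not-for-production"

# Server-side revocation state (assumed design): subjects whose access has been suspended.
SUSPENDED_SUBJECTS = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: int, key: bytes = SECRET_KEY) -> str:
    """Mint an HS256 JWT whose only lifetime bound is the exp claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl_seconds},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Stateless check: signature and exp only. Nothing here asks the server whether
    the subject is still allowed in, which is exactly the revocation gap."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # refuse alg=none
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def verify_with_revocation(token: str, now: int, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Stateful check: the stateless check plus a server-side suspension lookup."""
    payload = verify_token(token, now, key)
    if payload is None or payload.get("sub") in SUSPENDED_SUBJECTS:
        return None
    return payload


def demo() -> dict:
    t0 = 1_700_000_000  # constructed issue time
    day = 24 * 3600
    tok = issue_token("alice", ttl_seconds=day, now=t0)

    # Alice is suspended one hour later ...
    SUSPENDED_SUBJECTS.add("alice")
    t1 = t0 + 3600

    # ... but the stateless verifier keeps accepting her token until exp.
    results = {
        "valid_at_issue": verify_token(tok, now=t0) is not None,
        "still_valid_after_suspension": verify_token(tok, now=t1) is not None,
        "rejected_with_revocation_lookup": verify_with_revocation(tok, now=t1) is None,
        "rejected_after_24h": verify_token(tok, now=t0 + day) is None,
    }

    # Tampering: swap the subject while keeping the original signature.
    h, _p, s = tok.split(".")
    forged_payload = _b64url(json.dumps({"sub": "admin", "iat": t0, "exp": t0 + day},
                                        separators=(",", ":")).encode())
    results["forged_subject_rejected"] = verify_token(f"{h}.{forged_payload}.{s}", now=t0) is None

    SUSPENDED_SUBJECTS.discard("alice")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the example makes is the trade the comment describes: with only the stateless verifier, the exp claim is the revocation mechanism, so a 24-hour ttl is the longest a suspended user can keep going; shortening exp or adding the lookup are the two ways to bound that window.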
"... cookie validity is 30 days. They only expire when the user logs out, or after 30 days."
I have to agree with you because I have seen first hand how many ordinary office workers, if left to their own devices and not given any other tool that they're mandated to use, will happily and blithely do things like store shared credentials/passwords in an Office365 Excel sheet that everyone in the company has access to.
It's the role of the infosec people to set up something better and work with the C-levels to ensure that its usage is mandated, and people are not sneakily bypassing its use or sharing credentials for expediency's sake.
I want a clear statement of risk and why their proposed compensating control actually mitigates it.
Far too often the answers are just “it’s securerer” or “it’s the way we do it”, and actually proposing something that genuinely mitigates the underlying issue is ignored.
All that said, I’ll end up referencing this in the future as somewhat useful steps in a number of situations.
Some have simpler approaches - eg for password security one can just reference NIST guidelines, which currently clearly state not to rotate and to require length above complexity. And they're backed up with tested evidence and a clear rationale.
To put it another way, using a risk-mitigation approach instead of compliance only works when you have honest, earnest, and full good faith investment in the process. In practice, this is incredibly rare. We all know, are, or have been engineers who cannot imagine a system they wrote running without them having the ability to SSH in and sudo at will without having to justify anything.
This is where compliance comes in. It sets standards and forces the issue. Even bad faith, low-effort implementations wind up having to meet a whole series of very clear - if occasionally box-tick-y - standards.
But lately with all the layoffs it's kind of put a spotlight on tech startups and VCs. These are the smartest group of people who are supposed to escape mimetic behavior... but how do you explain all the VCs investing in me-too scooter companies or BNPL companies or yet-another-meal/grocery-delivery-service, who are now all absolutely wrecked by higher interest rates because these can only really thrive (or even survive) in low to no-interest rate environments? Why would these ever be $1B+ companies in the first place??
Sorry for the rant, it's just that the more you look, the more even the "smartest people in the room" are just performing rituals and it's disheartening and depressing.
Well. That is your problem. You bought the marketing. There is no reason to think that VCs and startups are the “smartest group of people”.
Generally this is not something that should be disheartening. It’s an incredibly efficient learning method that spreads cultural advancements quickly.
Have you ever tried to train a dog? They try to understand you, but they don’t imitate. You have to meticulously motivate them through each step of a behavior and mark it consistently with commands. It’s fun, but requires a lot of patience.
With humans you can just demonstrate something and they can imitate complex workflows in just a session or two.
The master said to the apprentice: “I’ll only show you this once, so watch carefully!”
Ceremonies mostly get discarded by evolutionary pressure in the long term. Some end up taking a lot of time and energy to perform for zero benefits so they reduce the evolutionary fitness of those who perform them. These ceremonies get gradually removed from the "gene pool", being replaced by behaviors that actually bring some benefit. But those will be imperfectly copied as well and the cycle begins again.
There may be huge variances in the degree that we do that, though, and in the degree to which we're able to prevent really bad ideas from spreading. Some organizations are seeing really bad (but good-looking) ideas spread like cancers, until the organization is completely perverted.
> Ceremonies mostly get discarded by evolutionary pressure in the long term.
This is perhaps the main strength of capitalism. There needs to be an actual mechanism for bad ideas to die off. Many large organizations (especially "too large to fail" or publicly owned) lack good mechanisms to limit the growth of organizational entropy.
On their own, too many people are prone to following misinformation, and can't even be trusted to read both sides of any given argument critically. If the last few years haven't taught us this lesson, what have they taught us?
I have many gripes with this attitude; experts can be wrong and even entire fields can be wrong. The satanic ritual abuse is a particularly egregious example with many "experts" mouthing off complete nonsense, but also see e.g. the replication crisis.
And which expert do you believe? There are many experts. "You've got to ask the right expert" https://www.youtube.com/watch?v=lADB9Qu53CY
Remember all the "experts" that told us that asbestos and smoking were harmless? Or the "experts" that told us climate change wasn't real? Later it turned out that this was just industry FUD/lies.
Experts view things from their expertise. That's great, but many scenarios extend beyond one expertise and involve trade-offs, and can't be viewed purely through one lens.
Now, I'm not so arrogant to think that "I know better than the experts"; in many cases I don't, but to always just "believe the experts" seems naïve.
The word "Science" came from a type of knowledge/knowledge-seeking that has been very successful from the age of Newton to present day.
But Science's success has become its curse. Lots of fields now call themselves "Sciences" even if they're not employing the kinds of standards and methodologies that led to the early successes. People with ulterior motives (economic, ideological, political, social or religious) have for a long time claimed to represent Science.
Lately, "Science" has warped into "the Science", meaning a world view promoted by a set of authorities that can be highly partisan. In many cases, the kind of mechanisms that ensured (eventual) falsification of bad ideas have been abandoned. Instead, "the Science" must now often comply with what we WANT to believe, rather than with evidence.
Understanding real Science is still as useful as ever. Not only does an actual scientific education give access to understanding directly, it also helps us see through those who claim to represent "the Science", but who are not respecting the Scientific Method. People without a proper scientific education will, today, be helpless in distinguishing between real Science, cargo cult Science and outright fraud.
I would argue the same goes for IT security. At least a few decision makers in an organization need to have a fairly good understanding of the topic to know how to deal with it, either internally or through service or software vendors.
Part of my job is training our staff on the new requirements. They question everything from why each individual has to badge in one by one to why doors can no longer be propped open. Why can they no longer access company resources with personal gear? Why can't they install whatever they want on their company gear? It goes on and on.
My answer is always the same, in order to be certified we need to show that we have demonstrable, verifiable control over this (for example entry logging).
The security cameras.
The door logs.
The DNS and netflow logs.
Ok, not sure about 10,000 screenshots showing nobody has admin access...