On Fri, Oct 06, 2006 at 02:41:31PM -0400, stuartv wrote:
> Ryan,
>
> Thanks for your input. I have been gently pushing those who make
> the decisions here towards sftp for some time now; however,
> ultimately that is one decision that is out of my hands.
> According to the inspector that is doing our PCI inspection the
> only requirement we haven't met as regards to our FTP server is the
> one for locking out an account that has failed 3 times in a row.
> Personally I think that this requirement is rather dumb and adds
> little to security, but we have to do what the inspector wants if
> we want certification. I have told my supervisor of your thoughts
> as to encrypted passwords (or the lack of in FTP) so we'll see if
> that helps.
>
> Thanks again,
> stuart
>
> >You mean besides the fact that you're running FTP at all, right?
> >- PCI requires that all passwords are encrypted in transmission, and FTP
> > doesn't do this.
> >- Depending on how you interpret the wording, PCI either prohibits or
> > strongly discourages the use of FTP from 'untrusted' networks/hosts
> >
> >Consider replacing your FTP solution with scp/sftp.
> >
> >-Ryan
I've had the misfortune of working with auditors regarding SOX compliance. I'm not sure who's coming up with these security policies, but they don't seem to have a background in security work. To compound the problem, the auditors I've dealt with seemed to simply be following a checklist. It's almost like the people creating the auditing requirements read Gene Spafford's article on "Security Myths and Passwords" [1] and decided to base their policies on the myths.

So where did the change passwords once a month dictum come from? Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts.

This was then enshrined in policy, which got published, and largely accepted by others over the years. As time went on, auditors began to look for this and ended up building it into their best practice that they expected. It also got written into several lists of security recommendations.

-Damian

[1] http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/
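The lockout requirement stuart quotes ("an account that has failed 3 times in a row") is easy to get subtly wrong: "in a row" means a per-account consecutive-failure counter that a successful login resets, not a lifetime count, and a lock should not be lifted merely because a later attempt succeeds. The script below is an added example, not code from anyone in this thread or from any FTP daemon; it replays constructed, generic auth log lines (real FTP servers each log in their own format, so the regex is an assumption) and returns which accounts would be locked under a threshold of 3.

```python
"""Consecutive-failure lockout check over FTP-style auth log lines.

Added example for this thread; it is not code from any of the posters or
from any FTP server. The log format below is constructed for illustration
(real FTP daemons each use their own format), and LOCKOUT_THRESHOLD mirrors
the "3 failed attempts in a row" requirement quoted in the thread.
"""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # consecutive failures before an account is locked

# Constructed log lines: "<timestamp> <client ip> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2006-10-06T14:01:00 203.0.113.5 alice LOGIN_FAIL
2006-10-06T14:01:07 203.0.113.5 alice LOGIN_FAIL
2006-10-06T14:01:15 203.0.113.5 alice LOGIN_OK
2006-10-06T14:02:00 198.51.100.9 bob LOGIN_FAIL
2006-10-06T14:02:03 198.51.100.9 bob LOGIN_FAIL
2006-10-06T14:02:09 198.51.100.9 bob LOGIN_FAIL
2006-10-06T14:03:00 198.51.100.9 bob LOGIN_OK
2006-10-06T14:04:00 192.0.2.77 carol LOGIN_FAIL
this line is garbage and should be ignored
2006-10-06T14:04:01 192.0.2.77 carol LOGIN_FAIL
"""

# Assumed line layout; adjust the pattern to the daemon actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["ip"], m["user"], m["result"] == "LOGIN_OK"


def evaluate_lockouts(log_text, threshold=LOCKOUT_THRESHOLD):
    """Replay the log in order and return lockout decisions.

    Counters are per account and count consecutive failures: a successful
    login resets the count, so two failures followed by a success never
    lock. Once an account is locked, later attempts are ignored for
    counting purposes and a success does not lift the lock (otherwise a
    guess that eventually lands would unlock the account by itself).
    """
    streak = defaultdict(int)
    locked = {}  # user -> (timestamp of lock, client ip at that moment)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than miscount
        ts, ip, user, ok = rec
        if user in locked:
            continue
        if ok:
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] >= threshold:
                locked[user] = (ts, ip)
    return {"locked": locked, "streaks": dict(streak)}


if __name__ == "__main__":
    result = evaluate_lockouts(SAMPLE_LOG)
    for user, (ts, ip) in result["locked"].items():
        print(f"LOCK {user}: {threshold_note := LOCKOUT_THRESHOLD} consecutive failures, last from {ip} at {ts}")
    print("open streaks:", result["streaks"])
```

With the sample above, only bob is locked (three straight failures at 14:02:09); alice's two failures were reset by her successful login, and carol sits at two and is not yet locked. Note what the counter does not address: it says nothing about the password travelling in cleartext, which is the point Ryan raised, and a lockout-on-failure rule gives anyone who can reach the server a way to lock legitimate users out by deliberately failing, so a time-limited lock and alerting on lock events are the usual companions to this check.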