Re: [sacm] minor comments on draft-lin-sacm-nid-mp-security-baseline-03

Benjamin Kaduk <kaduk@mit.edu> Mon, 23 July 2018 21:17 UTC

Date: Mon, 23 Jul 2018 16:17:23 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Adam Montville <adam.w.montville@gmail.com>
Cc: sacm@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/uwjrCDDR6jZpDRWgRkg6DmcY2Zc>

On Mon, Jul 23, 2018 at 03:28:30PM -0500, Adam Montville wrote:
> Two good points, Ben. I have two comments inline. 
> 
> I think I mentioned this at the mic, during the SACM session, but I'm interested in whether anyone else sees value in defining a "baseline registry" over draft-based baselines (I'm still not sure that baseline is the right label for these, but I'm going with it until I think of something better). 
> 
> For example, a year from now those password complexity settings may be something the world wants to remove from the baseline... I wouldn't want to need to reopen the draft. I'd prefer to update a registry somewhere. This may be less of an issue (but not a non-issue) for network devices, and it's certainly an issue for operating systems, applications, cloud environments, and probably IoT.
> 
> If folks think this is a sane idea, I'd volunteer to create such a draft.

I'm of a mixed mind on this; it seems like something that might want more
nuance than a registry allows, and thus fit better as a BCP doc (that could
be regularly updated), though as you know the process for that is more
heavyweight.

> Kind regards,
> 
> Adam
> 
> > On Jul 23, 2018, at 1:01 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> > 
> > During Jessica's talk I noticed a couple things I wanted to mention, but
> > that didn't seem to merit getting up to the mic:
> > 
> > There's a container for 'telnet' admin access; my understanding is that
> > there are not any applications out there that could be called "telnet" and
> > are actually secure these days (but maybe I'm missing some!); e.g.,
> > kerberized telnet mostly only uses single-DES and a lousy cipher mode, with
> > a vendor-specific option for triple-DES, which is deprecated as of my
> > document that's currently at the RFC Editor.  So we may want to have some
> > text clarifying the situation and disrecommending its use (or even remove
> > it entirely, if that's feasible).
> 
> 
> FWIW, I don't believe there's a single recent CIS Benchmark (security configuration guide) that doesn't recommend disabling telnet entirely.
> 
> > 
> > Similarly, there's a pwd-sec-policy container that describes password
> > security policies.  While it's definitely true that password policies and
> > mandatory change intervals are currently widely deployed, it's less clear
> > whether their usage should still be considered useful or a best current
> > practice -- I think I've seen some research go by that suggests that not
> > requiring character classes or frequency of change can be just as secure
> > (and, of course, if passwords can be avoided entirely that can also help).
> > So, perhaps there is room for some qualifying text here as well.
> 
> Qualifying text is a good idea. There are usually caveats accompanying more modern guidance (i.e. MFA or use of loooong passwords). At CIS, we've had a hard time reconciling both worlds while we're in a transition. There is still a large group of folks out there who find comfort in the complexity constraints and don't have faith in users to rely on long pass phrases, etc.

Indeed, this is a hard space to get universal agreement on what is "best".
Perhaps the best (sic) we can do is to document the tradeoffs involved.

-Ben