NIST 800-63B - If you are a #sysadmin you should be familiar with the 2022/2023 updates regarding authentication security. Here's a summary. Link to the full publication EOF.
If you are in a specialized industry, or have other regulatory hurdles, then proceed as recommended by your security teams after consulting legal (or just read the damn laws yourself lol). LISTEN TO YOUR #SECURITYGEEKS!!
Checklist for aligning with #NIST’s new password guidance.
Updating a password strategy may not be an overnight process for most organizations. However, there are several steps you can keep in mind while working towards meeting NIST guidelines:
:finger_point: Update internal password policies: Organizations will want to make sure their password policies include NIST's latest recommendations, such as prioritizing length over complexity requirements and adjusting password expiration timings.
:finger_point: Use password filtering lists: Organizations will want to start looking at tools that allow using password filtering lists to prevent the use of well-known compromised passwords and commonly used passwords.
:finger_point: Move towards passphrases: End users likely need to be educated on the use of passphrases and taught the benefits of longer passwords. Use good examples to show how longer passphrases can be more memorable than short complex passwords.
:finger_point: Multi-factor authentication: Make MFA mandatory for all important systems and sensitive data. MFA solutions will provide an additional layer of defense against a cyberattack.
:finger_point: Move away from password hints and knowledge-based questions: Use secure recovery methods and get rid of weak password reset processes that rely on information that could be easily guessed by hackers.
:finger_point: Employee cybersecurity training: Update end users on why NIST guidelines are worth following and how they will help keep everyone safer from cyber-attacks.
https://pages.nist.gov/800-63-4/sp800-63b.html#AAL_SEC4
=> More informations about this toot | More toots from Geekmaster@ioc.exchange
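The "password filtering lists" item above (and the AD-integrated filter mentioned in the next toot) comes down to one screening function run at set/change time. The following is an added example, not code from the toot's author or from NIST: a small Python screen that applies the SP 800-63B checks a verifier is expected to perform on a memorized secret (minimum length, a maximum of at least 64 characters accepted, Unicode normalization before hashing, comparison against a list of compromised/common values, and context-specific words such as the username or service name) plus a repetitive/sequential-character check. The blocklist entries, the length constants and the `context_words` parameter are constructed for the example; a real deployment would load a breach corpus such as an offline SHA-1 list instead.

```python
import hashlib
import re
import unicodedata

# Constructed sample blocklist for the example. In production this would be a
# breached-password corpus (for example an offline SHA-1 list) loaded from disk.
BLOCKLIST_PLAINTEXT = [
    "password", "Password1", "qwerty123", "letmein", "Summer2023!", "welcome1",
]
# Store only SHA-1 digests so the plaintext list never needs to stay in memory.
BLOCKLIST_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in BLOCKLIST_PLAINTEXT
}

MIN_LENGTH = 8   # SP 800-63B floor for a memorized secret (assumed policy value)
MAX_LENGTH = 64  # verifiers are expected to accept at least 64 characters


def normalize(secret):
    """Apply NFKC so the same visible string hashes identically from any client."""
    return unicodedata.normalize("NFKC", secret)


def is_sequential(s):
    """True for runs like 'abcdefgh' or '87654321' (every step is +1 or -1)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_password(secret, context_words=()):
    """Return the list of reasons the secret is rejected; an empty list means accepted.

    No composition rules are applied: length and the blocklist do the work,
    which is the point of the NIST guidance.
    """
    reasons = []
    s = normalize(secret)

    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    # Compromised / commonly used values, compared by SHA-1 of the normalized secret.
    digest = hashlib.sha1(s.encode("utf-8")).hexdigest().upper()
    if digest in BLOCKLIST_SHA1:
        reasons.append("appears in compromised/common password list")

    # Context-specific words: username, organization name, service name.
    lowered = s.lower()
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")

    # Repetitive or sequential characters.
    if re.fullmatch(r"(.)\1+", s):
        reasons.append("single repeated character")
    if is_sequential(lowered):
        reasons.append("sequential characters")

    return reasons


if __name__ == "__main__":
    # Constructed candidates for a demo run; context words mimic a user 'jdoe' at 'acme'.
    for candidate in ["Summer2023!", "short", "abcdefghij", "acme-jdoe-rocks",
                      "correct horse battery staple"]:
        verdict = check_password(candidate, context_words=("jdoe", "acme"))
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The digest comparison is what lets the filter run without ever holding the breach corpus in plaintext; the same SHA-1 is also what the Have I Been Pwned range API expects (it takes the first five hex characters of the digest and returns matching suffixes, so the full hash never leaves the host). Note that no character-class or rotation rule appears here: a 28-character lowercase passphrase passes, a "complex" 11-character breached value does not.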
So what kind of policy framework do I have at my org? Goal is AAL2 per NIST 800-63B. Keep in mind, at least for the next decade or so, passwords are not going anywhere - they are the last line of authentication while the world transitions to #passwordless.
:finger_point: Encrypt everything, everywhere, all the time
:finger_point: VPN tunnels everywhere
:finger_point: PW policy that enforces a minimum of 13 complex characters for passwords (passphrases are evangelized heavily) + mandatory MFA via an Authenticator app + 365-day rotation policy (unless someone phishes their credential or it comes up on a #darkweb monitor) + 30-day token expiration - we do have filtering to prevent anyone reusing old passwords or common passwords (no, I don't pay for it, you can integrate with AD directly with some clever #powershell, #jfgi).
:finger_point: For our admin accounts, we require #passphrases of at least 4 words (7 are recommended), using the diceware method (physical, not a website). PW rotation occurs every 180 days. Tokens expire every 24 hours.
:finger_point: Service accounts (where we cannot use auto-cycling API tokens) require a minimum 24-character very complex password or 4-word passphrase, as MFA is required to be disabled. PW rotation occurs every 180 days.
:finger_point: Awareness training every quarter for high-risk/high-exposure employees, annually for the rest of the company. I update my presentation facts, data, and reported metrics frequently based on OSINT, SIGINT, HUMINT, research, and constant education.
#BeCyberSafe #StayCyberAware