undefined | Better HN

0 pointshrimfaxi6mo ago0 comments

I was thinking of:

> The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period.

https://csf.tools/reference/nist-sp-800-53/r5/ac/ac-7/

0 comments

akerl_6mo ago

That’s almost always going to be a setting in your IDP, not based on log capture/retention.

The IDP will have some settings for max fails before lockout, and apply it by counting.

hrimfaxiOP6mo ago

A centralized IDP that touches every service is not mandated by NIST though. So while you are right that an IDP can handle that, the organization may not have the IDP integrated with a given system and you will still need compensating controls or mitigations. Outright incredulity over logging failed access attempts is surprising.

akerl_6mo ago

Did I express outright incredulity about logging failed attempts?

If you’re a company trying to meet a compliance regime and you don’t already have a central IDP, that’s step zero. None of the NIST requirements say “you must have an IDP”, but a massive portion of them are trivial with an IDP and a massive pain in the ass (both to implement and evidence to auditors) without one.

j / k navigate · click thread line to collapse

0 comments

akerl_6mo ago

That’s almost always going to be a setting in your IDP, not based on log capture/retention.

The IDP will have some settings for max fails before lockout, and apply it by counting.

hrimfaxiOP6mo ago

akerl_6mo ago

Did I express outright incredulity about logging failed attempts?

j / k navigate · click thread line to collapse