up

2020-01-15

Assignment #1 has not been enabled on MyCourses, so the due date is delayed until next week.

There’s an independent study op, working with the NIST NICE framework to measure CSEC skills.

What is Auditing?

• Verifying that a set of standards are being followed
  • Does the model of what’s happening match what’s actually happening?

What standards do we compare against?

• External Standards
  • NIST
  • PCI
  • HIPAA
  • SOX
  • SOC2
• Internal Standards
  • Internal Security Policies

How to verify that existing passwords are compliant with policy?

• Expire everything
• Store it in plaintext?
• Crack their hashes

RIT wrote a script:

• In an isolated, sandbox environment,
• Crack each user’s password,
• verify against standards,
• If broken, send email and expire in 5 days
• Wipe memory

An audit should provide business value.

• Generate interesting results
• Provide actionable information

Assignment 1 updated

• Read the CIS benchmark for an OS you use
• Find two things you’ll fix
• Find three things you won’t fix, tell why not.