Security Configuration Standard Assignment
Part 1: Evaluate a Security Policy
Note: The current National Institute of Standards and Technology (NIST) guidance for the use of passwords introduced some major changes to the best practices that cybersecurity professionals have historically followed. If you completed these labs in order, you may recall from Lab 1 that you reviewed NIST SP 800-63B, Authenticator and Verifier Requirements, which includes these standards. The current NIST best practices include:
· Passwords should be at least 8 characters in length.
· Passwords should be permitted to be up to 64 characters in length.
· Users should not be prompted to provide a password hint.
· Passwords should not be composed of dictionary words.
· Passwords should not include repetitive or sequential characters or context-specific words.
· Passwords should not be values that have appeared in previous breaches.
· Passwords should not be subject to other complexity rules.
· Passwords should not be set to expire arbitrarily.
· Authentication systems should provide guidance on the strength of selected passwords.
· Authentication systems should limit the number of failed consecutive logins for an account.
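The following is an added example, not part of the lab or of NIST's own material, showing how the rules above translate into a verifier: a blocklist check (breached passwords and dictionary words), repetitive/sequential and context-word checks, an 8 to 64 character length range with no other composition rules, and a consecutive-failure lockout. The blocklist, context words and accounts are constructed sample data.

```python
import re

# Constructed sample data (not a real breach corpus or deployment).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}  # breached + dictionary
CONTEXT_WORDS = {"acme", "acmecorp", "payroll"}   # hypothetical org/service names

def has_repetition(pw):
    """True if any character appears four or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{3}", pw) is not None

def has_sequence(pw, run=4):
    """True if `run` consecutive characters step by +1 or -1 (e.g. 'abcd', '4321')."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False

def check_password(pw, username=""):
    """Return the reasons a candidate password fails the SP 800-63B rules above.
    An empty list means it is acceptable; no character-class composition rules apply."""
    problems, low = [], pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:
        problems.append("longer than 64 characters")
    if low in BLOCKLIST:
        problems.append("found in blocklist")
    if has_repetition(pw):
        problems.append("repetitive characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    if username and username.lower() in low:
        problems.append("contains username")
    if any(w in low for w in CONTEXT_WORDS):
        problems.append("contains context-specific word")
    return problems

class LoginThrottle:
    """Counts consecutive failed logins per account and locks the account at `limit`."""
    def __init__(self, limit=100):
        self.limit, self.failures = limit, {}

    def attempt(self, account, credentials_valid):
        """Record one login attempt; return True only if the login is accepted."""
        n = self.failures.get(account, 0)
        if n >= self.limit:
            return False                  # locked: refuse even valid credentials
        if credentials_valid:
            self.failures[account] = 0    # a success resets the consecutive count
            return True
        self.failures[account] = n + 1
        return False
```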
In this part of the lab, you will review a real-world access control policy and determine whether it complies with these best practices. You will also suggest changes to the policy that bring it into compliance with the new best practices.
1. Download and review the policy document.
This is a sample password policy provided by the State of Michigan for use as a template in designing password policies for state government agencies.
2. Evaluate the policy document against the NIST best practices summarized above. Identify by number which, if any, of the eight best practices the policy satisfies. For each practice that you identify, provide a reference to the statement in the policy that aligns with that best practice.
3. Suggest how you would revise the policy to directly align with the standards. Provide specific statements that you would add/modify in the policy.
4. Describe whether this document is best titled as a policy or whether it would be better described using another element of the policy framework.
Part 2: Review a Security Configuration Standard
Note: Security configuration standards are often very detailed documents containing granular implementation details for configuring systems and devices. Creating these standards is time-consuming work and organizations should consider leveraging the work already performed by industry groups.
The Center for Internet Security (cisecurity.org) is a cybersecurity organization that uses a collaborative process to create consensus standards for many different operating systems and applications. Organizations may choose to use the Center for Internet Security standards as the baseline for their own configuration standards. They may either simply adopt the Center’s standards as is or write their own document that notes changes from the Center’s standard.
In this lab, you will review one of these consensus security standards and describe how you would implement it in your environment.
1. Navigate to https://www.cisecurity.org/ and locate the Center’s benchmarks for configuring Windows Server systems.
You will need to register to create an account on the Center’s website to download their standards. There is no fee required to complete this process.
2. Review the “Consensus Guidance” section of the document.
3. Describe the process that the Center uses to ensure that its standards represent the consensus of the cybersecurity community.
4. Locate and review the section of the standard that implements password composition requirements.
5. Identify the section of the recommendations that achieves this goal.
6. Compare the configuration suggested in the policy to this subset of the NIST best practices that you reviewed in Part 1 of this lab:
· Passwords should be at least 8 characters in length.
· Passwords should not include repetitive or sequential characters or context-specific words.
· Passwords should not be subject to other complexity rules.
· Passwords should not be set to expire arbitrarily.
· Authentication systems should limit the number of failed consecutive logins for an account.
7. For each of the five best practices in the previous step, classify the practice as:
· Satisfied (indicate recommendation number that achieves the best practice)
· Violated (indicate recommendation number that violates the best practice)
· Not addressed
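As an added illustration of the classification in steps 6 and 7 (not part of the lab or of the CIS benchmark), the script below reads the `[System Access]` section of a Windows `secedit /export` INF file and maps the native password and lockout settings onto the five NIST practices. The INF content is a constructed sample; recommendation numbers from the benchmark are not reproduced here, and a value of -1 for MaximumPasswordAge is treated as "passwords never expire".

```python
# Constructed sample of a `secedit /export` INF file (not from a real server).
SAMPLE_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
"""

def parse_system_access(text):
    """Return the [System Access] key/value pairs as integers."""
    settings, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = (line == "[System Access]")
        elif in_section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = int(value)
    return settings

def _verdict(value, satisfied):
    """Absent setting -> Not addressed; otherwise apply the pass condition."""
    if value is None:
        return "Not addressed"
    return "Satisfied" if satisfied(value) else "Violated"

def classify(s):
    """Map each of the five NIST practices from Part 2 to a classification."""
    return {
        "at least 8 characters": _verdict(s.get("MinimumPasswordLength"), lambda v: v >= 8),
        # Windows account policy has no native check for repeated/sequential/context words.
        "no repetitive/sequential/context words": "Not addressed",
        "no other complexity rules": _verdict(s.get("PasswordComplexity"), lambda v: v == 0),
        "no arbitrary expiry": _verdict(s.get("MaximumPasswordAge"), lambda v: v == -1),
        "failed-login limit": _verdict(s.get("LockoutBadCount"), lambda v: v > 0),
    }

if __name__ == "__main__":
    for practice, result in classify(parse_system_access(SAMPLE_INF)).items():
        print(f"{practice:40} {result}")
```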
Challenge Exercise
Note: The following scenario is provided to allow independent, unguided work, similar to what you will encounter in a real situation.
For this section of the lab, you should consider a security standard that you are familiar with from your employment, academic institution, and/or personal life. If you do not have a security standard that you are familiar with, use a search engine to locate a standard used by a government agency or educational institution.
Identify a set of industry best practices covering the same area as the standard you selected. You may choose to use standards published by the Center for Internet Security, the National Institute of Standards and Technology, a vendor, or other sources.
Select three specific statements included in the standard that you drew from your own experience that are covered by the industry best practice document that you selected. For each of these three statements:
· Identify the section of your standard.
· Identify the section of the industry best practices that covers the same topic.
· Identify whether the standard you selected satisfies or violates the industry best practice.
· Provide a rationale for your conclusion.