Their main concern is to earn brownie points by reporting to their managers that they have achieved whatever level of appliance is deemed necessary.

– Security is not an add-on

Looks like we’ll be checking out the “approved” displays at the local minor league stadiums in the coming weeks.

Auditors often suggest policies which engineers should know better than to accept.

I don’t know if you recall the furor a few years ago about “MarketScore” (now called comScore) amongst .edus, but that was a good example of auditor-driven policies (firewalling off MarketScore’s servers) which weren’t the best solution.

Back-off timers seem to be a nice solution: a human interactively logging in will realize they’re making a mistake if after three tries it takes them a minute to get another prompt.

Sad but true that at this point it has gone beyond conventional wisdom to lock out after three attempts, it has joined the ranks of generic audit checklists. This will make well meaning, but not well skilled audit teams simply look for a binary answer of “yes we do lock out or no we don’t” with little to no understanding of the implications.

I fear this policy will be with us long after any utility to it (if there ever was any utility in the first place) is gone.

Really enjoyed the post. Good stuff. As you and the other commenters have pointed out, password lockouts are another fine example of “It Depends.” Having the business folks chime in on issues like this is vitally important as you allude to with your example of stock traders not being able to work because of lockouts.

On a bit of a side note, what a great way to attack the brand of a company that relies on their people being able to access systems real-time.

Keep up the good work.

Kevin

http://securecyber.blogspot.com (CISSP resources, cyber crime, etc)