Comment by simonw

Comment by simonw a day ago

18 replies

View on Hacker News

I found an example!

https://retail.direct.zurich.ch/resources/definition/product...

Questionnaire Zurich Cyber Insurance

Question 4.2: "Do you have a technically enforced password policy that ensures use of strong passwords and that passwords are changed at least quarterly?"

Since this is an insurance questionnaire, presumably your answers to that question affect the rates you get charged?

(Found that with the help of o4-mini https://chatgpt.com/share/680bc054-77d8-8006-88a1-a6928ab99a...)

smithkl42 19 hours ago

We've been asked that question before on security questionnaires, and our answer has always been, "Forcing users to change passwords regularly is widely regarded as a very bad security practice, and we don't engage in bad security practices." We've never had anyone complain.

Reply View 2 replies
  • austhrow743 8 hours ago

    I've never had a complaint about anything I put in to a form requesting a quote for insurance. I just get the quote back. Did you write that in the comment expecting an insurance salesperson to call you up and argue passwords with you? Call their back office and say "hey this guy says our password question is crap, get our best guys on it!"?

    I just cant imagine any outcome other than it was translated to just a "no" and increased your premium over what it would have otherwise been.

    Reply View 1 reply
    • gusgus01 30 minutes ago

      I've also filled out insurance quote forms several times to see the interplay of the questions and price. Quite often many of the questions do not change the quote. So the existence of the question in a form does not imply a change in price, or any true guess at the magnitude of the change at all.

      Reply View 0 replies
betaby a day ago

Password policy is something rather common, and 'standard' firewalls. Question is in the context of of WAF as in the article. WAF requirement is something more invasive to say the least.

Reply View 0 replies
kiitos a day ago

Directly following is question 4.3: "Are users always prevented from installing programs on end-user devices?"

Totally bonkers stuff.

Reply View 13 replies
  • 9x39 a day ago

    A trend for corporate workstations is moving closer to a phone with a locked-down app store, with all programs from a company software repo.

    Eliminating everything but a business's industry specific apps, MS Office, and some well-known productivity tools slashes support calls (no customization!) and frustrates cyberattacks to some degree when you can't deploy custom executables.

    Reply View 6 replies
    • bigfatkitten a day ago

      That's why this it's been a requirement for Australian government agencies for about 15 years.

      In around 2011, the Defence Signals Directorate (now the Australian Signals Directorate) went through and did an analysis of all of the intrusions they had assisted with over the previous few years. It turned out that app whitelisting, patching OS vulns, patching client applications (Office, Adobe Reader, browsers), and some basis permission management would have prevented something like 90% of them.

      The "Top 4" was later expanded to the Essential Eight which includes additional elements such as backups, MFA, disabling Office macros and using hardened application configs.

      https://www.cyber.gov.au/resources-business-and-government/e...

      Reply View 0 replies
    • michaelt a day ago

      Then the users start using cloud webapps to do everything. I can't install a PDF-to-excel converter, so I'll use this online service to do it.

      At first glance that might seem a poor move for corporate information security. But crucially, the security of cloud webapps is not the windows sysadmins' problem - buck successfully passed.

      Reply View 0 replies
    • serial_dev a day ago

      I don’t think locking down slashes support calls because you will now receive support requests anytime someone wants to install something and actually have a good business reason to do so.

      Reply View 3 replies
      • 9x39 a day ago

        Consider the ones you don't get: ones where PCs have to be wiped from customization gone wrong, politics and productivity police calls - "Why is Bob gaming?", "Why is Alice on Discord?".

        It's about the transition from artisanal hand-configuration to mass-produced fleet standards, and diverting exceptional behavior and customizations somewhere else.

        Reply View 2 replies
  • pjmlp a day ago

    This is standard practice for years in big corporations.

    You install software via ticket requests to IT, and devs might have admin rights, but not root, and only temporary.

    This is nothing new though, back in the timesharing days, where we would connect to the development server, we only got as much rights as required for the ongoing development workflows.

    Hence why PCs felt so liberating.

    Reply View 5 replies
    • betaby a day ago

      It's a standard practice. And at $CURENT_JOB it's driven by semi-literate security folks, definitely not insurance.

      Reply View 4 replies
      • pjmlp a day ago

        Insurance and liability concerns drive the security folks.

        Just wait when more countries keep adopting cybersecurity laws for companies liabilities when software doesn't behave, like in any other engineering industry.

        Reply View 3 replies