My question is which section in PCI explicitly states you need to use account lockout for the compliance aspect. You are right there is a legitimate risk of having your accounts locked out, causing a DoS, but also the DoS itself would be pretty noisy and you should be able to detect that in your incident response measures.

Also, if you are using long and complex passwords, it's going to be pretty hard to brute-force guess the password. (Now if they get the hash to the account then that is another story.)

Z

Edward E. Ziots, CISSP, CISA, Security+, Network+
Security Engineer
Lifespan Organization
[email protected]
Work: 401-255-2497

From: [email protected] [mailto:[email protected]] On Behalf Of Eric Wittersheim
Sent: Tuesday, September 24, 2013 1:20 PM
To: [email protected]
Subject: [NTSysADM] PCI compliance and account lockout policies

I'm wondering what you all are using for your account lockout policy if you are PCI compliant or something similar. Our auditors are requesting account lockout after 3 attempts for a minimum duration of 30 minutes. Our concern is what happens if we are brute-forced and all of our users are locked out. We already have very strict firewall policies in place and our network is segmented as well, but you never know. Do any of you use any tools that might help mitigate damage that can occur with a lockout policy in place?

Thank you,
Eric
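The reply above argues that a lockout-driven denial of service is noisy enough to catch in incident response. The following script, added here as an example and not part of the thread or written by either poster, shows what that detection looks like: it separates one user repeatedly locking their own account from a single source locking many distinct accounts inside the 30-minute window the auditors asked for. The log lines and the `timestamp LOCKOUT account=... source=...` layout are constructed for this example and are not the exact Windows Security event format; the window and account thresholds are assumed values you would tune.

```python
"""Detect an account-lockout storm (many accounts locked from one source).

Added example, not from the original mailing-list thread. The log format
below is a simplified, constructed one, not the real Windows event layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: jsmith mistypes twice from a workstation (benign),
# then a single external address locks six different accounts in seconds.
SAMPLE_LOG = """\
2013-09-24T13:01:05 LOCKOUT account=jsmith source=10.0.5.17
2013-09-24T13:02:40 LOCKOUT account=jsmith source=10.0.5.17
2013-09-24T13:10:00 LOCKOUT account=alice source=203.0.113.9
2013-09-24T13:10:02 LOCKOUT account=bob source=203.0.113.9
2013-09-24T13:10:03 LOCKOUT account=carol source=203.0.113.9
2013-09-24T13:10:05 LOCKOUT account=dave source=203.0.113.9
2013-09-24T13:10:06 LOCKOUT account=erin source=203.0.113.9
2013-09-24T13:10:08 LOCKOUT account=frank source=203.0.113.9
"""


def parse_lockouts(text):
    """Parse the constructed log into (timestamp, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, kind, *pairs = line.split()
        if kind != "LOCKOUT":
            continue  # ignore any other event kinds
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts_text),
                       fields["account"], fields["source"]))
    return events


def lockout_storms(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {source: set_of_accounts} for every source that locked at
    least `min_accounts` distinct accounts within any sliding `window`.

    A single account locked repeatedly never trips this rule; that case is
    handled by the normal helpdesk unlock, not incident response.
    """
    by_source = defaultdict(list)
    for ts, account, source in sorted(events):
        by_source[source].append((ts, account))

    alerts = {}
    for source, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            accounts = {acct for _, acct in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[source] = alerts.get(source, set()) | accounts
    return alerts


if __name__ == "__main__":
    for src, accts in lockout_storms(parse_lockouts(SAMPLE_LOG)).items():
        print(f"lockout storm from {src}: {len(accts)} accounts "
              f"({', '.join(sorted(accts))})")
```

Feeding this rule real lockout events (in a Windows domain, the account-lockout audit events from the domain controllers) gives the noisy signal the reply refers to: a burst of distinct accounts tied to one caller address is what a lockout-based DoS looks like, and it is also the pivot for the mitigation, since the offending source can be blocked at the firewall while the individual users are unlocked.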

