Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet- mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible—which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don't fully understand the situation, but other times it's just a bunch of savvy entrepreneurs with a well-marketed piece of junk they're selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them.
“The Six Dumbest Ideas in Computer Security [1]”
The first two myths listed, “Default permit” and “Enumerating Badness,” are hard for me to accept since I basically believe in an open network. I'm a programmer by training, and I like playing around with stuff, and having a closed “default deny” attitude towards the network would make it too annoying for me to [DELETED-play-DELETED] work. I'm also lazy and just want things to work without having to configure a bunch of crap.
In his second myth, “Enumerating Badness,” he also talks about restricting execution of programs to those that are required to run. I doubt he's ever worked with something like SELinux [2]. I have, and if it's ever running, I turn it off since it's a bitch to get anything working (and our support costs would go up as well as our customers try to install scripts and can't get them running).
But I'm also getting tired of clearing out script kiddies out of our servers. It might actually be worth it to adopt a “default deny” stance on things (but perhaps not as far as running SELinux—I don't think it's cost effective with our setup).
His advice on a rtificial ignorance [3] is great though, and is something I would like to do. “Artificial Ignorance” in this case, is scanning through log files throwing out everything that is not of interest (read: “is a known quantity and can be ignored”); anything left over is by definition “interesting” and should be investigated. It would certainly beat the log summaries that LogWatch [4] produces.
And some of the best advice on that page?
One extremely useful piece of management kung-fu to remember, if you find yourself up against an "early adopter" is to rely on your peers. Several years ago I had a client who was preparing to spend a ton of money on a technology without testing it operationally. I suggested offhandedly to the senior IT (Information Technology) manager in charge that he should send one of his team to a relevant conference (in this case, LISA (Large Installation System Administration) [5]) where it was likely that someone with hands-on experience with the technology would be in attendance. I proposed that the manager have his employee put a message on the “meet and greet” bulletin board that read: “Do you have hands-on experience with xyz from pdq.com? If so, I'm authorized to take you to dinner at Ruth's Chris if you promise to give me the low-down on the product off the record. Contact, etc …” The IT manager later told me that a $200 dinner expense saved them over $400,000 worth of hellish technological trauma.
“The Six Dumbest Ideas in Computer Security [6]”
Heh.
[1] http://www.ranum.com/security/computer_security/editorials/dumb/
[2] http://www.nsa.gov/selinux/
[3] http://www.ranum.com/security/computer_security/papers/ai/index.html
[4] http://www2.logwatch.org:81/
[5] http://www.usenix.org/events/lisa05
[6] http://www.ranum.com/security/computer_security/editorials/dumb/