The Six Dumbest Ideas in Computer Security
Marcus Ranum has brought in interesting thoughts worth reading. An IT professional should now start thinking in reverse. This is what we now call "CHANGE". Though I may say that I don't agree with all the points, they are definitely thoughts that need to be noted. As he puts it, these dumb ideas are the fundamental reason(s) why all that money we spend on information security is going to be wasted, unless we somehow manage to avoid them.
I would agree with Point # 1, "Default Permit":
With this strategy, you give the firewall the set of conditions that will result in data being blocked. Any host or protocol that is not covered by your policy will be passed by default.
Sounds good to me at the moment, but I would not say more on this until I learn more about this technology. Here he also says,
The opposite of "Default Permit" is "Default Deny" and it is a really good idea. It takes dedication, thought, and understanding to implement a "Default Deny" policy, which is why it is so seldom done. It's not that much harder to do than "Default Permit" but you'll sleep much better at night.
Does anyone really agree with that? Are the professionals not giving it enough dedication and understanding, or have they not given it a thought yet?
Point # 2 discusses "Enumerating Badness":
Here I would simply quote the important note,
Examine a typical antivirus package and you'll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I've installed on my machine, and you can see it's rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness.
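As an added illustration of Points # 1 and # 2 (this is example code written for this post, not anything from Ranum's essay), here is the same decision made both ways: a block list that enumerates badness with Default Permit, and an allow list that enumerates goodness with Default Deny. The port/protocol pairs and the traffic sample are constructed, and port 31337 just stands in for a service nobody had thought about when the lists were written.

```python
# Constructed sample: a small server that legitimately exposes only SSH, SMTP,
# HTTP and HTTPS. Port/protocol pairs stand in for Ranum's "hosts or protocols".
KNOWN_GOOD = {(22, "tcp"), (25, "tcp"), (80, "tcp"), (443, "tcp")}
# The block list only knows the services someone already thought to forbid.
KNOWN_BAD = {(23, "tcp"), (135, "tcp"), (445, "tcp")}


def default_permit(port: int, proto: str) -> bool:
    """Default Permit / Enumerating Badness: pass unless explicitly blocked."""
    return (port, proto) not in KNOWN_BAD


def default_deny(port: int, proto: str) -> bool:
    """Default Deny / Enumerating Goodness: block unless explicitly allowed."""
    return (port, proto) in KNOWN_GOOD


def unlisted_but_passed(traffic):
    """Connections on neither list that still sail through under Default Permit.

    Each entry is a gap the block list has to be updated to close, one new
    piece of badness at a time, while the allow list never had to change.
    """
    return [
        (port, proto)
        for port, proto in traffic
        if (port, proto) not in KNOWN_GOOD
        and (port, proto) not in KNOWN_BAD
        and default_permit(port, proto)
    ]


# Constructed traffic sample: normal services plus services nobody anticipated.
SAMPLE_TRAFFIC = [(443, "tcp"), (23, "tcp"), (31337, "tcp"), (5353, "udp")]

if __name__ == "__main__":
    for port, proto in SAMPLE_TRAFFIC:
        print(f"{port}/{proto}: permit-by-default={default_permit(port, proto)} "
              f"deny-by-default={default_deny(port, proto)}")
    print("leaked through Default Permit:", unlisted_but_passed(SAMPLE_TRAFFIC))
```

The two known services come out the same under either policy; the difference only shows up on the connections that were never enumerated, which is exactly where a real network spends its time.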
A good Point # 3, "Penetrate and Patch":
Note this point:
If "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer by now.
Here is something more that I would like to point out related to Firefox.
And if you have read Feynman's conclusion:
For a successful technology, reality must take precedence over public relations,
for nature cannot be fooled.
Point # 4 on "Hacking is Cool" is one of the best points:
Note this point:
If you're a security practitioner, teaching yourself how to hack is also part of the "Hacking is Cool" dumb idea. Think about it for a couple of minutes: teaching yourself a bunch of exploits and how to use them means you're investing your time in learning a bunch of tools and techniques that are going to go stale as soon as everyone has patched that particular hole. It means you've made part of your professional skill-set dependent on "Penetrate and Patch" and you're going to have to be part of the arms-race if you want that skill-set to remain relevant and up-to-date. Wouldn't it be more sensible to learn how to design security systems that are hack-proof than to learn how to identify security systems that are dumb?
That's a very true and valid point. You will find many other points. For me, I feel this is not so dumb; it is useful to know that. Better to learn both how to break and how to make. Read what he says at the end:
"Good Engineering is Cool" but so far there is no sign that's likely to happen.
Point # 5 speaks on "Educating Users":
A very good point I would make a note of:
Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of barely clothed females.
So does that mean users need not be educated? Nah, I don't totally agree. Yes, there are a few users who don't behave securely, but some countermeasures need to be taken for them.
Point # 6, "Action is Better Than Inaction":
Yes, I would agree with this point.
"It is often easier to not do something dumb than it is to do something smart."
So my end point: I am Smart... and can be a part of improving on the 6 dumb ideas.
Computer security is definitely a "hot topic." Why are we spending all this time and money and still having problems?