Ted Demopoulos’
securITy
November 2004
___________________________________________________________
The free newsletter
of Demopoulos Associates,
www.demop.com
Please forward this newsletter to anyone you know who might enjoy it!
-
Ted Demopoulos quoted in Processor Magazine.
-
It’s impossible to spend 20 years
in high tech, including 15+ years consulting and a few startups, without
developing some business acumen. And in my case, without forming some
strong opinions on what does and does not work. Some of these
experiences and opinions will be described on
http://www.demop.com/Articles.html
soon.
-
The first in our “Worst Practices” series follows. Suggestions for Worst Practices topics welcome!
Avoiding “Worst Practices,” or praying at “The Temple of Best Practices.”
The “Best Practices Mantra” annoys me.
I define “Best Practices” as practices validated by experience and common
sense. Often the “common sense” component is entirely skipped and the “Best
Practices Mantra” is used as an excuse for not thinking. That includes not
thinking about what “Best Practices” actually means. A quick Google search reveals
lots of “Best Practice” links and “Best Practice Institutes,” but none of
them bother to define “Best Practices.” No one bothers to define the Bible
or Koran either, but I would argue that they do not need to be defined, and
are certainly not fads. The jury is out on “Best Practices” . . .
I was at a new client’s facility yesterday and when I asked about certain
security practices and configurations, I often got the blanket statement
“Best Practices” as an answer. It was clear in several cases that these
alleged “Best Practices” either did NOT apply or were INCORRECTLY
implemented. In both cases no one had used their common sense and had
instead chosen to place their blind faith and prayers at the “Temple of Best
Practices.”
Few best practices are universal.
Locking your car when parking in a big city might be considered an example of
a best practice. Sounds reasonable, but does it apply everywhere?
Well, not for a friend of mine who lives in New York City. At least in his
neighborhood, a locked car is considered worth breaking into. An unlocked
car with nothing in it and a sign in the windshield that reads “No Radio” is
far safer.
Best practices are NOT a substitute for thinking and common sense.
A well accepted best practice is to protect your organization’s network from
the Internet with a firewall (we’ll ignore the fact that a few organizations
have very effective security without a firewall, e.g. MIT). I’ve seen
several places where this best practice has been followed without any
application of common sense. For example, a couple months ago I saw a
firewall that was actually configured to let all network traffic in and all
network traffic out! Yes, they had a firewall, but it accomplished exactly
nothing. More commonly I see firewalls with so many holes that you can drive
a truck full of Swiss cheese through them.
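The “firewall that lets everything in and everything out” is easy to spot once you look at the ruleset rather than at the checkbox that says “we have a firewall.” As an added example (not from the newsletter or from Demopoulos Associates), here is a small audit over an iptables-save style filter table. It flags a chain whose default policy is ACCEPT and any ACCEPT rule that carries no real match criteria, which together are exactly the configuration described above. The two rulesets embedded below are constructed for illustration, not taken from any real host.

```python
"""Audit an iptables-save style *filter table for blanket-accept holes.

The rulesets WIDE_OPEN and HARDENED are constructed examples for this
illustration; they do not describe any real system.
"""
import shlex

# Constructed: the "firewall that accomplishes nothing" from the newsletter.
WIDE_OPEN = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A OUTPUT -d 0.0.0.0/0 -j ACCEPT
COMMIT
"""

# Constructed: default-deny in both directions, explicit allowances only.
HARDENED = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Address matches that restrict nothing; a rule qualified only by these is
# equivalent to an unconditional rule.
NOOP_MATCHES = {("-s", "0.0.0.0/0"), ("-d", "0.0.0.0/0"),
                ("-s", "0/0"), ("-d", "0/0")}


def parse_filter_table(text):
    """Return (policies, rules) for the *filter table of a dump.

    policies maps chain name -> default policy; rules is a list of token
    lists, each starting with the chain name (the tokens after '-A').
    """
    policies, rules = {}, []
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT":
            continue
        if line.startswith(":"):            # ':CHAIN POLICY [packets:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tokens = shlex.split(line)
        if tokens[:1] == ["-A"] and len(tokens) >= 2:
            rules.append(tokens[1:])
    return policies, rules


def split_rule(rest):
    """Split tokens after the chain name into (target, effective_matches).

    effective_matches has the no-op address matches removed, so an empty
    list means the rule matches every packet reaching the chain.
    """
    if "-j" not in rest:
        return None, rest
    j = rest.index("-j")
    target = rest[j + 1] if j + 1 < len(rest) else None
    matches, effective, i = rest[:j], [], 0
    while i < len(matches):
        if i + 1 < len(matches) and (matches[i], matches[i + 1]) in NOOP_MATCHES:
            i += 2
        else:
            effective.append(matches[i])
            i += 1
    return target, effective


def audit_ruleset(text):
    """Return a list of (chain, finding) pairs; an empty list means no holes."""
    findings = []
    policies, rules = parse_filter_table(text)
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) == "ACCEPT":
            findings.append((chain, "default policy ACCEPT"))
    for rule in rules:
        chain, target, effective = rule[0], *split_rule(rule[1:])
        if target == "ACCEPT" and not effective:
            findings.append((chain, "unconditional ACCEPT rule: -A " + " ".join(rule)))
    return findings


if __name__ == "__main__":
    for name, ruleset in (("WIDE_OPEN", WIDE_OPEN), ("HARDENED", HARDENED)):
        print(name)
        for chain, finding in audit_ruleset(ruleset) or [("-", "no blanket-accept holes")]:
            print(f"  {chain}: {finding}")
```

Run against a real dump with `iptables-save | python audit.py` after swapping the embedded strings for `sys.stdin.read()`. The check is deliberately narrow: it catches the “accept everything” case and nothing subtler, which is the point of the newsletter’s “Worst Practices” framing. Passing it does not make a ruleset good, but failing it means the firewall is doing exactly nothing.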
Best practices are NOT static.
Best practices do have value, especially when they are derived from a large
cross section of organizations and experiences. They are a good starting
point for doing things right. But the world changes regularly and
essentially everything evolves. Best practices must be continuously re-examined
and re-validated. This is especially important in a rapidly
changing field like information security.
A big part of being successful is avoiding major mistakes.
A major component of success is avoiding major mistakes.
Instead of focusing exclusively on implementing “Best Practices,” I suggest
avoiding “Worst Practices.” You can do almost everything perfectly, but if
you get one thing horribly wrong you can negate everything. A soldier
greatly increases his chances in a firefight by doing things right, but one
serious mistake and his odds of surviving plummet. An organization can do
all the right things in implementing effective security, but a ten minute
firewall misconfiguration can let a hacker come in and establish a foothold.
A company can build a great reputation over many years, but one horrible
incident can ruin that reputation.
Hence we kick off our Worst Practice series with:
Worst Practices in Best Practices
Practices to avoid like the plague!!!!
1) Assuming all Best Practices apply.
Few Best Practices are universal.
2) Turning off your brain while implementing and using Best Practices.
Nothing is foolproof, and you should always apply common sense.
3) Implementing Best Practices and thinking you are done.
Nothing is static; that includes Best Practices.
4) Implementing Best Practices without avoiding Worst Practices.
One major blunder can negate everything!
___________________________________________________________
This newsletter is Copyright © 2004 by Demopoulos Associates, Durham, New Hampshire, USA.
All rights are reserved, except that it may be freely redistributed if unmodified.
Sharing securITy is encouraged if the copyright and attribution are included.
Subscribe to the securITy newsletter. We NEVER rent, sell, or share email addresses.