Thursday, May 27, 2010

Revisiting Ranum's "The Six Dumbest Ideas in Computer Security"



A friend of mine reminded me about this article recently.  The funny thing about this is that he wrote this 4 1/2 years ago, and some of these things are still true. 


  1. "Default Permit" - I think this is changing.  We saw this with Win2008 having reduced features turned on by default. 
  2. "Enumerating Badness" - I think organizations as a whole would rather target "badness" than define "goodness", but it's a never-ending challenge of trying to find all "bad".  While it's challenging, you have a much better chance at enumerating your own "goodness".  The problem with this is that companies have to want to have positive control over their environment, which is entirely dependent on senior leadership in a company, and their support of senior IT leadership.  "The first lesson in management is that it's always your fault."
  3. "Penetrate and Patch" - While I think security reviews of code are more common now than in the past, they're not as common as necessary.  We need better education at the collegiate level and then continuing education to hammer good programming practices into the heads of developers.  They need this because it has to be second nature to develop secure code.  Just like in IT Operations, frequently best practice and security principles go out the window when there's an urgent deadline or political pressure to get something implemented.  These guys and gals that write code need to do it securely, in their sleep, if we're going to get ahead of the "penetrate and patch" methodology.
  4. "Hacking is cool!" - I think this has changed some.  I read an article just recently about how articles and media that sensationalize suicide frequently lead to copycat and higher incidents of suicides.  This changes, though, when the right people say the right things at the right times about the incidents.  The point is that while the popular attitude is that hacking is cool (I'm one of them, admittedly), the consequences need to be stressed more.  I think we've seen this more too.  We haven't had a good "hacker" movie in a while.  Coincidence?
  5. "Educating Users" - This is a constant problem because education itself is challenging.  Can you think of a time when it was easy to take an entire organization and get everyone thinking the same way?  If it was procedural, sure, "follow the tail in front of you" like a pack mule on the trail.  "Step 1, complete this step and move to Step 2."  The primary challenge with educating users is that because of #2 above, we expect them to make decisions, on the fly, and then not give them good options to choose from.  Educating users should be based on what the company wants them to DO, not what it wants them to feel.  Make it actionable, make it relevant, make it about the company and what the company wants them to do.  As InfoSec people, we are frequently crossing the line between company threats and overall, personal information management threats.  We need to keep company education to company education and leave the personal InfoSec advice to the media and water cooler conversations.  It's not that hard, we just need to commit to clear messages and expectations of the users.  That, of course, relies on whether management has figured out #2, above, though.
  6. "Action is Better than Inaction" - Ranum is right on with this one.  Early adoption of technology is a gamble.  Some companies are more risk averse than others.  Sometimes when you gamble, you win and sometimes you lose.  IT Operations runs more smoothly when things are predictable.  Which is going to lead to predictability and therefore more secure?  You guessed it, "pause and think".  The problem is if your company is run by sales, sales people and market timing, "pause and think" isn't going to go over well, unless you have strong senior IT leadership, and management above them that's going to let them run the IT show.  I've seen "pause and think" work much better than gambling on IT.  This is still a big issue in corporate America as a whole I think.
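To make #1 and #2 concrete, here is a small added illustration (my own example, not from Ranum's article or this post) that evaluates the same constructed set of outbound connections under a "default permit plus denylist" policy and a "default deny plus allowlist" policy. The hostnames, process names and list contents are made-up sample data; the point is that the never-before-seen connection sails through the denylist and is stopped by the allowlist.

```python
"""Default-permit/denylist versus default-deny/allowlist policy evaluation.

Added illustration for ideas #1 and #2; not code from the post or the article.
All connection records and list contents are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    process: str
    dest: str
    port: int


# Constructed sample of what a desktop fleet is actually observed doing.
SAMPLE_CONNECTIONS = [
    Connection("outlook.exe", "mail.example.internal", 443),
    Connection("chrome.exe", "www.example.com", 443),
    Connection("updater.exe", "cdn.vendor.example", 80),
    Connection("svchost.exe", "203.0.113.7", 4444),    # never seen before
    Connection("chrome.exe", "known-bad.example", 80),  # already on the denylist
]

# "Enumerating badness": only what we have heard about so far (constructed).
DENYLIST = {"known-bad.example"}

# "Enumerating goodness": the business need written down as approved
# (process, destination, port) triples (constructed).
ALLOWLIST = {
    ("outlook.exe", "mail.example.internal", 443),
    ("chrome.exe", "www.example.com", 443),
    ("updater.exe", "cdn.vendor.example", 80),
}


def default_permit(conn, denylist=DENYLIST):
    """Default permit: anything not explicitly known-bad is allowed."""
    return conn.dest not in denylist


def default_deny(conn, allowlist=ALLOWLIST):
    """Default deny: only what was explicitly approved is allowed."""
    return (conn.process, conn.dest, conn.port) in allowlist


def compare(connections):
    """Map each connection to (default_permit_allows, default_deny_allows)."""
    return {c: (default_permit(c), default_deny(c)) for c in connections}


if __name__ == "__main__":
    for conn, (permit, deny) in compare(SAMPLE_CONNECTIONS).items():
        print(f"{conn.process:12} {conn.dest:24}:{conn.port:<5} "
              f"default-permit={'ALLOW' if permit else 'BLOCK'}  "
              f"default-deny={'ALLOW' if deny else 'BLOCK'}")
```

Running it shows the unknown `svchost.exe` connection allowed under default permit and blocked under default deny, while the known-bad host is blocked by both; the denylist only ever catches what you already knew about.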
What do you think?

Chris Grant
LABrat.com