This story appeared on Network World at

This story appeared on Network World at
http://www.networkworld.com/columnists/2009/012009-bradner.html

Information security 'how not to's'

Advice on what not to do if you want information security

'Net Insider By Scott Bradner , Network World , 01/20/2009

It's not easy getting information security right. It is easy to get advice (often from vendors who want to sell you their semi-magic fix for all that ails you) on what you should be doing. But actually protecting your corporate or personal data turns out to be hard in the real world. Take a look at the Identity Theft Resource Center's report on what happened last year to see.

There are lots of rule sets you can follow, or in some cases must follow, to protect information. These range from the multiple families of security standards put out by the International Organization for Standardization (ISO) to the new regulations implementing the Massachusetts Identity Theft Law.

To me, security standards like the ISO's are too complex and theoretical for humans to effectively implement. The new Massachusetts regulations are quite good, and almost all of them can be reasonably implemented (a personal, not official Harvard view), although the Massachusetts business community seems to be going nonlinear over them.

It is frequently quite hard to figure out why these types of rules say what they do -- too rarely do the rules include enough context for the reader to understand what threat is being addressed and how the rules will address the threat. It is also hard to understand what specific parts of the rules are key and which can be tweaked for a local environment without seriously impacting actual security.

Sometimes one can learn more by finding out what not to do than by being told what to do. The best list of things not to do, or more precisely, dumb security ideas is Marcus Ranum's "The Six Dumbest Ideas in Computer Security." This list of bad ideas features very good explanations on why they are dumb. It's a few years old, but the lessons are for today. The dumb idea I most relate to, being from an educational institution, is No. 5: "educating users." Fundamentally users can not be educated to pay reliable attention to security, and any security mechanism that depends primarily on educating users will fail.

A different type of list of "what not to do's" was just published by the SANS Institute: "How to suck at Information Security." This list does not have any of the kind of background and explanation for each of the bad ideas that Ranum puts in his but is quite instructive anyway. If you know something is a bad idea maybe you can think about why and learn from that process.

The SANS list is broken into five parts, each listing common information-security mistakes and misconceptions. The sections include security policy and compliance, security tools, risk management, security practices and, finally, password management.

Some examples: "say 'no' whenever asked to approve a request," "enforce policies that have not been properly approved," "make somebody responsible for managing risk, but don't give the person any power to make decisions," and "require your users to change passwords too frequently." There are lots more bad ideas -- take a look.

Disclaimer: Education at places like Harvard involves exposing students to bad ideas as well as good ones so that they can tell the difference. But I know of no University view on the usefulness of bad security ideas, so the above reviews are mine alone.