Schneier on Security: Marcus Ranum's "The Six Dumbest Ideas in Computer Security"
Link from Bruce Schneir's blog to an article by Marcus Ranum. As always some interesting thoughts, this time about the dumbest ideas in security, some of which I agree with and some which I'm not so sure about.
The 1st, default permit I'd agree with. Default Permit is all over IT. One example which I think is interesting but not mentioned is URL filtering. Any company I've seen run a default permit and blacklist concept for web traffic filtering. Whilst I can see why that would work from a usability perspective, it's next to useless from a security standpoint. As soon as you allow access to unknown sites, you're allowing access to everything as users can use one of the variety of tunnelling or proxying programs to get access to all the content you've blocked, as can any virii or worms that might get installed..
Enumerating badness, yeah, I like it in principle, although I do think that Marcus is understating the level of complexity in enumerating the goodness. Sure there may be only 20-30 programs you use in an interactive sense, there are many more pieces of code executed that you're not aware of...
Penetrate and Patch. This is a well made point, in that code should be designed to be secure, as should systems. However I'm not convinced of the wortlessness of penetration testing. Once you've designed your secure system and implemented it, shouldn't someone test that it actually is secure?
Number four's a bit of a "yeah but no" point. Yeah hacking isn't cool (in the criminal sense of hacking) but understanding how you're current adversary operates, is to my mind, useful.....
Number Five... nah ain't buying it. The implication of this point is that user education has done nothing for security, because there are still some users who don't behave securely... so should we not take any countermeasures unless they're going to be 100% successful!? User education has done a lot for security it's just, like all other countermeasuers not perfect...
Number Six, I'll go along with, the number of people who seem ready to jump on the latest security bandwagon, whilst still not doing the fundamentals of good security operations well never ceases to amaze me...
All interesting stuff though and well worth a read...
