May 11, 2006

Blindly Applying ‘Best Practices’

Professor Spafford expands on his previous article, which we discussed earlier, to argue that we should examine every "best practice" and decide which ones actually make sense for a given application. My favorite example of this:

One example, told to me by a Federal law enforcement agent, is when he showed his badge and papers while passing through security. They didn’t make him take out his weapon when going through the metal detector…but then they insisted that he run his shoes through the X-ray machine!

The lesson here: don’t check your brain at the door when applying best practices. When security professionals walk around insisting that every security requirement must be met, without doing even a back-of-the-napkin risk assessment, we all look bad.

Spaf: Passwords and Myth [Purdue's CERIAS Blogs]


One Response to “Blindly Applying ‘Best Practices’”

  1. Security Wonk - Rethinking Security By Obscurity Says:

    [...] The theme of debunking security myths continues with Roger Grimes bringing us a case for Security by Obscurity. He cites moving services to a non-well-known port as an effective example of security by obscurity: [...]

    May 12th, 2006 at 1:41 pm
