Unconventional Wisdom

Let’s face it, the conventional wisdom is not always wise - in fact, it is often just plain wrong. In security, this means that we embed things in our folkways of “best practices” that, in fact, have the effect of decreasing security. Gene Spafford, in a blog post on password security myths, puts it this way:

In the practice of security we have accumulated a number of “rules of thumb” that many people accept without careful consideration. Some of these get included in policies, and thus may get propagated to environments they were not meant to address. It is also the case that as technology changes, the underlying (and unstated) assumptions underlying these bits of conventional wisdom also change. The result is a stale policy that may no longer be effective…or possibly even dangerous.

Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom.

In “Unconventional Wisdom” posts, we will look at cases where the conventional wisdom is wrong, and can weaken your security. For starters, we will explore Spaf’s specific objections to password change policies (and mine to bad password lockout policies) in future posts.

2 Responses to “Unconventional Wisdom”

  1. yathrib Says:

    Oh yes, I would love to know where many of these “sounds like security, but it’s not” policies come from.

    Auditors often suggest policies which engineers should know better than to accept.

    I don’t know if you recall the furor a few years ago about “MarketScore” (now called comScore) amongst .edus, but that was a good example of auditor-driven policies (firewalling off MarketScore’s servers) which weren’t the best solution.

  2. andy Says:

    I missed that one. I’d love to hear more about it.
