SecMusings

This is a video sidebar I did for BusinessWeek.com to accompany a case study dealing with a company that fired an employee for visiting pornographic web sites in the office during working hours. You can see my video here, but the case study is worth reading, especially since there is another nice video sidebar by attorney James G. Ryan dealing with the legal issues.

Let’s face it, the conventional wisdom is not always wise – in fact, it is often just plain wrong. In security, this means that we imbed things in our folkways of “best practices” that, in fact, have the effect of decreasing security. Gene Spafford, in a blog post on password security myths, puts it this way:

In the practice of security we have accumulated a number of “rules of thumb” that many people accept without careful consideration. Some of these get included in policies, and thus may get propagated to environments they were not meant to address. It is also the case that as technology changes, the underlying (and unstated) assumptions underlying these bits of conventional wisdom also change. The result is a stale policy that may no longer be effective…or possibly even dangerous.

Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom.

In “Unconventional Wisdom” posts, we will look at cases where the conventional wisdom is wrong, and can weaken your security. For starters, we will explore Spaf’s specific objections to password change policies (and mine to bad password lockout policies) in future posts.