[fc-discuss] Financial Cryptography Update: New Best Practice for security: Avoid "Best Practices"

iang@iang.org iang@iang.org
Fri, 10 Jun 2005 16:35:20 +0100 (BST)

Financial Cryptography Update: New Best Practice for security: Avoid "Best Practices"

June 10, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000465.html



------------------------------------------------------------------------

I've written at length and critically (including in a draft paper) about
how "best practices" may actually oppose security rather than support
it.  Yes, there is a model that explains why best practices are bad.  It
appears that others may be coming to the same conclusion; here are a few
snippets in that direction.

1.  "Best fit" is the better fit.  An otherwise routine article by a
partner at PricewaterhouseCoopers suggests:

"It is becoming more common for organisations to strive for a "best
fit" solution, as opposed to obtaining "best practice" in every
security-related matter.  Conforming to a set of best practices can be
an extremely expensive exercise that does not necessarily deliver
business benefits equal to or greater than the resources expended to get
there.

A best-fit model is, instead, about understanding what the risks are and
applying the most appropriate risk mitigation strategy to reduce them,
as opposed to applying best practice processes regardless of the
associated risk."

Tan Shong Ye is Partner and Head of Security & Technology Practice at
PricewaterhouseCoopers.

Copyright IDG Communications (S) Pte. Ltd. 2005
http://cio-asia.com/showpage.aspx?pagetype=2&articleid=1072&pubid=5&issueid=48

2.  Write your passwords down!  Another "best practice" looks like it
is leaving us.  Signs are that companies are finally starting to
recommend that passwords be written down.  Thank heavens for that.
Slashdot reports that Netgear and Microsoft are doing it; they must
have seen the blog (look at #4 to the right).

http://ask.slashdot.org/askslashdot/05/06/08/1955253.shtml?tid=172&tid=4
http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html?tag=nefd.ac

Writing passwords down is common sense.  If you have a dozen passwords,
how else are you going to remember them?  And what happens when you
don't remember them?  You can't use the system!  Which means admin
time, help desk support time, your time, and sometimes your opportunity
costs all kick in.

Writing passwords down was banned back in the days when we each had only
one password, so we could be expected to remember it.  And it helps to
remember that the problem wasn't writing them down; it was pinning them
to the very machine itself with big letters saying ACCOUNT PASSWORD ...

All people have to do is hide it from view.  That's all.  Back in the
days when I was a systems administrator I would carefully and obviously
take all the root passwords, write them down on a piece of paper, put
the paper into an envelope, seal it, and sign all over the back.
Finally I would pin the envelope on the boss's notice board where
anyone could get it.

I'd do this obviously and blatantly so that everyone in the office knew
where to get them.  And then I'd check every week to make sure it
hadn't been opened.

3.  Don't outsource your soul to big companies.  Smaller companies
bemoan how large companies only buy from large security suppliers.
Obviously, large security suppliers get stuck in large ruts.  Buying
from a large, safe company may be a way to avoid having to learn the
real risks, but it doesn't mean that you've covered those risks...

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1096619,00.html


4.  And finally, security is now the #1 concern of financial executives.
So pay attention!

http://www.ebcvg.com/articles.php?id=762
