The Six Dumbest Ideas in Computer Security – Revisited

Marcus Ranum’s The Six Dumbest Ideas in Computer Security, written in 2005, is still cited regularly as gospel. I think it deserves a fresh look in the context of the 2011 threat landscape.

  1. Default Permit – I agree. This still ranks as number one. In this age of application-level threats, it’s more important than ever to implement “default deny” policies at the application level, not just at the port and protocol level, in order to reduce the organization’s attack surface. The objective must be “Unknown applications – Deny.”
  2. Enumerating Badness – While I understand that in theory it’s far better to enumerate goodness and deny everything else (see #1 above), in practice I have not yet seen a host or network intrusion prevention product built on this model that is reliable enough to replace traditional IPS technology based on vulnerability signatures. If you know of such a product, I would surely be interested in learning about it.
  3. Penetrate and Patch – I’m not sure I would call this dumb. Practically speaking, I would say it’s necessary but not sufficient: finding and fixing the vulnerabilities you know about does nothing for the ones nobody has found yet.
  4. Hacking is Cool – I agree, although this is no different from “analog hacking.” Movies about criminals are still being made because the public is fascinated by them.
  5. Educating Users – I strongly disagree here. The issue is that our methods for educating users have left out the idea of “incentives.” In other words, in most organizations a user’s inappropriate or thoughtless behavior costs that user nothing. Employee and contractor behavior will change if their compensation is affected by their actions. Of course, you have to have the right technical controls in place to ensure that you can properly attribute observed network activity to individual people. Because these controls are relatively new, we are only at the beginning of using economic incentives to influence employee behavior. I wrote about Security Awareness Training and Incentives last week.
  6. Action is Better than Inaction – Somewhat valid. The management team of each organization will have to decide for itself whether it is an “early adopter” or what I would call a “fast follower.” Ranum uses the term “pause and thinkers,” clearly indicating his view. However, if there are no early adopters, there will be no innovation. And as has been shown regularly, there are only a small number of early adopters anyway.
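To make the difference between #1 and #2 concrete, here is an added example, written for this review and not code from Ranum’s essay or from any IPS product. It runs two policies over a handful of constructed web-server access-log lines: a denylist of attack signatures (enumerating badness) and a default-deny allowlist of the routes the application is known to serve (enumerating goodness). The log lines, the route list and the signatures are all made up for the illustration.

```python
"""Default deny vs. enumerating badness, run over constructed access logs.

Added illustration for this post, not code from it or from any product.
The log lines, routes and signatures below are made up for the example.
"""
import re

# Constructed sample access-log lines: "client method path status".
SAMPLE_LOG = """\
203.0.113.10 GET /index.html 200
203.0.113.11 GET /products?id=42 200
203.0.113.12 POST /api/login 200
203.0.113.13 GET /products?id=42%27%20OR%201=1-- 500
203.0.113.14 GET /../../etc/passwd 404
203.0.113.15 GET /admin/debug?cmd=id 200
203.0.113.16 PUT /uploads/shell.php 201
203.0.113.17 GET /search?q=books 200
"""

# Enumerating badness: a denylist of attack signatures, the way a
# signature-based IPS works. It only knows the attacks someone wrote down.
BAD_SIGNATURES = {
    "sqli-quote": re.compile(r"%27|'"),
    "path-traversal": re.compile(r"\.\./"),
}

# Enumerating goodness: the allowlist of (method, path pattern) the
# application is actually known to serve. Anything else is denied by default.
ALLOWED_ROUTES = [
    ("GET", re.compile(r"^/index\.html$")),
    ("GET", re.compile(r"^/products\?id=\d+$")),
    ("POST", re.compile(r"^/api/login$")),
]


def parse_line(line):
    """Split one constructed log line into client, method, path, status."""
    client, method, path, status = line.split()
    return client, method, path, int(status)


def denylist_verdict(method, path):
    """Default permit: allow unless a known-bad signature matches."""
    for name, pattern in BAD_SIGNATURES.items():
        if pattern.search(path):
            return "deny", name
    return "allow", None


def allowlist_verdict(method, path):
    """Default deny: allow only requests matching a known-good route."""
    for allowed_method, pattern in ALLOWED_ROUTES:
        if method == allowed_method and pattern.match(path):
            return "allow", pattern.pattern
    return "deny", "unknown-application-request"


def evaluate(log_text):
    """Run both policies over every line; return the verdicts side by side."""
    rows = []
    for line in log_text.splitlines():
        _client, method, path, _status = parse_line(line)
        d_verdict, d_reason = denylist_verdict(method, path)
        a_verdict, a_reason = allowlist_verdict(method, path)
        rows.append({
            "method": method,
            "path": path,
            "denylist": d_verdict,
            "denylist_reason": d_reason,
            "allowlist": a_verdict,
            "allowlist_reason": a_reason,
        })
    return rows


def disagreements(rows):
    """Requests where the two policies differ: these are the interesting cases."""
    return [r for r in rows if r["denylist"] != r["allowlist"]]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOG):
        print(f'{r["method"]:4} {r["path"]:40} '
              f'denylist={r["denylist"]:5} allowlist={r["allowlist"]}')
```

The denylist waves through the two attacks it has no signature for (the debug endpoint and the file upload) while the allowlist blocks them on sight; but the allowlist also blocks the legitimate /search route that nobody added to the policy. That maintenance burden, every new feature needing a policy update before it works, is exactly what makes enumerate-goodness products hard to run reliably enough to replace signature IPS in practice.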

Of the “Minor Dumbs,” I agree with all of them except the last one: “We can’t stop the occasional problem.” Ranum says “yes you can.” Not possible. You must assume you will suffer successful attacks. Good security means budget is allocated to detection and response in addition to prevention.

About Cymbel

Specialists in information security. Helping organizations secure their networks and mitigate the risks of modern threats.


  1. While you are right about this article being still pertinent, I see your points as limiting because they are based on the network, and I see Ranum’s article as being at the system level. I think he would build his networks with inherently secure systems, and eliminate the need for a lot of the network security.

    1) While your comment is not incorrect, it should advocate controls that are more granular than the app level. How about whitelisting end user behaviors? Everything can boil down to an executable.

    2) The reason you don’t see any IPS achieve this is that it requires kernel-level enforcement on any node where the controls are required. (Hint: Scalable MLS)

    3) Yes, it’s dumb. Got to get away from patch and pray to models that prevent threats from exploiting vulns; then you get protection where one can’t patch and against zero days.

    4) Definitely lame. Many breakers would fail at building.

    5) Educating users has generally proven to be poor value with limited effectiveness. Put those users on inherently secure high-assurance systems and see how much education they need. People push education because they are selling it or it’s all they have to go on.

    6) Early adoption for the sake of early adoption is plain dumb. Don’t bother to do anything unless conceptually it makes much more sense than the status quo, otherwise it is only incremental change.

    As far as minor dumbs, a few new threats are inevitable until the end goal is reached. If we had networks full of inherently secure systems, how many problems do you think would just go away?

