The Six Dumbest Ideas in Computer Security – Revisited

Marcus Ranum’s The Six Dumbest Ideas in Computer Security, written in 2006, is still referred to regularly as the gospel. I think it should be reviewed in the context of the 2011 threat landscape.

  1. Default Permit – I agree. This still ranks as number one. In this age of application level threats, it’s more important than ever to implement “default deny” policies at the application level in order to reduce the organization’s attack surface. The objective must be “Unknown applications – Deny.”
  2. Enumerating Badness – While I understand that in theory it’s far better to enumerate goodness and deny all other actions (see #1 above), in practice, I have not yet seen a host or network intrusion prevention product that uses this model that is reliable enough to replace traditional IPS technology that uses vulnerability-based signatures. If you know of such a product, I would surely be interested in learning about it.
  3. Penetrate and Patch – I’m not sure I would call this dumb. Practically speaking, I would say it’s necessary but not sufficient.
  4. Hacking is Cool – I agree, although this is no different than “analog hacking.” Movies about criminals are still being made because the public is fascinated by them.
  5. Educating Users –  I strongly disagree here. The issue is that our methods for educating users have left out the idea of “incentives.” In other words, the problem is that in most organizations, users’ merely inappropriate or thoughtless behavior does not cost them anything. Employees and contractor behavior will change if their compensation is affected by their actions. Of course you have to have the right technical controls in place to assure you can properly attribute observed network activity to people. Because these controls are relatively new, we are at the beginning of the use of economic incentives to influence employee behavior. I wrote about Security Awareness Training and Incentives last week.
  6. Action is better than Inaction – Somewhat valid. The management team of each organization will have to decide for themselves whether they are “early adopters” or what I would call, “fast followers.” Ranum uses the term “pause and thinkers,” clearly indicating his view. However, if there are no early adopters, there will be no innovation. And as has been shown regularly, there are only a small number of early adopters anyway.

Of the “Minor Dumbs” I agree with all of them except the last one – “We can’t stop the occasional problem.” Ranum says “yes you can.” Not possible. You must assume you will suffer successful attacks. Good security means budget is allocated to Detection and Response in addition to Prevention.