Self-proclaimed firewall guru (our term) and CSO of Tenable Security Inc, Marcus Ranum, has alerted us to his “Six Dumbest Ideas in Computer Security”, attracting attention from Slashdot, as well as some inevitable ire.
“These dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them,” he says.
He rails against a number of concepts that security people kick around endlessly without coming up with an easy consensus. A common theme – he uses the example of anti-virus software as elucidation – is that security has become about identifying bad software and stopping it running on a piecemeal basis.
Why not simply ban everything and insist that only software on a whitelist gets processor cycles?
“Instead of you taking the time to list the 30 or so legitimate things you need to do, it's easier to pay $29.95/year to someone else who will try to maintain an exhaustive list of all the evil in the world.”
However powerful this idea is conceptually – and it is already used to some extent - it has some wrinkles. What happens if the dominant software houses of the day become the only applications allowed by worried corporates? Perhaps we’ve missed something.
Other targets make interesting reading. He harries penetration testing, the reverence afforded hackers, and any number of myths he identifies about good security methods.
Ranum is the author of The Myth of Homeland Security, a debunking of the….the myth of homeland security. Given the jaw-dropping confusion shown by various US federal and state agencies after the recent New Orleans flooding, the idea that the powerful organisations with every facility can still get it wrong deserves closer examination.
Ditto security then.