6 Dumbest ideas in computer security
19 years 2 months ago #10118
by DaLight
Replied by DaLight on topic Re: 6 Dumbest ideas in computer security
On the topic of ridiculous password rules check out this Dilbert comic strip.
I use Password Safe to store my passwords. I now just need to remember one Master Password.
19 years 2 months ago #10119
by Biggystumps
Replied by Biggystumps on topic Re: 6 Dumbest ideas in computer security
I'm curious what you guys think about the #4 point though.
Would it not make you a better security tech, even a better security designer, if you understood penetration and exploits?
To me, if I was designing a network around security and didn't have an idea how a penetration network it would in effect be less secure.
The article is great and he has really valid points about focusing on good engineering rather than patch & penetrate. But don't other engineers, like if you're building a bridge, need to test the structure under, say, earthquake and weather conditions?
I'm just saying I really understand his points and they are valid, I just think there's a little bit more of a middle ground when it comes to that point.
What do you guys think?
MCSE - MCSA
2003 certified
19 years 2 months ago #10153
by TheBishop
Replied by TheBishop on topic Point Four
I don't think he's saying that attempting to penetrate your own systems is a bad idea. It's a great idea from a security point of view and we should all do at least the basics on our own networks and systems. What I think he's coming against is this idea that hackers get skilled, commit a few high-profile criminal acts, get jailed for it, then when they come out get hired as 'security consultants' by top companies. Sure, they are very good at penetrating systems, but would a company be as eager to hire, say, a convicted stock market fraudster into their finance department? Or a discharged bankrupt who's been banned from being a company director onto their senior management team?
19 years 2 months ago #10166
by Biggystumps
Replied by Biggystumps on topic Re: 6 Dumbest ideas in computer security
I see.
It's like, even though they do their time, the hacker is still being rewarded/praised for his previous malicious intent, which is usually a goal for them anyway.
MCSE - MCSA
2003 certified
19 years 2 months ago #10180
by sahirh
Replied by sahirh on topic Re: 6 Dumbest ideas in computer security
Hmm.. this article went through major debate at the security company where I work. First and foremost.. Marcus Ranum is no fool -- he comes from a time of *real* security research, so he knows what he's talking about.
Basically, the concept of 'penetration testing' did make sense when you had a few commonly known and exploited vulnerabilities and when systems were substantially less complicated. Nowadays, the idea of checking for a small 'blacklist' of holes doesn't make sense, because you're gonna have 20 more holes that you *didn't* look for.
This does not make this approach wrong. I think what he's driving at is the commoditization of this auditing industry. The people who are 'pentesters' and 'ethical hackers (ughh)' are basically just software users -- tool pushers -- they operate on the basis of 4-5 'situations' that they understand, and try to detect.. if they can't -- voila ! You're secure !
What you should have is someone who actually knows not just how to think out of the box, but can IMPLEMENT her out of the box thinking. In short, you need hackers. And no, not CEH's or ex-network admins who learned how to run Nessus. You need guys who understand how systems fall apart, and who can discover new vulnerabilities themselves.
These people are -- unfortunately -- not that easy to get hold of.
The next thing you do, is you give them the same scope that a real attacker would have. Don't just tell them, 'Okay, here's my border router IP, hack in and make an entry in my database'. If you wanna do this, give them just the company name, and a month in which to get something done (of course with regular check-ins).
Yes, this *still* will not tell you that you're secure. However, in theory at least, it should cover the paths most commonly travelled by attackers. Do this exercise regularly, and actually derive some value from the results by *listening* to what the hackers have to say, and you'll probably have above-average security..
Ultimately however, it always comes down to the skills of your testing team. If you want proof -- give an assignment to two competing 'pen-test' companies, and see if they find the same things.
You'll also be amazed at the incredibly low penetration success rate that most companies have simply because they're just tool runners.
It should be a matter of pride to the tester -- nay, hacker, to gain access. Then you have the passion, and you'll get some worthwhile results.
This probably is rather funny considering that I do this stuff daily, I would love to believe that you can do something comprehensive, but in the limited time frames, with the administrative restrictions, you often can't.
Either way, Marcus has a point -- 99% of the security 'industry' is selling snake oil and cashing in on ignorance. There are a lot of people who long for the 'old days'.
What can I say... we're all sell-outs
Don't take me too seriously though.
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com