June 10, 2005

New Best Practice for security: Avoid "Best Practices"

I've written long and critically (including in a draft paper) about how "best practices" may actually oppose security rather than support it. Yes, there is a model that explains why best practices are bad. It appears that others may be coming to the same conclusion; here are a few snippets in that direction.

1. "Best fit" is better fit. An otherwise routine article by Tan Shong Ye (Partner and Head of Security & Technology Practice at PricewaterhouseCoopers) suggests:

It is becoming more common for organisations to strive for a "best fit" solution, as opposed to obtaining "best practice" in every security-related matter. Conforming to a set of best practices can be an extremely expensive exercise that does not necessarily deliver business benefits equal to or greater than the resources expended to get there.

A best-fit model is, instead, about understanding what the risks are and applying the most appropriate risk mitigation strategy to reduce them, as opposed to applying best practice processes regardless of the associated risk.

2. Write your passwords down! Another "best practice" looks like it is leaving us. Signs are that companies are finally starting to recommend that passwords be written down. Thank heavens for that. Slashdot reports that Netgear and Microsoft are doing it; they must have seen the blog (look at #4 to the right).

Writing passwords down is common sense. If you have a dozen passwords, how else are you going to remember them? And what happens when you don't remember them? You can't use the system! Which means admin time, help desk support time, your time, and sometimes your opportunity costs all kick in.

Writing passwords down was banned back in the days when we each had only one password, so we were expected to be able to remember it. And it helps to remember that the problem wasn't writing them down, it was pinning them to the very machine itself with big letters saying ACCOUNT PASSWORD ...

All people have to do is hide it from view. That's all. Back in the days when I was a systems administrator I would carefully and obviously take all the root passwords, write them down on a piece of paper, put the paper into an envelope and seal it. I would also sign all over the back. Finally I would pin the envelope on the boss's notice board where anyone could get it.

I'd do this obviously and blatantly so that everyone in the office knew where to get them. And then I'd check every week to make sure it hadn't been opened.

3. Don't outsource your soul to big companies. Smaller companies bemoan how large companies only buy from large security suppliers. Obviously, large security suppliers get stuck in large ruts. Buying from a large safe company may be a way to avoid having to learn the real risks, but it doesn't mean that you've covered those risks...

4. And finally, Security is now the #1 concern of Financial Executives. So pay attention!

Posted by iang at June 10, 2005 05:57 PM

Thanks for this!
We've had recent experience of trying to sell a 'dark site' (for helping to marshal information during an emergency) to a major company with extensive security rules. We have tried (so far in vain) to point out that everything on the dark site is meant to be shown to the media - so it doesn't have to match all of their security rules. But alas their IT department works on a set of inflexible guidelines. I'll try showing them your post and see what happens!

Posted by: David Upton at June 10, 2005 01:07 PM

Cheers! I don't know what a darksite is (ok, I can read the site, I know...) but you might like to read this one too:


Blog entry to follow one day :-)

Posted by: Wired Says Disobey! at June 10, 2005 01:39 PM

On passwords, see...


My take: if you're going to use an out-of-band token (which is what a written-down password is) then do it properly, either via a biometric, or with something a little more rigorous (non-cloneable, known to be single-instance, etc.)

It also makes me laugh how we recognise the need for token complexity (e.g. 128-bit tokens) and then feel safe when banking in the street with a 5-digit PIN.

Posted by: Chris Quirke at June 11, 2005 11:00 PM

Hey Chris,

thanks, that's a fun read. Can you explain why people still use mountains of passwords even though they are so evidently bad?

Posted by: Iang at June 12, 2005 10:37 AM

> A best-fit model is, instead, about understanding what the risks are
> and applying the most
> appropriate risk mitigation strategy to reduce them,

Isn't this called risk analysis? This is how we've been dealing with the problem for a couple of decades. I've just written a pamphlet on it for (yes, it's true) The Institute of Chartered Accountants...

Posted by: Dave Birch at June 12, 2005 03:45 PM

Thanks. A dark site is a site used (mostly for corporate PR purposes) to put out information relevant to a crisis. It's called a dark site because it stays dark (i.e. switched off) until it is wanted; then you can just turn it on and all the information is there without having to be set up from scratch.

My point was that this is all information you want journalists to have - so applying too much security is a bit of a nonsense. Of course you need to protect it from defacement - but then look how Wikipedia gets round that problem! But this doesn't work with the corporate IT mafia who have a set of rules to enforce and sometimes seem to be permanently frozen in the Fortran era. I won't name the particular client, because we have many more like it!

The Wired article is fascinating - I hadn't seen it, so thanks. When I'm not blogging, my company www.stirlingreid.com specialises in emergency response consultancy, and this is a good (though tragic) "case study".

Thanks for your blog which I read regularly.

Posted by: David Upton at June 14, 2005 08:30 AM