Comments: New Best Practice for security: Avoid "Best Practices"

Thanks for this!
We've had recent experience of trying to sell a 'dark site' (for helping to marshal information during an emergency) to a major company with extensive security rules. We have tried (so far in vain) to point out that everything on the dark site is meant to be shown to the media - so it doesn't have to match all of their security rules. But alas their IT department works on a set of inflexible guidelines. I'll try showing them your post and see what happens!

Posted by David Upton at June 10, 2005 01:07 PM

Cheers! I don't know what a darksite is (ok, I can read the site, I know...) but you might like to read this one too:

http://www.wired.com/wired/archive/13.06/start.html?pg=3?tw=wn_tophead_6

Blog entry to follow one day :-)

Posted by Wired Says Disobey! at June 10, 2005 01:39 PM

On passwords, see...

http://cquirke.mvps.org/pwdssuck.htm

My take; if you're going to use an out-of-band token (which is what a written-down password is) then do it properly, either via a biometric, or with something a little more rigorous (non-cloneable, known to be single-instance, etc.)

It also makes me laugh how we recognise the need for token complexity (e.g. 128-bit tokens) and then feel safe when banking in the street with a 5-digit PIN.

Posted by Chris Quirke at June 11, 2005 11:00 PM

Hey Chris,

thanks, that's a fun read. Can you explain why people still use mountains of passwords even though they are so evidently bad?

Posted by Iang at June 12, 2005 10:37 AM

> A best-fit model is, instead, about understanding what the risks are
> and applying the most
> appropriate risk mitigation strategy to reduce them,

Isn't this called risk analysis? This is how we've been dealing with the problem for a couple of decades. I've just written a pamphlet on it for (yes, it's true) The Institute of Chartered Accountants...

Posted by Dave Birch at June 12, 2005 03:45 PM

Ian

thanks. A dark site is a site used (mostly for corporate PR purposes) to put out information relevant to a crisis. It's called a dark site because it stays dark (i.e. switched off) until it is wanted, then you can just turn it on and all the information is there without having to be set up from scratch.

My point was that this is all information you want journalists to have - so applying too much security is a bit of a nonsense. Of course you need to protect it from defacement - but then look how Wikipedia gets round that problem! But this doesn't work with the corporate IT mafia who have a set of rules to enforce and sometimes seem to be permanently frozen in the Fortran era. I won't name the particular client, because we have many more like it!

The Wired article is fascinating - I hadn't seen it, so thanks. When I'm not blogging, my company www.stirlingreid.com specialises in emergency response consultancy, and this is a good (though tragic) "case study".

Thanks for your blog which I read regularly.

Posted by David Upton at June 14, 2005 08:30 AM