Shostack + Friends Blog Archive


So, this, ummm, friend of mine, umm has a problem with security

In a comment on “Drowning In Notices,” Phill Hallam-Baker writes:

My concern was that if the warning notices become too familiar they lose their impact. It might not just be the case people get blasé about seeing them, they might lose their embarrassment in sending them.

I don’t think people should be more embarrassed about losing data than they are about being mugged. It is very hard to offer good advice, grounded in actuarial analysis, on what makes an effective information security program. Absent that, we have best practices. (I declare it a best practice, on hearing something described that way, to ask “Why?” seven times.*)

As such, companies put in place the best controls they can. Everyone gets broken into. Let’s get over the idea that there are more than a few places in the world with good operational infosec.

* After the break, seven whys, asked and answered.

  1. Why? Because anyone can declare a best practice.
  2. Why? Because we lack data about what works, there are few effective ways to challenge some idiot with a “best practice” stamp.
  3. Why? Because people want to sweep failure under the rug, which inhibits data sharing, data analysis, and improvement.
  4. Why? Because failure is embarrassing, and sometimes career ending.
  5. Why? Because we hide those failures, unlike, say, the air transport industry. As long as we can hide these failures, failures will not be normalized, and will continue to be career ending. So having a law that mandates disclosure breaks this bad cycle.
  6. Why? Because too many of the people who worked on computer security early brought in the military model, where secrecy actually helps. See Peter Swire’s work.
  7. Why? Because it’s time to do better.

5 comments on "So, this, ummm, friend of mine, umm has a problem with security"

  • Mordaxus says:

    Donn Parker had a great argument on why “best practices” are a hindrance. There are two main reasons. The first is that if it is a “best” practice, the very words hinder development of better practices, because you’re already best, right?
    The second is that a “best” practice does not have to be a good practice. It can be the best of a collection of wretched practices, merely the least wretched.
    Parker said that we should stop talking about best practices and start talking about good practices. Sometimes, good enough is good enough, and if it isn’t good the fact that it is best is mostly faint praise.

  • Mr. X says:

    Great post.
    In reply to the comment by Mordaxus, I think your thought can be extended into an even larger realm regarding the language that we employ within the field. What’s a “secure” system? Why is secure shell “secure”? My ATM card is branded as having “total security protection”…
    I think we need a fundamental levelset in the language that we employ.

  • The phrase Best Practices hides a big problem from end users – you can never have perfect security. Beyond this, following industry wide best practices simply means you have exactly the same vulnerabilities and holes as everyone else.
    Like Mordaxus said, what an organization needs to do is good practices and those can only ever be specific to that organization. This is a situation where one size definitely doesn’t fit all.

  • Phill says:

    OK next round is at my blog, follow the link.
    I think that you overestimate the power of legislation here.

  • In my paper on Silver Bullets I describe why Best Practices are not necessarily good practices. On paper they can even be downright bad practices, and nobody will budge. Whether that happens I’ll let others speculate on!
