The Worst Information Security Advice Ever

A collection of terrible security advice gathered from Twitter: use short passwords, rely solely on firewalls for protection, skip testing before production deployment, avoid logging to prevent subpoenas, and assume Macs are immune to malware. Knowing bad advice helps recognize mistakes to avoid.

“What is the worst information security advice you ever received?” I asked on Twitter. I’d like to highlight (paraphrase) some of the responses and also to point you to a listing of more bad infosec recommendations. This way you know what to advise your adversaries and, perhaps, what mistakes to avoid making yourself. Just to clarify, the “advice” below is what the kind folks on Twitter received and shared with me. This is not the recommendations they themselves made.

Password Security

ebcovert3: Use a password that’s 7 characters long
stromsjo: “Your password may not exceed six characters in length.”
CyberArmory: Use this password… It was randomly generated and is secure (by the IT staff)

Network Security

EthernetGuru: “No need to change the default logins, we have a firewall and nonstandard ports in use.”
rickflores_: We have a firewall, so our web apps are safe, and we do not need a pen test done.
chrisomar: No need to protect the database servers—they are behind two firewalls.
_Dark_Knight_: If I allow a connection out I have 2 explicitly add a rule to fw to allow traffic back in on said port.
mborbanovo: “Use NAT, it will hide your network from intruders.”
marinusva: Don’t worry. It’s the trusted internal network.

Security Practices

NightShade003: “Deploy it to production first, we don’t have time to test in QA”
hybridrisk: “We don’t need policy….we have all been working together for 20 years”
rogue_analyst: “If you don’t log anything then it can’t be subpoenaed.”

Malware Defense

heidishey: Why don’t you plug this mysterious USB key into your roommate’s computer?
4n6woman: Don’t worry about malware if you have a Mac.
Marts_McFly: Use anti-virus to protect your WiFi access point from intruders.

Other Areas

vmforno: With this “security tool” you don’t need nothing more.
voodookid: “It is okay the web server runs as root, it is only going to be on a local network.”
angelofsecurity: “Don’t worry, no one will ever target us.”

More Bad Advice

Since I’ve heard (and maybe even given) my share of bad information security advice, I created some time ago a cheat sheet called How to Suck at Information Security. It lists 53 common infosec mistakes (‘cause listing 54 would give your adversaries too much ammunition).

Thanks to everyone who shared with me the bad advice they received! I got more responses than I could fit into one blog posting.

About the Author

Lenny Zeltser is a cybersecurity leader with deep technical roots and product management experience. He created REMnux, an open-source malware analysis toolkit, and the reverse-engineering course at SANS Institute. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He writes this blog to think out loud and share resources with the community.

Learn more →