The Worst Information Security Advice Ever

"What is the worst information security advice you ever received?" I asked on Twitter. I'd like to highlight (paraphrase) some of the responses and also to point you to a listing of more bad infosec recommendations. This way you know what to advise your adversaries and, perhaps, what mistakes to avoid making yourself.

Just to clarify, the "advice" below is what the kind folks on Twitter received and shared with me. These are not recommendations they themselves made.

Password Security

  • ebcovert3: Use a password that’s 7 characters long
  • stromsjo: "Your password may not exceed six characters in length."
  • CyberArmory: Use this password… It was randomly generated and is secure (by the IT staff)

Network Security

  • EthernetGuru: "No need to change the default logins, we have a firewall and nonstandard ports in use."
  • rickflores_: We have a firewall, so our web apps are safe, and we do not need a pen test done.
  • chrisomar: No need to protect the database servers—they are behind two firewalls.
  • _Dark_Knight_: If I allow a connection out I have to explicitly add a rule to the fw to allow traffic back in on said port.
  • mborbanovo: "Use NAT, it will hide your network from intruders."
  • marinusva: Don't worry. It's the trusted internal network.

Security Practices

  • NightShade003: "Deploy it to production first, we don’t have time to test in QA"
  • hybridrisk: "We don't need policy….we have all been working together for 20 years"
  • rogue_analyst: "If you don’t log anything then it can’t be subpoenaed."

Malware Defense

  • heidishey: Why don't you plug this mysterious USB key into your roommate's computer?
  • 4n6woman: Don’t worry about malware if you have a Mac.
  • Marts_McFly: Use anti-virus to protect your WiFi access point from intruders.

Other Areas

  • vmforno: With this "security tool" you don't need anything more.
  • voodookid: "It is okay the web server runs as root, it is only going to be on a local network."
  • angelofsecurity: "Don't worry, no one will ever target us."

More Bad Advice

Since I've heard (and maybe even given) my share of bad information security advice, some time ago I created a cheat sheet called How to Suck at Information Security. It lists 53 common infosec mistakes ('cause listing 54 would give your adversaries too much ammunition).

Thanks to everyone who shared with me the bad advice they received! I got more responses than I could fit into one blog posting.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.