The Worst Information Security Advice Ever

"What is the worst information security advice you ever received?" I asked on Twitter. I'd like to highlight (paraphrase) some of the responses and also to point you to a listing of more bad infosec recommendations. This way you know what to advise your adversaries and, perhaps, what mistakes to avoid making yourself.

Just to clarify, the "advice" below is what the kind folks on Twitter received and shared with me; these are not recommendations they themselves made.

Password Security

  • ebcovert3: Use a password that’s 7 characters long
  • stromsjo: "Your password may not exceed six characters in length."
  • CyberArmory: Use this password… It was randomly generated and is secure (by the IT staff)

Network Security

  • EthernetGuru: "No need to change the default logins, we have a firewall and nonstandard ports in use."
  • rickflores_: We have a firewall, so our web apps are safe, and we do not need a pen test done.
  • chrisomar: No need to protect the database servers—they are behind two firewalls.
  • _Dark_Knight_: If I allow a connection out I have 2 explicitly add a rule to fw to allow traffic back in on said port.
  • mborbanovo: "Use NAT, it will hide your network from intruders."
  • marinusva: Don't worry. It's the trusted internal network.

Security Practices

  • NightShade003: "Deploy it to production first, we don’t have time to test in QA"
  • hybridrisk: "We don't need policy….we have all been working together for 20 years"
  • rogue_analyst: "If you don’t log anything then it can’t be subpoenaed."

Malware Defense

  • heidishey: Why don't you plug this mysterious USB key into your roommate's computer?
  • 4n6woman: Don’t worry about malware if you have a Mac.
  • Marts_McFly: Use anti-virus to protect your WiFi access point from intruders.

Other Areas

  • vmforno: With this "security tool" you don't need nothing more.
  • voodookid: "It is okay the web server runs as root, it is only going to be on a local network."
  • angelofsecurity: "Don't worry, no one will ever target us."

More Bad Advice

Since I've heard (and maybe even given) my share of bad information security advice, some time ago I created a cheat sheet called How to Suck at Information Security. It lists 53 common infosec mistakes ('cause listing 54 would give your adversaries too much ammunition).

Thanks to everyone who shared with me the bad advice they received! I got more responses than I could fit into one blog posting.
About the Author

I design practical security solutions and shepherd them to a sustainable state. I used to be hands-on in many areas of cybersecurity and IT. Now I focus on strategy and leadership, treating security as an enabler that helps people and companies achieve their goals. As the CISO of Axonius, I lead the security program to earn customers' trust and fuel the company's growth. Earlier, I built security products and services. I'm also a Faculty Fellow at SANS Institute, where I help professionals develop malware analysis skills.