“What is the worst information security advice you ever received?” I asked on Twitter. I’d like to highlight (paraphrase) some of the responses and also to point you to a listing of more bad infosec recommendations. This way you know what to advise your adversaries and, perhaps, what mistakes to avoid making yourself.
Just to clarify, the “advice” below is what the kind folks on Twitter received and shared with me. These are not recommendations they themselves made.
- ebcovert3: Use a password that’s 7 characters long
- stromsjo: “Your password may not exceed six characters in length.”
- CyberArmory: Use this password… It was randomly generated and is secure (by the IT staff)
- EthernetGuru: “No need to change the default logins, we have a firewall and nonstandard ports in use.”
- rickflores_: We have a firewall, so our web apps are safe, and we do not need a pen test done.
- chrisomar: No need to protect the database servers—they are behind two firewalls.
- _Dark_Knight_: If I allow a connection out I have to explicitly add a rule to the firewall to allow traffic back in on said port.
- mborbanovo: “Use NAT, it will hide your network from intruders.”
- marinusva: Don’t worry. It’s the trusted internal network.
- NightShade003: “Deploy it to production first, we don’t have time to test in QA”
- hybridrisk: “We don’t need policy….we have all been working together for 20 years”
- rogue_analyst: “If you don’t log anything then it can’t be subpoenaed.”
- heidishey: Why don’t you plug this mysterious USB key into your roommate’s computer?
- 4n6woman: Don’t worry about malware if you have a Mac.
- Marts_McFly: Use anti-virus to protect your WiFi access point from intruders.
- vmforno: With this “security tool” you don’t need anything more.
- voodookid: “It is okay the web server runs as root, it is only going to be on a local network.”
- angelofsecurity: “Don’t worry, no one will ever target us.”
More Bad Advice
Since I’ve heard (and maybe even given) my share of bad information security advice, I created some time ago a cheat sheet called How to Suck at Information Security. It lists 53 common infosec mistakes (’cause listing 54 would give your adversaries too much ammunition).
Thanks to everyone who shared with me the bad advice they received! I got more responses than I could fit into one blog posting.