The Worst Information Security Advice Ever

“What is the worst information security advice you ever received?” I asked on Twitter. I’d like to highlight (and paraphrase) some of the responses and also point you to a listing of more bad infosec recommendations. This way you know what to advise your adversaries and, perhaps, what mistakes to avoid making yourself.

Just to clarify, the “advice” below is what the kind folks on Twitter received and shared with me. These are not recommendations they themselves made.

Password Security

  • ebcovert3: Use a password that’s 7 characters long
  • stromsjo: “Your password may not exceed six characters in length.”
  • CyberArmory: Use this password… It was randomly generated and is secure (by the IT staff)

Network Security

  • EthernetGuru: “No need to change the default logins, we have a firewall and nonstandard ports in use.”
  • rickflores_: We have a firewall, so our web apps are safe, and we do not need a pen test done.
  • chrisomar: No need to protect the database servers—they are behind two firewalls.
  • _Dark_Knight_: If I allow a connection out, I have to explicitly add a rule to the firewall to allow traffic back in on said port.
  • mborbanovo: “Use NAT, it will hide your network from intruders.”
  • marinusva: Don’t worry. It’s the trusted internal network.

Security Practices

  • NightShade003: “Deploy it to production first, we don’t have time to test in QA”
  • hybridrisk: “We don’t need policy… we have all been working together for 20 years”
  • rogue_analyst: “If you don’t log anything then it can’t be subpoenaed.”

Malware Defense

  • heidishey: Why don’t you plug this mysterious USB key into your roommate’s computer?
  • 4n6woman: Don’t worry about malware if you have a Mac.
  • Marts_McFly: Use anti-virus to protect your WiFi access point from intruders.

Other Areas

  • vmforno: With this “security tool” you don’t need anything more.
  • voodookid: “It is okay the web server runs as root, it is only going to be on a local network.”
  • angelofsecurity: “Don’t worry, no one will ever target us.”

More Bad Advice

Since I’ve heard (and maybe even given) my share of bad information security advice, some time ago I created a cheat sheet called How to Suck at Information Security. It lists 53 common infosec mistakes (’cause listing 54 would give your adversaries too much ammunition).

Thanks to everyone who shared with me the bad advice they received! I got more responses than I could fit into one blog posting.

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.