Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 17 Mar 2010 10:14:16 -0400

On Wed, 17 Mar 2010 08:54:47 EDT, "Mclaughlin, Kevin (mclaugkl)" said:
> Really?  They are considered best practices, common knowledge, the way to do
> things, (pick your semantic here), etc.  because a lot of folks (smarter than I
> am, I bet) spent the time to analyze, research and come up with a best practice
> and that's how NIST, ISO, COBIT, etc. get produced.

There's a few actual "best practices" out there.  However, in practice they
tend to be swamped by the wave-a-dead-chicken voodoo security checklists often
seen in the hands of clueless auditors.

There's only a limited number of times you can sit through a security audit
that has "Do you have a firewall?" as a checkbox item but does *not* have
"Is it actually installed/enabled?" and "Has anybody actually configured it?"
checkboxes before you start screaming "The Stupid, It Burns!".

You say you haven't seen that yet?  Then there's still hope for you. Run
and escape while you still can. :)
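The checklist gap described above (a box for "Do you have a firewall?" with no box for "Is it enabled and configured?") can be turned into an actual evidence check. The script below is an added example, not part of the original thread or of any audit framework named in it; it assumes an iptables-save style dump as input and uses three constructed sample dumps, one per audit state, so it runs offline. The exit status separates "no firewall", "firewall present but default-allow with no rules" and "firewall configured".

```shell
#!/bin/sh
# Added example (not from the original thread). Distinguishes the three
# audit states a checklist should separate: no firewall at all, firewall
# present but default-allow with no rules, and firewall actually configured.
# Input: an iptables-save style dump on stdin (constructed samples below).
# Exit status: 0 = configured, 1 = present but unconfigured, 2 = absent.
assess_firewall_dump() {
    dump=$(cat)
    # No filter table in the dump: nothing is filtering packets.
    if ! printf '%s\n' "$dump" | grep -q '^\*filter'; then
        return 2
    fi
    # Default policy of the INPUT chain (ACCEPT, DROP or REJECT).
    policy=$(printf '%s\n' "$dump" | awk '$1 == ":INPUT" { print $2 }')
    # Number of explicit rules appended to INPUT ("|| true" keeps a zero
    # count from being treated as a failure under set -e).
    rules=$(printf '%s\n' "$dump" | grep -c '^-A INPUT ' || true)
    case "$policy" in
        DROP|REJECT) return 0 ;;   # non-permissive default: configured
    esac
    if [ "${rules:-0}" -gt 0 ]; then
        return 0                    # default-allow, but explicit rules exist
    fi
    return 1                        # default-allow and no rules: a box-ticking firewall
}

# Constructed sample dumps, one per audit state.
SAMPLE_ABSENT='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
COMMIT'

SAMPLE_UNCONFIGURED='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

SAMPLE_CONFIGURED='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print a human-readable verdict for one labelled dump.
report() {
    rc=0
    printf '%s\n' "$2" | assess_firewall_dump || rc=$?
    case "$rc" in
        0) echo "$1: firewall enabled and configured" ;;
        1) echo "$1: firewall present but default-allow with no rules" ;;
        2) echo "$1: no firewall" ;;
    esac
}

report absent "$SAMPLE_ABSENT"
report unconfigured "$SAMPLE_UNCONFIGURED"
report configured "$SAMPLE_CONFIGURED"
```

On a live host the same function can be fed with `iptables-save | assess_firewall_dump`; the point of the three samples is that the "unconfigured" dump would satisfy a "Do you have a firewall?" checkbox while filtering nothing.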

