Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: David Escalante <david.escalante () BC EDU>
Date: Wed, 17 Mar 2010 11:53:18 -0400

Best practices can be extremely useful, as was noted.  They can also be
silly, as was also noted.

I believe the reason for this is that best practices tend to coalesce
from some group effort over time.  Rarely does a best practice simply
become immediately apparent and widely implemented and tested in
practice in a short-term time frame.  When a best practice DOES appear,
as noted in an earlier message, it frequently represents the distilled,
vetted advice of multiple experts.

In the security field, however, adversaries are actively working against
whatever defenses are in place, and in many cases a best practice gets
overcome by events and maybe isn't so effective as it used to be, but
the "best practice" tag tends to stay with it irrespective of reality.
Over time, that best practice may be retired and replaced with other,
newer, best practices.  Like every other technology or policy I've run
into in the security field, best practices can be very useful, but
they're not a panacea.  And like any other technology or policy, they
can be correct in theory but implemented incorrectly, reducing or
eliminating their value.

So completely ignoring best practices isn't cool for a variety of
reasons.  But blindly implementing best practices and assuming they'll
protect you isn't cool, either.

There!  Everyone happy (or depressed)?
--
David Escalante
Boston College
