funsec mailing list archives

Re: CyberSec Tips: Follow the rules - and advice


From: "Blanchard, Michael (InfoSec)" <michael.blanchard () emc com>
Date: Thu, 5 Dec 2013 20:48:32 +0000

Hear, Hear!  Can't agree more!

<applause!!!>

Michael P. Blanchard
Principal Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Cyber Security Services
EMC² Corporation
32 Coslin Drive
Southboro, MA 01772


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
Sent: Thursday, December 05, 2013 3:18 PM
To: funsec () linuxbox org; infosecbc () yahoogroups com
Subject: [funsec] CyberSec Tips: Follow the rules - and advice

A followup to 1-2-3-4-5 (or 00000000):

A recent story (actually based on one from several years ago) has pointed out 
that, for years, the launch codes for nuclear missiles were all set to 00000000.  
(Not quite true: a safety lock was set that way.)

http://gizmodo.com/for-20-years-the-nuclear-launch-code-at-us-minuteman-si-1473483587

Besides the thrill value of the headline, there is an important point buried in the 
story.  Security policies, rules, and procedures are usually developed for a reason.  
In this case, given the importance of nuclear weapons, there is a very real risk 
from a disgruntled insider, or even simple error.  The safety lock was added to the 
system in order to reduce that risk.  And immediately circumvented by people who 
didn't think it necessary.

I used to get asked, a lot, for help with malware infestations, by friends and family.  
I don't get asked much anymore.  I've given them simple advice on how to reduce 
the risk.  Some have taken that advice, and don't get hit.  A large number of 
others don't ask because they know I will ask if they've followed the advice, and 
they haven't.

Security rules are usually developed for a reason, after a fair amount of thought.  
This means you don't have to know about security, you just have to follow the 
rules.  You may not know the reason, but the rules are actually there to keep you 
safe.  It's a good idea to follow them.


(There is a second point to make here, addressed not to the general public but to 
the professional security crowd.  Put the thought in when you make the rules.  
Don't make stupid rules just for the sake of rules.  That encourages people to 
break the stupid rules.  And the necessity of breaking the stupid rules encourages 
people to break all the rules ...)

Posted at http://blogs.securiteam.com/index.php/archives/2304

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
It doesn't matter if the cup is half full or half empty.
                     Whatever's inside it is evaporating either way.
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

