Concerning Faulty Information and Advice Given to Information Security Professionals
Occasionally I hear something that strikes me as unusually incorrect. Most of this information is about world news, the stock market, and politics, but some of it is within the mainstream of information security.
Consider an example from a conference at which I recently participated in a panel on emerging security threats and risk. After a few panel members made their opening spiels, another panel member made one that contained a claim that government compliance burdens were currently the biggest information security risk of all. He asserted that the federal government is so badly overregulating organizations that the cost of security compliance exceeds the expected loss from security-related incidents.
Shortly afterwards a member of the audience challenged the panelist who made this assertion, saying that information security compliance is actually beneficial to information security practices in that it often results in obtaining resources needed to implement security controls that would not otherwise have been available. The audience member was correct—I was impressed with his challenge, because it was clear that he had considerable real-world experience in information security, something on which a realistic view of information security is heavily based. I then added that not only does security compliance make resources available to information security practices, but security compliance issues also provide a natural way for security professionals to win the proverbial ear of senior-level management, which learns very quickly in MBA programs about the importance of compliance. Furthermore, I said that the provisions of most of today’s security-related regulations are really quite reasonable. For example, PCI-DSS requires that credit card data be stored on machines that are not directly accessible from outside an organization’s internal network. Additionally, it requires that credit card data at rest be encrypted. One does not have to know very much about the basic principles of information security to realize that a competent security practice would implement these two security control measures regardless of whether PCI-DSS required it. After the session ended, all I could do was hope that not many of those who attended ended up believing that government overregulation is the greatest security risk that we information security professionals face.
Several years earlier at another conference a speaker advised the audience to “strike back”—to damage or disable systems that attack their systems, no matter who owns these systems or where they reside. Additionally, I recently read an otherwise very nicely written article in an information security journal that advised the readership to avoid disconnecting potentially compromised systems from the network during investigation of potential security breaches. And, believe it or not, I once heard a speaker claim that because there are vulnerabilities in the WEP (Wired Equivalent Privacy) protocol, it is better to have no encryption at all in wireless networks than to use WEP. Honestly, these are just a few of scores of sordid examples of misinformation and poor advice that have been spread in the name of information security training and awareness.
Free exchange of ideas among professionals is something to be highly valued and desired. At the same time, however, I worry that fledgling information security professionals and students will believe some of the obviously wrong advice and information to which they are exposed. Fortunately, certain processes, the best known of which are the reviews of papers and articles submitted to journals and magazines, help weed out submissions by faulty thinkers and talks by unknowledgeable speakers. But no process is perfect. So after thinking about this problem for some time, I’ve come to the conclusion that all one can do is firmly but politely point out specious assertions and poor advice, to ensure at least that those who are more likely to accept both at face value become less likely to do so. I view doing this as a professional obligation—in some respects, a matter of ethics—so that the truth as we know it (e.g., the GASP—Generally Accepted Security Principles) will be properly disseminated and preserved.