The following text is copyright 2009 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Information Security How Not-Tos
By: Scott Bradner
It's not easy getting information security right. It is easy to get advice (often from vendors who want to sell you their semi-magic fix for all that ails you) on what you should be doing. But actually protecting your corporate or personal data turns out to be hard in the real world. Take a look at the Identity Theft Resource Center's report on what happened last year to see. (http://www.idtheftcenter.org/BreachPDF/ITRC_Breach_Report_2008_final.pdf)
There are lots of rule sets you can follow, or in some cases must follow, to protect information. These range from the multiple families of security standards put out by the International Organization for Standardization (ISO) (see http://www.iso27001security.com/html/others.html) to the new Massachusetts regulations implementing the Massachusetts Identity Theft Law.
To me, standards like the ISO security standards are too complex and theoretical for humans to effectively implement. The new Massachusetts regulations (http://www.mass.gov/?pageID=ocaterminal&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca) are quite good and almost all of them can be reasonably implemented (a personal, not official Harvard view) although the Massachusetts business community seems to be going non-linear over them.
It is frequently quite hard to figure out why these types of rules say what they do - too rarely do the rules include enough context for the reader to understand what threat is being addressed and how the rule will address the threat. It is also hard to understand what specific parts of the rules are key and which parts can be tweaked for a local environment without seriously impacting actual security.
Sometimes one can learn more by finding out what not to do than by being told what to do. The best list of things not to do, or more precisely, dumb security ideas is Marcus Ranum's The Six Dumbest Ideas in Computer Security (http://www.ranum.com/security/computer_security/editorials/dumb/). It has a good list of bad ideas and very good explanations on why they are dumb. It's a few years old but the lessons are for today. The dumb idea I most relate to (being from an educational institution) is number 5 - "educating users." Fundamentally users can not be educated to pay reliable attention to security and any security mechanism that depends primarily on educating users will fail.
A different type of list of what not to dos was just published by the SANS Institute. This is a list of "How to suck at Information Security"
(http://isc.sans.org/diary.html?storyid=5644). This list does not have any of the kind of background and explanation for each of the bad ideas that Ranum puts in his list but is quite instructive anyway. If you know something is a bad idea maybe you can think about why and learn from that process.
The SANS list is broken into 5 parts, each listing common information security mistakes and misconceptions. The sections include security policy and compliance, security tools, risk management, security practices and, finally, password management. Some examples: "say 'no' whenever asked to approve a request", "enforce policies that have not been properly approved", "make somebody responsible for managing risk, but don't give the person any power to make decisions", and "require your users to change passwords too frequently". There are lots more bad ideas - take a look.
disclaimer: Education, at places like Harvard, involves exposing students to bad ideas as well as good ones so that they can tell the difference - but I know of no University view on the usefulness of bad security ideas so the above reviews are mine alone.