Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: David Escalante <david.escalante () BC EDU>
Date: Wed, 17 Mar 2010 11:53:18 -0400
Best practices can be extremely useful, as was noted. They can also be silly, as was also noted. I believe the reason for this is that best practices tend to coalesce from some group effort over time. Rarely does a best practice simply become immediately apparent and widely implemented and tested in practice in a short term time frame.

When a best practice DOES appear, as noted in an earlier message, it frequently represents the distilled, vetted advice of multiple experts. In the security field, however, adversaries are actively working against whatever defenses are in place, and in many cases a best practice gets overcome by events and maybe isn't so effective as it used to be, but the "best practice" tag tends to stay with it irrespective of reality. Over time, that best practice may be retired and replaced with other, newer, best practices.

Like every other technology or policy I've run into in the security field, best practices can be very useful, but they're not a panacea. And like any other technology or policy, they can be correct in theory but implemented incorrectly, reducing or eliminating their value.

So completely ignoring best practices isn't cool for a variety of reasons. But blindly implementing best practices and assuming they'll protect you isn't cool, either. There! Everyone happy (or depressed)?

--
David Escalante
Boston College