Six Foolish Ideas in Computer Security


Computer security remains a “hot topic.” Despite the significant investment of time and money by many businesses and individuals, security issues persist. Why is that?


1. Default Allow

One of the biggest problems in computer security is “default allow.” Under this approach, common in firewall rules, everything is permitted unless a rule blocks it, so administrators must decide what to block each time a new vulnerability is discovered. This leads to an endless race with hackers. A “default deny” approach could be a better security solution.

2. Listing the Bad

In the early days of computer security, only a few well-known security holes existed. However, as the internet has evolved, malicious entities have outnumbered benign ones. “Listing the bad” involves identifying and blocking all malicious elements, which is highly inefficient. Instead, a “listing the good” approach is more effective.
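To make sections 1 and 2 concrete, here is an added example (not from the referenced essay) that runs the same traffic through a blocklist with a default-allow policy and an allowlist with a default-deny policy. The rules, ports and addresses are constructed for illustration, and the first-match evaluation order is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    port: int
    source: str   # CIDR range the rule applies to

    def matches(self, proto, port, src_ip):
        return (proto == self.proto and port == self.port
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))

def decide(rules, default, proto, port, src_ip):
    """First matching rule wins; otherwise the policy default applies."""
    for rule in rules:
        if rule.matches(proto, port, src_ip):
            return rule.action
    return default

# Constructed policies (documentation address ranges, hypothetical site).
# "Default allow" + "listing the bad": block only what is already known to be bad.
BLOCKLIST = [
    Rule("deny", "tcp", 23, "0.0.0.0/0"),    # telnet
    Rule("deny", "tcp", 445, "0.0.0.0/0"),   # SMB
]
# "Default deny" + "listing the good": permit only what the site needs.
ALLOWLIST = [
    Rule("allow", "tcp", 443, "0.0.0.0/0"),       # public HTTPS
    Rule("allow", "tcp", 22, "198.51.100.0/24"),  # SSH from the admin network only
]

# Constructed traffic: (proto, port, source address)
TRAFFIC = [
    ("tcp", 443, "203.0.113.7"),    # expected web traffic
    ("tcp", 22, "198.51.100.10"),   # admin SSH
    ("tcp", 22, "203.0.113.7"),     # SSH from an unlisted source
    ("tcp", 23, "203.0.113.7"),     # service on the blocklist
    ("tcp", 6379, "203.0.113.7"),   # service nobody thought to list
]

def compare():
    """Return (flow, default-allow verdict, default-deny verdict) for each flow."""
    return [(flow, decide(BLOCKLIST, "allow", *flow), decide(ALLOWLIST, "deny", *flow))
            for flow in TRAFFIC]

if __name__ == "__main__":
    for flow, open_policy, closed_policy in compare():
        print(f"{flow!s:36} default-allow={open_policy:5} default-deny={closed_policy}")
```

The last flow is the one that matters: the blocklist lets it through because no one has listed it yet, while the allowlist rejects it without needing a new rule.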

3. Penetrate and Patch

“Penetrate and patch” involves finding and fixing security vulnerabilities. However, this method doesn’t address the fundamental issues within the code. Security systems should be designed to be secure from the ground up.

4. Glorifying Hacking

Viewing hacking as merely a technical issue rather than a social problem is a foolish mindset. Glorifying hackers as heroes encourages hacking. It’s also unwise for security professionals to learn hacking techniques. Hacking should be approached as a social issue.

5. User Education

User education is the human equivalent of “penetrate and patch.” Educating users is not a fundamental solution. Eliminating the problem at its core, rather than working around it, is a better approach.

6. Action Over Inaction

It’s better to thoroughly review and wait before adopting new technology. Remember, “It’s easier to avoid doing something foolish than to do something smart.”

Conclusion

Today, we’ve explored some common foolish mistakes in computer security. When designing security systems, it’s crucial to address the root causes. Additionally, a culture that glorifies hacking can exacerbate the problem, and addressing issues at their core is more effective than user education. Finally, taking a cautious approach when adopting new technologies is key.

Reference: ranum.com, “The Six Dumbest Ideas in Computer Security”
