Avoiding “Worst Practices,” or praying at “The Temple of Best Practices.”
 
The “Best Practices Mantra” annoys me.
 
I define “Best Practices” as practices validated by experience and common sense. Often the “common sense” component is entirely skipped and the “Best Practices Mantra” is used as an excuse for not thinking.  That includes not thinking about what “Best Practices” actually means. A quick google reveals lots of “Best Practice” links and “Best Practice Institutes,” but none of them bother to define “Best Practices.” No one bothers to define the Bible or Koran either, but I would argue that they do not need to be defined, and are certainly not fads. The jury is out on “Best Practices” .  .  .
 
I was at a new client’s facility yesterday and when I asked about certain security practices and configurations, I often got the blanket statement “Best Practices” as an answer. It was clear in several cases that these alleged “Best Practices” either did NOT apply or were INCORRECTLY implemented. In both cases no one had used their common sense and had instead chosen to place their blind faith and prayers at the “Temple of Best Practices.”

Few best practices are universal.

An example of a best practice might be considered locking your car when parking in a big city. Sounds reasonable, but does it apply everywhere?? Well, not for a friend of mine who lives in New York City. At least in his neighborhood, a locked car is considered worth breaking into.  An unlocked car with nothing in it and a sign in the windshield that reads “No Radio” is far safer.

Best practices are NOT a substitute for thinking and common sense.

A well accepted best practice is to protect your organization’s network from the Internet with a firewall (we’ll ignore the fact that a few organizations have very effective security without a firewall, e.g. MIT). I’ve seen several places where this best practice has been followed without any application of common sense.  For example, a couple months ago I saw a firewall that was actually configured to let all network traffic in and all network traffic out! Yes, they had a firewall, but it accomplished exactly nothing. More commonly I see firewalls with so many holes that you can drive a truck full of Swiss cheese through them.

Best practices are NOT static.

Best practices do have value, especially when they are derived from a large cross section of organizations and experiences. They are a good starting point for doing things right. But the world changes regularly and essentially everything evolves. Best practices must be continuously re examined and re validated. This is especially important in a rapidly changing field like information security.

A big part of being successful is avoiding major mistakes.

A major component of success involves avoiding making any major mistakes. Instead of focusing exclusively on implementing “Best Practices,” I suggest avoiding “Worst Practices.” You can do almost everything perfectly, but if you get one thing horribly wrong you can negate everything. A soldier greatly increases his chances in a firefight by doing things right, but one serious mistake and his odds of surviving plummet. An organization can do all the right things in implementing effective security, but a ten minute firewall misconfiguration can let a hacker come in and establish a foothold. A company can build a great reputation over many years, but one horrible incident can ruin that reputation.
 
Hence we kick off our Worst Practice series with:
 

Worst Practices in Best Practices

Practices to avoid like the plague!!!!
 
1)    Assuming all Best Practices apply.
Few Best Practices are universal.
 
2)    Turning off your brain while implementing and using Best Practices. Nothing is foolproof, and you should always apply common sense.
 
3)    Implementing Best Practices and thinking you are done.
Nothing is static; that includes Best Practices.
 
4)    Implementing Best Practices without avoiding Worst Practices.
One major blunder can negate everything!