Best Practices

Posted on April 25th, 2006 in IT Security by Rodney

I was just involved in a discussion on a site (http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/) and with some friends regarding the concept of “industry best practices” as they apply to IT Security.

Now, regular readers of this blog (i.e. “me”… no wait, I don’t read it regularly either) will know that IT Security is something I am a fan of, so maybe I lack a clear perspective here. Anyway, my argument was that best practices apply poorly to IT Security, and perhaps to security in general. It seems not many agree with my approach.

My reply to the article was as follows:
“Now I’ve worked both sides of this fence – the side that does the security implementations and the side that comes in and tells people to enforce “best practices” – and I’d have to agree with the article.

So many people here jumped to the defence of so-called best practice… just what is best practice anyway? No one in this industry seems to have the same answer, and most of the people I’ve come across who spout such terminology use it because, as the article says, they have no deep concept of what to do.

So instead we enforce a series of quasi-meaningless bullet points and call it best practice. What’s much worse than this, however, is the static nature of these “insights”. Consulting / management practice books release a set of best practices, which are in turn read and perhaps even used in short-course (or uni course) testing, to teach people who really have a low level of understanding of the topic material how to pass off pretend-knowledge to people who have even less knowledge. This is called “big picture thinking” or “high level”. Even worse again is that such consultants tend to glorify themselves on the fact that “you don’t need a deep understanding of a subject matter to consult on it”.

So now you have a group of people enforcing 3 year old “best practices”, which by definition cannot be “best practice” because there can only be one “best” and, as mentioned above, I’m yet to meet two people with the same answer to “best practice”.

Perhaps we should just call it “what I do coz it’s worked so far” instead of “best practice”.”

Basically, I get the concept of people working on great generic starting points to problems and thinking about good overall ideas. That’s what a best practice should be. What it’s become, however, is what I am against. Best Practice is now something that is used as a checklist of completeness. “Are you doing….”, “is the server….”, “is your firewall blocking….”. That kind of thing.

It’s become so refined that the people who now do this rarely have any strong understanding of IT Security, or even of IT in general – they just have the capacity to sound knowledgeable and sell stuff.

Every single edge-facing server should be looked after by someone competent who cares about what happens to it. This will teach that sysadmin to go beyond the “best practice” and start trying to get the best solution for them. So many times I’ve heard consultants talk about “firewall this” or “firewall that”… then when you ask them about the gaping hole they’ve left in ports 80, 443, 25 and 110 they look at you dumbfounded and say “nothing can get through our firewalls”. Really? Then I presume we may as well turn our server off. Either people can get through or there’s no point having the server at all. (I am not saying don’t firewall, just pointing out that if you ask a question outside the scope of their limited understanding they don’t have a background conceptual knowledge to fall back on. That’s fine if you can admit it, but consultancy seems to have led to contempt for the staff of clients, in many cases.)

This is the kind of stupid thinking that “best practice” selling has led to. It’s taught us that knowledge isn’t required coz we’ve got a checklist. If something goes wrong after the checklist has been followed, then it was human fault by the internal IT department (which is true, I suppose, because they allowed the checklist to become the be-all and end-all).

To sum up, ask yourself this: if so many companies implementing best practice are routinely being compromised, why follow their lead? The new best practice should be this: get someone who knows what they are doing and genuinely cares about the box.