Myth 10: An Expert Recommended This Tweak as Defense in Depth

This myth has two parts. Let us deal with the defense-in-depth aspect first. Defense-in-depth is a reasoned security strategy applying protective measures in multiple places to prevent unacceptable threats. Unfortunately, far too many people today use the term defense in depth to justify security measures that have no other realistic justification. Typically, this happens because of the general belief in myth 3 (more tweaks are better). By making more changes, we show the auditors that we are doing our job, and therefore they chalk us up as having done due diligence.

This shows an incredible immaturity in the field, much like what we saw in Western "medicine" in the Middle Ages. Medics would apply cow dung, ash, honey, beer, and any number of other things, usually in rapid succession, to wounds to show that they were trying everything. Today, doctors (more typically nurses, actually) clean the wound, apply a bandage and possibly an antibiotic of some kind, and then let it heal. Less is very often more, and using defense in depth as a way to justify unnecessary and potentially harmful actions is inappropriate.

The first part of this statement is one of our favorites. As a society, we love deferring judgment to experts because, after all, they are experts and know more than we do. The problem is that the qualification process for becoming an expert is somewhat, shall we say, lacking. We usually point out that the working definition of a security expert is "someone who is quoted in the press." Based on the people we often see quoted, and our interaction with those people, that belief seems justified. It is no longer actions that define an expert, just reputation, and reputation can be assigned. Our friend Mark Minasi has a great statement that we have stolen for use in our own presentations: to be a security consultant, all you have to know is four words: the sky is falling. Having been security consultants and seen what has happened to the general competence level in the field, this statement certainly rings true. There are many, many good security consultants, but there are also many who do not know what they need to and, in some cases, fail to recognize that and then charge exorbitant amounts of money to impart their lack of knowledge and skills to unsuspecting customers.