we usually do practice what we preach…

…but security is rarely about absolutes.

Bill Brenner has posted 7 Ways Security Pros Don’t Practice What They Preach. I’m surprised more of these types of lists don’t show up, especially as normal users rage against security measures.

So, my thoughts and how do I rate?

1. Using URL shortening services. Yeah, these suck. I hate clicking them and I hate using them. But sadly, Twitter use has forced us to do something risky in order to fit ghastly URLs into small boxes. Hell, even magazines use them. Just think if browsers could only handle xx characters and had to truncate the rest of the URL in the address bar. Yeah, fucked. This reminds me of 1997 IRC where you’d learn quickly not to click on blind links because you’d see some fucked up shit that you thought was going to be something cute. This is probably why “Rick Rolling” never seemed that big a deal to me. Am I guilty of using these? Sadly, yes, I use (and only use) tinyurl.com, but I should move to one that, by default, previews the URL first.
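The “preview the URL first” habit can be done client-side, whatever shortener produced the link. The script below is an added example, not code from the original post or from any shortener: it sends HEAD requests and reads each Location header itself instead of letting the HTTP library follow redirects, so the final destination is known before anything from it is rendered. The shortener and landing URLs in the main block are constructed placeholders; the fetcher can be swapped out, which is how the chain is exercised offline.

```python
"""Expand a shortened URL hop by hop without fetching or rendering the destination."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from silently following 3xx responses; we want to see each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError instead of following


def fetch_head(url, timeout=5):
    """Issue one HEAD request and return (status, headers) with lower-cased header names.

    This is the only function that touches the network; expand() accepts any
    callable with the same (url) -> (status, headers) contract in its place.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        # 3xx and 4xx/5xx arrive here because redirects are not auto-followed
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def expand(url, fetch=fetch_head, max_hops=10):
    """Follow Location headers manually, recording every hop.

    Returns (final_url, hops). Stops at the first non-redirect status or a
    redirect without a Location header; raises on a loop or too many hops.
    Relative Location values are resolved against the URL that sent them.
    """
    hops = [url]
    current = url
    for _ in range(max_hops):
        status, headers = fetch(current)
        if status not in REDIRECT_CODES:
            return current, hops
        location = headers.get("location")
        if not location:
            return current, hops
        nxt = urljoin(current, location)
        if nxt in hops:
            raise RuntimeError(f"redirect loop at {nxt}")
        hops.append(nxt)
        current = nxt
    raise RuntimeError(f"more than {max_hops} redirects, giving up")


if __name__ == "__main__":
    # Usage: python expand_short_url.py https://tinyurl.com/<id>
    target = sys.argv[1] if len(sys.argv) > 1 else "https://tinyurl.com/PLACEHOLDER-ID"
    final, chain = expand(target)
    for i, hop in enumerate(chain):
        print(f"{i}: {hop}")
    print(f"final: {final}")
```

Run it against a real short link to see the whole chain; several shorteners bounce through two or three hops before the landing page, which is exactly what you want to see before clicking.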

2. Granting themselves exemptions in the firewall/Web proxy/content filter. Disclaimer: Yes, I’m exempt from some policies at work because I have to investigate such things. Yes, I get to exempt myself from some web site category filters (ever do security research when “hacking” sites are blocked? ever investigate hits on your external services when you have no idea what might be hosted on the other end? ever go to a blocked URL that a user hit only to see just why it was blocked?). But other than legitimate work uses, I don’t poke my own holes into security protections just because I want to, such as gaming sites or opening up holes for me to bridge a home network…

But here’s the real deal. Business wants you to get XYZ done. If you were a normal employee, you’d do whatever you *can* to skirt the rules if those rules are stopping you from getting XYZ done as requested. When you start doing that same business habit to the people who control the rules, then you put those people into a position where they *can* accomplish XYZ because they *do* have that power. This is a classic example of how security and convenience butt heads, and sadly convenience almost always wins without some help on the security side. This is why I hate the question, “But technically, you *can* open the firewall for me, right?” Yes, duh I *can,* but I won’t.

3. Snooping into files/folders that they don’t own. Doing this in the course of an investigation or because a manager or HR has specifically requested it (properly I might add) should be quite alright. Again, this is like saying don’t jump in the water, and then yelling at the fish because they’re inherently in the water.

There are also other reasons, such as disk usage investigations (really, I shouldn’t run that 300MB movie file you have on your network drive to determine business need because my fileserver disk is filling up at 10pm?) or when migrating a user from one system to another (yeah, people shove shit in the craziest places on their disk…).

But looking at things you shouldn’t look at, should be avoided. If a file says something like, “performance appraisal” or “tax return,” you probably want to take extra care not to open it. If you’re on an exec system, it’s probably best to stick to only the exact task at hand. Basically: common fucking sense.

Then again, this is just me. Even if I have such files in front of me, I won’t open them or touch them if I can help it. I think IT and especially security are hinged entirely on the integrity of the employees. Once that goes, there is no getting it back. So I try to vehemently protect that.

4. Using default or easy passwords. This is a red herring point; shame on Brenner. But it does ring of some truth. First, of course I use some easy passwords. Why? Because I dub such uses as low value fruit. For instance, I tend to reuse forum passwords because they’re untrusted systems and I maybe post 3 times and that’s it. I don’t care if the admin boinks the database and publishes my password. But for other things, in recent years I have slowly migrated all those passwords I made before I thought about security, into more complex ones. I’m almost complete, in fact. In defense of admins, I’m positive we tend to have a far higher tendency to use complex passwords vs easy passwords, than your normal population of users.

5. Failure to patch. I patch any time I have a moment at home, especially my Windows boxes. Applications getting patched is a bit different, but I have only limited Windows use these days. At work, this is a whole new ballgame as patch management needs to scale and there needs to be testing and change management. Windows/Microsoft patches are one thing, but I conjecture that very few shops keep applications patched (let alone internal applications). See item #2 for clues on why patches sometimes either don’t get done or keep getting pushed off (hint: it has to do with stakeholders/customers).

6. Using open wireless access points. This is an interesting item. First, security pros at least know what to look for and what not to do at wireless access points. Hopefully they’re not checking email with clear text auth. Second, the risk of being snarfed at a wireless hotspot can be low. But all it takes is once and you’re pwned. Me? I use open wireless, but I’m highly conscious what I do on them, even including sidejacking/injected CSRF attacks. Then again, I tend to be the snooper as opposed to the snooped…

See, when security pros tell “users” to not use open wireless access points, we’d only do so because we know the user isn’t technical enough to do it the right way. But what we’re really saying is, “don’t do sensitive things on open wireless, and be careful and protected from other things already.” This limits your risk greatly.

7. Misuse of USB sticks and other removable storage devices. I don’t have much to say on this one! But I will say I don’t use USB sticks at work or for moving work data. And I don’t keep sensitive stuff on my personal USB sticks longer than I need to. My assumption is that I will lose the stick at some point.

8. Seriously, you forgot to include running as least privilege Windows user? I’d be guilty of this, both at work and at home. At least at work I only run as domain admin on servers or using runas. For as much as we preach about least privs, we cheat at our own advice by running more Linux and MacOS. If we were on Windows systems, I’d bet most still run as local admin.

One thing I notice is how so many of these points skew our “advice” a bit. Most of these are, “Don’t do this unless…” or “Do this, but…” It’s the ability to fill in those second halves that makes us security geeks. When people want advice, they usually want simple advice. “Don’t use simple passwords,” is far easier and more digestible than explaining how to rate the risk of all the services you use a password for and how they interoperate.
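The “rate the risk of every service you use a password for” advice from item 4 and the closing paragraph can be made mechanical. The audit below is an added example, not code from the original post: it takes an inventory of accounts, each tagged with a value tier (the three tier names and the 14-character floor for high-value accounts are my assumptions, not the post’s), and reports reuse in terms of the most valuable account a shared password reaches. Reuse inside the throwaway tier is reported as accepted risk, which matches the forum-password stance above; reuse that touches a high-value account is the finding that matters. The sample inventory is constructed.

```python
"""Rate password reuse by the value of the account it protects, not by count alone."""
import hashlib
from collections import defaultdict

# Assumed tiers, ranked: throwaway forum < shopping/subscriptions < email, bank, work SSO
TIER_RANK = {"low": 0, "medium": 1, "high": 2}


def fingerprint(secret):
    """Compare passwords by a truncated hash so the report never has to carry plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def audit(accounts, min_high_len=14):
    """accounts: iterable of (site, tier, secret). Returns a list of (severity, message).

    Rules (assumed, not from the post):
      * a high-tier password shorter than min_high_len is a high finding
      * any password shared with a high-tier account is a high finding
      * a password shared across different non-high tiers is a medium finding
      * a password shared only within one low/medium tier is reported as accepted risk
    """
    findings = []
    users_by_fp = defaultdict(list)

    for site, tier, secret in accounts:
        if tier not in TIER_RANK:
            raise ValueError(f"{site}: unknown tier {tier!r}")
        users_by_fp[fingerprint(secret)].append((site, tier))
        if tier == "high" and len(secret) < min_high_len:
            findings.append(("high", f"{site}: high-value account with password shorter than {min_high_len}"))

    for users in users_by_fp.values():
        if len(users) < 2:
            continue  # unique password, nothing to say
        tiers = {tier for _, tier in users}
        sites = ", ".join(site for site, _ in users)
        top = max(tiers, key=TIER_RANK.get)
        if top == "high":
            findings.append(("high", f"password reused on a high-value account: {sites}"))
        elif len(tiers) > 1:
            findings.append(("medium", f"password reused across tiers {sorted(tiers)}: {sites}"))
        else:
            findings.append(("low", f"password reused within tier '{top}' (accepted risk): {sites}"))
    return findings


# Constructed sample inventory; the .example domains are placeholders
SAMPLE_ACCOUNTS = [
    ("forum-a.example", "low", "hunter2"),
    ("forum-b.example", "low", "hunter2"),
    ("shop.example", "medium", "hunter2"),
    ("mail.example", "high", "correct horse battery staple"),
    ("bank.example", "high", "short1"),
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_ACCOUNTS):
        print(f"[{severity}] {message}")
```

The point of the tiering is the one the post makes: the same reused password is a shrug on two forums and a real problem the moment it also unlocks mail, because mail is where every other password reset lands. Feed this a password-manager export (site, your own tier label, secret) and fix the high findings first.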