Who is practicing security best practice?

There is a term in the Information Security field that tries my patience in no uncertain terms. That term is, “best practice”. People love to bandy this about in discussions about their security program, widget or what have you. But, who is actually practicing? 

Typically what is meant by this catch all phrase is that an organization it taking the time to work on things such as making sure that their systems are patched, data is encrypted, ssh keys are rotated and that there is a breach response policy in place. 

It is all well and good to say this. However, often it turns out that this is little more than lip service for far too many organizations. The vast majority of large companies have a security team that is overstretched, underfunded and pushed so far down the organizational stack that they have difficulty having any appreciable affect on the security posture of the enterprise. 

To illustrate, today I got to read that the US government is lacking on “security best practices” and I know what the author meant but, I found myself bellowing at the screen “what does that even mean?”

From Reuters: 

The U.S. government itself seldom follows the best cybersecurity practices and must drop its old operating systems and unsecured browsers as it tries to push the private sector to tighten its practices, technology advisers told President Barack Obama.

 

“The federal government rarely follows accepted best practices,” the President’s Council of Advisors on Science and Technology said in a report released on Friday. “It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems.”

So, rather than use the term “best practice” I think that it would be more appropriate to say that they are doing the “bare minimum” for security. This habit that we have as security practitioners to rely on terms that lack clear definition does not do us any justice collectively. We need to become better at addressing the security issues of the day. There needs to be a greater emphasis from ourselves to execute on defined repeatable processes. 

Case in point, the Edward Snowden leaks. We’ve all heard the information that has been slowly making its way into the daylight. What has not have nearly as much focus has been the failures on the part of the NSA to secure their information. 

Example from another Reuters article:

Officials said that while investigators now believe they know the range of documents that Snowden accessed, they remain unsure which documents he downloaded for leaking to the media.

They remain, unsure.

This is a telling line in the article. It demonstrates that, as an example, the NSA was not “practicing” the best security. They weren’t even able to articulate what documents had been purloined.

Troubling.

I would hope that we could move away from junk terminology like “best practice” and start working on defined repeatable processes that can help address issues like, oh, I don’t know…logging?

(Image used under CC from 5150fantast)