A bit nerdier then usual, but still a great article about the 6 worst ideas that are in use in computer security. Below is a quick excerpt and you can read the entire thing over on Ranum.com

#1 Default Permit:

This dumb idea crops up in a lot of different forms; it’s incredibly persistent and difficult to eradicate. Why? Because it’s so attractive. Systems based on “Default Permit” are the computer security equivalent of empty calories: tasty, yet fattening.

The most recognizable form in which the “Default Permit” dumb idea manifests itself is in firewall rules. Back in the very early days of computer security, network managers would set up an internet connection and decide to secure it by turning off incoming telnet, incoming rlogin, and incoming FTP. Everything else was allowed through, hence the name “Default Permit.” This put the security practitioner in an endless arms-race with the hackers. Suppose a new vulnerability is found in a service that is not blocked - now the administrators need to decide whether to deny it or not, hopefully, before they got hacked. A lot of organizations adopted “Default Permit” in the early 1990’s and convinced themselves it was OK because “hackers will never bother to come after us.” The 1990’s, with the advent of worms, should have killed off “Default Permit” forever but it didn’t. In fact, most networks today are still built around the notion of an open core with no segmentation. That’s “Default Permit.”

Another place where “Default Permit” crops up is in how we typically approach code execution on our systems. The default is to permit anything on your machine to execute if you click on it, unless its execution is denied by something like an antivirus program or a spyware blocker. If you think about that for a few seconds, you’ll realize what a dumb idea that is. On my computer here I run about 15 different applications on a regular basis. There are probably another 20 or 30 installed that I use every couple of months or so. I still don’t understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me. That’s “Default Permit.”

A few years ago I worked on analyzing a website’s security posture as part of an E-banking security project. The website had a load-balancer in front of it, that was capable of re-vectoring traffic by URL, and my client wanted to use the load-balancer to deflect worms and hackers by re-vectoring attacks to a black hole address. Re-vectoring attacks would have meant adopting a policy of “Default Permit” (i.e.: if it’s not a known attack, let it through) but instead I talked them into adopting the opposite approach. The load-balancer was configured to re-vector any traffic not matching a complete list of correctly-structured URLs to a server that serves up image data and 404 pages, which is running a special locked-down configuration. Not surprisingly, that site has withstood the test of time quite well.

One clear symptom that you’ve got a case of “Default Permit” is when you find yourself in an arms race with the hackers. It means that you’ve put yourself in a situation where what you don’t know can hurt you, and you’ll be doomed to playing keep ahead/catch-up.

The opposite of “Default Permit” is “Default Deny” and it is a really good idea. It takes dedication, thought, and understanding to implement a “Default Deny” policy, which is why it is so seldom done. It’s not that much harder to do than “Default Permit” but you’ll sleep much better at night.

Via: Digg