Worst Best Practices: Regarding Default Deny Rules #GartnerSecurity

The Gartner Information Security conference is over so I have a chance now to catch up on some blogging. I’m planning to spread my posts out over a few days.
The last session was a tongue-in-cheek (or sometimes just truthful) look at the worst “best practices”. People have dumb ideas accepted as gospel. Times change, and what was once an OK idea now just needs to go away. In addition to ideas, there are also technologies that aren’t as useful as they are billed.
First on the list of questionable security best practices is Default to Deny. Default deny is ingrained in security culture. The discussion leader said that is the problem. What was meant as a technical rule became a cultural mantra. It was a repeated refrain during the conference, “Infosec is known as Dr No”. We need to be aligned with the business first and foremost.
A “default deny” Infosec is one that is innovation phobic. When Infosec says “no”, the business will circumvent, and now you’re in a doubly worse situation: the activity is taking place, and it’s completely unmanaged. As an aside, my goal is to allow users to do it, but make it secure. In the case of IM, you get IM security and block IM that circumvents it. You provide a VPN and block GoToMyPC.
The presenter argued that default enable supports innovation. You block known bad, you monitor the rest. And here’s the worst part of the argument in my opinion: you use a honeypot to look at what the bad guy is trying to do to your open port, and you learn. (This is a horrible argument because you are potentially destroying your company’s security for your personal edification. Also, honeypots can still exist in other network locations. Default allow on the firewall is not necessary for that.)
Ultimately, this presenter’s goal wasn’t Jericho. The goal of removing default deny is expunging Dr No rather than removing the last rule on everyone’s firewall.
The discussion was interesting as well:
1. If you think you’re doing “default deny” you are wrong. The universal firewall traversal exploit (80/TCP) and the secure universal firewall traversal exploit (443/TCP) let through plenty. Beyond that, users seem to work to circumvent default deny through other methods, accidental and intentional.
2. This talk of needing to align ourselves with the business is wrong. We’re a part of the business.
3. If we don’t assume badness and default deny, then we will be drilled by innovating bad guys who are always a step ahead.
4. Control is an illusion of your personal experience.
5. How many companies have failed due to an Infosec breach? (I think this was an argument for default allow.)
6. Sometimes you have to let them fail. I hear infosec people say this, but what about due care? You can’t just wash your hands and wait for them to shipwreck. Make sure you have a get-out-of-jail-free card.
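To make the two policies in the talk concrete, here is a small first-match rule evaluator that runs the same constructed flows through a default-deny ruleset (with the usual 80/TCP, 443/TCP and 53/UDP holes) and through a default-allow ruleset that blocks known bad and flags everything else for monitoring. This is an added illustration, not code from the presenter or from any firewall product; the rules, hosts (documentation-range addresses) and flows are all constructed for the example. It shows the point of item 1 above: a flow to a known-bad host on 443 sails through “default deny”, while the default-allow policy admits IM traffic that default deny would have stopped and only catches it if someone actually monitors the unmatched flows.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt (constructed sample data)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """A firewall rule; a field left as None is a wildcard."""
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return ((self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport)
                and (self.dst is None or self.dst == f.dst))


def evaluate(rules: List[Rule], default: str, flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching rule wins; otherwise the policy default applies.

    Returns (action, index of matching rule) or (default, None)."""
    for i, rule in enumerate(rules):
        if rule.matches(flow):
            return rule.action, i
    return default, None


# "Default deny" as usually deployed: a few explicit allows, deny everything else.
DEFAULT_DENY: List[Rule] = [
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="tcp", dport=443),
    Rule("allow", proto="udp", dport=53),
]

# "Default allow" as the presenter described it: block known bad, monitor the rest.
# 203.0.113.7 is a constructed placeholder for a known-bad destination.
DEFAULT_ALLOW: List[Rule] = [
    Rule("deny", dst="203.0.113.7"),
    Rule("deny", proto="tcp", dport=445),
]

# Constructed sample flows from one workstation (192.0.2.10).
SAMPLE_FLOWS: List[Flow] = [
    Flow("192.0.2.10", "198.51.100.20", "tcp", 443),   # ordinary HTTPS
    Flow("192.0.2.10", "203.0.113.7", "tcp", 443),     # HTTPS to the known-bad host
    Flow("192.0.2.10", "198.51.100.20", "tcp", 445),   # SMB to the internet
    Flow("192.0.2.10", "198.51.100.30", "tcp", 5222),  # XMPP instant messaging
    Flow("192.0.2.10", "198.51.100.40", "tcp", 80),    # plain HTTP
]


def admitted_by_both(flows: List[Flow]) -> List[Flow]:
    """Flows that neither policy stops: the 80/443 'traversal' traffic."""
    return [f for f in flows
            if evaluate(DEFAULT_DENY, "deny", f)[0] == "allow"
            and evaluate(DEFAULT_ALLOW, "allow", f)[0] == "allow"]


def unmatched_allows(rules: List[Rule], default: str, flows: List[Flow]) -> List[Flow]:
    """Flows admitted only by the policy default, not by any explicit rule.

    Under default allow these are the 'monitor the rest' set; if nobody is
    looking at this list, the policy is just an open firewall."""
    return [f for f in flows
            if evaluate(rules, default, f) == ("allow", None)]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        dd, _ = evaluate(DEFAULT_DENY, "deny", f)
        da, _ = evaluate(DEFAULT_ALLOW, "allow", f)
        print(f"{f.dst}:{f.dport}/{f.proto}  default-deny={dd}  default-allow={da}")
    print("admitted by both:", len(admitted_by_both(SAMPLE_FLOWS)))
    print("needs monitoring under default allow:",
          len(unmatched_allows(DEFAULT_ALLOW, "allow", SAMPLE_FLOWS)))
```

The known-bad host on 443 is the instructive case: it is admitted by the default-deny ruleset and blocked only by the default-allow one, because the allow for 443/TCP has no destination restriction. The IM flow on 5222 is the reverse: default deny stops it outright, while default allow lets it through with nothing but a log entry standing between you and an unmanaged channel.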
My thoughts:
I hate the concept that if I can’t prove something is insecure, then it must be secure. You run into that all the time with patching or with any new service. To these people it is not enough to have a concept of how a service would be exploited; you have to demonstrate the exploit. It will be a challenge going into the future as services become more dynamic, technology becomes more consumer oriented, and access to data is needed from anywhere.