Complexity is the enemy of security. Simple systems are inherently more secure than complex solutions. We see this idea validated again and again in security.
Unfortunately, our IT systems are getting more and more complex as we depend on technology to fuel business growth and innovation. But do we really need to expose ourselves to ever-increasing complexity? Surely, in security, less is more.
In my daily life, I try to minimize the amount of unnecessary exposure to risk. Most security professionals do that. I avoid giving out personal details unless absolutely necessary. When asked for ID to enter a building, I give out my British driver's license, not my New York license. I started doing this after a few instances where I handed over my N.Y. ID only to have it scanned into a database without my permission. Once dipped into the scanner, my ID number and a whole host of other information were in a database of unknown security. Both British and N.Y. ID establish identity, but only the N.Y. ID number is used by U.S. banks as a unique individual identifier. Also, I doubt the British ID can be scanned in the same scanners.
I sometimes get asked for a Social Security number by someone who clearly has no valid reason to ask. The most ridiculous example of this was a neighborhood dry cleaner that used the SSN as a convenient "customer number" in its database. In cases like those, I provide a fake SSN (my phone number, minus one digit) -- easy to remember, useless if compromised. Less information about me floating around equals more security for my identity.
I take a similar approach to my corporate security policies. For example, we standardize on Firefox as our company browser. This is not because Firefox is better (though it is) or more secure (though it is), but because it is less entangled with the operating system and less "enriched" with code-execution features. On top of the basic installation, we add a little plug-in called NoScript. What NoScript does is strip pages down to basic HTML: no Java, no JavaScript, no other code or embedded objects. Every page visit by default is minimized to the bare essentials of HTML. If you need code for a menu or a fancy feature, you can decide to enable it just for a session or permanently. Even though the user can override the protection, the vast majority of sites are visited in a "less is more" posture. As a result, the incidence of spyware, viruses and other nasties is shockingly low in our environment.
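The default-deny posture described above can be made concrete with a small filter. The following is an added example, not NoScript's code and not part of the original column: it uses Python's standard-library HTML parser to rebuild a page with script elements, plug-in objects, inline event handlers and `javascript:` URLs removed, unless the site has been placed on an allowlist (the per-site "enable it" decision). The sample page and the site names `news.example.test` and `intranet.example.test` are constructed for the illustration; the policy behaviour is an assumption about how such a filter would be written, not a description of NoScript's internals.

```python
from html import escape
from html.parser import HTMLParser

# Elements that carry executable or embedded content; dropped by default.
ACTIVE_TAGS = {"script", "object", "embed", "applet"}


class DefaultDenyFilter(HTMLParser):
    """Rebuild a page as plain HTML, recording every piece of active content removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # fragments of the filtered page
        self.removed = []      # what was blocked, for a per-site report
        self._skip_depth = 0   # > 0 while inside a dropped element such as <object>

    @staticmethod
    def _render(tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ("/>" if self_closing else ">")

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):   # inline handlers: onload, onclick, ...
                self.removed.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.removed.append(f"{tag}@{name}=javascript:")
                continue
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.removed.append(f"<{tag}>")
            self._skip_depth += 1   # everything up to the matching end tag is dropped
            return
        if self._skip_depth:
            return
        self.out.append(self._render(tag, self._filter_attrs(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.removed.append(f"<{tag}>")
            return
        if self._skip_depth:
            return
        self.out.append(self._render(tag, self._filter_attrs(tag, attrs), self_closing=True))

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def apply_policy(page, site, allowlist=frozenset()):
    """Return (filtered_html, removed). Allowlisted sites pass through untouched."""
    if site in allowlist:
        return page, []
    f = DefaultDenyFilter()
    f.feed(page)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample page mixing plain HTML with active content.
SAMPLE_PAGE = (
    '<!DOCTYPE html><html><head><title>Menu</title>'
    '<script src="https://cdn.example.test/menu.js"></script></head>'
    '<body onload="init()"><h1>Hello &amp; welcome</h1>'
    '<a href="javascript:alert(1)">Click</a>'
    '<object data="movie.swf"><param name="x" value="1"></object>'
    '<embed src="player.swf"/>'
    '<p>Plain text survives.</p><br/></body></html>'
)

if __name__ == "__main__":
    clean, removed = apply_policy(SAMPLE_PAGE, "news.example.test")
    print(clean)
    print("blocked:", removed)
```

Running the block prints the stripped page followed by the list of blocked items; passing a site that appears in `allowlist` returns the page unchanged, which is the equivalent of the user choosing to enable scripts for that site.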