Related link: http://www.nwc.securitypipeline.com/159900223

Lots of folks get involved in collecting and creating security “best practice” documents (I have to admit I am guilty of that as well). This fun paper instead looks at “commonly accepted” security “worst practices”. Here is the list, but do read the paper, since it has many fun titbits as well as suggestions on what to do instead of each of these:

1 If you find a security hole, buy a product to fix it

2 Ignore the human element

3 “Full speed ahead and damn the torpedoes” is our motto

4 To run a tight ship, take an authoritarian approach

5 Make access privileges an all or nothing proposition

6 Treat all data as equal

7 Back up everything, every night

8 Perform audits and penetration tests infrequently, and in-house

9 Endpoints for everyone

10 Make sure security is highly visible, even intrusive