CyberSec Tips: Follow the rules – and advice
A recent story (actually based on one from several years ago) has pointed out that, for years, the launch codes for nuclear missiles were all set to 00000000. (Not quite true: a safety lock was set that way.)
Besides the thrill value of the headline, there is an important point buried in the story. Security policies, rules, and procedures are usually developed for a reason. In this case, given the importance of nuclear weapons, there is a very real risk from a disgruntled insider, or even simple error. The safety lock was added to the system in order to reduce that risk. And immediately circumvented by people who didn’t think it necessary.
I used to get asked, a lot, for help with malware infestations, by friends and family. I don’t get asked much anymore. I’ve given them simple advice on how to reduce the risk. Some have taken that advice, and don;t get hit. A large number of others don’t ask because they know I will ask if they’ve followed the advice, and they haven’t.
Security rules are usually developed for a reason, after a fair amount of thought. This means you don’t have to know about security, you just have to follow the rules. You may not know the reason, but the rules are actually there to keep you safe. It’s a good idea to follow them.
(There is a second point to make here, addressed not to the general public but to the professional security crowd. Put the thought in when you make the rules. Don’t make stupid rules just for the sake of rules. That encourages people to break the stupid rules. And the necessity of breaking the stupid rules encourages people to break all the rules …)