“Experts” who tell you to do dumb things… are not experts
Dump anything you don’t use. Dump anything with a proven track record of failure which you don’t need (for example, if you don’t need Java, uninstall it). That’s the easy bit, the rest requires thought and effort. If you need Java for desktop apps, but don’t need Java in your browser – disable the browser plugins.
You might find it a bit strange when we tell you to beware of experts – especially because we are often hyped as experts. But it’s not strange at all. The day we start believing our hype and calling ourselves experts in anything besides pontificating and drinking coffee, we’re done in this business. We’re fortunate to know a lot of experts, but knowing and being are very different things.
Jack’s point is exactly right. Anyone can talk to the press, and that supposedly makes them an expert. It would be funny, except that many of these folks say stupid and wrong things, and because they show up in reputable publications readers assume they must be right. Not so much. It’s easy to say things. It’s hard to do things, especially restrictive things like eliminating Java and IE from your environment. It’s almost impossible to do these restrictive things on an enterprise scale. And that triggers Jack’s point about dumping software you don’t use. It’s convenient to have a standard desktop image, but that usually means everything on the image is allowed for everyone, whether or not they need it. That’s not a path to security success.
And how do you deal with experts providing bad advice? Triangulate everything. Everyone has an opinion. Solicit a variety of different folks and see what they have to say. The weightier the decision, the more folks you should talk to. Sometimes the opinions will be consistent, and that makes the decision easy. Sometimes they aren’t, and then you have to figure out what’s right in the context of that decision. Which is why you make the big bucks.
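Jack’s “if you don’t need Java, uninstall it” is easy to say and harder to do across a fleet, and the first step is knowing where it actually is. The PowerShell script below is an added example, not code from the original post or from Jack’s article: it reads the Windows uninstall registry keys (native and WOW6432Node) for Java entries, prints an inventory, and only when run with -Remove uninstalls the MSI-registered ones silently via msiexec. The name pattern, the assumption that the JRE/JDK was installed via MSI (so the key name is an MSI product code), and running it elevated on each host are assumptions; non-MSI entries are reported for manual handling rather than guessing their uninstaller switches.

```powershell
# Added example (not from the original post): inventory Java installs from the
# Windows uninstall registry keys and, optionally, remove the MSI-based ones.
# Assumptions: runs elevated on Windows; Oracle JRE/JDK installers register an
# MSI product code as the key name; $NamePattern matches what you want gone.
[CmdletBinding()]
param(
    # "^Java\b" matches "Java 8 Update 281", "Java(TM) 7 Update 80", "Java SE
    # Development Kit", "Java Auto Updater" but not "JavaScript ..." entries.
    [string]$NamePattern = '^Java\b',
    [switch]$Remove
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-JavaInstall {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -and $p.DisplayName -match $NamePattern) {
                [pscustomobject]@{
                    Name        = $p.DisplayName
                    Version     = $p.DisplayVersion
                    ProductCode = $_.PSChildName      # a GUID when installed by MSI
                    Uninstall   = $p.UninstallString
                    Key         = $_.PSPath
                }
            }
        }
    }
}

function Remove-JavaInstall {
    param([Parameter(ValueFromPipeline = $true)]$Install)
    process {
        if ($Install.ProductCode -match '^\{[0-9A-F-]{36}\}$') {
            # MSI product: msiexec removes it silently; /norestart avoids an
            # unattended reboot. Exit 0 = removed, 3010 = removed, reboot pending.
            $msiArgs = "/x $($Install.ProductCode) /qn /norestart"
            $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
            [pscustomobject]@{ Name = $Install.Name; ExitCode = $proc.ExitCode; Note = '' }
        } else {
            # Not an MSI entry: report it instead of guessing silent switches.
            [pscustomobject]@{ Name = $Install.Name; ExitCode = $null; Note = "manual: $($Install.Uninstall)" }
        }
    }
}

$found = @(Get-JavaInstall)
if ($found.Count -eq 0) {
    Write-Host 'No Java installs found in the uninstall registry keys.'
    return
}

$found | Format-Table Name, Version, ProductCode -AutoSize

if ($Remove) {
    $found | Remove-JavaInstall | Format-Table Name, ExitCode, Note -AutoSize
} else {
    Write-Host 'Dry run. Re-run with -Remove to uninstall the entries listed above.'
}
```

Run it first without -Remove on a sample of machines and compare the inventory against the applications that genuinely need a JRE; the script deliberately does not touch browser plug-in settings, since which plug-ins to disable depends on the browser and version in use.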
One Reply to “Beware of Self-Proclaimed Experts”
I’ve seen a lot of people saying it’s impossible to get rid of IE and Java in an enterprise, but we’re actually on a path to do it (company size ~500 employees). We have one department that needs IE, and one application used company-wide that uses a Java browser plug-in.
We’re in the process of migrating off the application that requires the Java browser plug-in, then we’ll shut it off enterprise-wide and require exceptions for the inevitable handful of people who “need” it for some niche process. Similarly, we’re deploying system management software that will allow us to restrict software by department, so only the departments who can’t migrate off flagrantly unsafe software will be able to use it.
Giving impossible advice is problematic, but I’m reminded of the thought “The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.” If no one actually tries to do any of these unreasonable things, nothing substantial will change.
Remember, everyone thought Apple was insane to ban Flash, but the result was Adobe working much, much harder to make Flash safer and industry-wide migration away from it as a platform. Arguably user experience is much better today since developers can no longer take the lazy route of assuming every device will have Flash support.
TL;DR Practical is good, but great gains are rarely made by being pragmatic.