One of the challenges faced in the IT industry is breaking the poorly conceived or mistaken preconceptions held by others. But what happens when we're the ones holding on to outdated ideas, or are just plain wrong, because technology has taken another huge leap forward and we're left standing, clutching something that's now ineffective?
I have been reviewing some documentation I wrote three years ago and at a glance it appeared to be valid, using correct assumptions and only needing minor tweaks to bring it up to date.
John, an ISC reader, emailed in a great comment from a best-practices discussion he was involved in, which reinforces this point. Smart people in that room brought out timeless best-practice statements such as:
'Logs should be stored separately from the application to prevent out-of-control logs from filling up the system and causing other components to crash.'
All of which makes perfect sense from a best-practice point of view, and I follow this principle for many of the systems I install and manage. Let's test whether this best-practice statement is still valid by asking some simple questions:
Why are we creating logs in the first place?
Who looks at them?
Do the right people have access to the logs?
Are they of any use?
Is there any need to archive them or can they be deleted after x amount of time?
Are we asking the right people about the logs in the first place?
It may turn out that keeping 300 GB of logs on their own fast RAID-ed disks, backed up nightly, is a huge waste of time, money and resources, because no one ever looks at them, uses them, or knows what to do with them. Keeping only a week's worth of logs, taking up 10 MB of disk and used only for occasional troubleshooting, might be the best solution.
So, going back to my documentation, I took a hard look at what I'd written. Almost immediately I found I'd fallen into the generic best-practice assumptions pit. They were good at the time, but not now, given the way the business, processes and technology had changed. Needless to say, the quick document update stretched into a number of hours of rewrites, and only after talking to various people about a string of questions I needed to address. Once the documents had been peer reviewed, signed off and finally uploaded, I added an entry to my diary to take time to review and, if necessary, amend these documents six months from now.
Do you apply a review process to security policies, procedures, documents and best practices to ensure they still meet the measures and metrics that keep them relevant, meaningful and fit for current business needs?
How can you ensure that you're not clinging to best practices or policies that are well past their sell-by date?
Can you share any pearls of wisdom to help others avoid the automatic adoption of reasonable-sounding, yet poorly thought out, best practices?
Chris Mohan --- ISC Handler on Duty
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.