Don’t turn your nose up at “old” infosec ideas

I recently pinned a tweet to my Twitter account. Here is a picture of that tweet:

I pinned that because I found myself turning my nose up at some ideas/articles/posts from smart people with somewhat dated subjects. I also found myself not writing or tweeting about a subject because I wrote about it a long time ago and I considered it old material. Essentially, I was dismissing anything that wasn’t new. What I figured out after a while is that a lot of those “old” ideas and thoughts still have merit.

Let’s take defense in depth for instance. An issue has popped up recently about AT&T Uverse routers being vulnerable (and I mean REALLY vulnerable). Home routers being vulnerable is not a new thing, but because this is Uverse, and because so many homes connect their home computers directly to the router either via hard wire or wireless, it is a big deal for these routers to be so easy to smack down.

My first thought when I saw the issue start being discussed was that there is no way I would ever connect my home computers/devices to my provider’s router. I always have an extra router on my network that I use as the point of connection. I make sure it is one with a good reputation for security (as much as I can with that market), has a strong firewall and other security features, and I update it regularly. This is defense in depth in my home.

But I didn’t write about it because it felt like an old argument (defense in depth). But you know what? Someone out there may not have thought to do this. Or they may not have heard about the AT&T router issue. Or they may have just been connecting directly to their provider’s router for convenience and my post changed their mind. Or maybe they are new to infosec and this kind of thing is still new to them. Who knows? The key point is that this is still a valid issue, and it is worth the time to talk about.

So, TL;DR: don’t deprive yourself or others of your thoughts and ideas on infosec issues. Someone will get something out of it, even if it is just to remind them that they forgot about that “old” idea. Don’t ignore others when they talk about “old” ideas. Sometimes we old infosec folks need reminding too.

*** This is a Security Bloggers Network syndicated blog from An Information Security Place authored by Michael Farnum. Read the original post at: