There's an excerpt from a yet-to-be-released book by Jesper Johansson and Steve Riley available to read online. The article, entitled "Security Myths," takes a look at some of the security shortcomings typical of relying on security guides and following a predefined set of steps without looking at the whole picture. It's a great lesson in how to look at things, rather than how to follow prescriptive

Warning: This section is somewhat (OK, very) cynical. Take it with a grain of salt and laugh at some of the examples we give. Do not lose sight, however, of the message we are trying to get across: These are myths. If you are careful to avoid falling into the trap of believing them, you will be able to focus your efforts on the things that make a real difference instead of being lured like so many others into staring at a single tree and failing to see the security forest.

So what are the myths? Well, for the details go read the article, but at a high level...

  • Myth 1: Security Guides Make Your System Secure

  • Myth 2: If We Hide It the Bad Guys Won’t Find It

  • Myth 3: The More Tweaks the Better

  • Myth 4: Tweaks Are Necessary