Monday, April 21, 2008

Default permit? Default stupidity.

I came across a very interesting read at Marcus Ranum's blog about the 6 dumbest ideas in computer security. His number 1 idea is by far one of my biggest pet peeves:
#1) Default Permit

The most recognizable form in which the "Default Permit" dumb idea manifests itself is in firewall rules. Back in the very early days of computer security, network managers would set up an internet connection and decide to secure it by turning off incoming telnet, incoming rlogin, and incoming FTP. Everything else was allowed through, hence the name "Default Permit." This put the security practitioner in an endless arms race with the hackers. Suppose a new vulnerability is found in a service that is not blocked - now the administrators need to decide whether to deny it or not, hopefully before they get hacked. A lot of organizations adopted "Default Permit" in the early 1990s and convinced themselves it was OK because "hackers will never bother to come after us." The 1990s, with the advent of worms, should have killed off "Default Permit" forever, but it didn't. In fact, most networks today are still built around the notion of an open core with no segmentation. That's "Default Permit."

This could not be truer. Every time I go into a meeting to discuss, set up, introduce or roll out the newest and greatest product, this comes into play. Most people want to roll it out without thinking about what it actually does. Take for example a new firewall system. The new product could be brought in, set up and configured exactly like the old one, and everything will probably continue to function. But in the end, why bother spending $20,000 on the new box if you aren't going to look at what you're using it for?

Please keep this in mind while setting up your new software program, coding your new web application or simply plugging in the greatest computer you have ever owned.  Keep it closed -- open only what you need.
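To make the arms race concrete, here is an added example (not code from the post or from Ranum's article) of a first-match rule evaluator run against two constructed policies: the early-1990s "block the three services we know about" list with a default of permit, and a default-deny list that names only what the site actually offers. The ports, addresses and the unknown service on tcp/1234 are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    src: str                 # source CIDR the rule applies to

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and (self.dst_port is None or self.dst_port == pkt["dport"])
                and ip_address(pkt["src"]) in ip_network(self.src))


def evaluate(rules: List[Rule], default_action: str, pkt: dict) -> str:
    """First matching rule decides; nothing matched falls through to the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_action


# Constructed "Default Permit" policy: deny the services we happened to think of.
DEFAULT_PERMIT_RULES = [
    Rule("deny", "tcp", 23, "0.0.0.0/0"),   # telnet
    Rule("deny", "tcp", 513, "0.0.0.0/0"),  # rlogin
    Rule("deny", "tcp", 21, "0.0.0.0/0"),   # ftp
]

# Constructed "Default Deny" policy: permit only what this site actually serves.
DEFAULT_DENY_RULES = [
    Rule("permit", "tcp", 25, "0.0.0.0/0"),  # inbound mail
    Rule("permit", "tcp", 80, "0.0.0.0/0"),  # public web
]


def compare(pkt: dict) -> tuple:
    """(verdict under default permit, verdict under default deny) for one packet."""
    return (evaluate(DEFAULT_PERMIT_RULES, "permit", pkt),
            evaluate(DEFAULT_DENY_RULES, "deny", pkt))


# Constructed sample traffic from one outside host. The last one is the arms-race
# case: a daemon nobody wrote a rule for, because nobody knew it was listening.
TELNET = {"proto": "tcp", "src": "203.0.113.9", "dport": 23}
WEB = {"proto": "tcp", "src": "203.0.113.9", "dport": 80}
NEW_SERVICE = {"proto": "tcp", "src": "203.0.113.9", "dport": 1234}

if __name__ == "__main__":
    for name, pkt in (("telnet", TELNET), ("web", WEB), ("unknown tcp/1234", NEW_SERVICE)):
        print(f"{name:18} default-permit={compare(pkt)[0]:6} default-deny={compare(pkt)[1]}")
```

The default-deny policy never needed to learn about tcp/1234 to get it right; the default-permit policy will be wrong about every service until an administrator adds a rule for it.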

Reader Comments (3)

Come on now, do that many 20k security appliances really do default permit/allow? I don't think so. Even Windows and Linux have caught on. Old news...

April 21, 2008 | Unregistered CommenterCG

@CG,

They absolutely still do. Purchase a brand new Cisco ASA and out of the box, not only is there a default permit rule but there is a default NAT rule from ANY inside to ANY outside to use the outside interface IP address. Easy as can be to set up a new firewall and allow users to do anything they want.

April 22, 2008 | Unregistered CommenterJesse Middleton

