Note: at one time or another in my career I have truly heard all of these.
In no particular order...
- Disable AV altogether, its inconvenient when moving malware samples around.
- Passwords longer than eight characters make it hard to do your job.
- Don't worry about chain of custody or evidence integrity, cases rarely go to court anyway.
- When a concerned user calls about a potentially compromised system, tell them to just run McAfee Stinger.
- Why would you want to keep DNS logs?
- Go ahead and give developers the ability to deploy code to straight to production from their desktops. It helps them be agile and creates efficiency.
- Proxying egress web traffic is an invasion of privacy and makes users mad, so don't do it.
- Your vulnerability scanner is causing my service to crash! Turn it off!
- We don't need to fix XSS. You can't hack a server with it.
- But it is encrypted. We used MD5 hashing to store the credit cards in the database.
Welcome back, NFL refs. :-)