Jeffrey Palermo (.com)

Tech Ed 2005 Day 4 - Q&A with Steve Riley and Jesper Johansson - Security myths

Steve Riley and Jesper Johansson gave a cabana talk on security myths. It moved to a big room because you can't fit 700 people in a cabana room. It evolved into a breakout session.

They defined a triangle between usable, secure, and cheap. You can't have all three. You can pick 2. Usable and secure are opposites. If it is both, it's prohibitively expensive.

Network security claims: Our network/software/hardware is "secure", "impenetrable", "unbreakable".

Newsflash: Security is Hard! There is no easy fix.

The security myths:

  • Security guides make your system secure.
  • If we hide, the bad guys won't find us.
    • Hiding: Security by obscurity is weak defense.
    • Rename Administrator account
    • Turn off SSID Broadcast
    • Do not display last logged on user
    • Change your web/ftp banner
  • The more tweaks the better.
  • All environments should follow the advice of <insert guide here>.
    • Turn on account lockout after 3 bad tries.
      • Password reset calls cost $70/call.
      • Hackers can use it as a denial of service.
      • It covers up the real problem: weak passwords. Instead, use pass phrases.
  • High security is an end goal for all environments.
  • Security tweaks can fix physical security problems.
  • The lemming security model - always follow the expert recommendations.
  • We need to audit _everything_.
  • Password cracking is our biggest problem.
    • Passwords need to be uncrackable.
      • To crack a password you need access to the hashes; if that is the case, you have a bigger problem.
      • With the hash in hand, a tool can compute the authentication response directly, without ever recovering the password.
      • Smart card readers help here, but biometrics don't: if you use a fingerprint for authorization and it gets compromised, you can't throw it away and get another one.
      • If the bad guys have your password hash, you have already lost.
  • Security tweaks will stop worms and viruses.
  • Technology can fix user problems.
  • Friends will always be by your side: what is the basis of your trust?
  • Encrypted attack traffic is much better than plain text.
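
The account-lockout myth above (a hard lockout after 3 bad tries invites denial of service and masks weak passwords) modelled as an added Python example; this is not code from the talk or the book. The two policy classes, the source addresses and the 5-word/8000-word pass phrase figures are my own assumptions; the $70 per reset call is the figure quoted in the summary.

```python
import math
from dataclasses import dataclass, field

HELPDESK_COST_PER_RESET = 70  # dollars per password-reset call, figure quoted in the talk

@dataclass
class HardLockout:
    """Lock the account after `threshold` failures, whoever caused them (the 'lockout after 3' tweak)."""
    threshold: int = 3
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, account: str, source: str, ok: bool) -> str:
        if account in self.locked:
            return "locked"          # the legitimate user with the right password is refused too
        if ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
            return "locked"
        return "denied"

@dataclass
class SourceThrottle:
    """Alternative (assumed, not from the talk): back off per (account, source) pair, never lock the account."""
    base_delay: float = 1.0
    failures: dict = field(default_factory=dict)

    def attempt(self, account: str, source: str, ok: bool) -> tuple:
        key = (account, source)
        if ok:
            self.failures.pop(key, None)   # a good login from any source is never blocked
            return "ok", 0.0
        n = self.failures[key] = self.failures.get(key, 0) + 1
        return "denied", self.base_delay * 2 ** (n - 1)  # exponential delay for that source only

def reset_cost(policy: HardLockout, accounts: list, source: str = "203.0.113.9") -> int:
    """Helpdesk bill (at $70 a call) once a single source has reached the threshold on every account."""
    for acct in accounts:
        for _ in range(policy.threshold):
            policy.attempt(acct, source, ok=False)
    return len(policy.locked) * HELPDESK_COST_PER_RESET

def search_space_bits(length: int, alphabet: int) -> float:
    """log2 of the brute-force space: compare 8 chars from 95 symbols with 5 words from an 8000-word list."""
    return length * math.log2(alphabet)
```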

Protect your Windows Network by Steve Riley and Jesper Johansson.



Comments

Jeffrey Palermo said:

Jeffery Palermo has posted a nice summary of the myths Steve and Jesper dispelled @ TechEd USA. Like...
June 10, 2005 6:34 AM

Patrick Hynds said:

While I understand that Steve and Jesper are trying to get people to address real security issues, I think to dismiss obscurity as a measure is not the best tenet. When I served in the Infantry in Iraq we did not depend on secrecy (obscurity) to protect us, but we also did our best to deny information to the enemy to force mistakes on their part. There is a place in a layered defense for measures such as administrator rename, but you have to know what it will and won't get you.

I have a copy of Steve and Jesper's book, "Protect your Windows Network" on my desk and it is a must read! Just don't abandon denying information to the bad guys once you implement real security.
August 12, 2005 10:41 AM

Jeffrey Palermo said:

Patrick, I have to agree with you. I also spent a year in Iraq in 2003-04. From my hearing, they didn't say "make everything obvious", but they criticized people who depended on it for everything.
August 12, 2005 3:09 PM

About Jeffrey Palermo

Jeffrey Palermo is a software management consultant and the CTO of Headspring Systems in Austin, TX. Jeffrey specializes in Agile coaching and helps companies double the productivity of software teams. Jeffrey is an MCSD.Net , Microsoft MVP, Certified Scrummaster, Austin .Net User Group leader, AgileAustin board member, INETA speaker, INETA Membership Mentor, Christian, husband, father, motorcyclist, Eagle Scout, U.S. Army Veteran, and Texas A&M University graduate. Check out Devlicio.us!
