Tech Ed 2005 Day 4 - Q&A with Steve Riley and Jesper Johansson - Security myths

Steve Riley and Jesper Johansson gave a cabana talk on security myths. It moved to a big room because you can't fit 700 people in a cabana room. It evolved into a breakout session.

They described a triangle whose corners are usable, secure, and cheap: you can't have all three, only two. Usable and secure pull against each other, and a system that is both is prohibitively expensive.

Network security claims: our network/software/hardware is "secure", "impenetrable", "unbreakable".

Newsflash: Security is Hard! There is no easy fix.

The security myths:

  • Security guides make your system secure.
  • If we hide, the bad guys won't find us.
    • Hiding: security by obscurity is a weak defense.
    • Rename the Administrator account
    • Turn off SSID broadcast
    • Do not display the last logged-on user
    • Change your web/ftp banner
  • The more tweaks the better.
  • All environments should follow the advice of <insert guide here>.
    • Example: turn on account lockout after 3 bad tries.
      • Password reset calls cost $70/call.
      • Hackers can use lockout as a denial of service.
      • It covers up the real problem: weak passwords. Instead, use pass phrases.
  • High security is an end goal for all environments.
  • Security tweaks can fix physical security problems.
  • The lemming security model - always follow the expert recommendations.
  • We need to audit _everything_.
  • Password cracking is our biggest problem.
    • Passwords need to be uncrackable.
      • To crack a password you need access to the hashes; if someone has those, you already have a bigger problem.
      • With the hash alone, a tool can compute the authentication response without ever recovering the password.
      • Smart card readers help here, but biometrics don't: if you use a fingerprint for authorization and it gets compromised, you can't throw it away and get another one.
      • If the bad guys have your password hash, you have already lost.
  • Security tweaks will stop worms and viruses.
  • Technology can fix user problems.
  • Friends will always be by your side: what is the basis of your trust?
  • Encrypted attack traffic is much better than plain text.
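As an added illustration of the password-hash point above (example code written for this summary, not from the talk or the book), a toy challenge-response login in Python: the server stores only hash(password), and the client proves possession with an HMAC keyed by that same hash, so the stored hash is all that is needed to pass verification. The protocol, the function names and the unsalted SHA-256 digest are constructed for the example and are not NTLM or any product's scheme; the defensive lesson is that the hash store must be guarded like the passwords themselves.

```python
"""Constructed challenge-response scheme showing why a stored password hash
is password-equivalent: whoever holds the hash can answer the challenge.
Hypothetical protocol for illustration only, not NTLM or any real product."""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Server-side stored value: an unsalted digest, as in the legacy schemes
    the talk has in mind (constructed example, not a recommendation)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def new_challenge() -> bytes:
    """Fresh random nonce issued by the server for each login attempt."""
    return os.urandom(16)


def respond(stored_hash: bytes, challenge: bytes) -> bytes:
    """Client-side proof: HMAC keyed with the password hash. Note that the
    input is the hash, not the password; the password is never needed here."""
    return hmac.new(stored_hash, challenge, hashlib.sha256).digest()


def verify(stored_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Server check: recompute with the stored hash, compare in constant time."""
    expected = hmac.new(stored_hash, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def hash_is_password_equivalent(password: str) -> bool:
    """The talk's claim, executed: a party holding only the stored hash
    (say, from a leaked credential database) verifies exactly like the real
    user. Returns True when both the user path and the hash-only path pass."""
    stored = password_hash(password)
    challenge = new_challenge()
    # Legitimate user: derives the hash from the typed password, then responds.
    user_response = respond(password_hash(password), challenge)
    # Hash holder: never sees the password, responds straight from the stored value.
    holder_response = respond(stored, challenge)
    return verify(stored, challenge, user_response) and verify(
        stored, challenge, holder_response
    )
```

Because the stored value suffices to authenticate, the mitigations the talk points at (keeping hashes off the wire and out of reach, smart cards in place of reusable secrets) matter more than making the hash itself hard to crack.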

Their book: "Protect Your Windows Network" by Steve Riley and Jesper Johansson.


Posted Thu, Jun 9 2005 3:55 PM by Jeffrey Palermo


Comments

Jeffrey Palermo wrote Steve Riley and Jesper dispel security myths @ TechEd USA
on Fri, Jun 10 2005 6:34 AM
Jeffrey Palermo has posted a nice summary of the myths Steve and Jesper dispelled @ TechEd USA. Like...
Patrick Hynds wrote re: Tech Ed 2005 Day 4 - Q&A with Steve Riley and Jesper Johansson - Security myths
on Fri, Aug 12 2005 10:41 AM
While I understand that Steve and Jesper are trying to get people to address real security issues, I think to dismiss obscurity as a measure is not the best tenet. When I served in the Infantry in Iraq we did not depend on secrecy (obscurity) to protect us, but we also did our best to deny information to the enemy to force mistakes on their part. There is a place in a layered defense for measures such as administrator rename, but you have to know what it will and won't get you.

I have a copy of Steve and Jesper's book, "Protect your Windows Network" on my desk and it is a must read! Just don't abandon denying information to the bad guys once you implement real security.
Jeffrey Palermo wrote re: Tech Ed 2005 Day 4 - Q&A with Steve Riley and Jesper Johansson - Security myths
on Fri, Aug 12 2005 3:09 PM
Patrick, I have to agree with you. I also spent a year in Iraq in 2003-04. From my hearing, they didn't say "make everything obvious", but they criticized people who depended on it for everything.