Tech Ed 2005 Day 4 – Q&A with Steve Riley and Jesper Johansson – Security myths

Steve Riley and Jesper Johansson gave a cabana talk on security myths. It moved to a big room because you can’t fit 700 people in a cabana room. It evolved into a breakout session.

They defined a triangle between usable, secure, and cheap. You can’t have all three. You can pick 2. Usable and secure are opposites. If it is both, it’s prohibitively expensive.

Network security claims: Our network/software/hardware is “secure”, “impenetrable”, “unbreakable”.

Newsflash: Security is Hard! There is no easy fix.

The security myths:

Security guides make your system secure.

Hiding: Security by obscurity is weak defense.

Rename Administrator account

Turn off SSID Broadcast

Do not display last logged on user

Change your web/ftp banner

If we hide, the bad guys won’t find us.

Hiding: Security by obscurity is weak defense.

Rename Administrator account

Turn off SSID Broadcast

Do not display last logged on user

Change your web/ftp banner

The more tweaks the better.

All environments should follow the advice of <insert guide here>.

Turn on account lockout after 3 bad tries.
Password reset calls cost $70/call.
Hackers can use that it as denial of service.
It covers up the real problem: weak passwords. Instead, use pass phrases.

High security is an end goal for all environments.

Security tweaks can fix physical security problems.

The lemming security model – always follow the expert recommendations.

We need to audit _everything_.

Password cracking is our biggest problem.

Passwords need to be uncrackable.
If you can crack a password, you need access to the hashes. If that is the case, you have a bigger problem.
If you have the hash, you can use a tool to calculate an authentication.
Smart card readers help this, but biometrics don’t because if you use a fingerprint for authorization, and it gets
ompromised, you can’t throw it away and get another one.
If the bad guys have your password hash, you have already lost.

Security tweaks will stop worms and viruses.

Technology can fix user problems.

Friends will always be by your side: what is the basis of your trust?

Encrypted attack traffic is much better than plain text.

Protect your Windows Network by Steve Riley and Jesper Johansson.

Steve Lamb's Blog<br><br><br>&lt 10:34 am on June 10, 2005

Jeffery Palermo has posted a nice summary of the myths Steve and Jesper dispelled @ TechEd USA. Like…
Patrick Hynds 2:41 pm on August 12, 2005

While I understand that Steve and Jesper are trying to get people to address real security issues, I think to dismiss obscurity as a measure is not the best tenet. When I served in the Infantry in Iraq we did not depend on secrecy (obscurity) to protect us, but we also did our best to deny information to the enemy to force mistakes on their part. There is a place in a layered defense for measures such as administrator rename, but you have to know what it will and won’t get you.

I have a copy of Steve and Jesper’s book, “Protect your Windows Network” on my desk and it is a must read! Just don’t abandon denying information to the bad guys once you implement real security.
Jeffrey Palermo 7:09 pm on August 12, 2005

Patrick, I have to agree with you. I also spent a year in Iraq in 2003-04. From my hearing, they didn’t say “make everything obvious”, but they criticized people who depended on it for everything.

Comments are closed.

Programming with Palermo

Jeffrey Palermo, Microsoft MVP, Author, Speaker, Clear Measure Chief Architect, Azure DevOps Expert

Tech Ed 2005 Day 4 – Q&A with Steve Riley and Jesper Johansson – Security myths

Related