Tech Ed 2005 Day 4 – Q&A with Steve Riley and Jesper Johansson – Security myths

Steve Riley and Jesper Johansson gave a cabana talk on security myths. It moved to a big room because you can’t fit 700 people in a cabana room. It evolved into a breakout session.


They defined a triangle between usable, secure, and cheap. You can’t have all three. You can pick 2. Usable and secure are opposites. If it is both, it’s prohibitively expensive.


Network security claims: Our network/software/hardware is “secure”, “impenetrable”, “unbreakable”.


Newsflash: Security is Hard! There is no easy fix.


The security myths:



  • Security guides make your system secure.

  • If we hide, the bad guys won’t find us.


    • Hiding: Security by obscurity is weak defense.

    • Rename Administrator account

    • Turn off SSID Broadcast

    • Do not display last logged on user

    • Change your web/ftp banner

  • The more tweaks the better.

  • All environments should follow the advice of <insert guide here>.


    • Turn on account lockout after 3 bad tries.
      Password reset calls cost $70/call.
      Attackers can use lockout as a denial of service against the accounts they can name.
      It covers up the real problem: weak passwords. Instead, use pass phrases.

  • High security is an end goal for all environments.

  • Security tweaks can fix physical security problems.

  • The lemming security model – always follow the expert recommendations.

  • We need to audit _everything_.

  • Password cracking is our biggest problem.


    • Passwords need to be uncrackable.
      To crack a password you first need access to the hashes, and if the attacker has those, you have a bigger problem.
      With the hash in hand, a tool can compute the authentication exchange directly; the cleartext password is never needed.
      Smart card readers help here, but biometrics don’t: if you use a fingerprint for authorization and it gets
      compromised, you can’t throw it away and get another one.
      If the bad guys have your password hash, you have already lost.

  • Security tweaks will stop worms and viruses.

  • Technology can fix user problems.

  • Friends will always be by your side: what is the basis of your trust?

  • Encrypted attack traffic is much better than plain text.

Protect your Windows Network by Steve Riley and Jesper Johansson.