Steve Riley and Jesper Johansson gave a cabana talk on security myths. It moved to a big room because you can’t fit 700 people in a cabana room. It evolved into a breakout session.
They defined a triangle between usable, secure, and cheap. You can’t have all three. You can pick 2. Usable and secure are opposites. If it is both, it’s prohibitively expensive.
Network security claims: Our network/software/hardware is “secure”, “impenetrable”, “unbreakable”.
Newsflash: Security is Hard! There is no easy fix.
The security myths:
- Security guides make your system secure.
- Hiding: Security by obscurity is weak defense.
  - Rename Administrator account
  - Turn off SSID Broadcast
  - Do not display last logged on user
  - Change your web/ftp banner
  - If we hide, the bad guys won’t find us.
- The more tweaks the better.
- All environments should follow the advice of <insert guide here>.
- Turn on account lockout after 3 bad tries.
Password reset calls cost $70/call.
Hackers can use that as a denial of service.
It covers up the real problem: weak passwords. Instead, use pass phrases.
- High security is an end goal for all environments.
- Security tweaks can fix physical security problems.
- The lemming security model – always follow the expert recommendations.
- We need to audit _everything_.
- Password cracking is our biggest problem.
- Passwords need to be uncrackable.
If you can crack a password, you need access to the hashes. If that is the case, you have a bigger problem.
If you have the hash, you can use a tool to compute a valid authentication response from it; you never need the password itself.
Smart card readers help with this, but biometrics don’t: if you use a fingerprint for authentication and it gets compromised, you can’t throw it away and get another one.
If the bad guys have your password hash, you have already lost.
- Security tweaks will stop worms and viruses.
- Technology can fix user problems.
- Friends will always be by your side: what is the basis of your trust?
- Encrypted attack traffic is much better than plain text.
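As an added illustration of the account-lockout point above (example code written for these notes, not from the talk or the book): a small model comparing a hard three-try lockout with per-account progressive throttling. The 3-try threshold and the $70 reset cost are from the notes; the backoff cap, the two policy shapes and the sample account names are assumptions.

```python
import math
from typing import Callable, List, Optional, Tuple

# The threshold and reset-call cost are the figures from the talk notes;
# the backoff cap is an assumption made for this example.
LOCKOUT_THRESHOLD = 3
RESET_CALL_COST_USD = 70
MAX_BACKOFF_SECONDS = 3600

# A policy maps "failed attempts so far" to the wait before the next attempt,
# or None when the account is locked until a help-desk reset.
Policy = Callable[[int], Optional[float]]

def hard_lockout_policy(failures: int) -> Optional[float]:
    """The myth: N wrong guesses lock the account until someone resets it."""
    if failures >= LOCKOUT_THRESHOLD:
        return None
    return 0.0

def throttle_policy(failures: int) -> Optional[float]:
    """Exponential backoff per account: 0, 1, 3, 7, 15 ... seconds, capped.
    Guessing gets slower, but the account is never permanently locked."""
    return float(min(2 ** failures - 1, MAX_BACKOFF_SECONDS))

def attacker_burst(policy: Policy, usernames: List[str],
                   bad_guesses: int = LOCKOUT_THRESHOLD) -> Tuple[List[str], int]:
    """Someone who knows only usernames sends `bad_guesses` wrong passwords to
    every account. Returns (accounts now locked, help-desk cost in USD)."""
    locked = [u for u in usernames if policy(bad_guesses) is None]
    return locked, len(locked) * RESET_CALL_COST_USD

def seconds_for_online_guesses(policy: Policy, guesses: int) -> float:
    """Time needed to submit `guesses` passwords to one account online.
    Hard lockout stops the guessing, but also the real user (returns inf)."""
    total = 0.0
    for failures in range(guesses):
        wait = policy(failures)
        if wait is None:
            return math.inf
        total += wait
    return total

if __name__ == "__main__":
    staff = ["alice", "bob", "carol"]  # constructed sample accounts
    for label, policy in (("hard lockout", hard_lockout_policy), ("throttle", throttle_policy)):
        locked, cost = attacker_burst(policy, staff)
        print(f"{label:13s} locked={locked} reset cost=${cost} "
              f"real user's wait after burst={policy(LOCKOUT_THRESHOLD)} "
              f"time for 1000 guesses={seconds_for_online_guesses(policy, 1000):.0f}s")
```

Under the lockout policy three bad guesses per account lock every user and bill the help desk, while the throttle keeps the real user waiting only seconds and still makes 1000 online guesses take hours; neither replaces the real fix the notes give, stronger pass phrases.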
Protect your Windows Network by Steve Riley and Jesper Johansson.