Computer Security: Myths and Mistakes. Mark “Simple Nomad” Loveless, Hacker
Hello • Current employer, MITRE Corporation¹ • I am not doing a “soft sell” • I do not consult • I have not written a book
¹ The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.
Myth #1 • My company is small, no one will attack us • Yes they will • Your machines are wanted for botnets • Your bandwidth is wanted for sending spam • Your customer data is wanted for identity theft
Myth #2 • My firewall will protect me • No it will not • E-mail goes straight through it • Ingress is filtered, egress (web surfing) usually is not, and attacks ride back in on the outbound connections you allow • Trusted partners, vendors, clients • Rogue wireless • Even old dialup
Myth #3 • My IDS/IPS will protect me • Hackers know not only how to avoid these systems but how to fingerprint them • With that fingerprint, an attack can be tailored to slip past the specific product in front of the target
Fun Fact #1 • Hackers have jobs, and any company that says it doesn't hire them is lying, or doesn't know • There are blackhats out there working in IT, for security vendors, and even at auditing firms
Myth #4 • My anti-virus software will protect me • No it will not • All anti-virus companies miss things • By the time you get updated signatures the new variant is already out, and the malware already in the field has been updated • 0day is big business • The bad guys know how the AV vendors operate and have changed tactics accordingly • Spear phishing is an excellent example
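Myths #3 and #4 make the same underlying point: an exact-match signature, whether an IDS pattern or an AV file hash, fails the moment the attacker changes what the sensor compares against. The following is an added example and is not from the talk; the "malware" bytes, the traversal rule and the request paths are all constructed for illustration. It shows a hash signature defeated by a one-byte variant, a raw-string IDS rule defeated by URL encoding, and the canonicalization step a rule engine needs so the same rule also catches the encoded, double-encoded and backslash forms.

```python
"""Why exact-match signatures are brittle (added example; not from the talk).

Two toy detectors: a hash-based "AV" signature and a string-based "IDS" rule.
Every sample below is constructed for illustration; nothing here is real malware.
"""
import hashlib
import re
from urllib.parse import unquote

# --- AV side: a hash signature of one known sample ---------------------------
# Constructed stand-in for a malicious file (a fake PE header plus filler).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"dropper-v1" + b"\x00" * 16
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def hash_signature_match(sample: bytes) -> bool:
    """True if the file's SHA-256 is on the signature list."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_HASHES


def make_variant(sample: bytes, padding: bytes = b"\x00") -> bytes:
    """The attacker's 'new variant': same code, one appended byte, new hash."""
    return sample + padding


# --- IDS side: a string rule for directory traversal in a request path --------
TRAVERSAL_SIG = "../"


def naive_ids_match(path: str) -> bool:
    """Compares the rule against the bytes exactly as seen on the wire."""
    return TRAVERSAL_SIG in path


def canonicalize(path: str) -> str:
    """Normalize the path the way the target web server will interpret it.

    Percent-decode until the string stops changing (defeats double encoding),
    treat backslash as a separator, collapse repeated slashes, lower-case.
    """
    prev, cur = None, path
    while cur != prev:
        prev, cur = cur, unquote(cur)
    cur = cur.replace("\\", "/")
    cur = re.sub(r"/+", "/", cur)
    return cur.lower()


def normalized_ids_match(path: str) -> bool:
    """The same rule, applied after canonicalization."""
    return TRAVERSAL_SIG in canonicalize(path)


if __name__ == "__main__":
    variant = make_variant(KNOWN_SAMPLE)
    print("AV  known sample       :", hash_signature_match(KNOWN_SAMPLE))
    print("AV  one-byte variant   :", hash_signature_match(variant))
    encoded = "/cgi-bin/%2e%2e/%2e%2e/etc/passwd"
    print("IDS naive, encoded     :", naive_ids_match(encoded))
    print("IDS normalized, encoded:", normalized_ids_match(encoded))
```

Run directly, it prints True, False, False, True. The IDS side has a cheap fix: normalize before matching, and normalize the way the protected server does, since an attacker who has fingerprinted the sensor will pick exactly the encoding it does not decode. The hash side has no equivalent fix; a fresh hash is free for the attacker and costly for the vendor, which is the signature lag the talk describes.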
Myth #5 • Wireless is mature and ready for the enterprise • Not exactly • WEP is broken • WPA2 or nothing • Key management is difficult at best • Consider an additional layer, such as a VPN, as well • And don't make that VPN PPTP (its MS-CHAP authentication has been broken since the late 1990s)
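As an added illustration of the "WEP is broken, WPA2 or nothing" and key-management bullets (not from the talk), here are three hostapd.conf fragments for the access-point side. They are separate configuration files shown together only for comparison; the interface name, SSIDs, RADIUS address and every secret are placeholders to be replaced.

```ini
# Fragment A: the setting the talk calls broken. Key length does not help;
# the key is recoverable from captured traffic.
interface=wlan0
ssid=corp-legacy
auth_algs=1
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789

# Fragment B: WPA2 with a pre-shared key. Acceptable for a small shop, but it
# is the key-management problem the talk mentions: one secret shared by every
# device, so one lost laptop means re-keying every client.
interface=wlan0
ssid=corp
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=ReplaceWithA20PlusCharacterSecret

# Fragment C: WPA2-Enterprise. Per-user credentials via 802.1X against a
# RADIUS server (placeholder address), so a single account can be revoked
# without touching anyone else.
interface=wlan0
ssid=corp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=ReplaceMe
```

Note that wpa=2 alone is not enough: leaving wpa_pairwise set to TKIP, or setting wpa=3, keeps WPA1 ciphers reachable for any client that asks for them, so pin rsn_pairwise=CCMP as above.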
Myth #6 • That plastic badge reader on the outside of my building is safe • Hardly • A reader mounted outside is physically reachable by anyone, along with its wiring, and inexpensive hardware can turn it into a massive security liability
Fun Fact #2 • “Modern jazz isn’t dead, it just smells funny” • Frank Zappa • “Perimeter security isn’t dead, it just smells funny” • Me, in the early 2000s • “Perimeter security is dead” • Me, in 2005
Myth #7 • Road warriors are safer than ever • They are more at risk than ever before • Targeted as a group via wireless/Bluetooth vulnerabilities • Targeted individually, or as an industry, at conventions
Myth #8 • Getting compliant with <acronym> will hurt and take forever • Yes and no, but mainly “no” if you have been doing Security 101 stuff all along • Don’t let vendors or consultants tell you otherwise • Most vendors “invent” compliance packages based upon Security 101 stuff anyway (I have worked for some of those vendors in the past) • No one tool, appliance, or software product will make you compliant • Learn where you are decent, and use these technologies solely as tools to fill the gaps
Fun Fact #3 • Money is ruining the hacker underground
Questions? • mloveless@mitre.org