
Computer Security: Myths and Mistakes



Presentation Transcript


  1. Computer Security: Myths and Mistakes
     Mark “Simple Nomad” Loveless, Hacker

  2. Hello
     • Current employer, MITRE Corporation (1)
     • I am not doing a “soft sell”
     • I do not consult
     • I have not written a book
     1 - The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.

  3. Myth #1
     • My company is small, no one will attack us
     • Yes they will
     • Botnets
     • Bandwidth for spam
     • Identity theft

  4. Myth #2
     • My firewall will protect me
     • No it will not
     • E-mail
     • Ingress vs. egress and web surfing
     • Trusted partners, vendors, clients
     • Rogue wireless
     • Even old dialup

  5. Myth #3
     • My IDS/IPS will protect me
     • Hackers know not only how to avoid these systems, but can actually fingerprint them
     • Using the fingerprint information, an attack can be tailored to avoid detection

  6. Fun Fact #1
     • Hackers have jobs, and any company that says it doesn't hire them is lying, or doesn't know
     • There are blackhats out there working in IT, for security vendors, and even for auditing firms

  7. Myth #4
     • My anti-virus software will protect me
     • No it will not
     • All anti-virus companies miss things
     • By the time you get updated signatures, the new variant is out, and the new malware code is updated in the field
     • 0day is big business
     • Bad guys are aware of how the AV vendors operate and have changed tactics
     • Spear phishing is an excellent example

  8. Myth #5
     • Wireless is mature and ready for the enterprise
     • Not exactly
     • WEP is broken
     • WPA2 or nothing
     • Key management is difficult at best
     • Consider an additional layer as well, such as a VPN
     • And don't make the VPN PPTP
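Slide 8's advice in checkable form. This is an added example, not from the presentation: it parses a hostapd-style access point config (the key names wpa, wpa_key_mgmt, rsn_pairwise, wpa_pairwise, wep_key0 and wep_default_key are hostapd's; both sample configs are constructed) and flags WEP, WPA1 and TKIP so that only WPA2 with CCMP passes.

```python
import re

# Constructed sample: a WEP-only access point, the setup the slide calls broken.
WEAK_CONF = """\
ssid=corp-guest
wep_default_key=0
wep_key0=123456789A
"""

# Constructed sample: WPA2 (RSN) only, AES-CCMP only.
STRONG_CONF = """\
ssid=corp
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_conf(text):
    """Parse key=value lines, skipping comments and blanks; the last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return findings for a config text; an empty list means nothing weak was seen."""
    conf = parse_conf(text)
    findings = []
    # Any wep_key0..wep_key3 or wep_default_key line means WEP is in use.
    wep_keys = sorted(k for k in conf if re.fullmatch(r"wep_key[0-3]", k))
    if wep_keys or "wep_default_key" in conf:
        names = ", ".join(wep_keys) or "wep_default_key"
        findings.append("WEP keys present (%s): WEP is broken" % names)
    # hostapd's wpa= is a bitfield: bit 1 = WPA (v1), bit 2 = WPA2/RSN.
    mode = int(conf.get("wpa", "0"))
    if mode & 1:
        findings.append("wpa=%d enables WPA1: set wpa=2" % mode)
    if not mode & 2:
        findings.append("WPA2/RSN not enabled (wpa=%d)" % mode)
    # TKIP is the WPA1-era cipher; only CCMP should be offered.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").upper():
            findings.append("%s allows TKIP: use CCMP only" % key)
    return findings
```

A mixed-mode config such as wpa=3 with rsn_pairwise=TKIP CCMP is flagged twice, once for WPA1 and once for TKIP, which is the usual shape of a "WPA2 compatible" setting that still downgrades.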

  9. Myth #6
     • That plastic reader on the outside of my building is safe
     • Hardly
     • If it is on the outside of the building, inexpensive hardware can be used to render it a massive security liability

  10. Fun Fact #2
      • “Modern jazz isn't dead, it just smells funny” - Frank Zappa
      • “Perimeter security isn't dead, it just smells funny” - Me, in the early 2000s
      • “Perimeter security is dead” - Me, in 2005

  11. Myth #7
      • Road warriors are safer than ever
      • They are more at risk than ever before
      • Targeted as a group via wireless/Bluetooth issues
      • Targeted individually or as an industry at conventions

  12. Myth #8
      • Getting compliant with <acronym> will hurt and take forever
      • Yes and no, but mainly “no” if you have been doing Security 101 stuff all along
      • Don't let vendors or consultants tell you otherwise
      • Most vendors “invent” compliance packages based upon Security 101 stuff anyway (I have worked for some of those vendors in the past)
      • No one tool, appliance, or software product will make you compliant
      • Learn where you are decent, and use these technologies solely as tools to fill the gaps

  13. Fun Fact #3
      • Money is ruining the hacker underground

  14. Questions?
      • mloveless@mitre.org