Computer Security: Myths and Mistakes
Mark “Simple Nomad” Loveless
Hacker

Hello
• Current employer, MITRE Corporation¹
• I am not doing a “soft sell”
• I do not consult
• I have not written a book

¹ The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.

Myth #1
• My company is small, no one will attack us
• Yes they will
  • Botnets
  • Bandwidth for spam
  • Identity theft

Myth #2
• My firewall will protect me
• No it will not
  • E-mail and web surfing
  • Ingress vs. egress
  • Trusted partners, vendors, clients
  • Rogue wireless
  • Even old dialup

Myth #3
• My IDS/IPS will protect me
• Hackers know not only how to avoid these systems, but can actually fingerprint them
• Using the fingerprint information, an attack can be tailored to avoid detection

Fun Fact #1
• Hackers have jobs, and any company that says it doesn’t hire them is lying, or doesn’t know
• There are blackhats out there working in IT, for security vendors, and even for auditing firms

Myth #4
• My anti-virus software will protect me
• No it will not
  • All anti-virus companies miss things
  • By the time you get updated signatures, the new variant is out, and the new malware code is updated in the field
  • 0day is big business
  • Bad guys are aware of how the AV vendors operate and have changed tactics
  • Spear phishing is an excellent example

Myth #5
• Wireless is mature and ready for the enterprise
• Not exactly
  • WEP is broken
  • WPA2 or nothing
  • Key management is difficult at best
  • Consider an additional layer, such as a VPN, as well
    • And don’t make the VPN PPTP

Myth #6
• That plastic reader on the outside of my building is safe
• Hardly
• If it is on the outside of the building, inexpensive hardware can be used to render it a massive security liability

Fun Fact #2
• “Modern jazz isn’t dead, it just smells funny”
  • Frank Zappa
• “Perimeter security isn’t dead, it just smells funny”
  • Me, in the early 2000s
• “Perimeter security is dead”
  • Me, in 2005

Myth #7
• Road warriors are safer than ever
• They are more at risk than ever before
  • Targeted as a group via wireless/Bluetooth issues
  • Targeted individually or as an industry at conventions

Myth #8
• Getting compliant with <acronym> will hurt and take forever
• Yes and no, but mainly “no” if you have been doing Security 101 stuff all along
• Don’t let vendors or consultants tell you otherwise
• Most vendors “invent” compliance packages based upon Security 101 stuff anyway (I have worked for some of those vendors in the past)
• No one tool, appliance, or software product will make you compliant
• Learn where you are decent, and use these technologies solely as tools to fill the gaps

Fun Fact #3
• Money is ruining the hacker underground

Questions?
• mloveless@mitre.org