Computer Security: Myths and Mistakes

Mark “Simple Nomad” Loveless
Hacker
Hello
• Current employer, MITRE Corporation [1]
• I am not doing a “soft sell”
• I do not consult
• I have not written a book

[1] The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.
Myth #1
• My company is small, no one will attack us
• Yes they will: attackers do not select targets by company size, they want what every network has
• Botnets (your hosts are worth having as bots)
• Bandwidth for spam
• Identity theft (your customer and employee records)
Myth #2
• My firewall will protect me
• No it will not
• E-mail: attachments and links arrive over a port the firewall has to allow
• Ingress vs. egress: most firewalls filter only inbound traffic, so web surfing, and anything a compromised host sends out, passes unchecked
• Trusted partners, vendors, clients: their connections bypass the perimeter by design
• Rogue wireless: an access point behind the firewall is a second, unfiltered entrance
• Even old dialup: forgotten modems still answer
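The ingress-versus-egress point is easiest to see by running two rulesets against the same traffic. The following is an added example, not code from the talk: a small first-match policy evaluator, an "inbound only" ruleset of the kind Myth #2 is about, and one that also restricts outbound traffic. The address space, rules and flows are all constructed for the illustration.

```python
"""Ingress-only vs. ingress+egress firewall policy, run against a few constructed flows."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed address space of "inside"


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str            # "in" (toward INTERNAL) or "out" (from INTERNAL)
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def direction(flow: Flow) -> str:
    return "out" if ipaddress.ip_address(flow.src) in INTERNAL else "in"


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied."""
    d = direction(flow)
    for r in policy:
        if r.direction != d:
            continue
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        return r.action
    return "deny"


# The usual "ingress only" ruleset: a few inbound services, everything outbound trusted.
INGRESS_ONLY = [
    Rule("allow", "in", "tcp", 25),
    Rule("allow", "in", "tcp", 443),
    Rule("allow", "out", "any", None),
]

# Same inbound rules, but outbound limited to what users actually need.
INGRESS_EGRESS = [
    Rule("allow", "in", "tcp", 25),
    Rule("allow", "in", "tcp", 443),
    Rule("allow", "out", "tcp", 80),
    Rule("allow", "out", "tcp", 443),
    Rule("allow", "out", "udp", 53),
]

# Constructed flows; the addresses are documentation ranges, not real hosts.
FLOWS = {
    "user web browsing":           Flow("10.1.2.3", "198.51.100.10", "tcp", 443),
    "bot phoning home via IRC":    Flow("10.1.2.3", "203.0.113.7", "tcp", 6667),
    "spam relayed from a desktop": Flow("10.1.2.3", "203.0.113.25", "tcp", 25),
    "inbound mail to the MX":      Flow("203.0.113.25", "10.0.0.25", "tcp", 25),
}


def compare(flows=FLOWS) -> dict:
    """Map each flow name to (verdict under INGRESS_ONLY, verdict under INGRESS_EGRESS)."""
    return {name: (evaluate(INGRESS_ONLY, f), evaluate(INGRESS_EGRESS, f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:30s} ingress-only={a:5s} ingress+egress={b}")
```

Under the ingress-only policy the bot's IRC connection and the desktop relaying spam are both "allow", because nothing outbound is ever inspected; the egress policy denies both while leaving browsing and inbound mail untouched. A real egress ruleset also needs exceptions for hosts that legitimately talk outbound on those ports (the mail server on TCP/25, for instance), which is exactly where the inventory work of Security 101 pays off.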
Myth #3
• My IDS/IPS will protect me
• Hackers know not only how to avoid these systems but how to fingerprint them
• Using the fingerprint information, an attack can be tailored to avoid detection
Fun Fact #1
• Hackers have jobs, and any company that says it doesn't hire them is lying, or doesn't know
• There are blackhats out there working in IT, for security vendors, and even for auditing firms
Myth #4
• My anti-virus software will protect me
• No it will not
• All anti-virus companies miss things
• By the time you get updated signatures, the new variant is already out, and the malware code in the field has already been updated
• 0day is big business
• Bad guys are aware of how the AV vendors operate and have changed tactics
• Spear phishing is an excellent example: a custom sample sent to a handful of targets is unlikely to be in any vendor's signature set
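To show concretely why "updated signatures" lag the variant, here is an added example (not code from the talk, and not a real engine or real malware): a scanner with the two signature types an AV product typically ships, a whole-file hash and a byte pattern, run against a constructed sample and two cheap variants of it. The sample bytes, the signatures and the one-byte XOR "packer" are all made up for the illustration.

```python
"""Static AV signatures against a constructed sample and two cheap variants of it."""
import hashlib
from typing import Dict, List

# Constructed stand-in for a malicious file; the bytes are arbitrary, not real malware.
SAMPLE = b"MZ\x90\x00" + b"connect 203.0.113.7:6667 NICK bot0" + b"\x00" * 8

# Two signature types an engine typically ships: a whole-file hash and a byte pattern.
SIGNATURES: Dict[str, object] = {
    "hashes": {hashlib.sha256(SAMPLE).hexdigest()},
    "patterns": [b"NICK bot"],
}


def scan(data: bytes, sigs=SIGNATURES) -> List[str]:
    """Names of matching signatures; an empty list is what the AV reports as 'clean'."""
    hits = []
    if hashlib.sha256(data).hexdigest() in sigs["hashes"]:
        hits.append("hash")
    for p in sigs["patterns"]:
        if p in data:
            hits.append("pattern:" + p.decode())
    return hits


def flip_last_byte(data: bytes) -> bytes:
    """Variant 1: the kind of trivial change a rebuild produces."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def xor_pack(data: bytes, key: int) -> bytes:
    """Variant 2: a one-byte XOR 'packer' with the key stored as a 1-byte header.
    Real packers are far more elaborate; the effect on byte-pattern signatures is the same."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return bytes([key]) + bytes(b ^ key for b in data)


def xor_unpack(blob: bytes) -> bytes:
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def scan_with_unpacking(blob: bytes, sigs=SIGNATURES) -> List[str]:
    """What a better engine does: if the raw bytes look clean, unpack and scan the body."""
    hits = scan(blob, sigs)
    if hits:
        return hits
    return ["unpacked:" + h for h in scan(xor_unpack(blob), sigs)]


def results() -> Dict[str, List[str]]:
    v1 = flip_last_byte(SAMPLE)
    v2 = xor_pack(SAMPLE, 0x5A)
    return {
        "original":                         scan(SAMPLE),
        "one byte changed":                 scan(v1),
        "xor packed":                       scan(v2),
        "xor packed, engine unpacks first": scan_with_unpacking(v2),
    }


if __name__ == "__main__":
    for name, hits in results().items():
        print(f"{name:35s} {hits or 'clean'}")
```

A single changed byte already defeats the hash signature; the pattern signature survives that but not the XOR packing, and the engine only catches the packed variant once it knows this particular packer. Every new packer, stub or build is a new variant the vendor has to see before anyone gets a signature for it.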
Myth #5
• Wireless is mature and ready for the enterprise
• Not exactly
• WEP is broken
• WPA2 or nothing
• Key management is difficult at best
• Consider an additional layer as well, such as a VPN
• And don't make the VPN PPTP (its MS-CHAP authentication and RC4-based encryption are broken)
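"WEP is broken" has a very concrete meaning: the per-frame IV is only 24 bits, it is sent in the clear, and everything else keyed into RC4 is the static shared key, so any two frames with the same IV use the same keystream. The following is an added example, not code from the talk: a textbook RC4, WEP-style framing (IV || RC4(payload || CRC-32 ICV)), and the known-plaintext recovery that IV reuse allows, plus the birthday bound on how soon a 24-bit IV repeats. The key, IV and payloads are constructed demo values.

```python
"""Why 'WEP is broken': RC4 under a 24-bit IV, and what keystream reuse gives an attacker."""
import math
import zlib
from typing import Tuple

# Constructed demo values: a 40-bit WEP key, one IV, and two payloads. Nothing here is real traffic.
WEP_KEY = bytes.fromhex("0123456789")
IV = b"\x00\x00\x01"
P_KNOWN = b"ARP request: who has 10.0.0.1? tell 10.0.0.7"   # predictable, like real ARP/DHCP
P_SECRET = b"POST /login user=admin&pw=hunter2"              # must be no longer than P_KNOWN


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP keys it with IV || shared key, so the IV is the only per-frame input."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV (3 bytes, in the clear) || RC4_{IV||key}(payload || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def recover_with_known_plaintext(frame_known: bytes, known_payload: bytes,
                                 frame_target: bytes) -> Tuple[bytes, bool]:
    """Two frames under the same IV were encrypted with the same keystream. Knowing one
    payload yields the keystream (no key needed), which then decrypts the other frame.
    Returns (recovered payload, ICV check passed)."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("different IVs: no keystream reuse to exploit")
    if len(frame_target) > len(frame_known):
        raise ValueError("known frame only reveals keystream up to its own length")
    known_body = known_payload + zlib.crc32(known_payload).to_bytes(4, "little")
    keystream = xor_bytes(frame_known[3:], known_body)
    target_body = xor_bytes(frame_target[3:], keystream)
    payload, icv = target_body[:-4], target_body[-4:]
    return payload, zlib.crc32(payload) == int.from_bytes(icv, "little")


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames after which a repeated IV is at least p likely, even with random IVs
    (many cards simply counted up from zero, which repeats sooner across reboots)."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p))))


def demo() -> Tuple[bytes, bool, int]:
    f_known = wep_encrypt(WEP_KEY, IV, P_KNOWN)
    f_target = wep_encrypt(WEP_KEY, IV, P_SECRET)   # same IV: the keystream repeats
    recovered, ok = recover_with_known_plaintext(f_known, P_KNOWN, f_target)
    return recovered, ok, frames_until_iv_collision()


if __name__ == "__main__":
    recovered, ok, n = demo()
    print("recovered:", recovered, "ICV ok:", ok)
    print("frames for a 50% chance of an IV repeat:", n)
```

With random IVs a repeat becomes more likely than not after roughly 4,800 frames, a few minutes on a busy network, and the recovered keystream decrypts every later frame that reuses that IV. This is separate from the key-recovery attacks on RC4's key schedule that turn passive capture into the shared key itself; either way the only fix is to stop using WEP, which is what "WPA2 or nothing" means.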
Myth #6
• That plastic reader on the outside of my building is safe
• Hardly
• If it is on the outside of the building, inexpensive hardware can be used to render it a massive security liability
Fun Fact #2
• “Modern jazz isn’t dead, it just smells funny” (Frank Zappa)
• “Perimeter security isn’t dead, it just smells funny” (me, in the early 2000s)
• “Perimeter security is dead” (me, in 2005)
Myth #7
• Road warriors are safer than ever
• They are more at risk than ever before
• Targeted as a group via wireless/bluetooth issues
• Targeted individually or as an industry at conventions
Myth #8
• Getting compliant with <acronym> will hurt and take forever
• Yes and no, but mainly “no” if you have been doing Security 101 stuff all along
• Don’t let vendors or consultants tell you otherwise
• Most vendors “invent” compliance packages based upon Security 101 stuff anyway (I have worked for some of those vendors in the past)
• No one tool, appliance, or software product will make you compliant
• Learn where you are already decent, and use these technologies solely as tools to fill the gaps
Fun Fact #3
• Money is ruining the hacker underground
Questions?
• mloveless@mitre.org