I always enjoy hearing about interesting UserGroup sessions that have gone on from any of the groups I stay connected with. This post came in my mail last night from Graham Jones - president of VANTUG. I did a little reading about Ryan and some of the services his company offers - very interesting.

Do you have any security experts in your membership or neighbourhood who could present to your local group?

On Wednesday, March 29th Ryan Purita made his annual visit to present to VANTUG on security. Ryan is very well known in security circles (click his name link to see) and has appeared on the CBC and is often quoted in the Vancouver Sun. Ryan was as entertaining and informative as he always is and the approx. 70 attendees were clamouring for more. He generously spent a lot of time talking to people after the meeting since the interest level was so high. Ryan spends a large part of his time doing security audits especially for larger companies.

He covered pretty much the usual gamut of security topics (viruses, adware, phishing, etc.) spending a good part of the time demonstrating via video clips that he had made (using Camtasia) how easy it is for people to compromise systems, steal credit card numbers, break into wifi (pretty much regardless of common encryption methods including WPA2) and so on. My purpose is not to try and paraphrase his talk here (his presentation is available in the Public Documents folder of the VANTUG website) but more to highlight the main takeaways.

You can spend as much money, time and effort as you like but the ultimate weaknesses today are the same as they have been for a long time:

1. If your system is fully patched then there are no obvious vulnerabilities to explore. This doesn’t mean that you shouldn’t take all of the obvious precautions when it comes to preventing the little “darlings” from getting in but they will get in one way or another if they are knowledgeable and determined! The outer “perimeter” is basically like the steering wheel lock on your car. It won’t really stop them stealing it if they really want to but they may just look further down the street for a car that doesn’t have one and take the line of least resistance. Wifi access points are a perfect example of that since so many have no protection. Incidentally he said that basically there is no such thing as a secure wifi connection – just less insecure ones.
To take the car analogy a little further: if they get in but can’t start the car then they can’t steal it. So it is with computer data if the systems are fully patched. Fewer and fewer intrusions are purely malicious in nature. They are after the valuable data so that they can make money from it! Microsoft’s current patch management products were given high marks by Ryan but of course you have to use them! But what about newly discovered vulnerabilities where a patch is not yet available, you are probably asking? Well, then your “perimeter” defenses obviously become important until a patch is available (hopefully quickly). So make sure that your computer “steering wheel lock” is on and locked as best you can.

2. Social Engineering is very much alive and well and we hear of incredible stories every day about how gullible people are when it comes to parting with their password for example. Ryan quoted an example of people giving out chocolate bars in the street in exchange for their password! It would seem that many people still don’t understand its value or importance. But most people don’t have admin access, you say. That’s true but if the little “darlings” can get in at all they have some pretty neat, and alarmingly easy, ways of getting it, especially if you haven’t paid attention to item 1. An inevitable question about the UAC in Vista came up. Ryan’s response was that as a user it annoyed him (actually he was less polite than that) but said it was one of the best things that Microsoft did from a security standpoint.

The bottom line is that there is no such thing as absolute security and probably never will be. When it comes to spending money there comes a point where it is diminishing returns. The last thing that you should do is think that you can sleep at night (or worse still tell the CEO that he can) because you have the best “perimeter” defenses that money can buy. From the outside it is like scaling the castle walls and there are plenty of examples from history where overconfidence about defenses was someone’s downfall. Today’s most unwitting Trojan Horse is still probably the lack of understanding and education of your own employees!

Ryan will be back next year and I am sure that he will be equally entertaining. If Ryan is ever in your neck of the woods try and get him to come along and talk to your UG Members. You will find it very enlightening but also a little scary!

Graham Jones
President, VANTUG