Security Not Guaranteed - 2017 Cleveland GiveCamp Presentation

James Gifford

July 22, 2017

Transcript

  1. Security Not Guaranteed. Or, how to hold off the bad guys for another day.

  2. James Gifford. Software developer, startups, 7-time GiveCamper.

  3. This Talk is NOT About... A. Protecting Against Three Letter Agencies (KGB, FSB, CIA, NSA, FBI, DOJ) B. Protecting Against a Targeted Attack C. Protecting Your Corporation D. How The Cloud Is Evil And Should Be Avoided At All Costs™
  4. Would it surprise you if...

  5. 67% of consumers... Don’t have password protection on their devices. (Sophos, August 2011)
  6. Now, this isn’t a problem in itself... But it can be disastrous if your device is LOST or STOLEN.
  7. All devices can be Password Protected

  8. { 9/10 } The estimated number of break-in attempts that would be thwarted if people simply locked their computers.
  9. And, it doesn’t have to be too complicated.

  10. The password “do graze irk” has 49 bits of entropy.

  11. It’s also a password that can be remembered, in some way.
  12. And it can be typed fairly quickly.

  13. It really takes about as much effort as password1234, but is far more secure.
  14. Now, you’re probably wondering about fingerprint unlocks. The short answer is...
  15. Please don't.

  16. Video

  17. Passwords are a start.

  18. How do you keep your passwords together?

  19. Believe it or not… Some people still use pencil and paper, or try to keep it in their heads.
  20. There are a lot of good password managers.

  21. Raise your hand if you’re using KeePass.

  22. KeePass is very popular.

  23. KeePass is also probably not secure.

  24. The French ANSSI (their version of the FBI) did an audit...
  25. And it checked out.

  26. All of these are pretty cool.

  27. Password managers are flawed.

  28. It doesn’t often matter to the consumer which manager they use.
  29. Just as long as it works. For consumers, stuff like LastPass is a good start.
  30. Just as long as it’s not a notebook.

  31. Mr. T. pities the fool who doesn’t have a password manager.
  32. Mentioning passwords...

  33. Device encryption is an important security tool.

  34. Many people fail to encrypt even the most important data.

  35. Or, overlook critical points.

  36. You can encrypt almost anything.

  37. Desktops, phones, tablets; OS X, Windows, etc

  38. If you do it, do it right.

  39. Sometimes built in tools are the best you’ve got.

  41. It’s still just a deterrent.

  43. Enough about passwords.

  44. Let’s talk about two-factor authentication.

  45. First off, what is it?

  46. 2-factor is: 1. Something you know (password) 2. Something you have (token)
  47. Now we know what it is...

  48. Let’s talk about why.

  49. It’s mostly to make your password half-useless.

  50. There are many different “tokens”.

  51. The Text Message

  52. The App

  54. The RSA Token

  55. The Hardware Token

  58. Malicious Program Protection

  59. There are different kinds of threats, and different solutions.

  60. Anti-Malware Versus Anti-Virus

  61. It helps consumers to understand the threats out there.

  62. It helps to have multiple lines of defense.

  63. There are some fairly decent products.

  64. And, some questionable services.

  65. Product choice starts fights.

  66. There are different measures of success.

  67. Nothing’s perfect.

  68. Fin.

  69. Resources page is at: j.mp/SecurityNotGuaranteed

  70. Tomatoes? James Gifford james@armyofminions.com
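Slides 10 to 13 compare a random-word passphrase with password1234 by entropy. The following is an added example, not part of the original deck or the speaker's material, showing where those bits come from: entropy depends only on the size of the word list and the number of words drawn, assuming the attacker knows the list and the scheme, and on the words being drawn with a cryptographic random source. The toy word list, the 7776-word diceware list size, the 10-million-entry candidate list and the 10^10 guesses/second rate are constructed inputs for illustration.

```python
import math
import secrets

# Constructed toy word list for illustration only; a real diceware-style
# list has thousands of entries (the classic list has 7776 = 6^5 words).
TOY_WORDS = ["do", "graze", "irk", "lamp", "river", "quiet", "seven", "tonic"]


def entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of a passphrase of `word_count` words chosen uniformly at
    random from a list of `wordlist_size` words. The attacker is assumed to
    know the list and the scheme; only the choices are secret."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(words: list[str], word_count: int) -> str:
    """Draw words with the `secrets` module (the OS CSPRNG), never with
    `random`, which is not designed to produce unpredictable secrets."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from the list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def dictionary_attack_bits(candidate_list_size: int) -> float:
    """Upper bound on the effective entropy of any password that appears on
    an attacker's candidate list: at most that many guesses are needed,
    regardless of how long the password looks."""
    return math.log2(candidate_list_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given guess rate (the expected
    time to hit the right one is half of this)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    diceware = 7776  # size of the classic diceware list (assumed input)
    print(generate_passphrase(TOY_WORDS, 3), "<- toy list, so low entropy")
    for n in (3, 4, 5):
        b = entropy_bits(diceware, n)
        days = seconds_to_exhaust(b, 1e10) / 86400
        print(f"{n} diceware words: {b:.1f} bits, {days:.1f} days at 1e10 guesses/s")
    print("words needed for 49 bits:", words_needed(diceware, 49))
    print("any password on a 10M-entry list: at most",
          f"{dictionary_attack_bits(10_000_000):.1f} bits")
```

The point the numbers make is that a passphrase built from a short toy list is weak no matter how random the draw, and a password that appears on a published list is weak no matter how long it is; the list size and the random source are what count.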