Security Not Guaranteed - 2017 Cleveland GiveCamp Presentation

Transcript

1. Security Not Guaranteed Or, how to hold off the bad

   guys for another day.

2. James Gifford Software developer, startups, 7-time GiveCamper.

3. This Talk is NOT About... A. Protecting Against Three Letter

   Agencies (KGB, FSB, CIA, NSA, FBI, DOJ) B. Protecting Against a Targeted Attack C. Protecting Your Corporation D. How The Cloud Is Evil And Should Be Avoided At All Costs™

4. Would it surprise you if...

5. 67% of consumers... Don’t have password protection on their devices.

   (Sophos, August 2011)

6. Now, this isn’t a problem in itself... But, it can

   be disastrous if your device is LOST or, STOLEN.

7. All devices can be Password Protected

8. { 9/10 } The estimated number of break-in attempts that

   would be thwarted if people simply locked their computers.

9. And, it doesn’t have to be too complicated.

10. The password: do graze irk has 49 bits of entropy.

11. It’s also a password that can be remembered, in some

    way.

12. And it can be typed fairly quickly.

13. It really takes about as much effort as: password1234 But,

    is far more secure.

14. Now, you’re probably wondering about fingerprint unlocks: The short answer

    is...

15. Please don't.

16. Video

17. Passwords are a start.

18. How do you keep your passwords together?

19. Believe it or not… Some people still use pencil, and

    paper, or try to keep it in their heads.

20. There are a lot of good password managers.

21. Raise your hand if you’re using KeePass.

22. KeePass is very popular.

23. KeePass is also probably not secure.

24. The French ANSSI (Their version of the FBI) Did an

    Audit...

25. And it checked out.

26. All of these are pretty cool.

27. Password managers are flawed.

28. It doesn’t often matter to the consumer which manager they

    use.

29. Just as long as it works. For consumers stuff like

    LastPass is a good start.

30. Just as long as it’s not a notebook.

31. Mr. T. pities the fool who doesn’t have a password

    manager.

32. Mentioning passwords...

33. Device encryption is an important security tool.

34. Many people fail to encrypt even the most important data.

35. Or, overlook critical points.

36. You can encrypt almost anything.

37. Desktops, phones, tablets; OS X, Windows, etc

38. If you do it, do it right.

39. Sometimes built in tools are the best you’ve got.

40. None

41. It’s still just a deterrent.

42. None

43. Enough about passwords.

44. Let’s talk about two-factor authentication.

45. First off, what is it?

46. 2 factor is: 1. Something you know (password) 2. Something

    you have (token)

47. Now we know what it is...

48. Let’s talk about why.

49. It’s mostly to make your password half-useless.

50. There are many different “tokens”.

51. The Text Message

52. The App

53. None

54. The RSA Token

55. The Hardware Token

56. None
57. None

58. Malicious Program Protection

59. There are different kinds of threats, and different solutions.

60. Anti-Malware Versus Anti-Virus

61. It helps consumers to understand the threats out there.

62. It helps to have multiple lines of defense.

63. There are some fairly decent products.

64. And, some questionable services.

65. Product choice starts fights.

66. There are different measures of success.

67. Nothing’s perfect.

68. Fin.

69. Resources page is at: j.mp/SecurityNotGuaranteed

70. Tomatoes? James Gifford james@armyofminions.com