The Internet is Evil
John Strand

        Back by popular demand!!  SANS professor and technical guru extraordinaire, John Strand, joined us again this year to share more of his in-depth technical knowledge and rock-n-roll personality.   John currently teaches the SANS GCIH and CISSP classes, and is a key player in their local mentor program.  His extensive experience in computer security and education encompasses the areas of intrusion detection, incident response, vulnerability assessment/penetration testing, specialized multi-level security solutions, security architectures, program certifications and accreditation.  Whew!  But that's not all.  He holds a Masters degree from Denver University, where he is also a professor.  Amazingly, he still finds 'spare time' to write loud rock music and make futile attempts at fly-fishing.

 Paul Asadorian wrote on his blog -

        "While all of the presentations got rave reviews, one of the keynote speeches was particularly interesting. John Strand gave a keynote speech titled "The Internet is Evil". Most of us know that the Internet is evil, but John wants us to do something about it. He challenges us to think differently about defense, question how much, if any, Internet access your users should have. He also brings up a good point about the perceptions of users. Many believe that the average user is not knowledgeable about computers, when in reality they are using anonymizing proxies to bypass corporate web filtering. John then went on to identify two areas of "security" that need improvement. I put "security" in quotes, because it's a false sense of security that the following provide:

• Anti-virus - John points out a new service that allows you to upload your binary and have it encoded by several different programs, then review a report of which Anti-virus engines caught it, and which ones did not. You can find more information on the PolyPack web site.
• SSL - SSLStrip is a tool that tricks the user into running a connection over HTTP instead of HTTPS. You can watch a video demonstration of this tool in action to get a better idea how it works. John then goes on to show how this could be combined with attacks against BGP to intercept traffic without having to be on the same subnet as your victims.

        John then went on to cover defensive techniques that work, such as using firewalls not only to restrict outgoing access, but also to enable the built-in firewall on all of your hosts (especially desktops). The other interesting idea he presented was to treat your user desktop subnets as hostile. I know this may sound like a radical idea, but if the users are accessing the Internet and exposing their systems to malicious code, it's best to treat them as if they are already infected with malware. I've used this tactic when developing security strategies for universities and it works quite well."

 

Download link: http://blip.tv/file/get/Irongeek-2009LMIJohnStrand243.mp4

Descriptions and details from http://www.louisvilleinfosec.com, with small edits.
Thanks to Lee Pfeiffer and the student volunteers for handling the video the day of the conference, and Brian Blankenship for editing the videos.

Printable version of this article