This document discusses information security threats facing organizations. It begins by defining security as freedom from risk or danger and the application of safeguards to prevent loss. It then discusses the types of threats including hackers, vandals, insiders, and espionage. It emphasizes the importance of knowing potential enemies and one's own weaknesses. Emerging threats discussed include social engineering, wireless networks, and lack of security on many wireless access points. The document stresses taking a defense-in-depth approach using administrative, physical, and technical controls to mitigate risks.

1. Information Security in the
Starbucks Generation
Anthony Lauro
Anthony.Lauro@dfwwireless.org

2. Overview
• What is security?
• Who are the threats?
• Know thy enemy
• Know thyself
• Emerging threats
• Plan of defense
• Security Management
• Defense in depth

3. What Is “Security”?
• “Freedom from risk or danger”*
• The application of safeguards to
prevent loss
• A subjective measurement of
preparedness for risk
• A feeling of safety 
* The American Heritage Dictionary of the English Language.

4. What is Risk?
• A potential for loss or harm
• An exposure to a threat
• Risk is subjective
• Dependent on situation and
circumstances

5. What’s the big deal?
• Loss of company assets
• Loss of revenue/market
share
• Loss of intellectual property
• Loss of privacy
• Damage to reputation

6. Who is a threat?
• Hackers
• Vandals
• Espionage
• Insiders
• Everyone*
* This depends on how paranoid you are.

7. Know Thy Enemy

8. Knowing your Enemy
Not knowing who the enemy is can be a bad thing
• Vietnam
• “War on Drugs”
• Vezzini - from The Princess Bride

9. Know Thyself
• "Well, cyberterrorists may be difficult to capture in the act,
but from what I know about people who are highly skilled
with computers, they should be easy to beat up."
– Ernest Cey, Speechwriter
• "You mean some hacker could disrupt the computerized
billing and record-keeping of my local phone company,
costing them millions of dollars? That's awesome."
– Frank Moreland, Piano Teacher
• "This is not a tool we should take seriously, or our customers
should take seriously..."
– Edmund Muth, Microsoft, as reported by the New York Times,
referring to Back Orifice.

10. History of the Hack
1960: The Dawn of Hacking
1970: Phone Phreaks and Cap'n
Crunch
1980: Hacker Message Boards and
Groups
1983: Kids' Games
1984: Hacker 'Zines- Birth of the 2600
group
1986: Use a Computer, Go to Jail
1988: The Morris Worm
1989: The Germans and the KGB
1990: Operation Sundevil
1993: Why Buy a Car When You Can
Hack One?
1994: Hacking Tools R Us
1995: The Mitnick Takedown
1997: Hacking AOL
1998: The Cult of Hacking and the
Israeli Connection
1999: Software Security Goes
Mainstream
2000: Service Denied (DDOS)
2001: DNS Attacks

11. Hacking is not that hard to do!
• Openly displayed information
• Easily available tools
• Dumpster Diving
• Shoulder Surfing

12. Search online, see what you find

13. • Go to http://neworder.box.sk/ and search for your favorite
operating system or program. Chances are it’s already been
hacked.
• Find tools to secure your network and test your system for
vulnerabilities. http://packetstorm.dnsi.info
• Tools and info on security research. http://blacksun.box.sk/
• News and Info on wireless hacking and security. Tools to
audit wireless networks. Home of the DFW Wireless Users
Group.
http://www.dfwwireless.org
• Daily news, vulnerability listings, and advisories.
http://www.net-security.org/
Resources

14. Social Engineering
• Using social interaction to get information
• Plays upon people’s good intentions
• Extremely effective in many situations
• Common ploys
– The Dumb User
– The VIP
– The Lost Puppy
– The Prize

15. Social Engineering
• Attempt to manipulate or trick a person into
providing information or access
• Bypass network security by exploiting human
vulnerabilities
• Human-based
– Impersonation
– Third-person authorization
• Computer-based
– Popup windows
– Mail attachments

16. Wireless Networks
• Different technology, same threat
• Out of sight out of mind
• “Gee Wiz” technology
• Increases attack accessibility
• Unauthorized clients
• Misconfigurations

17. Consumer Wireless Products
Local Area NetworkLocal Area Network
TechnologyTechnology
802.11 (FHSS) 2.4 GHz802.11 (FHSS) 2.4 GHz
1 Mbps1 Mbps
Freq. Hopped Spread SpectrumFreq. Hopped Spread Spectrum
802.11 (DSSS) 2.4 GHz802.11 (DSSS) 2.4 GHz
1 or 2 Mbps1 or 2 Mbps
Direct Sequence Spread SpectrumDirect Sequence Spread Spectrum
HiperlanHiperlan
23.5 Mbps23.5 Mbps
High Performance Radio LANHigh Performance Radio LAN
P802.11b (DSSS) 2.4 GHzP802.11b (DSSS) 2.4 GHz
11 Mbps11 Mbps
Direct Sequence Spread SpectrumDirect Sequence Spread Spectrum
P802.11a 5 GHzP802.11a 5 GHz
InitialInitial
ShipmentsShipments
InitialInitial
ShipmentsShipments
FinalFinal
SpecificationSpecification
SpecificationsSpecifications
ApprovedApproved
Initial MobileInitial Mobile
ShipmentsShipments
19991999 20002000 20012001 20022002 20032003
Q1Q1 Q2Q2 Q3Q3 Q4Q4 Q1Q1 Q2Q2 Q3Q3 Q4Q4 Q1Q1 Q2Q2 Q3Q3 Q4Q4 Q1Q1 Q2Q2 Q3Q3 Q4Q4 Q1Q1 Q2Q2 Q3Q3 Q4Q4
54 Mbps54 Mbps
Direct Sequence Spread SpectrumDirect Sequence Spread Spectrum

18. !! WIRELESS GONE WILD !!

19. Wireless Access Points

20. Wireless Usage Statistics
• 35.8% of Access points are
running with default
configurations
• 65% of networks are NOT
using WEP

21. Basic Security Management

22. Defense in Depth
• Administrative Controls
• Physical Controls
• System Access
• File Access
• Authorization Tables
• Transmission Protocols
• Encryption

23. My crime is that of curiosity. My crime is
that of judging people by what they say and
think, not what they look like. My crime is
that of outsmarting you, something that you
will never forgive me for.
Mentor – Hackers Manefisto