It's the rare technical expert who can make complex topics clear to anyone. Even rarer is the guru who can hit that mark while drawing a laugh from his or her audience. The concluding keynote address (whose title also provides the title for this very story) at Altiris ManageFusion in Orlando, Florida, by Laura Chappell showed such a pundit at work. A protocol analyst and security expert extraordinaire who's worked with financial and government institutions, branches of the US and other militaries, and all kinds of other commercial clients, Chappell gave conference attendees a well-rehearsed "wake-up call" designed to illustrate the dangers that unwary or unprepared companies and organizations face.
Starting with a typical-enough litany of scary security statistics from the FBI's and the Computer Security Institute's (CSI) annual "Computer Crime and Security Survey," she laid the groundwork by stating the most common causes of security woes—namely, viruses, theft of proprietary information and attacks from inside the firewall. By then launching into concrete examples from her own experience - including amusing anecdotes about accessing a bank's wireless access point from her hotel room while attending a security conference, tapping into the network at the organization where she was speaking by hooking her laptop into a jack thoughtfully provided on her podium, and sniffing packets from the wireless traffic at the Altiris conference itself - she made it crystal clear that one need never look far to find sources for security concerns or reasons for remediation.
Though much of her advice is well-known and –understood, she also made it clear that best practices continue to be honored more in their breach than in their observance. She cited pressing needs to conduct regular security audits, penetration tests and vulnerability scans, while handing out an outstanding DVD-based collection of tools to perform those and many other security tasks. Laura's Lab Kit, as this collection is known, includes a plethora of security scanning and penetration testing tools such as keyloggers, password crackers, scanners and various types of exploits, as well as the Ethereal Open Source protocol analyzer and an evaluation copy of the outstanding NetScanTools that can be used for network analysis and web site reconnaissance. She also discussed how important it is to scan all software images and packages before deploying them through any kind of automated software distribution system, to avoid spreading infection inadvertently—a lesson conference sponsor Altiris not only endorses but has taken to heart in its own toolsets and environments.
After stressing the fundamental principles of security—including performing a risk assessment, valuing assets and setting policy to manage or mitigate risks—she went on to illustrate how important these concepts really are by talking about what can happen to a company or organization should the CEO's laptop be lost or stolen. She also provided lots of useful advice about specific things to look for, problems to anticipate, and practices to implement that readers will also find covered in detail in books and courses that she teaches around the world on a regular basis. A full audio version of her presentation is also available online from Altiris.
Ed Tittel is a full-time freelance writer, trainer and consultant who specializes in matters related to information security, markup languages, and networking technologies. He's a regular contributor to numerous TechTarget Web sites, technology editor for Certification Magazine, and writes an e-mail newsletter for CramSession called "Must Know News."