TRAINING PROGRAM


Sunday, July 31, 2005
S1 Hands-on Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 1 of 2) NEW!
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.

Who should attend: System administrators of Linux and other UNIX systems; anyone who runs a public UNIX server.

Few people enjoy learning how to swim by being tossed into the ocean, but that's what happens if a system you manage gets hacked. You often have little choice other than to reload that system, patch it, and get it running again. This two-day class gives you a chance to work with systems that have been "hacked," letting you search for hidden files or services or other evidence of the intrusion. Examples are taken from real, recent attacks on Linux systems. You will perform hands-on exercises with dual-use tools to replicate what intruders do as well as with tools dedicated to security. The tools vary from the ordinary, such as find and strings, to less familiar but very important ones, such as lsof, scanners, sniffers, and the Sleuth Kit.

The lecture portion of this class covers the background you need to understand UNIX security principles, TCP/IP, scanning, and popular attack strategies.

Day Two will explore the defenses for networks and individual systems. The class will end with a discussion of the use of patching tools for Linux, including cfengine.

Class exercises will require that you have an x86-based laptop computer that can be booted from a KNOPPIX CD. Students will receive a version of Linux on CD that includes the tools, files, and exercises used in the course. If you have a laptop but don't know whether it can run a bootable Linux CD (that will not have an impact on your installed hard drive or operating systems), please download a copy of KNOPPIX (https://www.knoppix.org), burn it, and try it out. KNOPPIX support for wireless is the same as common Linux kernels (not exciting), but KNOPPIX does a superb job of handling most other hardware found in laptops.

Exercises include:

DAY ONE:

  • Finding hidden files and evidence of intrusion
  • TCP/IP and its abuses
  • hping2 and xprobe probes, watched with ethereal
  • nmap while watching with ethereal or tcpdump (connect and SYN scans)
  • Working with buffer-overflow exploit examples
  • Apache servers and finding bugs in scripts
  • John the Ripper, password cracking

DAY TWO:

  • Elevation of privilege and suid shells
  • Rootkits, and finding rootkits (chkrootkit)
  • Sleuth Kit (looking at intrusion timelines)
  • iptables and netfilter
  • Tracking down DoS floods
  • cfengine configuration
  • Vulnerability scanning with nessus
Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.


S3 System Log Aggregation, Statistics, and Analysis
Marcus Ranum, Tenable Security, Inc.
9:00 a.m.–5:00 p.m.

Who should attend: System and network administrators who are interested in learning what's going on in their firewalls, servers, network, and systems; anyone responsible for security and audit or forensic analysis.

This tutorial covers techniques and software tools for building your own log analysis system, from aggregating all your data in a single place, through normalizing it, searching, and summarizing, to generating statistics and alerts and warehousing it. We will focus primarily on open source tools for the UNIX environment, but will also describe tools for dealing with Windows systems and various devices such as routers and firewalls.

Topics include:

  • Estimating log quantities and log system requirements
  • Syslog: mediocre but pervasive logging protocol
  • Back-hauling your logs
  • Building a central loghost
  • Dealing with Windows logs
  • Logging on Windows loghosts
  • Parsing and normalizing
  • Finding needles in haystacks: searching logs
  • I'm dumb, but it works: artificial ignorance
  • Bayesian spam filters for logging
  • Storage and rotation
  • Databases and logs
  • Leveraging the human eyeball: graphing log data
  • Alerting
  • Legalities of logs as evidence
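The aggregate, normalize, summarize pipeline described above, reduced to a runnable sketch of the "artificial ignorance" idea: turn each syslog line into a template by replacing the fields that vary, throw away the templates you have already reviewed and decided are uninteresting, and look at what is left. This is an added example, not code from the tutorial or from loganalysis.org. The log lines are constructed, the parser handles only the classic BSD syslog line format, and the ignore list is whatever the operator has reviewed so far.

```python
"""Artificial ignorance over syslog lines (added example, constructed data)."""
import re

# Constructed sample loghost input; not from any real system.
SAMPLE_LOG = """\
Jul 31 09:00:01 web1 sshd[4121]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jul 31 09:00:07 web1 CRON[4130]: (root) CMD (run-parts /etc/cron.hourly)
Jul 31 09:01:02 web1 sshd[4140]: Accepted publickey for bob from 10.0.0.9 port 51240 ssh2
Jul 31 09:02:15 web1 sshd[4152]: Failed password for root from 192.0.2.44 port 4022 ssh2
Jul 31 09:02:16 web1 sshd[4152]: Failed password for root from 192.0.2.44 port 4022 ssh2
Jul 31 09:02:18 web1 sshd[4153]: Failed password for admin from 192.0.2.44 port 4023 ssh2
Jul 31 09:03:00 web1 kernel: martian source 10.0.0.1 from 203.0.113.7, on dev eth0
Jul 31 09:04:00 web1 CRON[4190]: (root) CMD (run-parts /etc/cron.hourly)
"""

# BSD syslog: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Normalization rules, applied in order: addresses first, then the
# "for <user> from" idiom sshd uses, then any remaining bare number.
VARIABLE_FIELDS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\bfor \S+ from\b"), "for <user> from"),
    (re.compile(r"\b\d+\b"), "<n>"),
]

def parse(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def normalize(msg):
    for rx, token in VARIABLE_FIELDS:
        msg = rx.sub(token, msg)
    return msg

def templates(text):
    """Map (program, template) -> (count, first raw line seen)."""
    seen = {}
    for line in text.splitlines():
        rec = parse(line)
        key = ("<unparsed>", line) if rec is None else (rec["prog"], normalize(rec["msg"]))
        count, sample = seen.get(key, (0, line))
        seen[key] = (count + 1, sample)
    return seen

def artificial_ignorance(text, ignore):
    """Everything not on the reviewed ignore list is, by definition, interesting."""
    return {k: v for k, v in templates(text).items() if k not in ignore}

# Templates an operator has already looked at and chosen to ignore.
IGNORE = {
    ("sshd", "Accepted publickey for <user> from <ip> port <n> ssh2"),
    ("CRON", "(root) CMD (run-parts /etc/cron.hourly)"),
}

if __name__ == "__main__":
    report = artificial_ignorance(SAMPLE_LOG, IGNORE)
    for (prog, tmpl), (count, sample) in sorted(report.items(), key=lambda kv: -kv[1][0]):
        print(f"{count:4d} {prog}: {tmpl}\n      e.g. {sample}")
```

On real data the ignore list grows by review: each run shows new templates, the operator adds the boring ones, and the residue shrinks until only unusual events remain. Over-eager normalization (replacing every number) can merge a rare event with a common one, so keep the substitution rules narrow.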
Marcus Ranum (S3) is Chief Security Officer at Tenable Security, Inc., and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.


S4 Network Security Monitoring with Open Source Tools
Richard Bejtlich, TaoSecurity.com
9:00 a.m.–5:00 p.m.

Who should attend: Engineers and analysts who detect and respond to security incidents. Participants should be familiar with TCP/IP. Command-line knowledge of BSD, Linux, or another UNIX-like operating system is a plus. A general knowledge of offensive and defensive security principles is helpful.

This tutorial will equip participants with the theory, tools, and techniques to detect and respond to security incidents. Network Security Monitoring (NSM) is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM relies upon alert data, session data, full content data, and statistical data to provide analysts with the information needed to achieve network awareness. Whereas intrusion detection cares more about identifying successful and usually known attack methods, NSM is more concerned with providing evidence to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps.

NSM theory will help participants understand the various sorts of data that must be collected. This tutorial will bring theory to life by introducing numerous open source tools for each category of NSM data. Attendees will be able to deploy these tools alongside existing commercial or open source systems to augment their network awareness and defensive posture.
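To make the data categories concrete, here is an added example (not code from the tutorial or from any of the tools it lists) that takes constructed full-content packet records and derives session data in the style of Argus or SANCP, then rolls sessions up into the per-port statistics a tool like Tcpdstat reports. The packet records are invented, and the session state names (REQ, CON, FIN, RST) are assumptions chosen to resemble Argus output rather than its actual format.

```python
"""Session and statistical data derived from packet records (added example)."""
from collections import Counter

# Constructed packet records, not a real capture:
# (timestamp, src, sport, dst, dport, proto, tcp_flags, frame_bytes)
PACKETS = [
    (100.00, "10.0.0.5", 51234, "192.0.2.10", 80, "tcp", "S", 60),
    (100.01, "192.0.2.10", 80, "10.0.0.5", 51234, "tcp", "SA", 60),
    (100.02, "10.0.0.5", 51234, "192.0.2.10", 80, "tcp", "A", 52),
    (100.03, "10.0.0.5", 51234, "192.0.2.10", 80, "tcp", "PA", 412),
    (100.20, "192.0.2.10", 80, "10.0.0.5", 51234, "tcp", "PA", 1500),
    (100.21, "192.0.2.10", 80, "10.0.0.5", 51234, "tcp", "FA", 52),
    (100.22, "10.0.0.5", 51234, "192.0.2.10", 80, "tcp", "FA", 52),
    (101.00, "10.0.0.7", 40000, "192.0.2.10", 22, "tcp", "S", 60),  # probe, never answered
    (101.00, "10.0.0.7", 40001, "192.0.2.10", 23, "tcp", "S", 60),  # probe, never answered
    (102.00, "10.0.0.5", 53000, "192.0.2.53", 53, "udp", "", 73),
    (102.01, "192.0.2.53", 53, "10.0.0.5", 53000, "udp", "", 189),
]

def session_key(pkt):
    """One key for both directions of a conversation."""
    _, src, sport, dst, dport, proto, _, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def build_sessions(packets):
    """Collapse packets into session records: initiator, timing, packets
    and bytes per direction, and the union of TCP flags seen."""
    sessions = {}
    for pkt in sorted(packets):
        ts, src, sport, dst, dport, proto, flags, size = pkt
        key = session_key(pkt)
        s = sessions.get(key)
        if s is None:  # the first packet seen defines the initiator
            s = sessions[key] = {
                "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
                "start": ts, "end": ts, "pkts": [0, 0], "bytes": [0, 0], "flags": set()}
        d = 0 if (src, sport) == (s["src"], s["sport"]) else 1  # 0 = initiator -> responder
        s["end"] = ts
        s["pkts"][d] += 1
        s["bytes"][d] += size
        s["flags"].update(flags)
    return list(sessions.values())

def state(s):
    """Assumed Argus-like labels: REQ = never answered, CON = open,
    FIN = closed cleanly, RST = reset."""
    if s["pkts"][1] == 0:
        return "REQ"
    if s["proto"] != "tcp":
        return "CON"
    if "R" in s["flags"]:
        return "RST"
    return "FIN" if "F" in s["flags"] else "CON"

def bytes_by_port(sessions):
    """Statistical data: total bytes per destination port, both directions."""
    c = Counter()
    for s in sessions:
        c[s["dport"]] += sum(s["bytes"])
    return c

def unanswered_by_source(sessions):
    """A source with many REQ sessions to different ports is scanning."""
    return Counter(s["src"] for s in sessions if state(s) == "REQ")

if __name__ == "__main__":
    sessions = build_sessions(PACKETS)
    for s in sessions:
        print(f'{s["start"]:8.2f} {s["end"] - s["start"]:5.2f}s {s["proto"]} '
              f'{s["src"]}:{s["sport"]} -> {s["dst"]}:{s["dport"]} '
              f'{s["pkts"][0]}/{s["pkts"][1]} pkts {s["bytes"][0]}/{s["bytes"][1]} B {state(s)}')
    print("bytes by port:", dict(bytes_by_port(sessions)))
    print("unanswered by source:", dict(unanswered_by_source(sessions)))
```

The point of the exercise is the lossy ladder: full content answers any question but costs the most to keep; session records keep who talked to whom, when, and how much, cheaply enough to retain for months; statistics survive longest but can only show that something changed, not what. The two unanswered SYNs from 10.0.0.7 would never trigger a signature, yet they stand out immediately in session data.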

Topics include:

  • NSM theory
  • Building and deploying NSM sensors
  • Accessing wired and wireless traffic
  • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger
  • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
  • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
  • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records
  • Sguil (sguil.sf.net)
  • Case studies, personal war stories, and attendee participation
Material in the class is supported by the author's book The Tao of Network Security Monitoring: Beyond Intrusion Detection (Addison-Wesley, 2005; https://www.taosecurity.com/books.html).

Richard Bejtlich (S4, M4) is founder of TaoSecurity LLC, a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. He was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001, Richard defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission. Formally trained as an intelligence officer, he holds degrees from Harvard University and the United States Air Force Academy. Richard wrote The Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics. He also wrote original material for Hacking Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular Web log resides at https://taosecurity.blogspot.com.

 

Monday, August 1, 2005
M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2) NEW!
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.

See Part 1, S1, for the description of the first day of this tutorial.

Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.

The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending the course only the second day, you might want to contact the instructor before the class and get a test CD to ensure that your laptop will work in the classroom environment.

Exercises include:

  • Elevation of privilege and suid shells
  • Rootkits, and finding rootkits (chkrootkit)
  • Sleuth Kit (looking at intrusion timelines)
  • iptables and netfilter
  • Tracking down DoS floods
  • Cfengine configuration
  • Vulnerability scanning with nessus

Rik Farrow (S1, M1): see the S1 listing above for his biography.


M2 Endpoint Enforcement & Network Access Control NEW!
Tina Bird, InfoExpress
9:00 a.m.–5:00 p.m.

Who should attend: Security, desktop, and network administrators responsible for implementing end-user security mechanisms; anyone who's been wondering about the NAC and NAP hullabaloo.

Most network architectures and operating systems still rely solely on relatively simple-minded, identity-based mechanisms to grant access. IPsec and other remote access technologies, SSL/TLS and 802.1x (in most currently shipping implementations), enable decisions based on user and host identity to grant network connectivity. These tools greatly increase enterprise security. They allow access decisions to be based on an endpoint's identification as a trusted participant in the organization, no matter where the endpoint is located. But we've learned the hard way that identity-based authorization isn't enough.

Identity-based authorization doesn't help much with a Blaster-infected laptop. Once that machine connects to your network, the infection will spread to whatever it can reach behind your firewall, and user authentication can make that situation worse: valid user credentials on an infected machine may allow the infection to spread through network file shares and other common resources. Even on UNIX desktops, widely regarded as less threatening to a production environment than their Microsoft counterparts, configuration and update management can challenge an IT department's ability to safeguard itself from compromised or risky machines, as the recent outbreak of UNIX attacks at supercomputing centers and research institutions reveals.

In this tutorial, Dr. Tina Bird will present emerging technologies in the area of endpoint security enforcement and network-based dynamic access control.

Topics include:

  • A short history of computer intrusions, common features across all operating systems, and what you'd like to be able to control on all the end user machines in your organization
  • Specific configuration requirements for Windows- and Linux-based desktops to reduce the likelihood of auto-propagating exploits and rooted boxen
  • New security architectures and network protocols that enable endpoint configuration and access control, including the non-proprietary Trusted Network Connect specification from the Trusted Computing Group, an intro to 802.1x, Cisco's Network Admission Control initiative, and Microsoft's Network Access Protection
  • Developing manageable endpoint policies in a heterogeneous computing environment
  • Integrating dynamic access control management into your network infrastructure, focusing on the most effective places to start and how to manage end-user training as you implement this new technology
  • Mechanisms for remediation, ranging from URL redirects to home-grown scripting to an overview of commercial patch/configuration management systems
  • Use cases: a home grown prototype system used during the Blaster outbreak of 2003, implementing quarantine and remediation in a remote access scenario, and using policy enforcement to detect compromised machines quickly.
Tina Bird (M2) brings rigorous scientific discipline, a wealth of network administration and Internet security expertise, and substantial teaching experience to her role as the Security Architect for InfoExpress. At InfoExpress, Tina provides strategic guidance in the development of the CyberGatekeeper product line, as well as researching new vulnerabilities and exploits. She represents InfoExpress in the Trusted Computing Group's Trusted Network Connect subgroup. She also writes and speaks about policy enforcement technologies in general, including 802.1x, standards-based enforcement mechanisms and Cisco's Network Admission Control, as well as talks specifically geared towards InfoExpress products. Tina moderates the Log Analysis and VPN mailing lists; with Marcus Ranum, she runs https://www.loganalysis.org. Previously she was responsible for technical review and implementation of Internet firewalls, virtual private networks, and authentication systems at Cerner Corporation, and subsequently for Secure Network Group; the Director of Network Intelligence at Counterpane Internet Security; and a Computer Security Officer for Stanford University.


M3 Building Security In: How You Can Do Software Security NEW!
Gary McGraw, Cigital
9:00 a.m.–5:00 p.m.

Who should attend: Because the best practices described in this tutorial are applied to software artifacts, they make sense whether you're an XP cowboy or a CMMI heavy lifter. When you attend this session, you will come away with a clear action plan for attacking the software security problem in your organization.

During the past 5 years, software security has evolved from good philosophy into a technical necessity. This tutorial describes in detail what your organization can do to meet its software security goals. From straightforward and easy advice (use a code scanning tool for security code review) to trickier undertakings (build abuse cases and misuse stories to drive security testing), software security best practices allow you to build better code from the ground up by building security in. A software security program involves five major components:

  1. A process-agnostic framework and plan that fits how you build software, based on the software artifacts that you already produce.
  2. Development resources, class files, sample code, documents, and policies that make building secure software easier, by example.
  3. Training to promote software security awareness among developers and architects who need more exposure to security engineering concepts.
  4. Adoption of artifact-based software security best practices that focus attention on the software product and ignore process-based religious warfare.
  5. Continuous improvement through the application of risk-based measurement and metrics.
Topics include:

  • Requirements analysis and abuse cases
  • Architectural risk analysis
  • Risk-based security testing
  • Code review using static analysis technology (e.g., Fortify Source Code Analysis)
  • Penetration testing and software exploit
  • Post facto application security (during deployment)

Gary McGraw (M3), Cigital, Inc.'s CTO, researches software security and sets technical vision in the area of Software Quality Management. Dr. McGraw is co-author of five best selling books: Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Software Fault Injection (Wiley 1998), Securing Java (Wiley, 1999), and Java Security (Wiley, 1996). A noted authority on software and application security, Dr. McGraw consults with major software producers and consumers. He has written over sixty peer-reviewed technical publications and functions as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on Advisory Boards of Authentica, Counterpane, and Fortify Software, as well as advising the CS Department at UC Davis. Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He writes a monthly security column for Network magazine, is the editor of "Building Security In" for IEEE Security & Privacy magazine, and is often quoted in national press articles.


M4 Network Incident Response NEW!
Richard Bejtlich, TaoSecurity.com
9:00 a.m.–5:00 p.m.

Who should attend: Security staff and sys admins who detect and respond to intrusions. Participants should be familiar with TCP/IP. Command-line knowledge of BSD, Linux, or a UNIX-like operating system is a plus. A general knowledge of offensive and defensive security principles is helpful. The author's USENIX course "Network Security Monitoring with Open Source Tools" (S4) and his book The Tao of Network Security Monitoring: Beyond Intrusion Detection are very helpful prerequisites, but they are not mandatory.

You've just discovered that one or more of your systems has been compromised. Now what? This tutorial will answer that question from a network-centric approach. It is based on the author's experience handling multiple systematic, long-term compromises at a variety of enterprises. The majority of the course will approach the incident response (IR) problem from the network perspective; host-based forensics will not be a priority.

Attendees will first learn the basic steps needed to facilitate incident response prior to any compromise. Thoughts on the sorts of threats likely to be faced, common intrusion scenarios, and ways to be aware of intruder activities will be discussed. Next, attendees will hear about various means by which incidents are discovered, all based on real-life intrusions. The course will cover how to perform first response actions from the network perspective, and how to make the "pursue and prosecute" or "recover and remediate" decision. Attendees will learn how to eject determined, patient, and stealthy intruders from the enterprise, and how to verify the effectiveness of ongoing defensive measures.

Topics include:

  • Simple steps to take now that make incident response easier later
  • Characteristics of intruders, such as their motivation, skill levels, and techniques
  • Common ways intruders are detected, and reasons they are often initially missed
  • Improved ways to detect intruders based on network security monitoring principles
  • First response actions and related best practices
  • Secure communications among IR team members, and consequences of negligence
  • Approaches to remediation when facing a high-end attacker
  • Short, medium, and long-term verification of the remediation plan to keep the intruder out

Richard Bejtlich (S4, M4): see the S4 listing above for his biography.

 

Tuesday, August 2, 2005
T1 Solaris 10 Security Features Workshop NEW!
Peter Baer Galvin, Corporate Technologies
9:00 a.m.–5:00 p.m.

Who should attend: Solaris systems managers and administrators interested in the new security features in Solaris 10 (and features in previous Solaris releases that they may not be using).

This course covers a variety of topics surrounding Solaris 10 and security. Solaris 10 includes many new features, and there are new issues to consider when deploying, implementing, and managing Solaris 10. This will be a workshop featuring instruction and practice/exploration. Each student should have a laptop with wireless access for remote access into a Solaris 10 machine.

Topics include:

  • Solaris cryptographic framework
  • NFSv4
  • Solaris privileges
  • Solaris Flash archives and live upgrade
  • Moving from NIS to LDAP
  • DTrace
  • WBEM
  • Smartcard interfaces and APIs
  • Kerberos enhancements
  • Zones
  • FTP client and server enhancements
  • PAM enhancements
  • Auditing enhancements
  • Password history checking
  • IP Filter (ipf)

Peter Baer Galvin (T1) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He wrote the "Pete's Wicked World" and "Pete's Super Systems" columns at SunWorld. He is currently contributing editor for Sys Admin, where he manages the Solaris Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web services, performance tuning, and high availability.


T2 DDoS for Fun and Profit NEW!
Sven Dietrich, CERT Research, Carnegie Mellon University; David Dittrich, University of Washington
9:00 a.m.–5:00 p.m.

Who should attend: System administrators, network administrators, and computer security practitioners. A basic understanding of IP networking, network protocols, and routing as well as an understanding of computer security fundamentals is required.

The tutorial will trace the development of denial of service attacks from early, machine-crashing exploits to present-day distributed denial of service (DDoS) attacks. A substantial portion of the tutorial will be devoted to understanding DDoS attacks and developing appropriate responses. Among the issues to be addressed are preparing for a DDoS attack, recognizing the attack type and probable attack pattern, designing appropriate filter rules to mitigate the attack, and working with upstream providers. We will also survey current research that may lead to ways of thwarting such attacks in the future.

Topics include:

  • Fundamentals: Basic networking and routing protocols
  • Denial of Service:
    • Basic concepts
    • Vulnerabilities and pathologies
    • OS support
    • The jump from DoS to DDoS
    • Evolution of attack tools
  • Classes of DDoS tools:
    • What they do
    • Choices in the attack space
    • How they work
    • Currently available tools and bots
  • Diagnosis of the problem:
    • How do you know you are under attack?
    • Symptoms in your own operational and system monitoring data
    • Differentiating between flash crowds and attacks
    • Advances in research
    • Inspecting a compromised system
    • Building a monitoring/traffic capture facility
  • Mitigation:
    • Recognition of the attack
    • Attack signatures and attack tool identification
    • DoS vs. DDoS
    • Indications of single and multiple sources
    • Creating countermeasures
    • Techniques for limiting the damage
    • Characterizing the attacked resources
    • Infrastructure changes
    • Traceback
    • Filtering
    • Active response
    • Strikeback
  • Political hurdles:
    • Dealing with your ISP
    • Dealing with management
  • The bright road ahead
    • DDoS and beyond
    • Prospects for future advances in attacker tools
    • Technical, legal, and political mitigation strategies
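As an added example (not code from the tutorial or from the instructors' book), the following classifies a one-second window of session records for one victim port as a SYN flood from spoofed sources, a flood from a small set of real sources, or a flash crowd, and proposes a first-cut filter for each case. The three traffic windows are constructed, the thresholds are illustrative assumptions rather than tuned values, and the iptables and sysctl lines use standard Linux syntax but with placeholder rate numbers that would have to come from your own baseline.

```python
"""Flash crowd or DDoS? Classify a window of session records (added example)."""
from collections import Counter

def make_window(n_sessions, n_sources, state, bytes_each):
    """Constructed session records for one victim port; sources are cycled."""
    out = []
    for i in range(n_sessions):
        k = i % n_sources
        out.append({"src": f"198.18.{k // 256}.{k % 256}", "dport": 80,
                    "state": state, "bytes": bytes_each})
    return out

# Three constructed one-second windows against port 80 on one victim.
SYN_FLOOD = make_window(3000, 3000, "REQ", 0)      # each source: one SYN, never completed
BOTNET = make_window(3000, 6, "FIN", 900)          # six sources, 500 full connections each
FLASH_CROWD = make_window(3000, 800, "FIN", 900)   # many real clients, 3-4 connections each

# Illustrative thresholds (assumptions for this example, not tuned values).
HALF_OPEN_RATIO = 0.8      # share of sessions that never got a reply
MIN_SOURCES = 100          # fewer distinct sources than this: a handful of hosts carry the load
HEAVY_SOURCE_SHARE = 0.5   # top 10 sources carrying this share: filter by address

def classify(sessions, dport=80):
    """Return a verdict, the numbers behind it, and candidate first-response rules."""
    total = len(sessions)
    per_src = Counter(s["src"] for s in sessions)
    half_open = sum(1 for s in sessions if s["state"] == "REQ") / total
    top10 = sum(c for _, c in per_src.most_common(10)) / total
    rules = []
    if half_open >= HALF_OPEN_RATIO:
        # Unanswered SYNs from thousands of addresses: sources are probably
        # spoofed, so filter on behaviour (SYN rate), not on addresses.
        verdict = "syn-flood"
        rules = [
            "sysctl -w net.ipv4.tcp_syncookies=1",
            f"iptables -A INPUT -p tcp --syn --dport {dport} "
            f"-m limit --limit 200/s --limit-burst 1000 -j ACCEPT",
            f"iptables -A INPUT -p tcp --syn --dport {dport} -j DROP",
        ]
    elif len(per_src) < MIN_SOURCES or top10 >= HEAVY_SOURCE_SHARE:
        # Completed connections from a few addresses: real hosts, block them
        # (and hand the list to the upstream provider).
        verdict = "ddos-few-sources"
        rules = [f"iptables -A INPUT -s {src} -p tcp --dport {dport} -j DROP"
                 for src, _ in per_src.most_common(10)]
    else:
        # Many sources, each completing a few normal connections: customers.
        verdict = "flash-crowd"
    return {"verdict": verdict, "sessions": total, "sources": len(per_src),
            "half_open_ratio": round(half_open, 3), "top10_share": round(top10, 3),
            "rules": rules}

if __name__ == "__main__":
    for name, window in (("syn flood", SYN_FLOOD), ("botnet", BOTNET), ("flash crowd", FLASH_CROWD)):
        r = classify(window)
        print(f'{name}: {r["verdict"]} ({r["sources"]} sources, '
              f'half-open {r["half_open_ratio"]}, top10 share {r["top10_share"]})')
        for rule in r["rules"]:
            print("   ", rule)
```

The distinction matters because the wrong response is worse than none: per-address blocking of a spoofed SYN flood fills your rule tables with forged addresses and blocks nobody, and rate-limiting a flash crowd turns a capacity problem into a self-inflicted outage. In practice the verdict should be checked against the full-content and session data, not trusted from counters alone.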

Sven Dietrich (T2) is a senior member of the technical staff at CERT Research at Carnegie Mellon University and also holds an appointment at the Carnegie Mellon University CyLab, a university-wide cybersecurity research and education initiative. Previously he was a senior security architect at the NASA Goddard Space Flight Center, where he observed and analyzed the first distributed denial-of-service attacks against the University of Minnesota in 1999. He taught Mathematics and Computer Science as adjunct faculty at Adelphi University, his alma mater, from 1991 to 1997. His research interests include survivability, computer and network security, anonymity, cryptographic protocols, and cryptography. His previous work has included a formal analysis of the secure sockets layer protocol (SSL), intrusion detection, analysis of distributed denial-of-service tools, and the security of IP communications in space. His publications include the recent book Internet Denial of Service: Attack and Defense Mechanisms (Prentice Hall, 2004), as well as the articles "Analyzing Distributed Denial of Service Tools: The Shaft Case" (2000) and "The 'mstream' Distributed Denial of Service Tool" (2000), and others on Active Network Defense, DDoS tool analysis, and survivability.

David Dittrich (T2) is a Senior Security Engineer and Researcher for the UW Center for Information Assurance and Cybersecurity and the Information School at the University of Washington, where he has worked since 1990. Dave is also a member of the Honeynet Project and Seattle's "Agora" security group. He is most widely known for his research into Distributed Denial of Service (DDoS) attack tools and host and network forensics. He has presented talks and courses at dozens of computer security conferences, workshops, and government/private organizations worldwide. He has been a prolific self-publisher of white papers, FAQs, and malware tool analyses, all intended to make his (and everyone else's) life easier in dealing with computer intrusions. Dave has contributed to the books Know Your Enemy, by the Honeynet Project (Addison-Wesley, 2001), The Hacker's Challenge, edited by Mike Schiffman (McGraw Hill, 2001), and two articles in the Handbook of Information Security, edited by Hossein Bidgoli (John Wiley & Sons, 2005), and was a co-author of Internet Denial of Service: Attack and Defense Mechanisms (Prentice Hall, 2004).


T3 Organizing a Cybersecurity Exercise NEW!
Ron Dodge and Dan Ragsdale, United States Military Academy
9:00 a.m.–5:00 p.m.

Who should attend: System administrators and security professionals involved in the design, management, and security of information systems. A general familiarity with security tools, network fundamentals, and operating systems is assumed. Students will leave this tutorial with a framework that can be used to conduct a local cyber exercise.

The security of our information systems is constantly under attack. We propose that to make them safer, they should be attacked even more. A competition where teams defend a network against skilled adversaries provides an excellent means to develop the skills necessary to defend real networks. In addition, such a competition provides a safe environment to test and evaluate new and emerging defensive techniques and technologies. Similar events that have been publicized recently are the DEFCON "Capture the Flag" (CTF) competition, the military Cyber Defense Exercise, and the Collegiate Cyber Defense Competition. These competitions follow different paradigms. The DEFCON event sets every team up as both attacker and defender, while the latter two focus the teams on defensive operations only.

This tutorial explores the various organizational and administrative options available when organizing an exercise. Representative exercise schemes will be discussed in detail. An example network will be demonstrated and available for experimentation.

Topics include:

  • Exercise scope
  • Hardware and software
  • Scoring
  • Legal considerations
  • Organizational structure

Ron Dodge (T3) is the director of the Information Technology Operations Center and an assistant professor in the Department of Electrical Engineering and Computer Science at the US Military Academy. His research interests include information warfare, security protocols, Internet technologies, and performance planning and capacity management. Dodge received a PhD in computer science from George Mason University. Contact him at ronald.dodge@usma.edu.

Dan Ragsdale (T3) is the director of the Information Technology Program and an associate professor at the US Military Academy. His research interests include information assurance, network security, intrusion detection, and artificial intelligence. Ragsdale received a PhD in computer science from Texas A&M. Contact him at daniel.ragsdale@usma.edu.


T4 Security Standards and Why You Need to Understand Them NEW!
Brad C. Johnson and Richard E. Mackey, Jr., SystemExperts Corporation
9:00 a.m.–5:00 p.m.

Who should attend: Administrators, technicians, and managers at any level who need to understand the gist of the key security standards and the laws and industry trends that are making these standards critical to doing business.

Organizations are turning to security standards both to measure and to document the completeness and adequacy of their security program. You may need to simply put a check in the box that says you "substantially comply" with a particular standard or you may need to prove to yourself, customers, and partners that you follow acceptable security practices. Unfortunately, organizations do not have a widely accepted method to prove they are secure. We look to security standards to meet this need.

Computer security has seen a number of standards, compliance specifications, and certification authorities. Today, a few are beginning to gain acceptance by industry groups, but it is still difficult to tell which of these will stand the test of time and practicality. Consequently, it's important to understand, at least at a high level, what the most popular initiatives are attempting to do, what problems these standards address, and the value they provide.

Topics include:

  • Security standards review
    • Why: The motivations
      • Laws: Sarbanes-Oxley, Gramm-Leach-Bliley
      • Partnerships and mergers
      • Internal and external audits
    • What: The standards
      • ISO 17799
      • COBIT
      • SAS 70
      • Information Criticality Assessment (e.g., NSA IAM)
    • How: The mechanisms
      • ISO 17799 reviews and certifications
      • Security audits
      • Security assessments
      • Penetration and application testing
  • Practicum and Drill Downs
    • Standards motivation: Intrusion preparation
      • Homeland security
      • Intrusion awareness
      • Common intrusion areas
      • Intrusion example
    • Security assessments: Drill Down exercises
      • ISO 17799 Drill Down
      • IAM Drill Down
      • COBIT Drill Down
      • Risk analysis Drill Downs

Brad C. Johnson (T4) is vice president of SystemExperts Corporation. He has participated in seminal industry initiatives such as the Open Software Foundation, X/Open, and the IETF, and has been published in such journals as Digital Technical Journal, IEEE Computer Society Press, Information Security Magazine, Boston Business Journal, Mass High Tech Journal, ISSA Password Magazine, and Wall Street & Technology. Brad is a regular tutorial instructor and conference speaker on topics related to practical network security, penetration analysis, middleware, and distributed systems. He holds a B.A. in computer science from Rutgers University and an M.S. in applied management from Lesley University.

Richard E. Mackey, Jr. (T4) is principal of SystemExperts Corporation. Dick Mackey is regarded as one of the industry's foremost authorities on distributed computing infrastructure and security. Before joining SystemExperts, he worked in leading technical and director positions at The Open Group, The Open Software Foundation (DCE), and BBN Corporation (Cronus Distributed Computing Environment). He has been published often in security magazines such as ISSA Password, .NET, Information Security, and SC Secure Computing. He is a regular speaker on computer security topics at various industry conferences. Dick has a B.S. and an M.S. in Electrical and Computer Engineering from the University of Massachusetts at Amherst.


Last changed: 1 Aug. 2005 ch