TRAINING PROGRAM
Sunday, July 31, 2005
S1
Hands-on Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 1 of 2)
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.
Who should attend: System administrators of Linux and other UNIX systems; anyone who runs a public UNIX server.
Few people enjoy learning how to swim by being tossed into the ocean, but that's what happens if a system you manage gets hacked. You often have little choice other than to reload that system, patch it, and get it running again. This two-day class gives you a chance to work with systems that have been "hacked," letting you search for hidden files or services or other evidence of the intrusion. Examples are taken from real, recent attacks on Linux systems. You will perform hands-on exercises with dual-use tools to replicate what intruders do as well as with tools dedicated to security. The tools vary from the ordinary, such as find and strings, to less familiar but very important ones, such as lsof, scanners, sniffers, and the Sleuth Kit.
The lecture portion of this class covers the background you need to understand UNIX security principles, TCP/IP, scanning, and popular attack strategies.
Day Two will explore the defenses for networks and individual systems. The class will end with a discussion of the use of patching tools for Linux, including cfengine.
Class exercises will require that you have an x86-based laptop
computer that can be booted from a KNOPPIX CD. Students will receive
a version of Linux on CD that includes the tools, files, and exercises
used in the course. If you have a laptop but don't know whether it
can run a bootable Linux CD (that will not have an impact on your
installed hard drive or operating systems), please download a copy
of KNOPPIX (https://www.knoppix.org), burn it, and try it out. KNOPPIX
support for wireless is the same as common Linux kernels (not
exciting), but KNOPPIX does a superb job of handling most other
hardware found in laptops.
Exercises include:
DAY ONE:
- Finding hidden files and evidence of intrusion
- TCP/IP and its abuses
- hping2 and xprobe probes, watched with ethereal
- nmap while watching with ethereal or tcpdump (connect and SYN scans)
- Working with buffer-overflow exploit examples
- Apache servers and finding bugs in scripts
- John the Ripper, password cracking
DAY TWO:
- Elevation of privilege and suid shells
- Rootkits, and finding rootkits (chkrootkit)
- Sleuth Kit (looking at intrusion timelines)
- iptables and netfilter
- Tracking down DoS floods
- cfengine configuration
- Vulnerability scanning with nessus
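As an added example that is not part of the course CD or of Rik Farrow's exercises, here is a Python triage script in the spirit of the day-one "hidden files" exercise and the day-two hunt for suid shells. It walks a directory tree (in practice, a mounted image of the suspect disk, never the live root of the box you are investigating) and reports the kinds of things an intruder leaves behind: set-uid executables outside the directories that normally hold them, dot-directories in places such as /dev and /tmp, names chosen to vanish in an ls listing, and files modified after a reference time. The directory lists and the sample tree it scans are constructed assumptions.

```python
"""Filesystem triage for a possibly compromised Linux/UNIX host.

Added example; not the course's exercise code.  It automates what the
find/strings exercises do by hand: walk a tree and report set-uid
executables outside the directories that normally hold them,
dot-directories in places such as /dev, /tmp and /var/tmp where no
legitimate dot-directory lives, file names chosen to vanish in an ls
listing (' ', '...', '.. '), and files modified after a reference time
(the raw material of a timeline).  Caveat: a loaded kernel rootkit can
hide files from any userland walk; that is what chkrootkit and the
Sleuth Kit are for.  The directory lists are assumptions to adjust per
distribution.
"""
import os
import stat
import tempfile

EXPECTED_SUID_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec")
NO_DOTDIRS = ("/dev", "/tmp", "/var/tmp", "/etc", "/lib", "/usr/lib")
SUSPICIOUS_NAMES = {" ", "  ", "...", ".. ", ". "}


def _under(path, prefixes):
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def triage(root, newer_than=0.0):
    """Scan `root` as if it were '/' and return findings as sorted lists of
    absolute-looking paths, grouped by kind."""
    found = {"suid": [], "dotdir": [], "odd_name": [], "recent": []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = "/" + os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir == "/.":
            rel_dir = "/"
        for d in dirnames:
            if d.startswith(".") and _under(rel_dir, NO_DOTDIRS):
                found["dotdir"].append(os.path.join(rel_dir, d))
            if d in SUSPICIOUS_NAMES:
                found["odd_name"].append(os.path.join(rel_dir, d))
        for f in filenames:
            rel = os.path.join(rel_dir, f)
            try:
                st = os.lstat(os.path.join(dirpath, f))
            except OSError:
                continue  # vanished or unreadable; worth its own note in a real run
            if f in SUSPICIOUS_NAMES:
                found["odd_name"].append(rel)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID \
                    and not _under(rel_dir, EXPECTED_SUID_DIRS):
                found["suid"].append(rel)
            if st.st_mtime > newer_than:
                found["recent"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree():
    """Constructed mini filesystem with a planted set-uid shell and a stash."""
    root = tempfile.mkdtemp(prefix="triage-")
    for d in ("usr/bin", "dev/.shm", "tmp/...", "var/log", "home/alice"):
        os.makedirs(os.path.join(root, d))

    def put(rel, mode=0o644):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)

    put("usr/bin/passwd", 0o4755)   # legitimate set-uid binary: not reported as suid
    put("tmp/.../sh", 0o4755)       # intruder's set-uid shell in a '...' directory
    put("dev/.shm/sniff", 0o755)    # sniffer stashed in a dot-directory under /dev
    put("var/log/messages")
    put("home/alice/.bashrc")       # ordinary dot-file in a home: not a stash
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for kind, paths in triage(sample).items():
        print(kind, paths)
```

The "recent" list is only as good as the mtimes on disk, and an intruder with root can reset those with touch; the inode change time (st_ctime) is harder to forge, which is why the Sleuth Kit timelines on day two use all three timestamps.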
Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.
S3 System Log Aggregation, Statistics, and Analysis
Marcus Ranum, Tenable Security, Inc.
9:00 a.m.–5:00 p.m.
Who should attend: System and network administrators who are interested in
learning what's going on in their firewalls, servers, network,
and systems; anyone responsible for security and audit or
forensic analysis.
This tutorial covers techniques and software tools for
building your own log analysis system, from aggregating
all your data in a single place, through normalizing it,
searching, and summarizing, to generating statistics and
alerts and warehousing it. We will focus primarily on
open source tools for the UNIX environment, but will
also describe tools for dealing with Windows systems
and various devices such as routers and firewalls.
Topics include:
- Estimating log quantities and log system requirements
- Syslog: mediocre but pervasive logging protocol
- Back-hauling your logs
- Building a central loghost
- Dealing with Windows logs
- Logging on Windows loghosts
- Parsing and normalizing
- Finding needles in haystacks: searching logs
- I'm dumb, but it works: artificial ignorance
- Bayesian spam filters for logging
- Storage and rotation
- Databases and logs
- Leveraging the human eyeball: graphing log data
- Alerting
- Legalities of logs as evidence
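Added example, not code from the tutorial or from loganalysis.org, showing the middle of the pipeline described above: parsing BSD-style syslog lines into fields, normalizing the variable parts so that repeated events collapse into templates, and then the "artificial ignorance" step of subtracting every template already known to be boring so that only the unfamiliar remains. The log lines and the ignore list are constructed.

```python
"""Normalize syslog lines and apply 'artificial ignorance'.

Added example; not part of the tutorial.  You cannot enumerate what is
interesting in a log, but you can enumerate what is boring: parse each
line into host/program/message, replace the variable parts (numbers,
IP addresses, hex) with placeholders so repeated events collapse to one
template, drop every template on the known-boring list, and look at
what is left.  The ignore list grows each day from the templates you
have examined and decided to stop seeing.
"""
import re
from collections import Counter

# Constructed sample lines in BSD syslog (RFC 3164) format.
SAMPLE_LOG = """\
Jul 31 09:00:01 web1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jul 31 09:00:02 web1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jul 31 09:00:05 web1 sshd[2214]: Failed password for root from 192.0.2.77 port 4411 ssh2
Jul 31 09:00:06 web1 sshd[2215]: Failed password for root from 192.0.2.77 port 4412 ssh2
Jul 31 09:00:07 web1 sshd[2216]: Failed password for admin from 192.0.2.77 port 4413 ssh2
Jul 31 09:01:01 web1 CRON[1240]: (root) CMD (run-parts /etc/cron.hourly)
Jul 31 09:02:13 web1 kernel: martian source 10.0.0.1 from 203.0.113.9, on dev eth0
Jul 31 09:03:44 web1 su[2300]: + pts/0 alice:root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Most specific first: an IP address must become <ip>, not four <n>s.
VARIABLE_PARTS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "<hex>"),
    (re.compile(r"\b\d+\b"), "<n>"),
]


def parse(line):
    """Split one syslog line into fields; None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def normalize(msg):
    """Replace the variable tokens of a message with placeholders."""
    for rx, placeholder in VARIABLE_PARTS:
        msg = rx.sub(placeholder, msg)
    return msg


def templates(log_text):
    """Collapse a log into (program, normalized message) -> count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            counts[("<unparsed>", line)] += 1
        else:
            counts[(rec["prog"], normalize(rec["msg"]))] += 1
    return counts


# Templates we have decided are boring (constructed; a real list is far longer).
IGNORE = {
    ("CRON", "(root) CMD (run-parts /etc/cron.hourly)"),
    ("sshd", "Accepted publickey for alice from <ip> port <n> ssh2"),
}


def interesting(log_text, ignore=IGNORE):
    """Artificial ignorance: everything NOT on the ignore list, most frequent
    first, as (count, program, template)."""
    out = [(n, p, t) for (p, t), n in templates(log_text).items() if (p, t) not in ignore]
    return sorted(out, key=lambda x: (-x[0], x[1], x[2]))


if __name__ == "__main__":
    for count, prog, template in interesting(SAMPLE_LOG):
        print("%5d  %-8s %s" % (count, prog, template))
```

Note that user names are deliberately left alone by normalize(): "Failed password for root" and "Failed password for admin" are different templates, and that difference is exactly what you want to see. Whether a new template is boring or alarming is a human decision; the program only guarantees you see each new one once.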
Marcus Ranum (S3) is Chief Security Officer at Tenable Security, Inc., and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.
S4 Network Security Monitoring with Open Source Tools
Richard Bejtlich, TaoSecurity.com
9:00 a.m.–5:00 p.m.
Who should attend: Engineers and analysts
who detect and respond to security incidents. Participants should be
familiar with TCP/IP. Command-line knowledge of BSD, Linux, or another
UNIX-like operating system is a plus. A general knowledge of offensive
and defensive security principles is helpful.
This tutorial will equip participants with the theory, tools, and
techniques to detect and respond to security incidents. Network
Security Monitoring (NSM) is the collection, analysis, and escalation of
indications and warnings to detect and respond to intrusions. NSM
relies upon alert data, session data, full content data, and statistical
data to provide analysts with the information needed to achieve network
awareness. Whereas intrusion detection cares more about identifying
successful and usually known attack methods, NSM is more concerned with
providing evidence to scope the extent of an intrusion, assess its
impact, and propose efficient, effective remediation steps.
NSM theory will help participants understand the various sorts of data
that must be collected. This tutorial will bring theory to life by
introducing numerous open source tools for each category of NSM data.
Attendees will be able to deploy these tools alongside existing
commercial or open source systems to augment their network awareness and
defensive posture.
Topics include:
- NSM theory
- Building and deploying NSM sensors
- Accessing wired and wireless traffic
- Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger
- Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
- Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
- Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records
- Sguil (sguil.sf.net)
- Case studies, personal war stories, and attendee participation
Material in the class is supported by the author's book The Tao of
Network Security Monitoring: Beyond Intrusion Detection
(Addison-Wesley, 2005; https://www.taosecurity.com/books.html).
Richard Bejtlich (S4, M4) is founder of TaoSecurity LLC, a company
that helps clients detect, contain, and remediate intrusions using network
security monitoring (NSM) principles. He was previously a principal
consultant at Foundstone, performing incident response, emergency NSM, and
security research and training. He has created NSM operations for ManTech
International Corporation and Ball Aerospace & Technologies Corporation. From
1998 to 2001, Richard defended global American information assets
in the Air Force Computer Emergency Response Team (AFCERT), performing and
supervising the real-time intrusion detection mission.
Formally trained as an intelligence officer, he holds degrees from Harvard
University and the United States Air Force Academy. Richard wrote The Tao of Network
Security Monitoring: Beyond Intrusion Detection and the forthcoming
Extrusion Detection: Security Monitoring for Internal Intrusions and Real
Digital Forensics. He also wrote original material for Hacking
Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular
Web log resides at https://taosecurity.blogspot.com.
Monday, August 1, 2005
M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2)
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.
See Part 1, S1, for the description of the first day of this tutorial.
Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.
The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending the course only the second day, you might want to contact the instructor before the class and get a test CD to ensure that your laptop will work in the classroom environment.
Exercises include:
- Elevation of privilege and suid shells
- Rootkits, and finding rootkits (chkrootkit)
- Sleuth Kit (looking at intrusion timelines)
- iptables and netfilter
- Tracking down DoS floods
- Cfengine configuration
- Vulnerability scanning with nessus
Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.
M2 Endpoint Enforcement & Network Access Control
Tina Bird, InfoExpress
9:00 a.m.–5:00 p.m.
Who should attend: Security, desktop, and network administrators
responsible for implementing end-user security mechanisms; anyone who's been wondering about the
NAC and NAP hullabaloo.
Most network architectures and operating systems still rely solely
on relatively simple-minded, identity-based mechanisms to grant
access. IPsec and other remote access technologies, SSL/TLS and
802.1X (in most currently shipping implementations), enable decisions
based on user and host identity to grant network connectivity. These
tools greatly increase enterprise security. They allow access
decisions to be based on an endpoint's identification as a trusted
participant in the organization, no matter where the endpoint is
located. But we've learned the hard way that identity-based
authorization isn't enough.
Identity-based authorization doesn't help much with a Blaster-infected
laptop. Once that machine connects to your network, the infection
will spread to whatever it can reach behind your firewall, and user
authentication can make that situation worse. Valid user credentials
on an infected machine may allow the infection to spread through
network file shares and other common resources. Even on UNIX desktops,
widely regarded as less threatening to a production environment
than their Microsoft counterparts, configuration and update management
can challenge an IT department's ability to safeguard itself
from compromised or risky machines, as the recent outbreak of UNIX
attacks at supercomputing centers and research institutions reveals.
In this tutorial, Dr. Tina Bird will present emerging technologies
in the area of endpoint security enforcement and network-based
dynamic access control.
Topics include:
- A short history of computer intrusions, common features across all operating systems, and what you'd like to be able to control on all the end user machines in your organization
- Specific configuration requirements for Windows- and Linux-based desktops to reduce the likelihood of auto-propagating exploits and rooted boxen
- New security architectures and network protocols that enable endpoint configuration and access control, including the non-proprietary Trusted Network Connect specification from the Trusted Computing Group, an intro to 802.1X, Cisco's Network Admission Control initiative, and Microsoft's Network Access Protection
- Developing manageable endpoint policies in a heterogeneous computing environment
- Integrating dynamic access control management into your network infrastructure, focusing on the most effective places to start and how to manage end-user training as you implement this new technology
- Mechanisms for remediation, ranging from URL redirects to home-grown scripting to an overview of commercial patch/configuration management systems
- Use cases: a home grown prototype system used during the Blaster outbreak of 2003, implementing quarantine and remediation in a remote access scenario, and using policy enforcement to detect compromised machines quickly.
Tina Bird (M2) brings rigorous scientific discipline, a wealth of network
administration and Internet security expertise, and substantial
teaching experience to her role as the Security Architect for
InfoExpress. At InfoExpress, Tina provides strategic guidance in the development
of the CyberGatekeeper product line, as well as researching new
vulnerabilities and exploits. She represents InfoExpress in the
Trusted Computing Group's Trusted Network Connect subgroup. She also writes and speaks about policy enforcement technologies in
general, including 802.1X, standards-based enforcement mechanisms,
and Cisco's Network Admission Control, as well as talks specifically
geared towards InfoExpress products.
Tina moderates the Log Analysis and VPN mailing lists; with Marcus Ranum, she
runs https://www.loganalysis.org.
Previously she was responsible for technical review and implementation
of Internet firewalls, virtual private networks, and authentication
systems at Cerner Corporation, and subsequently for
Secure Network Group; the Director of Network
Intelligence at Counterpane Internet Security; and a Computer
Security Officer for Stanford University.
M3 Building Security In: How You Can Do Software Security
Gary McGraw, Cigital
9:00 a.m.–5:00 p.m.
Who should attend: Because the best practices described in this tutorial are applied to software artifacts, they
make sense whether you're an XP cowboy or a CMMI heavy lifter. When you
attend this session, you will come away with a clear action plan for
attacking the software security problem in your organization.
During the past 5 years, software security has evolved from good
philosophy into a technical necessity. This tutorial describes in
detail what your organization can do to meet its software security
goals. From straightforward and easy advice (use a code scanning tool
for security code review) to trickier undertakings (build abuse cases
and misuse stories to drive security testing), software security best
practices allow you to build better code from the ground up by building
security in. A software security program involves five major
components:
- A process agnostic framework and plan that fits how you build software, based on the software artifacts that you already produce.
- Development resources, class files, sample code, documents, and policies that make building secure software easier, by example.
- Training to promote software security awareness among developers and architects who need more exposure to security engineering concepts.
- Adoption of artifact-based software security best practices that focus attention on the software product and ignore process-based religious warfare.
- Continuous improvement through the application of risk-based measurement and metrics.
Topics include:
- Requirements analysis and abuse cases
- Architectural risk analysis
- Risk-based security testing
- Code review using static analysis technology (e.g., Fortify Source Code Analysis)
- Penetration testing and software exploit
- Post facto application security (during deployment)
Gary McGraw (M3), Cigital, Inc.'s CTO, researches software security and sets
technical vision in the area of Software Quality Management. Dr. McGraw is co-author of five best-selling books: Exploiting Software
(Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001),
Software Fault Injection (Wiley 1998), Securing Java (Wiley, 1999), and
Java Security (Wiley, 1996). A noted authority on software and
application security, Dr. McGraw consults with major software producers
and consumers. He has written over sixty peer-reviewed
technical publications and functions as principal investigator on grants
from Air Force Research Labs, DARPA, National Science Foundation, and
NIST's Advanced Technology Program. He serves on Advisory Boards of
Authentica, Counterpane, and Fortify Software, as well as advising the
CS Department at UC Davis. Dr. McGraw holds a dual PhD in Cognitive
Science and Computer Science from Indiana University and a BA in
Philosophy from UVa. He writes a monthly security column for Network
magazine, is the editor of "Building Security In" for IEEE Security &
Privacy magazine, and is often quoted in national press articles.
M4 Network Incident Response
Richard Bejtlich, TaoSecurity.com
9:00 a.m.–5:00 p.m.
Who should attend: Security staff and sys admins who detect and
respond to intrusions. Participants should be familiar with TCP/IP. Command-
line knowledge of BSD, Linux, or a UNIX-like operating system is a plus. A
general knowledge of offensive and defensive security principles is helpful.
The author's USENIX course "Network Security Monitoring with Open Source Tools" (S4) and his book The Tao of Network Security Monitoring: Beyond Intrusion
Detection are very helpful prerequisites, but they are not mandatory.
You've just discovered that one or more of your systems has been compromised.
Now what? This tutorial will answer that question from a network-centric
approach. It is based on the author's experience handling multiple systematic,
long-term compromises at a variety of enterprises. The majority of the course
will approach the incident response (IR) problem from the network perspective;
host-based forensics will not be a priority.
Attendees will first learn the basic steps needed to facilitate incident
response prior to any compromise. Thoughts on the sorts of threats likely to
be faced, common intrusion scenarios, and ways to be aware of intruder
activities will be discussed. Next, attendees will hear about various means by
which incidents are discovered, all based on real life intrusions. The course
will cover how to perform first response actions from the network perspective,
and how to make the "pursue and prosecute" or "recover and remediate" decision.
Attendees will learn how to eject determined, patient, and stealthy intruders
from the enterprise, and how to verify the effectiveness of ongoing defensive
measures.
Topics include:
- Simple steps to take now that make incident response easier later
- Characteristics of intruders, such as their motivation, skill levels, and techniques
- Common ways intruders are detected, and reasons they are often initially missed
- Improved ways to detect intruders based on network security monitoring principles
- First response actions and related best practices
- Secure communications among IR team members, and consequences of negligence
- Approaches to remediation when facing a high-end attacker
- Short, medium, and long-term verification of the remediation plan to keep the intruder out
Richard Bejtlich (S4, M4) is founder of TaoSecurity LLC, a company
that helps clients detect, contain, and remediate intrusions using network
security monitoring (NSM) principles. He was previously a principal
consultant at Foundstone, performing incident response, emergency NSM, and
security research and training. He has created NSM operations for ManTech
International Corporation and Ball Aerospace & Technologies Corporation. From
1998 to 2001, Richard defended global American information assets
in the Air Force Computer Emergency Response Team (AFCERT), performing and
supervising the real-time intrusion detection mission.
Formally trained as an intelligence officer, he holds degrees from Harvard
University and the United States Air Force Academy. Richard wrote The Tao of Network
Security Monitoring: Beyond Intrusion Detection and the forthcoming
Extrusion Detection: Security Monitoring for Internal Intrusions and Real
Digital Forensics. He also wrote original material for Hacking
Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular
Web log resides at https://taosecurity.blogspot.com.
Tuesday, August 2, 2005
T1 Solaris 10 Security Features Workshop
Peter Baer Galvin, Corporate Technologies
9:00 a.m.–5:00 p.m.
Who should attend: Solaris systems managers and administrators interested in
the new security features in Solaris 10 (and features in previous Solaris
releases that they may not be using).
This course covers a variety of topics surrounding Solaris 10 and security.
Solaris 10 includes many new features, and there are new issues to consider
when deploying, implementing, and managing Solaris 10. This will be a workshop featuring instruction and practice/exploration. Each student should have a laptop with wireless access for remote access into a Solaris 10 machine.
Topics include:
- Solaris cryptographic framework
- NFSv4
- Solaris privileges
- Solaris Flash archives and live upgrade
- Moving from NIS to LDAP
- DTrace
- WBEM
- Smartcard interfaces and APIs
- Kerberos enhancements
- Zones
- FTP client and server enhancements
- PAM enhancements
- Auditing enhancements
- Password history checking
- IP Filter (ipf)
Peter Baer Galvin (T1) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles
for Byte and other magazines. He wrote the "Pete's Wicked World" and
"Pete's Super Systems" columns at SunWorld. He is currently
contributing editor for Sys Admin, where he manages the Solaris
Corner. Peter is co-author of the Operating System Concepts and Applied Operating System Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web
services, performance tuning, and high availability.
T2 DDoS for Fun and Profit
Sven Dietrich, CERT Research, Carnegie Mellon University; David Dittrich, University of Washington
9:00 a.m.–5:00 p.m.
Who should attend: System administrators, network
administrators, and computer security practitioners. A basic understanding of IP networking, network protocols, and routing as
well as an understanding of computer security fundamentals is required.
The tutorial will trace the development of denial of service attacks from
early, machine-crashing exploits to the present day distributed denial of
service (DDoS) attacks. A substantial portion of the tutorial will be
devoted to understanding DDoS attacks and developing appropriate
responses. Among the issues to be addressed are preparing for a DDoS
attack, recognizing the attack type and probable attack pattern, designing
appropriate filter rules to mitigate the attack, and working with upstream
providers. We will also survey current research that may lead to ways of
thwarting such attacks in the future.
Topics include:
- Fundamentals: Basic networking and routing protocols
- Denial of Service:
  - Basic concepts
  - Vulnerabilities and pathologies
  - OS support
  - The jump from DoS to DDoS
  - Evolution of attack tools
- Classes of DDoS tools:
  - What they do
  - Choices in the attack space
  - How they work
  - Currently available tools and bots
- Diagnosis of the problem:
  - How do you know you are under attack?
  - Symptoms in your own operational and system monitoring data
  - Differentiating between flash crowds and attacks
  - Advances in research
  - Inspecting a compromised system
  - Building a monitoring/traffic capture facility
- Mitigation:
  - Recognition of the attack
  - Attack signatures and attack tool identification
  - DoS vs. DDoS
  - Indications of single and multiple sources
  - Creating countermeasures
  - Techniques for limiting the damage
  - Characterizing the attacked resources
  - Infrastructure changes
  - Traceback
  - Filtering
  - Active response
  - Strikeback
- Political hurdles:
  - Dealing with your ISP
  - Dealing with management
- The bright road ahead:
  - DDoS and beyond
  - Prospects for future advances in attacker tools
  - Technical, legal, and political mitigation strategies
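One added example serves two passages: the session-data tools listed under S4 (Argus, SANCP, flow-tools, NetFlow) and the T2 diagnosis topics above (how do you know you are under attack, flash crowds versus attacks, indications of single and multiple sources). It is not code from either tutorial or from any of those tools. sessionize() does in miniature what a session-data collector does, folding packets into one record per connection; diagnose() then uses nothing but those records to separate a flash crowd from a SYN flood and a single-source flood from a distributed one. The traffic generators, the server address, and the thresholds are constructed assumptions.

```python
"""Session data from packets, and telling a SYN flood from a flash crowd.

Added example; not code from the S4 or T2 tutorials nor from Argus, SANCP
or flow-tools.  sessionize() folds packets into bidirectional records
keyed on the 5-tuple, keeping only counts, bytes and times: a few dozen
bytes per connection, which is why months of session data fit where days
of full content would not.  diagnose() asks the T2 question: a flash
crowd and a SYN flood both look like "too many connections", but real
clients complete the handshake and send a request, while spoofed flood
sources never answer the SYN/ACK.  Thresholds are assumptions.
"""
from collections import Counter, namedtuple
from dataclasses import dataclass
import random

Packet = namedtuple("Packet", "ts src sport dst dport flags size")  # flags: "S", "SA", "A", "PA"


@dataclass
class Session:
    key: tuple          # (client, cport, server, sport); first sender is the client
    first: float
    last: float
    c_pkts: int = 0
    c_bytes: int = 0
    s_pkts: int = 0
    s_bytes: int = 0
    established: bool = False  # client sent an ACK that was not a SYN


def sessionize(packets):
    """Fold packets into sessions; whoever sent the first packet is the client."""
    sessions = {}
    for p in sorted(packets, key=lambda q: q.ts):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in sessions:
            s, from_client = sessions[fwd], True
        elif rev in sessions:
            s, from_client = sessions[rev], False
        else:
            s, from_client = Session(fwd, p.ts, p.ts), True
            sessions[fwd] = s
        if from_client:
            s.c_pkts += 1
            s.c_bytes += p.size
            if "A" in p.flags and "S" not in p.flags:
                s.established = True
        else:
            s.s_pkts += 1
            s.s_bytes += p.size
        s.last = max(s.last, p.ts)
    return list(sessions.values())


def diagnose(sessions, server, min_sessions=100):
    """Summarize sessions aimed at `server` and label the pattern (heuristic)."""
    to_srv = [s for s in sessions if s.key[2] == server]
    n = len(to_srv)
    if n == 0:
        return {"sessions": 0, "label": "no traffic"}
    by_src = Counter(s.key[0] for s in to_srv)
    half_open = sum(1 for s in to_srv if not s.established) / n
    top_share = by_src.most_common(1)[0][1] / n
    origin = "single source" if top_share >= 0.5 else "%d sources" % len(by_src)
    if n < min_sessions:
        kind = "normal load"
    elif half_open >= 0.8:
        kind = "SYN flood (handshakes never complete)"
    else:
        kind = "flash crowd or application-layer flood (handshakes complete)"
    return {"sessions": n, "sources": len(by_src), "half_open": half_open,
            "top_source_share": top_share, "label": kind + ", " + origin}


SERVER = "198.51.100.10"  # constructed target address


def _rand_ip(rng):
    return ".".join(str(rng.randrange(1, 255)) for _ in range(4))


def flash_crowd(n, rng):
    """n real clients: handshake, request, reply.  Constructed traffic."""
    pkts = []
    for _ in range(n):
        src, sp, t = _rand_ip(rng), rng.randrange(1024, 65536), rng.uniform(0, 10)
        pkts += [Packet(t, src, sp, SERVER, 80, "S", 60),
                 Packet(t + .01, SERVER, 80, src, sp, "SA", 60),
                 Packet(t + .02, src, sp, SERVER, 80, "A", 52),
                 Packet(t + .03, src, sp, SERVER, 80, "PA", rng.randrange(200, 900)),
                 Packet(t + .05, SERVER, 80, src, sp, "PA", rng.randrange(500, 20000))]
    return pkts


def syn_flood(n, rng, spoofed=True):
    """n SYNs from random spoofed sources (or one source); SYN/ACKs go unanswered."""
    pkts, fixed = [], _rand_ip(rng)
    for _ in range(n):
        src = _rand_ip(rng) if spoofed else fixed
        sp, t = rng.randrange(1024, 65536), rng.uniform(0, 10)
        pkts += [Packet(t, src, sp, SERVER, 80, "S", 60),
                 Packet(t + .01, SERVER, 80, src, sp, "SA", 60)]
    return pkts


if __name__ == "__main__":
    rng = random.Random(1)
    for name, pkts in [("flash crowd", flash_crowd(500, rng)), ("spoofed SYN flood", syn_flood(500, rng)),
                       ("single-source SYN flood", syn_flood(500, rng, spoofed=False))]:
        print(name, diagnose(sessionize(pkts), SERVER))
```

Two limits worth keeping in mind. Session data cannot tell a flash crowd from an application-layer flood whose bots complete the handshake; for that you need full content (what the clients actually asked for), which is why NSM keeps both. And when the flood is spoofed, the source count is meaningless for filtering, since every source is fake: filters on source address only help against the single-source case, and the rest has to be handled at the victim (SYN cookies, rate limits) and with the upstream provider.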
Sven Dietrich (T2) is a senior member of the technical staff at CERT Research at
Carnegie Mellon University and also holds an appointment at the Carnegie
Mellon University CyLab, a university-wide cybersecurity research and
education initiative. Previously he was
a senior security architect at the NASA Goddard Space Flight Center, where
he observed and analyzed the first distributed denial-of-service attacks
against the University of Minnesota in 1999. He taught Mathematics and
Computer Science as adjunct faculty at Adelphi University, his alma mater,
from 1991 to 1997.
His research interests include survivability, computer and network
security, anonymity, cryptographic protocols, and cryptography. His
previous work has included a formal analysis of the Secure Sockets Layer (SSL)
protocol, intrusion detection, analysis of distributed
denial-of-service tools, and the security of IP communications in space.
His publications include the recent book Internet Denial of Service:
Attack and Defense Mechanisms (Prentice Hall, 2004), as well as
the articles "Analyzing Distributed Denial of Service Tools: The Shaft
Case" (2000) and "The 'mstream' Distributed Denial of Service Tool"
(2000), and others on Active Network Defense, DDoS tool analysis, and
survivability.
David Dittrich (T2) is a Senior Security Engineer and Researcher for the UW
Center for Information Assurance and Cybersecurity and the Information
School at the University of Washington, where he has worked since 1990. Dave is also a member of the
Honeynet Project and Seattle's "Agora" security group.
He is most widely known for his research into Distributed Denial of
Service (DDoS) attack tools and host & network forensics. He has
presented talks and courses at dozens of computer security
conferences, workshops, and government/private organizations
worldwide. He has been a prolific self-publisher of white papers, FAQs,
and malware tool analyses, all intended to make his (and everyone
else's) life easier in dealing with computer intrusions. Dave has
contributed to the books Know Your Enemy, by the Honeynet Project
(Addison-Wesley, 2001), The Hacker's Challenge, edited by Mike
Schiffman (McGraw Hill, 2001), and two articles in the Handbook of
Information Security, edited by Hossein Bidgoli (John Wiley & Sons,
2005), and was a co-author of Internet Denial of Service:
Attack and Defense Mechanisms (Prentice Hall, 2004).
T3 Organizing a Cybersecurity Exercise
Ron Dodge and Dan Ragsdale, United States Military Academy
9:00 a.m.–5:00 p.m.
Who should attend: System administrators and security professionals
involved in the design, management, and security of information
systems. A general familiarity with security tools, network
fundamentals, and operating systems is assumed. Students will leave
this tutorial with a framework that can be used to conduct a local
cyber exercise.
The security of our information systems is constantly under attack.
We propose that to make them safer, they should be attacked even
more. A competition where teams defend a network against skilled
adversaries provides an excellent means to develop the skills
necessary to defend real networks. In addition, such a competition
provides a safe environment to test and evaluate new and emerging
defensive techniques and technologies. Similar events that have
been publicized recently are the DEFCON "Capture the Flag" (CTF)
competition, the military Cyber Defense Exercise, and the Collegiate
Cyber Defense Competition. These competitions follow different
paradigms. The DEFCON event has every team both attack and
defend, while the latter two focus the teams on defensive
operations only.
This tutorial explores the various organizational and administrative
options available when organizing an exercise. Representative exercise schemes will be discussed in detail. An
example network will be demonstrated and available for experimentation.
Topics include:
- Exercise scope
- Hardware and software
- Scoring
- Legal considerations
- Organizational structure
Ron Dodge (T3) is the director of the Information Technology Operations Center and
an assistant professor in the Department of Electrical Engineering and
Computer Science at the US Military Academy. His research
interests include information warfare, security protocols, Internet
technologies, and performance planning and capacity management. Dodge
received a PhD in computer science from George Mason University. Contact him
at ronald.dodge@usma.edu.
Dan Ragsdale (T3) is the director of the Information Technology Program and an
associate professor at the US Military Academy. His
research interests include information assurance, network security, intrusion
detection, and artificial intelligence. Ragsdale received a PhD in computer
science from Texas A&M. Contact him at daniel.ragsdale@usma.edu.
T4 Security Standards and Why You Need to Understand Them
Brad C. Johnson and Richard E. Mackey, Jr., SystemExperts Corporation
9:00 a.m.–5:00 p.m.
Who should attend: Administrators, technicians, and managers at any
level who need to understand the gist of the key security standards
and the laws and industry trends that are making these standards
critical to doing business.
Organizations are turning
to security standards both to measure and to document the completeness
and adequacy of their security program. You may need to simply put
a check in the box that says you "substantially comply" with a
particular standard or you may need to prove to yourself, customers, and
partners that you follow acceptable security practices. Unfortunately, organizations do not have a
widely accepted method to prove they are secure. We look to security
standards to meet this need.
Computer security has seen a number of standards, compliance
specifications, and certification authorities. Today, a few are beginning
to gain acceptance by industry groups, but it is still difficult to tell
which of these will stand the test of time and practicality.
Consequently, it's important to understand, at least at a high
level, what the most popular initiatives are attempting to do, what
problems these standards address, and the value they provide.
Topics include:
- Security standards review
- Why: The motivations
  - Laws: Sarbanes-Oxley, Gramm-Leach-Bliley
  - Partnerships and mergers
  - Internal and external audits
- What: The standards
  - ISO 17799
  - COBIT
  - SAS 70
  - Information Criticality Assessment (e.g., NSA IAM)
- How: The mechanisms
  - ISO 17799 reviews and certifications
  - Security audits
  - Security assessments
  - Penetration and application testing
- Practicum and Drill Downs
  - Standards motivation: Intrusion preparation
    - Homeland security
    - Intrusion awareness
    - Common intrusion areas
    - Intrusion example
  - Security assessments: Drill Down exercises
    - ISO 17799 Drill Down
    - IAM Drill Down
    - COBIT Drill Down
    - Risk analysis Drill Downs
Brad C. Johnson (T4) is vice president of SystemExperts Corporation. He has participated in seminal industry initiatives such as the Open Software
Foundation, X/Open, and the IETF, and has been published in such journals as
Digital Technical Journal, IEEE Computer Society Press, Information Security
Magazine, Boston Business Journal, Mass High Tech Journal, ISSA Password
Magazine, and Wall Street & Technology. Brad is a regular tutorial instructor and conference speaker on topics
related to practical network security, penetration analysis, middleware,
and distributed systems. He holds a B.A. in computer science from Rutgers University and an M.S. in
applied management from Lesley University.
Richard E. Mackey, Jr. (T4) is principal of SystemExperts Corporation.
Dick Mackey is regarded as one of the industry's foremost authorities on
distributed computing infrastructure and security. Before joining
SystemExperts, he worked in leading technical and director positions at The
Open Group, The Open Software Foundation (DCE), and BBN Corporation (Cronus
Distributed Computing Environment). He has been published often in security
magazines such as ISSA Password, .NET, Information Security, and SC Secure
Computing. He is a regular speaker on computer security topics at various
industry conferences. Dick has a B.S. and an M.S. in Electrical and Computer Engineering from the University of Massachusetts at Amherst.