TRAINING PROGRAM

Monday, August 6, 2007
M1 TCP/IP Weapons School, Layers 4–7 (Day 1 of 2) NEW!
Richard Bejtlich, TaoSecurity.com
9:00 a.m.–5:00 p.m.

Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents.

TWS is the right way for junior and intermediate security personnel to learn the fundamentals of TCP/IP networking. Students learn how to interpret network traffic by analyzing packets generated by network security tools. Examples of normal, suspicious, and malicious traffic teach analysts how to identify security events on the wire. Students will analyze traffic using open source tools.

The point of the class is to teach TCP/IP by looking at nontraditional TCP/IP traffic. I will make comparisons to normal TCP/IP traffic for reference purposes. The name of the course is related to the U.S. Air Force Weapons School, which is the "Top Gun" of the Air Force.

Course plan: The class will concentrate on the protocols and services most likely to be encountered when performing system administration and security work. Students will inspect traffic such as would be seen in various malicious security events.

Topics for Day 1 include:

  • Layer 4
    • TCP ISN: Isnprober
    • TCP Fragmentation: Fragroute
    • TCP Manipulation: Fragroute and Snort Flexresp2
    • TCP Windows: LaBrea
    • Port Scanning: JavaScript, Nmap
    • Host OS Fingerprinting: Nmap, Xprobe2, SinFP, P0f
  • Layer 5
    • SunRPC-NFS
    • DCE/RPC-SMB
    • DCE/RPC-SMB: Impacket Exploit
    • XML-RPC: Monkeyshell

Richard Bejtlich (M1, T1) is founder of TaoSecurity LLC (https://www.taosecurity.com). He was previously a principal consultant at Foundstone. Richard created network security monitoring operations for ManTech and Ball Corporations. From 1998 to 2001 then-Captain Bejtlich defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote The Tao of Network Security Monitoring and Extrusion Detection, and co-authored Real Digital Forensics. He also writes for his Web log (taosecurity.blogspot.com).


M2 Measuring Security
Dan Geer, Geer Risk Services
9:00 a.m.–5:00 p.m.

Who should attend: Operations and security managers who need to design or interpret a metric structure for security risk management.

"You cannot manage what you cannot measure": every business school says this, so it must be true. "Cyber security is about risk management": almost everyone believes this, and for good reason. The sum of the two says that with respect to computer-related security we are hosed if we don't get on the ball and design some decent security metrics. So far, so good, but what in tarnation is that? "Ay, there's the rub," as Hamlet would say. This tutorial makes a healthy stab in the direction of security metrics and hopes that its students soon surpass their teacher, which may not be all that hard, as security metrics design is somewhere between infancy and toddlerhood.

Topics include:

  • Where You Stand Depends on Where You Sit: What management texts/schools mean when they say, "Measure what you manage"
  • Good Artists Create, Great Artists Steal: Styles and methods of measurements used in other fields that are applicable to security risk, and how to steal them
  • Modeling: Is there any point in lifecycle or other models of how security works; is there any unifying abstraction worth using?
  • Large Numbers: The state of the world and how to compare yourself to it
  • Information Sharing: Data fusion is dangerously powerful but essential (with a sidebar on de-identification as a pre-sharing safety mechanism)
  • Where to Begin: How to roll your own, and a few pitfalls to avoid, assuming that decision support is your real deliverable
  • How to Communicate What You Find: Being simple without being simplistic

Topics do not include:

  • Secure coding standards, disaster recovery planning, firewall log analysis, or anything else that is already a solved problem or a side effect of low/no discipline

Dan Geer (M2)—Milestones: The X Window System and Kerberos (1988), the first information security consulting firm on Wall Street (1992), convenor of the first academic conference on electronic commerce (1995), the "Risk Management Is Where the Money Is" speech that changed the focus of security (1998), the presidency of the USENIX Association (2000), the first call for the eclipse of authentication by accountability (2002), principal author of and spokesman for Cyberinsecurity: The Cost of Monopoly (2003), and co-founder of SecurityMetrics.Org (2004).


M3 DNSSEC: Designing, Deploying, and Auditing DNS Security NEW!
David Rhoades and Steve Pinkham, Maven Security Consulting
9:00 a.m.–5:00 p.m.

Who should attend: System administrators, security consultants, and policymakers and implementers.

DNS is one of the fundamental building blocks of the Internet. Currently, there is no strong system in place to prevent attacks against the system, creating a cat and mouse game of attacks and workarounds, with many end users and server deployments constantly at risk. DNSSEC changes the playing field, creating a strongly auditable chain of signatures from each domain down to a trusted root.

New NIST FISMA requirements for government installations take effect by the end of 2007, increasing the desire and need for implementation knowledge. Implementation in the private sector is also becoming increasingly common as the technology matures, and current weaknesses in DNS have exposed companies to measurable financial losses.

Objectives for this class include:

  • Discuss current attack vectors into the DNS system
  • Show where DNSSEC adds protection and where other methods are still employed
  • Discuss the new record types in DNSSEC
  • Demonstrate the chain of trust and implementation of key management
  • New tools for dealing with DNSSEC
  • Signing and deploying DNSSEC zones to BIND and Microsoft DNS servers
  • Brief coverage of appliance-based DNS
  • Auditing techniques to determine if a domain has DNSSEC configured properly
  • Implementing DNSSEC on resolving nameservers
  • Using trusted anchors and DNSSEC Lookaside Validation
  • Overview on how to use a DNSSEC system to provide SSH authentication, IPsec VPNs, and spam protection through SPF

David Rhoades (M3, T3) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the U.S. and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and has taught for the SANS Institute, the MIS Training Institute, and ISACA.

Steve Pinkham (M3) is a security researcher for Maven Security Consulting Inc. (https://www.mavensecurity.com). Steve knows things, and would like to know more. He has spent time in systems administration, programming, security research, and consulting. He dabbles in electronics and philosophy, and enjoys cheese and fine tea. If you're unlucky you might run into him wearing a backpack in some remote corner of the world. He can be contacted at steve.pinkham@mavensecurity.com.


M4 Incident Response NEW!
Abe Singer, San Diego Supercomputer Center
9:00 a.m.–5:00 p.m.

Who should attend: Security folks, system administrators, and operations staff (e.g., help desk). Examples are primarily from UNIX systems, but most of what is discussed will be operating system neutral. Note that this is not a forensics class. Although some forensic analysis will be discussed, especially with regard to examples, it is only a small portion of the class.

You get a complaint that seems to indicate that you have one or more compromised machines. What do you do? Where do you start? How do you proceed? Do you have the tools that you need and the authority to use them?

Responding to an incident can be very stressful and, without the right tools and procedures in place in advance, very difficult. It can be easy to panic, and there is a lot of pressure to "do something" even when you don't know what's actually going on. Often, sites that do react rashly end up in a worse state and do not completely remove the intruder from their systems.

This course will cover putting together a comprehensive incident response program, from identifying the policies and tools you need, to assessing the situation and determining an effective, measured response. Some examples from real intrusions will be provided.

Topics include:

  • Goals: What results do you want?
  • Policies: Having the authority to do the job
  • Tools: Having the stuff to do the job
  • Intelligence: Having the information to do the job
  • Initial suspicion: Complaints, alarms, anomalies
  • The "Oh, sh*t" moment: When you realize it's a compromise
  • Gathering information on your attacker
  • Assessing the extent of the compromise
  • Communicating: Inquiring minds want to know
  • Recovery: Kicking 'em out and fixing the damage
  • Evidence handling
  • The law: Dealing with law enforcement, lawyers, and HR

Abe Singer (M4) is a Computer Security Researcher in the Security Technologies Group at the San Diego Supercomputer Center. In his operational security responsibilities, he participates in incident response and forensics and in improving the SDSC logging infrastructure. His research is in pattern analysis of syslog data for data mining. He is co-author of the SAGE booklet Building a Logging Infrastructure and author of a forthcoming O'Reilly book on log analysis.


Tuesday, August 7, 2007

T1 TCP/IP Weapons School, Layers 4–7 (Day 2 of 2) NEW!
Richard Bejtlich, TaoSecurity.com
9:00 a.m.–5:00 p.m.

Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents.

TWS is the right way for junior and intermediate security personnel to learn the fundamentals of TCP/IP networking. Students learn how to interpret network traffic by analyzing packets generated by network security tools. Examples of normal, suspicious, and malicious traffic teach analysts how to identify security events on the wire. Students will analyze traffic using open source tools.

The point of the class is to teach TCP/IP by looking at nontraditional TCP/IP traffic. I will make comparisons to normal TCP/IP traffic for reference purposes. The name of the course is related to the U.S. Air Force Weapons School, which is the "Top Gun" of the Air Force.

Course plan: The class will concentrate on the protocols and services most likely to be encountered when performing system administration and security work. Students will inspect traffic such as would be seen in various malicious security events.

Topics for Day 2 include:

  • Layer 6
    • Decoding SSL: Ssldump and Wireshark
    • Decoding HTTP and Gzip
    • HTTP Chunked Encoding: Metasploit
    • ASN.1 Encoding: Metasploit
    • WMF: Metasploit
  • Layer 7
    • Application Fingerprinting: NTP, DNS, HTTP, PADS, Fl0p
    • Covert Channel: HTTP, DNS
    • Nmap vs. Nepenthes
    • Amap vs. Nepenthes
    • Httprint vs. Nepenthes
    • Metasploit vs. Nepenthes
    • Fuzzing: SNMP



T2 They Really Are Out to Get You: How to Think About Computer Security NEW!
Marcus Ranum, Tenable Network Security
9:00 a.m.–5:00 p.m.

Who should attend: Programmers and managers involved in the design, specification, deployment, or maintenance of computer-based applications. Does that sound perhaps overly broad? Well, it is—because virtually any software will, eventually, be security-critical whether you like it or not. Participants do not need any specific knowledge, though a basic understanding of computer security will help. People who attend this tutorial should come away with a high-level view of the pressure points in the development/deployment cycle where they can best stop the bleeding, along with a collection of mental tools that they can employ, and a framework for using them.

This tutorial is a high-level mental toolkit for thinking about security in applications and administration. It's aimed not at the tactical level of security (where most of us spend our time) but at the strategic level, and how to think about security as a problem, overall, rather than getting mired in the details.

After completing this tutorial, participants will either feel much better about their ability to cope with security, or they will be terrified into immobility.

Topics include:

  • The natural laws of security
  • Blocking and carrying
  • Whitelisting and blacklisting
  • Security in the design process
  • Touchpoints for adding security to development cycles
  • Data security
  • Dealing with security data
  • The insider threat and counter-intelligence problem
  • Triage
  • Thinking about risk rationally
  • Mental tricks

Marcus Ranum (T2) has been building and designing security and security systems since 1989. He is the author of several books on security, and has been, variously: network manager, C programmer, development team leader, VP of engineering, CSO, CEO, and consultant. He is currently the CSO of Tenable Network Security.



T3 Remote Testing for Common Web Application Security Threats NEW!
David Rhoades, Maven Security Consulting
9:00 a.m.–5:00 p.m.

Who should attend: People who are auditing Web application security or developing Web applications.

The proliferation of Web-based applications has increased the enterprise's exposure to a variety of threats. There are overarching steps that can and should be taken at various steps in the application's lifecycle to prevent or mitigate these threats, such as implementing secure design and coding practices, performing source code audits, and maintaining proper audit trails to detect unauthorized use.

This workshop will focus on testing the security of Web-based applications from the perspective of the end user. Security testing, or auditing, helps to fulfill industry best practices, as well as legal requirements. Security testing is especially useful since it can be done at various phases within the application's lifecycle (e.g., before deployment), or can be used when the application's source code is not available for review.

The workshop will explain the threats and their potential impact on the security of the application. Demonstrations will be given showing the tools and techniques needed to remotely detect and validate the presence of these threats. The course material will contain references to suitable resources and documentation for fixing and preventing the weaknesses discussed.

By taking this class the student will:

  • Understand the security threats facing Web applications
  • Learn the tools and techniques to remotely validate a Web application's security.
  • Enhance secure programming practices by raising awareness and giving programmers the tools needed to audit their code from the user's perspective



T4 Live Forensics NEW!
Frank Adelstein, ATC-NY; Golden G. Richard, University of New Orleans
9:00 a.m.–5:00 p.m.

Who should attend: Security professionals, CERT members, and security-aware users who would like to know more about live digital forensics investigation.

Traditional digital forensics focuses on analyzing a copy (an "image") of a disk to extract information—e.g., deleted files, file fragments, Web browsing history—and to build a timeline that provides a partial view of what has been done on the computer. Live forensics, an emerging area in which information is gathered on running systems, offers some distinct advantages over traditional forensics. Live forensics can provide information, such as running processes, memory dumps, open network connections, and unencrypted versions of encrypted files, that cannot be gathered by static methods. This information can both serve as digital evidence and help direct or focus traditional analysis methods. Despite the usefulness of live forensics, however, it offers significant challenges, many of which are related to malware.

This tutorial will discuss the types of information that can be gathered, how the evidence can be analyzed, and how it can work in conjunction with traditional methods to satisfy forensic requirements. We will spend approximately 25% of the time on static disk analysis techniques and then move on to gathering and analyzing live data. We will give examples and demonstrations of some techniques and tools. At the end, students should understand what live state information is available on a computer, some of the methods for gathering the information, how this information can be used to build up the picture of what happened, and issues that might affect the integrity of captured evidence.

The tutorial does not assume that students have a background in forensics. Students are assumed to have a reasonably mature knowledge of systems. Familiarity with operating systems structure, disk layouts, and the basic interactions between operating systems and hardware will be beneficial but is not required. Note that the course emphasizes what types of information are available and how this information can be extracted, rather than providing a 10-step checklist of how to investigate cases. Those familiar with traditional forensic analysis will benefit from the course. This course will not cover legal issues.

Frank Adelstein (T4) is the technical director of computer security at ATC-NY in Ithaca, NY. He is the principal designer of a live forensic investigation product (marketed as Online Digital Forensic Suite™ and LiveWire Investigator™) and has worked in the area of live investigation for the last 5 years. He has also been the principal investigator on numerous research and development projects including security, wireless networking, intrusion detection, and training.

Golden G. Richard III (T4) is an Associate Professor at the University of New Orleans, where he developed the Information Assurance curriculum and coordinated the effort to have the University of New Orleans certified by the National Science Foundation as a Center of Academic Excellence. He teaches courses in digital forensics, computer security, and operating systems internals. He is a co-founder of Digital Forensic Solutions, LLC and is the author of the digital forensics tool "Scalpel."

Richard and Adelstein are the chair and vice-chair of the Digital Forensic Research Workshop, the premier workshop on research advances in the area of digital forensics. They have co-authored the book Fundamentals of Mobile and Pervasive Computing (for McGraw-Hill).

Last changed: 27 July 2007