Security '08 Training Program

Monday, July 28, 2008

M1 Botnets: Understanding and Defense NEW!
Bruce Potter, The Shmoo Group
9:00 a.m.–5:00 p.m.

Who should attend: IT security professionals, system administrators, and network administrators who want to learn the inner workings of botnets and how to defend against them.

Described by some as the largest threat to the global Internet, botnets are largely hidden from the average Internet user. Botnets have a long legacy and initially were not used for malicious purposes. However, as bots have evolved, they have taken on sinister uses. Using thousands of compromised machines, botnets can be used for a variety of tasks including sending mountains of spam, launching crushing denial-of-service attacks, and harvesting massive amounts of personal information. One of the unfortunate aspects of botnets is that many individuals are active participants in botnets and do not even know it. Bots have become very sophisticated at hiding themselves from anti-virus and security programs. Also, many bots have even become resilient to large-scale network security systems and represent problems to not just home users but to large enterprises as well.

Take back to work: A broad understanding of the current threat from botnets, how they work, and how to defend against them.

Topics include:

  • History of botnets: From their innocuous roots to the current worldwide threat
  • Botnet uses: A broad view of the actual threats from current bots, including network and system analysis
  • Scope of the current botnet problem: The current problem is larger than you may think
  • Botnet communications: Command and control of botnets exposed
  • Internal structure: A breakdown of the functionality of modern botnets, including hiding, propagation, and modularity
  • Examination of some standard bots: We will look at some of the classic bots (Agobot, SDBot, Storm, etc.) in order to gain a better understanding of what we're defending against
  • Host-based botnet defenses: Practical guidance on what can really be done to detect and defend against bots at the host level
  • Network-based botnet defenses: More practical guidance, but this time at the network level
  • Future of botnets: A brief discussion of where bots are going so that we can arm ourselves against future outbreaks

M2 Computer Forensics NEW!
Simson L. Garfinkel, Naval Postgraduate School
9:00 a.m.–5:00 p.m.

Who should attend: Anyone interested in forensics: recovering lost or deleted data, hunting for clues, and tracking information.

Take back to work:

  • Modern forensic tools, including both open source and commercial
  • Drill-down familiarity with disk forensics, including specific tools and techniques
  • The history of computer forensics (celebrated cases)
  • The legal environment that governs forensics in the U.S.
  • Enough information about operating systems to understand why forensic tools are possible, what they can do, and their limits

Computer forensics is the study of information stored in computer systems for the purpose of learning what happened to that computer at some point in the past—and for making a convincing argument about what was learned in a court of law. Today computer forensics covers four broad categories:

  • Hard drive forensics, which aims to inventory and locate information that is on a computer's hard drive, whether or not the information is visible to the computer's user. Hard drive forensics includes the recovery of deleted files and file fragments, the construction of timelines, and the creation of profiles of a computer's user.
  • Memory forensics, which analyzes the memory (or memory dump) of a computer system to reveal information about what the computer has been doing.
  • Network forensics, which captures and analyzes information moving over a computer network. Network forensics can be based on full-content analysis or the analysis of network flows.
  • Document forensics, in which specific files are analyzed for subtle and possibly hidden information. Document forensics can recover deleted information from Microsoft Word files or reveal which computers were used to create an individual file.

Topics include:

  • Introduction to computer forensics
    • What is forensics?
    • Why is information left behind on computer systems?
    • Forensics history
    • Computer forensics vs. physical forensics
    • ASCII and Unicode
  • Memory forensics and file carving
    • Memory hierarchy, swap space, sleep and hibernation
    • Tools for understanding:
      • Microsoft memory
      • UNIX memory
    • Carving memory and disk partitions
  • Forensics and policy
    • Forensics and the law (discovery, criminal law, etc.)
    • The federal rules of evidence
    • Forensics history
    • The C.S.I. effect
  • Disk forensics
    • Understanding file systems
    • ASCII and Unicode
    • Recovery of deleted files without the use of forensic tools
    • Recovery of deleted files with commercial and open source tools
      • Sleuth Kit
      • EnCase
      • FTK
    • What to do when you can't recover an entire file
    • Hash code databases
  • Network forensics
    • Understanding IP packets, UDP, TCP, protocols (in 5 minutes)
    • Understanding network hubs, switches, where you monitor
    • Data rates
    • Flows vs. full-content
    • Using commercial and open source tools
      • Wireshark (Ethereal)
      • NetIntercept
  • Document and Web forensics
    • MS Word structure
    • PDF structure
    • Identifying similar documents
  • Anti-forensics

M3 Securing Virtual Environments NEW!
Phil Cox, SystemExperts Corporation
9:00 a.m.–5:00 p.m.

Who should attend: Site managers charged with selecting and setting virtual environment security requirements, general users who want to know more about the security features of popular virtual environments, and system administrators who are tasked with implementing or maintaining the security of virtual environments.

Take back to work: A familiarity with current virtualization and popular technical implementations of it, as well as an understanding of how to secure virtual environments that use those current technologies.

Virtualization is popping up all over corporate networks and may soon comprise a significant proportion of the services provided by a company. As virtual environments become more pervasive, the proper administration and security of them becomes critical to the security of the entire corporate network. The instructors of this tutorial present the problems and solutions surrounding the security of virtual environments. They will focus on the three main virtualization products in use today: VMware, Xen, and Microsoft Virtual Server. The instructors will focus on practical information and solutions that people who use these technologies (or are tasked with providing them to their companies) can use. Some of the topics will be demonstrated live during the course.

This course assumes no previous knowledge or experience with virtual server technologies.

Topics include:

  • Virtualization 101
    • What is it?
    • Who's using what?
    • What really matters?
  • Threats
    • What are the issues?
    • How can configuration problems hurt you?
  • Popular technologies
    • VMware
    • Xen
    • Microsoft Virtual Server
  • Configuring a secure virtual environment
    • Securing the host OS
    • Securing the guest machine
  • Miscellaneous Topics

M4 Solaris 10 Security Features Workshop (Hands-on)
Peter Baer Galvin, Corporate Technologies
9:00 a.m.–5:00 p.m.

Who should attend: Solaris systems managers and administrators interested in the new security features in Solaris 10 (and features in previous Solaris releases that they might not be using).

Take back to work: During this exploration of the important new features of Solaris 10, you'll not only learn what it does and how to get it done, but also best practices. Also covered is the status of each of these new features, how stable it is, whether it is ready for production use, and expected future enhancements.

Solaris has always been the premier commercial operating system, but it is also somewhat different from other UNIX/Linux systems. It has novel features and applications (some have been copied in other operating systems), and there are things you need to know to use them effectively and securely.

This course covers a variety of topics surrounding Solaris 10 and security. Note that this is not a class about specific security vulnerabilities and hardening; rather, it examines new features in Solaris 10 for addressing the entire security infrastructure, as well as new issues to consider when deploying, implementing, and managing Solaris 10. This will be a workshop featuring instruction and practice/exploration.

Topics include:

  • Overview
  • Virtualization
    • Containers (a.k.a. Zones), light-weight virtual environments for application isolation and resource management
    • Installation
    • Management
    • Resource management
    • Other Solaris virtualizations: LDOMs, Xen
  • RBAC: Role Based Access Control (giving users and application access to data and functions based on the role they are filling, as opposed to their login name)
  • Privileges: A new Solaris facility based on the principle of least privilege; instead of being root (or not), users are accorded 43 distinct bits of privilege, sometimes spanning classes of actions and sometimes being confined to a specific system call
  • NFSv4: The latest version of NFS (based on an industry standard), featuring stateful connection, more and better security, write locks, and faster performance
  • Flash archives and live upgrade (automated system builds)
  • Moving from NIS to LDAP
  • DTrace: Solaris 10's system profiling and debugging tool
  • FTP client and server enhancements for security, reliability, and auditing
  • PAM (the Pluggable Authentication Module) enhancements, for more detailed control of access to resources
  • Auditing enhancements
  • BSM (the Basic Security Module), providing a security auditing system (including tools to assist with analysis) and a device allocation mechanism (providing object-reuse characteristics for removable or assignable devices)
  • Service Management Facility (a replacement for rc files)
    • New "Secure By Default" settings
  • Solaris Cryptographic Framework: A built-in system for encrypting anything, from files on disks to data streams between applications
  • Kerberos enhancements
  • Packet filtering with IPfilters
  • BART (Basic Audit Reporting Tool): similar to Tripwire, BART enables you to determine what file-level changes have occurred on a system, relative to a known baseline
  • Trusted Extension: Additions to Solaris 10 to make it "Trusted Solaris"
  • Securing a Solaris 10 system

Laptop Requirements: Each student should have a laptop with wireless access for remote access into an instructor-provided Solaris 10 machine (if you do not have a laptop, we will make every effort to pair you up with another student to work as a group; your laptop does not need to be running Solaris).

Tuesday, July 29, 2008

T1 Network Flow Analysis NEW!
Bruce Potter, The Shmoo Group
9:00 a.m.–5:00 p.m.

Who should attend: IT security professionals, network engineers, and IT managers who want to learn how to analyze and learn from the traffic on their networks.

Take back to work: An understanding of how to deploy NetFlow capability within your network, as well as tools and techniques for analyzing the resulting data.

We put a great deal of effort into controlling the data we have on our networks. Firewalls attempt to keep out the bad guys, proxies inspect traffic that goes in and out of the enterprise, and intrusion detection systems attempt to find attacks as they occur. But do you know what's really going on inside your network? Are your policies and protections keeping out the bad guys, or do you have problems that you are unaware of?

Most modern networks have the ability to view deep into your traffic, but many organizations don't even know it. Most routers and even some firewalls can export network flow data, information about the type of traffic, and where it's going. By analyzing this data, you can quickly find interesting traffic including use of unauthorized software, malware, and malfunctioning systems.

This tutorial will guide attendees through the basics of network flows, how to configure systems to export flow data, and how to examine flows to look for anomalous and malicious behavior.

Topics include:

  • Network analysis basics: What network analysis is, when it is appropriate, and its role in IT security
  • Understanding NetFlow: A primer on Cisco's NetFlow implementation, the various NetFlow versions, and other flow-based architectures
  • NetFlow sensor placement: Where to deploy NetFlow sensors for maximum effectiveness
  • Configuring Cisco devices for NetFlow: How to configure and customize various versions of NetFlow using a Cisco router
  • Using softflowd on Linux: For times when you don't have access to a NetFlow-capable router, the OSS package softflowd can do the job instead
  • NetFlow analysis with Psyche: Psyche is an OSS tool for basic statistical analysis of NetFlow; the tutorial will include analysis of "known bad" data
  • NetFlow analysis with SiLK: SiLK is a more advanced NetFlow tool; the tutorial will include analysis of more "known bad" data
  • Future ideas: A brief discussion on other uses for NetFlow in your network

T2 Forensics Lab (Hands-on) NEW!
Simson L. Garfinkel, Naval Postgraduate School
9:00 a.m.–5:00 p.m.

Who should attend: Anyone interested in forensics: recovering lost or deleted data, hunting for clues, and tracking information.

Take back to work: Experience using forensic tools you can apply to your work and home systems; a deeper understanding of what computer forensics can do and how it's done.

This tutorial will give participants hands-on experience using commercial and open source forensics tools. The lab will consist of two parts. In the first part of the lab the students will be given a CD-ROM containing tools and test data. The instructor will go through the tools with the students following along. In the second half of the lab the students will be given a second CD-ROM containing data from a fictional case involving an abducted teenager. A second case will involve a financial crime. The students will then be asked to "solve the crime."

Tools we will use:

  • Guidance Software's EnCase, academic edition (commercial tool)
  • VMware Player (to play the virtual machine)
  • Helix Boot CD (open source Linux bootable CD with many forensics tools pre-installed)
  • Fedora Core 8 virtual machine with pre-installed tools, including:
    • SleuthKit
    • AFF
    • Wireshark

Topics include:

  • Introduction to EnCase
  • Lab 1: Using EnCase—basic exercises
  • Lab 2: Find the missing child
  • Lab 3: Financial crime—a complicated case with many pieces of evidence

T3 SOA, Web Services, and XML Security NEW!
Gunnar Peterson, Arctec Group
9:00 a.m.–5:00 p.m.

Who should attend: Security people, software developers, and systems architects who are interested in learning about vulnerabilities and in how to build security into the Web services environment.

Take back to work: An understanding of how an attacker looks at Web services, how to architect security services in Web services and SOA, and how to use best practices in your architecture.

Learn the real risks in SOA, Web services, and XML, not just the hype! This session takes a pragmatic approach toward identifying those security risks and selecting and applying countermeasures to the application, code, Web, database, and identity servers and related software. Many enterprises are currently developing new Web services or adding Web services functionality into existing applications. Now is the time to build security into the system!

Topics include:

  • Understanding how Web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web services world
  • Web services attack patterns
  • Common XML attack patterns
  • Data and XML security using WS-Security, SAML, XML Encryption, and XML Digital Signature
  • Identity services and federation with SAML and Liberty
  • Hardening Web services servers
  • Input validation for Web services
  • Integrating Web services securely with backend resources and applications using WS-Trust
  • Secure exception handling in Web services
  • The impact of Web 2.0 technologies such as Ajax and REST on distributed systems security

T4 Understanding and Deploying Trusted Hardware (Hands-on) NEW!
Radu Sion, Stony Brook Trusted Hardware Lab; Sean Smith, Dartmouth PKI/Trust Laboratory
9:00 a.m.–5:00 p.m.

Who should attend: Programmers and managers involved in the architectural design, specification, deployment, or maintenance of financial, healthcare, and governmental applications handling security-sensitive data. No specific security or cryptography knowledge is required, although a basic understanding of operating systems and data management will help. An introduction to prerequisite concepts in computer security (applied cryptography and system security) will be provided as part of the tutorial, to facilitate a thorough understanding of its core.

Take back to work: The basic knowledge and hands-on experience to understand, architect, and deploy trusted hardware-aware infrastructures as part of legacy or novel applications.

The tutorial offers a thorough exploration, with selected hands-on demonstrations, of existing trusted hardware components, associated threat and deployment models, limitations, security certification processes, and programming models. The tutorial will feature a multi-level approach, allowing both an overview understanding of trusted hardware geared to IT management participants and a set of demonstrative incursions into threat and programming models for a more technically oriented audience.

Topics include:

  • Quick primer on applied cryptography
  • Quick primer on operating systems security
  • Trusted hardware threat and deployment model
  • Certification standards
    • CCA
    • FIPS 140-2
  • Hardware design challenges
  • Hardware details
    • Encryption disks
    • Smartcards
    • TPMs
    • Network Appliances
    • Cryptographic co-processors
  • Trusted hardware-aware application design challenges
  • Applications
    • Regulatory-compliant systems
    • Financial transaction management
    • Secure storage
  • Programming demonstration

Last changed: 28 April 2008 jel