USENIX Security Symposium, August 9-13, 2004, San Diego, CA, USA


TRAINING PROGRAM


Monday, August 9, 2004    
M1 Network Security Monitoring with Open Source Tools 
Richard Bejtlich, TaoSecurity

Who should attend: This tutorial is designed for engineers and analysts who detect and respond to security incidents. Participants should be familiar with TCP/IP. Command-line knowledge of FreeBSD is a plus, although any UNIX background should be sufficient. A general knowledge of offensive and defensive security principles is helpful.

This tutorial will equip participants with the theory and software to detect and respond to security incidents. NSM is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is an operational model partially inspired by the United States Air Force's signals intelligence collection methods. Signals intelligence, or SIGINT, is the collection of information on communications and the transformation of that information into intelligence products. Similarly, NSM is a method of collecting and analyzing network traffic for the purpose of identifying and validating intrusions. NSM relies upon alert data, session data, full content data, and statistical data to provide analysts with the information needed to make escalation decisions. Whereas intrusion detection cares more about identifying successful attacks, NSM is more concerned with providing evidence to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps.

NSM theory will help participants understand the different sorts of data that must be collected. The tutorial will bring theory to life by introducing the installation and use of numerous open source tools for each category of NSM data. FreeBSD will be the reference platform, and nearly every tool discussed will be in the FreeBSD ports tree.

Topics include:

  • Building and deploying NSM sensors, accessing wired and wireless traffic
  • Full-content tools like tcpdump, ethereal/tethereal, tcpflow, and snort as a packet logger
  • Alert data generators: e.g., bro, prelude-ids, and snort as network IDS
  • Session data tools: NetFlow exporters and collectors such as fprobe and flow-tools, plus argus and tcptrace, which build their own connection records from captured packets
  • Statistical data tools like iftop, tcpdstat, and MRTG
  • Finally, sguil, a nearly complete graphical NSM implementation for alert, full content, and session data

During the day I'll also integrate case studies on how various forms of NSM data were used to resolve incident response scenarios.
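The four kinds of NSM data described above, derived from one constructed packet sample, as an added example. This is not code from the tutorial or from any of the tools it lists; the packets, addresses and the single content rule are made up for it, and the session logic takes the first packet seen in a conversation as the client side. The point it shows is the escalation step: an alert on its own says one packet matched, while the session data tells the analyst what else that source touched.

```python
from collections import defaultdict

# Constructed sample traffic (made up for this example). Full-content data is
# the packet itself; alert, session and statistical data are derived from it.
# Fields: (time, src, sport, dst, dport, proto, payload)
PACKETS = [
    (100.0, "10.0.0.5", 40001, "192.168.1.10", 22, "tcp", b""),
    (100.1, "192.168.1.10", 22, "10.0.0.5", 40001, "tcp", b"SSH-2.0-OpenSSH_3.8\r\n"),
    (100.5, "10.0.0.5", 40002, "192.168.1.10", 80, "tcp", b""),
    (100.6, "192.168.1.10", 80, "10.0.0.5", 40002, "tcp", b""),
    (100.7, "10.0.0.5", 40002, "192.168.1.10", 80, "tcp",
     b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
    (100.9, "192.168.1.10", 80, "10.0.0.5", 40002, "tcp", b"HTTP/1.0 404 Not Found\r\n\r\n"),
    (101.0, "10.0.0.5", 40003, "192.168.1.11", 80, "tcp", b"GET / HTTP/1.0\r\n\r\n"),
    (101.2, "192.168.1.11", 80, "10.0.0.5", 40003, "tcp", b"HTTP/1.0 200 OK\r\n\r\n"),
    (102.0, "192.168.1.20", 5353, "224.0.0.251", 5353, "udp", b"mdns"),
]

# One constructed content rule: (name, server port, byte pattern to look for).
RULES = [("WEB-MISC /etc/passwd access", 80, b"/etc/passwd")]


def generate_alerts(packets, rules=RULES):
    """Alert data: a content signature matched against full-content packets."""
    alerts = []
    for t, src, sport, dst, dport, proto, payload in packets:
        for name, port, pattern in rules:
            if proto == "tcp" and dport == port and pattern in payload:
                alerts.append({"time": t, "rule": name, "src": src,
                               "dst": dst, "dport": dport})
    return alerts


def build_sessions(packets):
    """Session data: one record per conversation, keyed by the 5-tuple in the
    direction first seen (assumed to be client -> server)."""
    sessions = {}
    for t, src, sport, dst, dport, proto, payload in packets:
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if rev in sessions:
            key, direction = rev, "s2c"
        else:
            key, direction = fwd, "c2s"
            sessions.setdefault(key, {"start": t, "end": t,
                                      "c2s_pkts": 0, "s2c_pkts": 0,
                                      "c2s_bytes": 0, "s2c_bytes": 0})
        rec = sessions[key]
        rec["end"] = t
        rec[direction + "_pkts"] += 1
        rec[direction + "_bytes"] += len(payload)
    return sessions


def service_counts(sessions):
    """Statistical data: sessions per (protocol, server port)."""
    counts = defaultdict(int)
    for (src, sport, dst, dport, proto) in sessions:
        counts[(proto, dport)] += 1
    return dict(counts)


def scope_alert(alert, sessions):
    """Escalation: pivot from one alert into session data to list every
    (server, port) the alerting source contacted, whether it alerted or not."""
    touched = {(dst, dport) for (src, sport, dst, dport, proto) in sessions
               if src == alert["src"]}
    return sorted(touched)


if __name__ == "__main__":
    sessions = build_sessions(PACKETS)
    for a in generate_alerts(PACKETS):
        print("ALERT", a["rule"], a["src"], "->", a["dst"], "port", a["dport"])
        print("  same source also contacted:", scope_alert(a, sessions))
    print("sessions per service:", service_counts(sessions))
```

The single alert fires on the traversal request to 192.168.1.10; the session pivot then shows the same source also probed SSH on that host and fetched a page from 192.168.1.11, which is the scoping information an alert-only view never provides.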

Richard Bejtlich (M1) is a security engineer at National Security Solutions, a ManTech group. He was previously a principal consultant at Foundstone, performing incident response, emergency network security monitoring, and security research. Prior to joining Foundstone in 2002, Richard served as senior engineer for managed network security operations at Ball Aerospace & Technologies Corporation. From 1998 to 2001 Richard defended global American information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). He led the AFCERT's real time intrusion detection mission, supervising 60 civilian and military analysts.

Formally trained as a military intelligence officer, Richard holds degrees from Harvard University and the United States Air Force Academy. He wrote original material for Hacking Exposed, 4th Ed., and Incident Response, 2nd Ed., both published by Osborne McGraw-Hill. Richard is the co-author of Real Digital Forensics and the author of The Tao of Network Security Monitoring, separate books to be published in 2004. He acquired his CISSP certification in 2001. His home page is

M2 Intrusion Detection and Prevention Systems
Marcus Ranum, Trusecure Corp.

Who should attend: Network or security managers responsible for an IDS roll-out, security auditors interested in assessing IDS capabilities, security managers involved in IDS product selection.

Overview: This workshop covers the real-world issues you'll encounter as part of doing an intrusion detection roll-out or product selection. Attendees will learn the advantages and disadvantages of popular approaches to Intrusion Detection Systems (IDSes), how to deal with false positives and noise, where to deploy IDSes, how to test them, how to build out-of-band IDS management networks, and how they interact with switches, routers, and firewalls.

Topics include:

  • Technologies
    • IDS and IPS: what they are and how they work
    • Burglar alarms and honeypots—low-rent IDS
    • Misuse detection and anomaly detection
    • False positives, noise, and false alarms
    • Does freeware stack up to the commercial products?
  • Deployment issues
    • Where to place IDS within the network
    • Alert tuning: what it is and how it works
    • How to estimate the size of an IDS deployment
    • How to size and design a logging / management architecture
    • Tools and tricks for logging and event correlation
    • A typical IDS roll-out
    • How to test an IDS for correct function
    • IDS benchmarks: bogus and bogusest
  • Management issues
    • How to justify the expenditures on an IDS to management
    • Cyclical maintenance
    • Alert management procedures

Marcus Ranum (M2, T2) is senior scientist at Trusecure Corp. and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.

M3 Network Security Protocols: Theory and Current Standards
Radia Perlman, Sun Microsystems

Who should attend: Anyone who wants to understand the theory behind network security protocol design, with an overview of the alphabet soup of standards and cryptography. This tutorial is especially useful for anyone who needs to design or implement a network security solution, but it is also useful to anyone who needs to understand existing offerings in order to deploy and manage them. Although the tutorial is technically deep, no background other than intellectual curiosity and a good night's sleep in the recent past is required.

First, without worrying about the details of particular standards, we discuss the pieces out of which all these protocols are built.

We then cover subtle design issues, such as how secure email interacts with distribution lists, how designs maximize security in the face of export laws, and the kinds of mistakes people generally make when designing protocols.

Armed with this conceptual knowledge of the toolkit of tricks, we describe and critique current standards.

Topics include:

  • What problems are we trying to solve?
  • Cryptography
  • Key distribution
    • Trust hierarchies
    • Public key (PKI) vs. secret key solutions
  • Handshake issues
    • Diffie-Hellman
    • Man-in-the-middle defense
    • Perfect forward secrecy
    • Reflection attacks
  • PKI standards
    • X.509
    • PKIX
  • Real-time protocols
    • SSL/TLS
    • IPsec (including AH, ESP, and IKE)
  • Secure email
  • Web security
    • URLs
    • HTTP, HTTPS
    • Cookies
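A worked reflection attack on a naive shared-key challenge-response handshake, with the role-binding fix beside it, as an added example illustrating the "Reflection attacks" item above. This is not material from the tutorial; the protocol is the textbook three-message mutual authentication (Alice sends a nonce, Bob answers it and sends his own nonce, Alice answers that), the shared key is a constructed value, and HMAC-SHA256 stands in for whatever keyed function a real protocol would use.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the example only.
KEY = b"constructed-shared-key-for-demo"


def mac(key, role, challenge):
    """Keyed answer to a challenge. `role` is empty in the naive protocol and
    b"server" / b"client" in the hardened one, so the two directions differ."""
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()


class Responder:
    """Bob: shares KEY with Alice, answers any challenge he receives, issues his
    own, and keeps several connections open at once (which is what the
    reflection attack relies on)."""

    def __init__(self, key, tagged):
        self.key = key
        self.tagged = tagged      # True selects the hardened variant
        self.pending = {}         # connection id -> challenge Bob sent on it

    def respond(self, conn, their_challenge):
        r_b = os.urandom(16)
        self.pending[conn] = r_b
        role = b"server" if self.tagged else b""
        return mac(self.key, role, their_challenge), r_b

    def finish(self, conn, their_answer):
        role = b"client" if self.tagged else b""
        expected = mac(self.key, role, self.pending.pop(conn))
        return hmac.compare_digest(their_answer, expected)


def honest_initiator(bob, key):
    """Alice, who really holds the key, completes the exchange normally."""
    r_a = os.urandom(16)
    answer, r_b = bob.respond("alice", r_a)
    server_role = b"server" if bob.tagged else b""
    if not hmac.compare_digest(answer, mac(key, server_role, r_a)):
        return False              # Bob failed to prove he knows the key
    client_role = b"client" if bob.tagged else b""
    return bob.finish("alice", mac(key, client_role, r_b))


def reflection_attack(bob):
    """Trudy has no key. On connection 1 she sends any nonce and receives Bob's
    challenge r_b. On connection 2 she sends r_b back to Bob as *her* challenge;
    Bob's answer on connection 2 is exactly the answer connection 1 needs."""
    r_t = os.urandom(16)
    _, r_b = bob.respond("trudy-1", r_t)
    answer, _ = bob.respond("trudy-2", r_b)
    return bob.finish("trudy-1", answer)


if __name__ == "__main__":
    print("naive protocol, attack succeeds:", reflection_attack(Responder(KEY, False)))
    print("role-tagged protocol, attack fails:", reflection_attack(Responder(KEY, True)))
    print("honest Alice still works:", honest_initiator(Responder(KEY, True), KEY))
```

Binding the responder's role into the keyed function is one of the standard fixes; using a different key per direction, or requiring the initiator to answer before the responder ever issues a challenge, closes the same hole. The underlying rule is that nothing Bob computes for one party should be reusable verbatim as proof to Bob himself.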

Radia Perlman (M3) is a Distinguished Engineer at Sun Microsystems. She is known for her contributions to bridging (spanning tree algorithm) and routing (link state routing), as well as security (sabotage-proof networks). She is the author of Interconnections: Bridges, Routers, Switches, and Internetworking Protocols and co-author of Network Security: Private Communication in a Public World, two of the top ten networking reference books, according to Network Magazine. She is one of the twenty-five people whose work has most influenced the networking industry, according to Data Communications Magazine. She has about fifty issued patents, an S.B. and S.M. in mathematics and a Ph.D. in computer science from MIT, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.

M4 Network Security Profiles: Protocol Threats, Intrusion Classes, and How Hackers Find Exploits 
Brad C. Johnson, SystemExperts Corporation

Who should attend: Administrators, managers, auditors, those being audited, those responsible for responding to intrusions or responsible for network resources that might be targets for crackers, hackers, or determined intruders.

Participants should understand the basics of TCP/IP networking. Examples will use actual tools and will include small amounts of HTML, JavaScript, and Tcl code and show command line arguments and GUI based applications.

This tutorial is focused on helping you understand how people profile your network to identify resources that might be vulnerable to attack. Simply, the more information that somebody can generate about your site (by profiling it), the more likely it is that they will be able to exploit something on it. This course will also help you recognize common protocol threats and intrusion classes.

The course consists of four segments: tools and methods used to profile your resources, examples of common intrusion areas, specific tools that are used to discover information about your environment, and vulnerabilities in pervasive protocols (such as DNS and the Web).

The following topics are expected to be covered in this full day tutorial. Approximately one quarter of the day will be used for each of the four major topic areas.

Topics include:

  • Profiling Your Network and System
    • Methods and Tools
    • An Example Profile
  • Intrusions
    • Awareness and Statistics
    • Example Intrusions
    • Common Intrusion Areas (Web Servers, Web Applications, Wireless Infrastructure, Modems)
  • Discovery/Profiling Tools
    • Tools such as sscan, typhoon, nessus, dsniff, whisker, Sam Spade, Satan/Saint/Sara, nmap, Paros, cain, and Websleuth
    • Understanding Protocol Tunneling
  • Protocol Profiling Threats
    • DNS (the name service)
    • SNMP (system and network management)
    • Handheld (PocketPC) Issues
    • Web Infrastructure

Brad C. Johnson (M4) is vice president of SystemExperts Corporation. He has participated in seminal industry initiatives such as the Open Software Foundation, X/Open, and the IETF, and has been published often, including in the Digital Technical Journal, IEEE Computer Society Press, Information Security Magazine, Boston Business Journal, Mass High Tech Journal, ISSA Password Magazine, and Wall Street & Technology. Brad is a regular tutorial instructor and conference speaker on topics related to practical network security, penetration analysis, middleware, and distributed systems. Brad holds a B.A. in computer science from Rutgers University and an M.S. in applied management from Lesley University.

Tuesday, August 10, 2004    
T1 Building a Software Security Capability: How to Foster Best Practices in Software Security 
Gary McGraw, Cigital

Who should attend: Software developers who want to improve the security—and salability—of their products. You will learn current best practices and come away with a clear action plan for attacking the software security problem in your organization.

This tutorial explains why the key to proactive computer security is making software behave, and then goes on to tell you how to do it. Microsoft's Trustworthy Computing Initiative, begun in January 2002, has changed the way Microsoft builds software. To date, Microsoft has spent over $500 million (2000 worker years) on their software security push. Given the emerging importance of software security and reliability to high-profile software vendors, you need to figure out what to do about the software you develop.

Topics include:

  • The role of awareness and training (for development staff)
  • The importance of technology choices (language, OS, development tools, testing tools)
  • How to weave security analysis throughout the software development lifecycle
  • Building abuse and misuse cases
  • The role of architectural risk analysis: who, how, and when
  • The role of code review: use of advanced tools
  • Security testing (and how it differs from functional testing)
  • Post facto application security (deployment issues)
  • Measuring return on investment

Gary McGraw (T1), Cigital, Inc.'s CTO, researches software security and sets technical vision in the area of Software Quality Management. Dr. McGraw is co-author of four popular books: Java Security (Wiley, 1996), Securing Java (Wiley, 1999), Software Fault Injection (Wiley, 1998), and Building Secure Software (Addison-Wesley, 2001). His fifth book, Exploiting Software (Addison-Wesley), was released in February 2004. A noted authority on software and application security, Dr. McGraw consults with major software producers and consumers. Dr. McGraw has written over sixty peer-reviewed technical publications and functions as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on Advisory Boards of Authentica, Counterpane, Fortify Software, and Indigo Security as well as advising the CS Department at UC Davis. Dr. McGraw holds a dual Ph.D. in Cognitive Science and Computer Science from Indiana University and a B.A. in Philosophy from UVa. He regularly contributes to popular trade publications and is often quoted in national press articles.

T2 System Log Aggregation, Statistics, and Analysis 
Marcus Ranum, Trusecure Corp.

Who should attend: System and network administrators who are interested in learning what's going on in their firewalls, servers, network, and systems; anyone responsible for security and audit or forensic analysis.

This tutorial covers techniques and software tools for building your own log analysis system, from aggregating all your data in a single place, through normalizing it, searching, and summarizing, to generating statistics and alerts and warehousing it. We will focus primarily on open source tools for the UNIX environment, but will also describe tools for dealing with Windows systems and various devices such as routers and firewalls.

Topics include:

  • Estimating log quantities and log system requirements
  • Syslog: mediocre but pervasive logging protocol
  • Back-hauling your logs
  • Building a central loghost
  • Dealing with Windows logs
  • Logging on Windows loghosts
  • Parsing and normalizing
  • Finding needles in haystacks: searching logs
  • I'm dumb, but it works: artificial ignorance
  • Bayesian spam filters for logging
  • Storage and rotation
  • Databases and logs
  • Leveraging the human eyeball: graphing log data
  • Alerting
  • Legalities of logs as evidence
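Artificial ignorance, the technique named in the list above, implemented over a few constructed syslog lines as an added example. This is not code from the tutorial; the log lines, the normalization rules and the ignore list are all made up for it. The idea is the inverse of signature matching: normalize away the parts of each line that always vary (timestamps, hosts, PIDs, addresses, counters), throw away the kinds of line you have already decided are boring, and report whatever is left, which by construction is either new or unusual.

```python
import re
from collections import Counter

# Constructed syslog sample (made up for this example).
LOG = """\
Jun  8 03:15:01 gw cron[1823]: (root) CMD (run-parts /etc/cron.hourly)
Jun  8 03:15:02 gw sshd[1840]: Accepted publickey for admin from 10.0.0.7 port 51022 ssh2
Jun  8 03:16:11 gw sshd[1851]: Failed password for root from 172.16.4.9 port 33012 ssh2
Jun  8 03:16:13 gw sshd[1851]: Failed password for root from 172.16.4.9 port 33012 ssh2
Jun  8 03:16:15 gw sshd[1851]: Failed password for root from 172.16.4.9 port 33012 ssh2
Jun  8 04:15:01 gw cron[2011]: (root) CMD (run-parts /etc/cron.hourly)
Jun  8 04:20:44 gw sshd[2043]: Accepted publickey for admin from 10.0.0.7 port 51030 ssh2
Jun  8 04:21:03 gw kernel: ipfw: 1000 Deny TCP 172.16.4.9:44120 192.168.1.10:23 in via em0
Jun  8 04:22:09 gw su: BAD SU alice to root on /dev/ttyp1
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def normalize(line):
    """Collapse the variable fields so that identical *kinds* of event compare
    equal: drop timestamp, host and PID, replace IPv4 addresses with IP and
    every remaining run of digits with N. Returns None for unparseable lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, prog, msg = m.groups()
    msg = IPV4_RE.sub("IP", msg)
    msg = re.sub(r"\d+", "N", msg)
    return f"{prog}: {msg}"


# The ignore list: normalized patterns an operator has reviewed and declared
# uninteresting. It grows over time as each new boring line is examined once.
IGNORE = [
    re.compile(r"^cron: \(root\) CMD \(run-parts /etc/cron\.hourly\)$"),
    re.compile(r"^sshd: Accepted publickey for admin from IP port N sshN$"),
]


def artificial_ignorance(log, ignore=IGNORE):
    """Return {normalized line: count} for everything NOT matched by the
    ignore list. Unparseable lines are kept and flagged rather than dropped,
    since a line the parser has never seen is itself interesting."""
    counts = Counter()
    for line in log.splitlines():
        norm = normalize(line)
        if norm is None:
            norm = "UNPARSED: " + line
        if any(p.search(norm) for p in ignore):
            continue
        counts[norm] += 1
    return counts


def report(log, ignore=IGNORE):
    """Most frequent leftover lines first, as a list of (count, line)."""
    return sorted(((c, l) for l, c in artificial_ignorance(log, ignore).items()),
                  reverse=True)


if __name__ == "__main__":
    for count, line in report(LOG):
        print(f"{count:5d}  {line}")
```

On the sample, the two cron runs and the two normal admin logins disappear, and what remains is three failed root logins from one address, a firewall deny from the same address against telnet, and a bad su attempt: the whole story of the night in three lines. The caveat is the normalization: collapse too aggressively (for example turning usernames into a placeholder) and the su line would no longer say who tried, so every substitution should remove only what genuinely varies between instances of the same event.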

T3 Network Security Assessments Workshop 
David Rhoades, Maven Security Consulting, Inc.

Who should attend: Anyone who needs to understand how to perform an effective and safe network assessment.

How do you test a network for security vulnerabilities? Just plug some IP addresses into a network-scanning tool and click SCAN, right? If only it were that easy. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are fraught with dangers: accidental denial-of-service, false positives, false negatives, and long-winded reporting, to name but a few. Performing a security assessment (a.k.a. vulnerability assessment or penetration test) against a network environment requires preparation, the right tools, methodology, knowledge, and more. This workshop will cover the essential topics for performing an effective and safe network assessment.

Key concepts will be demonstrated on a target network consisting of several Windows and UNIX-based servers, as well as various routing components. The instructor will demonstrate selected steps of a general network assessment against this target network. All software described will be publicly available freeware, although some mention will be made of commercially available tools.

Topics include:

  • Preparation: What is needed before getting started
  • Safety Measures: This often overlooked topic will cover important yet practical steps to ensuring that adverse effects on critical networks and systems are minimized (if not eliminated).
  • Architecture Considerations: Where you scan from affects how you perform the assessment.
  • Inventory: Taking an accurate inventory of active systems and protocols on the target network.
  • Tools of the Trade: How to effectively use various security tools (commercial and freeware) will be demonstrated. Common pitfalls to avoid will be highlighted.
  • Automated Scanning: Best-of-class scanning tools will be covered, including valuable tips on their proper use. These tips are mostly vendor-neutral, and can be applied to any automated scanning tool.
  • Research and Development: High-level overview of what to do when you encounter unknown services or existing tools are insufficient for proper testing.
  • Documentation and Audit Trail: How to simply and effectively record your actions. Accurate audit logs will prevent overlooking valuable results or forgetting key tests.
  • Reporting: How to compile results into a format useful for corrective action and trending your security posture over time.

David Rhoades (T3) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore).

T4 Malicious Cryptography 
Moti Yung, Columbia University

Who should attend: Security professionals who are involved in various aspects of securing software and hardware systems. Minimal knowledge of cryptography is required.

In the public eye, cryptography is virtually synonymous with security: it hides, protects, assures integrity, and enables trust relationships within information systems. We have asked "are there other uses of cryptography that security professionals need to be aware of?" This question led us to investigate unorthodox uses of cryptography that will be covered in this tutorial. We will discuss information security threats that result from combining strong cryptography with malware to attack information systems; we call this phenomenon "cryptovirology".

Further attacks will be presented that pit cryptography against cryptography itself by maliciously utilizing cryptographic techniques to attack implementations of cryptosystems (called "kleptographic attacks"). Malicious cryptographic mechanisms exploit modern cryptographic notions, constructions and tools that have been developed in the last 25 years to assure system security. But they utilize them as a "dark side" technology (i.e., as methods that increase threats and, perhaps paradoxically, reduce overall system security). The need for guarding and employing countermeasures against such potential threats will be discussed as well.

Moti Yung (T4) received a Ph.D. in Computer Science from Columbia University. He is currently a Senior Visiting Researcher at Columbia University's Computer Science Department and an Industry Consultant. Previously, he was a cryptographer and V.P. with CertCo and with IBM Research Division, where he received IBM's outstanding innovation award for his research contributions leading to products. He is an editor of the Journal of Cryptology and of the International Journal on Information Security, and served as Program Chair for Crypto 2002. He has published works on numerous aspects of cryptography, security, and on foundations of computer science; recently he coauthored a book on Malicious Cryptography (Wiley 2004).


Last changed: 8 June 2004 jel