Overview | By Day (Monday, Tuesday) | By Instructor | All in One File

Tuesday, August 10, 2004

T1 Building a Software Security Capability: How to Foster Best Practices in Software Security  Gary McGraw, Cigital Who should attend: Software developers who want to improve the security—and salability—of their products. You will learn current best practices and come away with a clear action plan for attacking the software security problem in your organization. This tutorial explains why the key to proactive computer security is making software behave, and then goes on to tell you how to do it. Microsoft's Trustworthy Computing Initiative, begun in January 2002, has changed the way Microsoft builds software. To date, Microsoft has spent over $500 million (2000 worker years) on their software security push. Given the emerging importance of software security and reliability to high-profile software vendors, you need to figure out what to do about the software you develop. Topics include: The role of awareness and training (for development staff) The importance of technology choices (language, OS, development tools, testing tools) How to weave security analysis throughout the software development lifecycle Building abuse and misuse cases The role of architectural risk analysis: who, how, and when The role of code review: use of advanced tools Security testing (and how it differs from functional testing) Post facto application security (deployment issues) Measuring return on investment Gary McGraw (T1), Cigital, Inc.'s CTO, researches software security and sets technical vision in the area of Software Quality Management. Dr. McGraw is co-author of four popular books: Java Security (Wiley, 1996), Securing Java (Wiley, 1999), Software Fault Injection (Wiley 1998), and Building Secure Software (Addison-Wesley, 2001). His fifth book, Exploiting Software (Addison-Wesley), was released in February 2004. A noted authority on software and application security, Dr. McGraw consults with major software producers and consumers. Dr. McGraw has written over sixty peer-reviewed technical publications and functions as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on Advisory Boards of Authentica, Counterpane, Fortify Software, and Indigo Security as well as advising the CS Department at UC Davis. Dr. McGraw holds a dual Ph.D. in Cognitive Science and Computer Science from Indiana University and a B.A. in Philosophy from UVa. He regularly contributes to popular trade publications and is often quoted in national press articles. T2 System Log Aggregation, Statistics, and Analysis  Marcus Ranum, Trusecure Corp. Who should attend: System and network administrators who are interested in learning what's going on in their firewalls, servers, network, and systems; anyone responsible for security and audit or forensic analysis. This tutorial covers techniques and software tools for building your own log analysis system, from aggregating all your data in a single place, through normalizing it, searching, and summarizing, to generating statistics and alerts and warehousing it. We will focus primarily on open source tools for the UNIX environment, but will also describe tools for dealing with Windows systems and various devices such as routers and firewalls. Topics include: Estimating log quantities and log system requirements Syslog: mediocre but pervasive logging protocol Back-hauling your logs Building a central loghost Dealing with Windows logs Logging on Windows loghosts Parsing and normalizing Finding needles in haystacks: searching logs I'm dumb, but it works: artificial ignorance Bayesian spam filters for logging Storage and rotation Databases and logs Leveraging the human eyeball: graphing log data Alerting Legalities of logs as evidence Marcus Ranum (M2, T2) is senior scientist at Trusecure Corp. and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award. T3 Network Security Assessments Workshop  David Rhoades, Maven Security Consulting, Inc. Who should attend: Anyone who needs to understand how to perform an effective and safe network assessment. How do you test a network for security vulnerabilities? Just plug some IP addresses into a network-scanning tool and click SCAN, right? If only it were that easy. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are fraught with dangers: accidental denial-of-service, false positives, false negatives, and long-winded reporting, to name but a few. Performing a security assessment (a.k.a. vulnerability assessment or penetration test) against a network environment requires preparation, the right tools, methodology, knowledge, and more. This workshop will cover the essential topics for performing an effective and safe network assessment. Key concepts will be demonstrated on a target network consisting of several Windows and UNIX-based servers, as well as various routing components. The instructor will demonstrate selected steps of a general network assessment against this target network. All software described will be publicly available freeware, although some mention will be made of commercially available tools. Topics include: Preparation: What is needed before getting started Safety Measures: This often overlooked topic will cover important yet practical steps to ensuring that adverse effects on critical networks and systems are minimized (if not eliminated). Architecture Considerations: Where you scan from effects how you perform the assessment. Inventory: Taking an accurate inventory of active systems and protocols on the target network. Tools of the Trade: How to effectively use various security tools (commercial and freeware) will be demonstrated. Common pitfalls to avoid will be highlighted. Automated Scanning: Best-of-class scanning tools will be covered, including valuable tips on their proper use. These tips are mostly vendor-neutral, and can be applied to any automated scanning tool. Research and Development: High-level overview of what to do when you encounter unknown services or existing tools are insufficient for proper testing. Documentation and Audit Trail: How to simply and effectively record your actions. Accurate audit logs will prevent overlooking valuable results or forgetting key tests. Reporting: How to compile results into a format useful for corrective action and trending your security posture over time. David Rhoades (T3) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore). T4 Malicious Cryptography  Moti Yung, Columbia University Who should attend: Security professionals who are involved in various aspects of securing software and hardware systems. Minimal knowledge of cryptography is required. In the public eye, cryptography is virtually synonymous with security: it hides, protects, assures integrity, and enables trust relationships within information systems. We have asked "are there other uses of cryptography that security professionals need to be aware of?" This question led us to investigate unorthodox uses of cryptography that will be covered in this tutorial. We will discuss information security threats that result from combining strong cryptography with malware to attack information systems; we call this phenomenon "cryptovirology". Further attacks will be presented that pit cryptography against cryptography itself by maliciously utilizing cryptographic techniques to attack implementations of cryptosystems (called "kleptographic attacks"). Malicious cryptographic mechanisms exploit modern cryptographic notions, constructions and tools that have been developed in the last 25 years to assure system security. But they utilize them as a "dark side" technology (i.e., as methods that increase threats and, perhaps paradoxically, reduce overall system security). The need for guarding and employing countermeasures against such potential threats will be discussed as well. Moti Yung (T4) received a Ph.D. in Computer Science from Columbia University. He is currently a Senior Visiting Researcher at Columbia University's Computer Science Department and an Industry Consultant. Previously, he was a cryptographer and V.P. with CertCo and with IBM Research Division, where he received IBM's outstanding innovation award for his research contributions leading to products. He is an editor of the Journal of Cryptology and of the International Journal on Information Security, and served as Program Chair for Crypto 2002. He has published works on numerous aspects of cryptography, security, and on foundations of computer science; recently he coauthored a book on Malicious Cryptography (Wiley 2004).