
Monday, August 1, 2005
M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2) NEW!
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.

See Part 1, S1, for the description of the first day of this tutorial.

Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.

The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending only the second day of the course, you might want to contact the instructor before the class and get a test CD to ensure that your laptop will work in the classroom environment.

Exercises include:

  • Elevation of privilege and suid shells
  • Rootkits, and finding rootkits (chkrootkit)
  • Sleuth Kit (looking at intrusion timelines)
  • iptables and netfilter
  • Tracking down DoS floods
  • Cfengine configuration
  • Vulnerability scanning with nessus

Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.

M2 Endpoint Enforcement & Network Access Control NEW!
Tina Bird, InfoExpress
9:00 a.m.–5:00 p.m.

Who should attend: Security, desktop, and network administrators responsible for implementing end-user security mechanisms; anyone who's been wondering about the NAC and NAP hullabaloo.

Most network architectures and operating systems still rely solely on relatively simple-minded, identity-based mechanisms to grant access. IPsec and other remote access technologies, SSL/TLS and 802.1x (in most currently shipping implementations), enable decisions based on user and host identity to grant network connectivity. These tools greatly increase enterprise security. They allow access decisions to be based on an endpoint's identification as a trusted participant in the organization, no matter where the endpoint is located. But we've learned the hard way that identity-based authorization isn't enough.

Identity-based authorization doesn't help much with a Blaster-infected laptop. Once that machine connects to your network, the infection will spread to whatever it can reach behind your firewall, and user authentication can make that situation worse. Valid user credentials on an infected machine may allow the infection to spread through network file shares and other common resources. Even on UNIX desktops, widely regarded as less threatening to production environments than their Microsoft counterparts, configuration and update management can challenge an IT department's ability to safeguard itself from compromised or risky machines, as the recent outbreak of UNIX attacks at supercomputing centers and research institutions reveals.

In this tutorial, Dr. Tina Bird will present emerging technologies in the area of endpoint security enforcement and network-based dynamic access control.

Topics include:

  • A short history of computer intrusions, common features across all operating systems, and what you'd like to be able to control on all the end user machines in your organization
  • Specific configuration requirements for Windows- and Linux-based desktops to reduce the likelihood of auto-propagating exploits and rooted boxen
  • New security architectures and network protocols that enable endpoint configuration and access control, including the non-proprietary Trusted Network Connect specification from the Trusted Computing Group, an intro to 802.1x, Cisco's Network Admission Control initiative, and Microsoft's Network Access Protection
  • Developing manageable endpoint policies in a heterogeneous computing environment
  • Integrating dynamic access control management into your network infrastructure, focusing on the most effective places to start and how to manage end-user training as you implement this new technology
  • Mechanisms for remediation, ranging from URL redirects to home-grown scripting to an overview of commercial patch/configuration management systems
  • Use cases: a home grown prototype system used during the Blaster outbreak of 2003, implementing quarantine and remediation in a remote access scenario, and using policy enforcement to detect compromised machines quickly.

Tina Bird (M2) brings rigorous scientific discipline, a wealth of network administration and Internet security expertise, and substantial teaching experience to her role as the Security Architect for InfoExpress. At InfoExpress, Tina provides strategic guidance in the development of the CyberGatekeeper product line, as well as researching new vulnerabilities and exploits. She represents InfoExpress in the Trusted Computing Group's Trusted Network Connect subgroup. She also writes and speaks about policy enforcement technologies in general, including 802.1x, standards-based enforcement mechanisms and Cisco's Network Admission Control, as well as talks specifically geared towards InfoExpress products. Tina moderates the Log Analysis and VPN mailing lists; with Marcus Ranum, she runs Previously she was responsible for technical review and implementation of Internet firewalls, virtual private networks, and authentication systems at Cerner Corporation, and subsequently for Secure Network Group; the Director of Network Intelligence at Counterpane Internet Security; and a Computer Security Officer for Stanford University.

M3 Building Security In: How You Can Do Software Security NEW!
Gary McGraw, Cigital
9:00 a.m.–5:00 p.m.

Who should attend: Because the best practices described in this tutorial are applied to software artifacts, they make sense whether you're an XP cowboy or a CMMi heavy lifter. When you attend this session, you will come away with a clear action plan for attacking the software security problem in your organization.

During the past 5 years, software security has evolved from good philosophy into a technical necessity. This tutorial describes in detail what your organization can do to meet its software security goals. From straightforward and easy advice (use a code scanning tool for security code review) to trickier undertakings (build abuse cases and misuse stories to drive security testing), software security best practices allow you to build better code from the ground up by building security in. A software security program involves five major components:

  1. A process agnostic framework and plan that fits how you build software, based on the software artifacts that you already produce.
  2. Development resources, class files, sample code, documents, and policies that make building secure software easier, by example.
  3. Training to promote software security awareness among developers and architects who need more exposure to security engineering concepts.
  4. Adoption of artifact-based software security best practices that focus attention on the software product and ignore process-based religious warfare.
  5. Continuous improvement through the application of risk-based measurement and metrics.

Topics include:

  • Requirements analysis and abuse cases
  • Architectural risk analysis
  • Risk-based security testing
  • Code review using static analysis technology (e.g., Fortify Source Code Analysis)
  • Penetration testing and software exploit
  • Post facto application security (during deployment)

Gary McGraw (M3), Cigital, Inc.'s CTO, researches software security and sets technical vision in the area of Software Quality Management. Dr. McGraw is co-author of five best-selling books: Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Software Fault Injection (Wiley, 1998), Securing Java (Wiley, 1999), and Java Security (Wiley, 1996). A noted authority on software and application security, Dr. McGraw consults with major software producers and consumers. He has written over sixty peer-reviewed technical publications and functions as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on Advisory Boards of Authentica, Counterpane, and Fortify Software, as well as advising the CS Department at UC Davis. Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He writes a monthly security column for Network magazine, is the editor of "Building Security In" for IEEE Security & Privacy magazine, and is often quoted in national press articles.

M4 Network Incident Response NEW!
Richard Bejtlich,
9:00 a.m.–5:00 p.m.

Who should attend: Security staff and sys admins who detect and respond to intrusions. Participants should be familiar with TCP/IP. Command-line knowledge of BSD, Linux, or a UNIX-like operating system is a plus. A general knowledge of offensive and defensive security principles is helpful. The author's USENIX course "Network Security Monitoring with Open Source Tools" (S4) and his book The Tao of Network Security Monitoring: Beyond Intrusion Detection are very helpful prerequisites, but they are not mandatory.

You've just discovered that one or more of your systems has been compromised. Now what? This tutorial will answer that question from a network-centric approach. It is based on the author's experience handling multiple systematic, long-term compromises at a variety of enterprises. The majority of the course will approach the incident response (IR) problem from the network perspective; host-based forensics will not be a priority.

Attendees will first learn the basic steps needed to facilitate incident response prior to any compromise. Thoughts on the sorts of threats likely to be faced, common intrusion scenarios, and ways to be aware of intruder activities will be discussed. Next, attendees will hear about various means by which incidents are discovered, all based on real-life intrusions. The course will cover how to perform first-response actions from the network perspective, and how to make the "pursue and prosecute" or "recover and remediate" decision. Attendees will learn how to eject determined, patient, and stealthy intruders from the enterprise, and how to verify the effectiveness of ongoing defensive measures.

Topics include:

  • Simple steps to take now that make incident response easier later
  • Characteristics of intruders, such as their motivation, skill levels, and techniques
  • Common ways intruders are detected, and reasons they are often initially missed
  • Improved ways to detect intruders based on network security monitoring principles
  • First response actions and related best practices
  • Secure communications among IR team members, and consequences of negligence
  • Approaches to remediation when facing a high-end attacker
  • Short, medium, and long-term verification of the remediation plan to keep the intruder out

Richard Bejtlich (S4, M4) is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. He was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001, Richard defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission. Formally trained as an intelligence officer, he holds degrees from Harvard University and the United States Air Force Academy. Richard wrote The Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics. He also wrote original material for Hacking Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular Web log resides at


Last changed: 1 Aug. 2005 ch