M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2)
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.
See Part 1, S1, for the description of the first day of this tutorial.
Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.
The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending the course only the second day, you might want to contact the instructor before the class and get a test CD to ensure that your laptop will work in the classroom environment.
- Elevation of privilege and suid shells
- Rootkits, and finding rootkits (chkrootkit)
- Sleuth Kit (looking at intrusion timelines)
- iptables and netfilter
- Tracking down DoS floods
- Cfengine configuration
- Vulnerability scanning with nessus
Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.
M2 Endpoint Enforcement & Network Access Control
Tina Bird, InfoExpress
9:00 a.m.–5:00 p.m.
Who should attend: Security, desktop, and network administrators responsible for implementing end-user security mechanisms; anyone who's been wondering about the NAC and NAP hullabaloo.
Most network architectures and operating systems still rely solely on relatively simple-minded, identity-based mechanisms to grant access. IPsec and other remote access technologies, SSL/TLS and 802.1x (in most currently shipping implementations), enable decisions based on user and host identity to grant network connectivity. These tools greatly increase enterprise security. They allow access decisions to be based on an endpoint's identification as a trusted participant in the organization, no matter where the endpoint is located. But we've learned the hard way that identity-based authorization isn't enough.
Identity-based authorization doesn't help much with a Blaster-infected laptop. Once that machine connects to your network, the infection will spread to whatever it can reach behind your firewall, and user authentication can make that situation worse. Valid user credentials on an infected machine may allow the infection to spread through network file shares and other common resources. Even on UNIX desktops, widely regarded as less threatening to production environments than their Microsoft counterparts, configuration and update management can challenge an IT department's ability to safeguard itself from compromised or risky machines, as the recent outbreak of UNIX attacks at supercomputing centers and research institutions reveals.
In this tutorial, Dr. Tina Bird will present emerging technologies in the area of endpoint security enforcement and network-based dynamic access control.
Tina Bird (M2) brings rigorous scientific discipline, a wealth of network administration and Internet security expertise, and substantial teaching experience to her role as the Security Architect for InfoExpress. At InfoExpress, Tina provides strategic guidance in the development of the CyberGatekeeper product line, as well as researching new vulnerabilities and exploits. She represents InfoExpress in the Trusted Computing Group's Trusted Network Connect subgroup. She also writes and speaks about policy enforcement technologies in general, including 802.1x, standards-based enforcement mechanisms and Cisco's Network Admission Control, as well as talks specifically geared towards InfoExpress products.
Tina moderates the Log Analysis and VPN mailing lists; with Marcus Ranum, she
Previously she was responsible for technical review and implementation of Internet firewalls, virtual private networks, and authentication systems at Cerner Corporation, and subsequently for Secure Network Group; the Director of Network Intelligence at Counterpane Internet Security; and a Computer Security Officer for Stanford University.
- A short history of computer intrusions, common features across all operating systems, and what you'd like to be able to control on all the end user machines in your organization
- Specific configuration requirements for Windows- and Linux-based desktops to reduce the likelihood of auto-propagating exploits and rooted boxen
- New security architectures and network protocols that enable endpoint configuration and access control, including the non-proprietary Trusted Network Connect specification from the Trusted Computing Group, an intro to 802.1x, Cisco's Network Admission Control initiative, and Microsoft's Network Access Protection
- Developing manageable endpoint policies in a heterogeneous computing environment
- Integrating dynamic access control management into your network infrastructure, focusing on the most effective places to start and how to manage end-user training as you implement this new technology
- Mechanisms for remediation, ranging from URL redirects to home-grown scripting to an overview of commercial patch/configuration management systems
- Use cases: a home grown prototype system used during the Blaster outbreak of 2003, implementing quarantine and remediation in a remote access scenario, and using policy enforcement to detect compromised machines quickly.
M3 Building Security In: How You Can Do Software Security
Gary McGraw, Cigital
9:00 a.m.–5:00 p.m.
Who should attend: Because the best practices described in this tutorial are applied to software artifacts, they make sense whether you're an XP cowboy or a CMMi heavy lifter. When you attend this session, you will come away with a clear action plan for attacking the software security problem in your organization.
During the past 5 years, software security has evolved from good philosophy into a technical necessity. This tutorial describes in detail what your organization can do to meet its software security goals. From straightforward and easy advice (use a code scanning tool for security code review) to trickier undertakings (build abuse cases and misuse stories to drive security testing), software security best practices allow you to build better code from the ground up by building security in. A software security program involves five major
- A process agnostic framework and plan that fits how you build software, based on the software artifacts that you already produce.
- Development resources, class files, sample code, documents, and policies that make building secure software easier, by example.
- Training to promote software security awareness among developers and architects who need more exposure to security engineering concepts.
- Adoption of artifact-based software security best practices that focus attention on the software product and ignore process-based religious warfare.
- Continuous improvement through the application of risk-based measurement and metrics.
- Requirements analysis and abuse cases
- Architectural risk analysis
- Risk-based security testing
- Code review using static analysis technology (e.g., Fortify Source Code Analysis)
- Penetration testing and software exploit
- Post facto application security (during deployment)
Gary McGraw (M3), Cigital, Inc.'s CTO, researches software security and sets technical vision in the area of Software Quality Management. Dr. McGraw is co-author of five best-selling books: Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Software Fault Injection (Wiley, 1998), Securing Java (Wiley, 1999), and Java Security (Wiley, 1996). A noted authority on software and application security, Dr. McGraw consults with major software producers and consumers. He has written over sixty peer-reviewed technical publications and functions as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on Advisory Boards of Authentica, Counterpane, and Fortify Software, as well as advising the CS Department at UC Davis. Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He writes a monthly security column for Network magazine, is the editor of "Building Security In" for IEEE Security & Privacy magazine, and is often quoted in national press articles.
M4 Network Incident Response
Richard Bejtlich, TaoSecurity.com
9:00 a.m.–5:00 p.m.
Who should attend: Security staff and sys admins who detect and respond to intrusions. Participants should be familiar with TCP/IP. Command-line knowledge of BSD, Linux, or a UNIX-like operating system is a plus. A general knowledge of offensive and defensive security principles is helpful. The author's USENIX course "Network Security Monitoring with Open Source Tools" (S4) and his book The Tao of Network Security Monitoring: Beyond Intrusion Detection are very helpful prerequisites, but they are not mandatory.
You've just discovered that one or more of your systems has been compromised. Now what? This tutorial will answer that question from a network-centric approach. It is based on the author's experience handling multiple systematic, long-term compromises at a variety of enterprises. The majority of the course will approach the incident response (IR) problem from the network perspective; host-based forensics will not be a priority.
Attendees will first learn the basic steps needed to facilitate incident response prior to any compromise. Thoughts on the sorts of threats likely to be faced, common intrusion scenarios, and ways to be aware of intruder activities will be discussed. Next, attendees will hear about various means by which incidents are discovered, all based on real-life intrusions. The course will cover how to perform first response actions from the network perspective, and how to make the "pursue and prosecute" or "recover and remediate" decision. Attendees will learn how to eject determined, patient, and stealthy intruders from the enterprise, and how to verify the effectiveness of ongoing defensive
- Simple steps to take now that make incident response easier later
- Characteristics of intruders, such as their motivation, skill levels, and techniques
- Common ways intruders are detected, and reasons they are often initially missed
- Improved ways to detect intruders based on network security monitoring principles
- First response actions and related best practices
- Secure communications among IR team members, and consequences of negligence
- Approaches to remediation when facing a high-end attacker
- Short, medium, and long-term verification of the remediation plan to keep the intruder out
Richard Bejtlich (S4, M4) is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. He was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001, Richard defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission.
Formally trained as an intelligence officer, he holds degrees from Harvard University and the United States Air Force Academy. Richard wrote The Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics. He also wrote original material for Hacking Exposed, 4th Edition, Incident Response, 2nd Edition, and Sys Admin magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular Web log resides at http://taosecurity.blogspot.com.