M1 Botnets: Understanding and Defense NEW!
Bruce Potter, The Shmoo Group
9:00 a.m.–5:00 p.m.

Who should attend: IT security professionals, system administrators, and network administrators who want to learn the inner workings of botnets and how to defend against them.

Described by some as the largest threat to the global Internet, botnets are largely hidden from the average Internet user. Botnets have a long legacy and initially were not used for malicious purposes. However, as bots have evolved, they have taken on sinister uses. Using thousands of compromised machines, botnets can be used for a variety of tasks including sending mountains of spam, launching crushing denial-of-service attacks, and harvesting massive amounts of personal information. One of the unfortunate aspects of botnets is that many individuals are active participants in botnets and do not even know it. Bots have become very sophisticated at hiding themselves from anti-virus and security programs. Also, many bots have even become resilient to large-scale network security systems and represent problems to not just home users but to large enterprises as well.

Take back to work: A broad understanding of the current threat from botnets, how they work, and how to defend against them.

Topics include:

• History of botnets: From their innocuous roots to the current worldwide threat
• Botnet uses: A broad view of the actual threats from current bots, including network and system analysis
• Scope of the current botnet problem: The current problem is larger than you may think
• Botnet communications: Command and control of botnets exposed
• Internal structure: A breakdown of the functionality of modern botnets, including hiding, propagation, and modularity
• Examination of some standard bots: We will look at some of the classic bots (Agobot, SDBot, Storm, etc.) in order to gain a better understanding of what we're defending against
• Host-based botnet defenses: Practical guidance on what can really be done to detect and defend against bots at the host level
• Networked-based botnet defenses: More practical guidance, but this time at the network level
• Future of botnets: A brief discussion of where bots are going so that we can arm ourselves against future outbreaks

M2 Computer Forensics NEW!
Simson L. Garfinkel, Naval Postgraduate School
9:00 a.m.–5:00 p.m.

Who should attend: Anyone interested in forensics: recovering lost or deleted data, hunting for clues, and tracking information.

Take back to work:

• Modern forensic tools, including both open source and commercial
• Drill-down familiarity with disk forensics, including specific tools and techniques
• The history of computer forensics (celebrated cases)
• The legal environment that governs forensics in the U.S.
• Enough information about operating systems to understand why forensic tools are possible, what they can do, and their limits

Computer forensics is the study of information stored in computer systems for the purpose of learning what happened to that computer at some point in the past—and for making a convincing argument about what was learned in a court of law. Today computer forensics covers four broad categories:

• Hard drive forensics, which aims to inventory and locate information that is on a computer's hard drive, whether or not the information is visible to the computer's user. Hard drive forensics includes the recovery of deleted files and file fragments, the construction of timelines, and the creation of profiles of a computer's user.
• Memory forensics, which analyzes the memory (or memory dump) of a computer system to reveal information about what the computer has been doing.
• Network forensics, which captures and analyzes information moving over a computer network. Network forensics can be based on full-content analysis or the analysis of network flows.
• Document forensics, in which specific files are analyzed for subtle and possibly hidden information. Document forensics can recover deleted information from Microsoft Word files or reveal which computers were used to create an individual file.

Topics include:

• Introduction to computer forensics
  • What is forensics?
  • Why is information left behind on computer systems?
  • Forensics history
  • Computer forensics vs. physical forensics
  • ASCII and Unicode
• Memory forensics and file carving
  • Memory hierarchy, swap space, sleep and hibernation
  • Tools for understanding:
    • Microsoft memory
    • UNIX memory
  • Carving memory and disk partitions
• Forensics and policy
  • Forensics and the law (discovery, criminal law, etc.)
  • The federal rules of evidence
  • Forensics history
  • The C.S.I. effect
• Disk forensics
  • Understanding file systems
  • ASCII and Unicode
  • Recovery of deleted files without the use of forensic tools
  • Recovery of deleted files with commercial and open source tools
    • Sleuth Kit
    • EnCase
    • FTK
  • What to do when you can't recover an entire file
  • Hash code databases
• Network forensics
  • Understanding IP packets, UDP, TCP, protocols (in 5 minutes)
  • Understanding network hubs, switches, where you monitor
  • Data rates
  • Flows vs. full-content
  • Using commercial and open source tools
    • Wireshark (Ethereal)
    • NetIntercept
• Document and Web forensics
  • MS Word structure
  • PDF structure
  • Identifying similar documents
• Anti-forensics

M3 Securing Virtual Environments NEW!
Phil Cox, SystemExperts Corporation
9:00 a.m.–5:00 p.m.

Who should attend: Site managers charged with selecting and setting virtual environment security requirements, general users who want to know more about the security features of popular virtual environments, and system administrators who are tasked with implementing or maintaining the security of virtual environments.

Take back to work: A familiarity with current virtualization and popular technical implementations of it, as well as an understanding of how to secure virtual environments that use those current technologies.

Virtualization is popping up all over corporate networks and may soon comprise a significant proportion of the services provided by a company. As virtual environments become more pervasive, the proper administration and security of them becomes critical to the security of the entire corporate network. The instructors of this tutorial present the problems and solutions surrounding the security of virtual environments. They will focus on the three main virtualization products in use today: VMware, Xen, and Microsoft Virtual Server. The instructors will focus on practical information and solutions that people who use the technologies (or are tasked with providing it to their companies) can use. Some of the topics will be demonstrated live during the course.

This course assumes no previous knowledge or experience with virtual server technologies.

Topics include:

• Virtualization 101
  • What is it?
  • Who's using what?
  • What really matters?
• Threats
  • What are the issues?
  • How can configuration problems hurt you?
• Popular technologies
  • VMware
  • Xen
  • Microsoft Virtual Server
• Configuring a secure virtual environment
  • Securing the host OS
  • Securing the guest machine
• Miscellaneous Topics

T1 Network Flow Analysis NEW!
Bruce Potter, The Shmoo Group
9:00 a.m.–5:00 p.m.

Who should attend: IT security professionals, network engineers, and IT managers who want to learn how to analyze and learn from the traffic on their networks.

Take back to work: An understanding of how to deploy NetFlow capability within your network, as well as tools and techniques for analyzing the resulting data.

We put a great deal of effort into controlling the data we have on our networks. Firewalls attempt to keep out the bad guys, proxies inspect traffic that goes in and out of the enterprise, and intrusion detection systems attempt to find attacks as they occur. But do you know what's really going on inside your network? Are your policies and protections keeping out the bad guys, or do you have problems that you are unaware of?

Most modern networks have the ability to view deep into your traffic, but many organizations don't even know it. Most routers and even some firewalls can export network flow data, information about the type of traffic, and where it's going. By analyzing this data, you can quickly find interesting traffic including use of unauthorized software, malware, and malfunctioning systems.

This tutorial will guide attendees through the basics of network flows, how to configure systems to export flow data, and how to examine flows to look for anomalous and malicious behavior.

Topics include:

• Network analysis basics: What network analysis is, when it is appropriate, and its role in IT security
• Understanding NetFlow: A primer on Cisco's NetFlow implementation, the various NetFlow versions, and other flow-based architectures
• NetFlow sensor placement: Where to deploy NetFlow sensors for maximum effectiveness
• Configuring Cisco devices for NetFlow: How to configure and customize various versions of NetFlow using a Cisco router
• Using softflowd on Linux: For times when you don't have access to a NetFlow-capable router, the OSS package softflowd can do the job instead
• NetFlow analysis with Psyche: Psyche is an OSS tool for basic statistical analysis of NetFlow; the tutorial will include analysis of "known bad" data
• NetFlow analysis with SiLK: SiLK is a more advanced NetFlow tool; the tutorial will including analysis of more "known bad" data
• Future ideas: A brief discussion on other uses for NetFlow in your network

T2 Forensics Lab (Hands-on) NEW!
Simson L. Garfinkel, Naval Postgraduate School
9:00 a.m.–5:00 p.m.

Who should attend: Anyone interested in forensics: recovering lost or deleted data, hunting for clues, and tracking information.

Take back to work: Experience using forensic tools you can apply to your work and home systems; a deeper understanding of what computer forensics can do and how it's done.

This tutorial will give participants hands-on experience using commercial and open source forensics tools. The lab will consist of two parts. In the first part of the lab the students will be given a CD-ROM containing tools and test data. The instructor will go through the tools with the students following along. In the second half of the lab the students will be given a second CD-ROM containing data from a fictional case involving an abducted teenager. A second case will involve a financial crime. The students will then be asked to "solve the crime."

Tools we will use:

• Guidance Software's EnCase, academic edition (commercial tool)
• VMware Player (to play the virtual machine)
• Helix Boot CD (open source Linux bootable CD with many forensics tools pre-installed)
• Fedora Core 8 virtual machine with pre-installed tools, including:
  • SleuthKit
  • AFF
  • WireShark

Topics include:

• Introduction to Encase
• Lab 1: Using EnCase—basic exercises
• Lab 2: Find the missing child
• Lab 3: Financial crime—a complicated case with many pieces of evidence

T3 SOA, Web Services, and XML Security NEW!
Gunnar Peterson, Arctec Group
9:00 a.m.–5:00 p.m.

Who should attend: Security people, software developers, and systems architects who are interested in learning about vulnerabilities and in how to build security into the Web services environment.

Take back to work: An understanding of how an attacker looks at Web services, how to architect security services in Web services and SOA, and how to use best practices in your architecture.

Learn the real risks in SOA, Web services, and XML, not just the hype! This session takes a pragmatic approach toward identifying those security risks and selecting and applying countermeasures to the application, code, Web, database, and identity servers and related software. Many enterprises are currently developing new Web services or adding Web services functionality into existing applications. Now is the time to build security into the system!

Topics include:

• Understanding how Web application risks (such as those in OWASP Guide and OWASP Top Ten) apply in a Web services world
• Web services attack patterns
• Common XML attack patterns
• Data and XML security using WS-Security, SAML, XML Encryption, and XML
• Digital signatures
• Identity services and federation with SAML and Liberty
• Hardening Web services servers
• Input validation for Web services
• Integrating Web services securely with backend resources and applications using WS-Trust
• Secure exception handling in Web services
• The impact of Web 2.0 technologies such as Ajax and REST on distributed systems security

T4 Understanding and Deploying Trusted Hardware (Hands-on) NEW!
Radu Sion, Stony Brook Trusted Hardware Lab; Sean Smith, Darthmouth PKI/Trust Laboratory
9:00 a.m.–5:00 p.m.

Who should attend: Programmers and managers involved in the architectural design, specification, deployment, or maintenance of financial, healthcare, and governmental applications handling security-sensitive data. No specific security or cryptography knowledge is required, although a basic understanding of operating systems and data management will help. An introduction to prerequisite concepts in computer security (applied cryptography and system security) will be provided as part of the tutorial, to facilitate a thorough understanding of its core.

Take back to work: The basic knowledge and hands-on experience to understand, architect, and deploy trusted hardware-aware infrastructures as part of legacy or novel applications.

The tutorial offers a thorough exploration, with selected hands-on demonstrations, of existing trusted hardware components, associated threat and deployment models, limitations, security certification processes, and programming models. The tutorial will feature a multi-level approach, allowing both an overview understanding of trusted hardware geared to IT management participants and a set of demonstrative incursions into threat and programming models for a more technically oriented audience.

Topics include:

• Quick primer on applied cryptography
• Quick primer on operating systems security
• Trusted hardware threat and deployment model
• Certification standards
  • CCA
  • FIPS 140-2
• Hardware design challenges
• Hardware details
  • Encryption disks
  • Smartcards
  • TPMs
  • Network Appliances
  • Cryptographic co-processors
• Trusted hardware-aware application design challenges
• Applications
  • Regulatory-compliant systems
  • Financial transaction management
  • Secure storage
• Programming demonstration