R1 Hacking & Securing Web-based Applications
David Rhoades, Maven Security Consulting, Inc.
9:00 a.m.5:00 p.m.
Who should attend: People who are auditing Web application security,
developing Web applications, or managing the development of a Web
Is your Web application secure? CD Universe, CreditCard.com, and
others have found out the hard way: encryption and firewalls are
not enough. Numerous commercial and freeware tools assist in locating network-level
security vulnerabilities. However, these tools are incapable of
locating security issues for Web-based applications.
With numerous real-world examples from the instructor's years of
experience with security assessments, this informative and entertaining
course is based on fact, not theory. The course material is
presented in a step-by-step approach, and will apply to Web portals,
e-commerce (B2B or B2C), online banking, shopping, subscription-based
services, or any Web-enabled application.
Students will learn:
Students will be shown several target Web applications.
Some of these applications are real applications with known security
issues. Others are mock applications
designed by Maven Security to simulate real security issues. At
each step, the instructor will demonstrate the tools needed and
the required techniques. All software demonstrated will be publicly available freeware.
- The primary risks facing Web applications
and session tracking
- Tools, techniques, and methodologies required to locate weaknesses
- Recommendations for mitigating exposures found
- Best practices for Web application security
- OS vulnerabilities
- Web server security highlights
Web server and Web application output
- HTTP headers
- Encryption ciphers
- Error messages
- Authentication: digital certificates; form-based; HTTP basic
- Threats to authentication
- User name harvesting
- Brute-force password guessing
- Password harvesting
- Resource exhaustion
- Session tracking mechanisms
- Session ID best practices
- Session cloning
- Malicious user input
- Hidden form elements
- GET vs. POST
- Improper application logic
- Cross-site scripting (XSS)
- Third-party products
- Testing procedures
- Methodology and safety
David Rhoades (R1) is a principal consultant with Maven Security
Consulting, Inc. Since 1996, David has provided information protection services
for various FORTUNE 500 customers. His work has taken him across the US
and abroad to Europe and Asia, where he has lectured and consulted in
various areas of information security. David has a B.S. in computer
engineering from the Pennsylvania State University and has taught
for the SANS Institute, the MIS Training Institute, and ISACA.
R2 Network Security Monitoring with Open Source Tools
Richard Bejtlich, TaoSecurity.com
9:00 a.m.5:00 p.m.
Who should attend: Engineers and analysts
who detect and respond to security incidents. Participants should be
familiar with TCP/IP. Command-line knowledge of BSD, Linux, or another
UNIX-like operating system is a plus. A general knowledge of offensive
and defensive security principles is helpful.
This tutorial will equip participants with the theory, tools, and
techniques to detect and respond to security incidents. Network
Security Monitoring (NSM) is the collection, analysis, and escalation of
indications and warnings to detect and respond to intrusions. NSM
relies upon alert data, session data, full content data, and statistical
data to provide analysts with the information needed to achieve network
awareness. Whereas intrusion detection cares more about identifying
successful and usually known attack methods, NSM is more concerned with
providing evidence to scope the extent of an intrusion, assess its
impact, and propose efficient, effective remediation steps.
NSM theory will help participants understand the various sorts of data
that must be collected. This tutorial will bring theory to life by
introducing numerous open source tools for each category of NSM data.
Attendees will be able to deploy these tools alongside existing
commercial or open source systems to augment their network awareness and
Material in the class is supported by the author's book The Tao of
Network Security Monitoring: Beyond Intrusion Detection
(Addison-Wesley, 2005; http://www.taosecurity.com/books.html).
- NSM theory
- Building and deploying NSM sensors
- Accessing wired and wireless traffic
- Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger
- Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
- Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
- Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records
- Sguil (sguil.sf.net)
- Case studies, personal war stories, and attendee participation
Richard Bejtlich (R2) is technical director for specialized security
monitoring in ManTech International Corporation's Computer Forensics
and Intrusion Analysis division. He was previously a principal
consultant at Foundstone, performing incident response, emergency
network security monitoring, and security research. Prior to joining
Foundstone in 2002, Richard served as senior engineer for managed
network security operations at Ball Aerospace & Technologies
Corporation. From 1998 to 2001 Richard defended global American
information assets as a captain in the Air Force Computer Emergency
Response Team (AFCERT). He led the AFCERT's real time intrusion
detection mission, supervising 60 civilian and military analysts.
He is the author of The Tao of Network Security Monitoring:
Beyond Intrusion Detection and the co-author of the forthcoming
Real Digital Forensics, both published by Addison-Wesley. He
also wrote original material for Hacking Exposed, 4th Edition, and
Incident Response, 2nd Edition, both published by McGraw-Hill/Osborne.
He acquired his CISSP certification in 2001 and CIFI credentials
in 2004. His home page is http://www.taosecurity.com and his popular Web
log resides at http://taosecurity.blogspot.com.
R3 Configuration Management with Cfengine
Mark Burgess, Oslo University College
9:00 a.m.5:00 p.m.
Who should attend: System administrators with a basic
knowledge of scripting who wish to get to grips with cfengine to
automate the maintenance and security of their systems. UNIX
administrators will be most at home in this tutorial, but cfengine can
also be used on Windows 2000 and above. This tutorial works as a guide to the
extensive documentation, focusing pragmatically on the key issues and
filtering out details.
Cfengine is a tool for setting up and maintaining a configuration
across a network of hosts. It is sometimes called a tool for "Computer
Immunology"your computer's own immune system. You can think of
cfengine as a very high-level language, much higher-level than Perl
or shell, together with a smart agent. The idea behind cfengine is to
create a single "policy" or set of configuration files that describes
the setup of every host on your network, without sacrificing their
Cfengine runs on every host and makes sure that it is in a
policy-conformant state; if necessary, any deviations from policy
rules are fixed automatically. Unlike tools such as rdist, cfengine does
not require hosts to open themselves to any central authority nor to
subscribe to a fixed image of files. It is a modern tool, supporting
state-of-the-art encryption and IPv6 transport, that can handle
distribution and customization of system resources in huge networks
(tens of thousands of hosts). Cfengine runs on hundreds of thousands
of computers all over the world.
- The components of cfengine and how they are used
- How to get the system running
- How to develop a suitable policy, step by step
- Organizing configuration files (updating and configuring)
- Ordering issues in configuration management
- Cfservd security and key deployment
- Searching for data with filters
- Special functions and arrays
- Alerts and persistent classes
- Multi-homed host issues
- IPv6 issues
- Methods and modules and when to use them
- Host monitoring with FriendStatus
- Anomaly detection and response with cfenvd
- What is coming in cfengine?
Mark Burgess (R3) is a professor at Oslo University College and is the
cfengine. He has been researching the
principles of network
and system administration for over ten years and is the author
of Principles of Network and System Administration (John Wiley & Sons).
He is frequently invited to speak at conferences.