Gary McGraw, Cigital
Who should attend: Software developers who want to improve the security and salability of their products. You will learn current best practices and come away with a clear action plan for attacking the software
security problem in your organization.
This tutorial explains why the key to proactive computer security is
making software behave, and then goes on to tell you how to do it.
Microsoft's Trustworthy Computing Initiative, begun in January 2002, has
changed the way Microsoft builds software. To date, Microsoft has spent
over $500 million (2000 worker years) on their software security push.
Given the emerging importance of software security and reliability to
high-profile software vendors, you need to figure out what to do about the software you develop.
Topics include:
- The role of awareness and training (for development staff)
- The importance of technology choices (language, OS, development tools, testing tools)
- How to weave security analysis throughout the software development lifecycle
- Building abuse and misuse cases
- The role of architectural risk analysis: who, how, and when
- The role of code review: use of advanced tools
- Security testing (and how it differs from functional testing)
- Post facto application security (deployment issues)
- Measuring return on investment
Gary McGraw (T1), Cigital, Inc.'s CTO, researches software security and sets
technical vision in the area of Software Quality Management. Dr. McGraw
is co-author of four popular books: Java Security (Wiley, 1996),
Securing Java (Wiley, 1999), Software Fault Injection (Wiley 1998), and
Building Secure Software (Addison-Wesley, 2001). His fifth book,
Exploiting Software (Addison-Wesley), was released in February 2004. A
noted authority on software and application security, Dr. McGraw
consults with major software producers and consumers. Dr. McGraw has
written over sixty peer-reviewed technical publications and functions as
principal investigator on grants from Air Force Research Labs, DARPA,
National Science Foundation, and NIST's Advanced Technology Program. He
serves on Advisory Boards of Authentica, Counterpane, Fortify Software,
and Indigo Security as well as advising the CS Department at UC Davis.
Dr. McGraw holds a dual Ph.D. in Cognitive Science and Computer Science
from Indiana University and a B.A. in Philosophy from UVa. He regularly
contributes to popular trade publications and is often quoted in
national press articles.
T2
System Log Aggregation, Statistics, and Analysis
Marcus Ranum, Trusecure Corp.
Who should attend: System and network administrators who are interested in
learning what's going on in their firewalls, servers, network,
and systems; anyone responsible for security and audit or
forensic analysis.
This tutorial covers techniques and software tools for
building your own log analysis system, from aggregating
all your data in a single place, through normalizing it,
searching, and summarizing, to generating statistics and
alerts and warehousing it. We will focus primarily on
open source tools for the UNIX environment, but will
also describe tools for dealing with Windows systems
and various devices such as routers and firewalls.
Topics include:
- Estimating log quantities and log system requirements
- Syslog: mediocre but pervasive logging protocol
- Back-hauling your logs
- Building a central loghost
- Dealing with Windows logs
- Logging on Windows loghosts
- Parsing and normalizing
- Finding needles in haystacks: searching logs
- I'm dumb, but it works: artificial ignorance
- Bayesian spam filters for logging
- Storage and rotation
- Databases and logs
- Leveraging the human eyeball: graphing log data
- Alerting
- Legalities of logs as evidence
Marcus Ranum (M2, T2) is senior scientist at Trusecure Corp. and a world-renowned expert
on security system design and implementation.
He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.
T3
Network Security Assessments Workshop
David Rhoades, Maven Security Consulting, Inc.
Who should attend: Anyone who needs to understand how to perform an effective and safe network assessment.
How do you test a network for security vulnerabilities? Just plug some IP addresses into a network-scanning tool and click SCAN, right? If only it were that easy. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are fraught with dangers: accidental denial-of-service, false positives, false negatives, and long-winded reporting, to name but a few. Performing a security assessment (a.k.a. vulnerability assessment or penetration test) against a network environment requires preparation, the right tools, methodology, knowledge, and more. This workshop will cover the essential topics for performing
an effective and safe network assessment.
Key concepts will be demonstrated on a target network consisting of
several Windows and UNIX-based servers, as well as various routing
components. The instructor will demonstrate selected steps of a general
network assessment against this target network. All software described will
be publicly available freeware, although some mention will be made of
commercially available tools.
Topics include:
- Preparation: What is needed before getting started
- Safety Measures: This often overlooked topic will cover important yet
practical steps to ensuring that adverse effects on critical networks
and systems are minimized (if not eliminated).
- Architecture Considerations: Where you scan from affects how you perform
the assessment.
- Inventory: Taking an accurate inventory of active systems and protocols
on the target network.
- Tools of the Trade: How to effectively use various security tools
(commercial and freeware) will be demonstrated. Common pitfalls to
avoid will be highlighted.
- Automated Scanning: Best-of-class scanning tools will be covered,
including valuable tips on their proper use. These tips are mostly
vendor-neutral, and can be applied to any automated scanning tool.
- Research and Development: High-level overview of what to do when you
encounter unknown services or existing tools are insufficient for
proper testing.
- Documentation and Audit Trail: How to simply and effectively record
your actions. Accurate audit logs will prevent overlooking valuable
results or forgetting key tests.
- Reporting: How to compile results into a format useful for corrective
action and trending your security posture over time.
David Rhoades (T3) is a principal consultant with Maven Security Consulting, Inc.
Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore).
T4
Malicious Cryptography
Moti Yung, Columbia University
Who should attend: Security professionals who are involved in various aspects of securing
software and hardware systems. Minimal knowledge of cryptography is
required.
In the public eye, cryptography is virtually synonymous with security:
it hides, protects, assures integrity, and enables trust relationships
within information systems. We have asked "are there other uses
of cryptography that security professionals need to be aware of?"
This question led us to investigate unorthodox uses of cryptography
that will be covered in this tutorial. We will discuss information
security threats that result from combining strong cryptography
with malware to attack information systems; we call this phenomenon
"cryptovirology".
Further attacks will be presented that pit cryptography against
cryptography itself by maliciously utilizing cryptographic techniques
to attack implementations of cryptosystems (called "kleptographic
attacks"). Malicious cryptographic mechanisms exploit modern
cryptographic notions, constructions and tools that have been
developed in the last 25 years to assure system security. But they
utilize them as a "dark side" technology (i.e., as methods that
increase threats and, perhaps paradoxically, reduce overall system
security). The need for guarding and employing countermeasures
against such potential threats will be discussed as well.
Moti Yung (T4) received a Ph.D. in Computer Science from Columbia
University.
He is currently a Senior Visiting Researcher at Columbia
University's Computer Science Department and an Industry Consultant.
Previously, he was a cryptographer and V.P. with CertCo and with IBM
Research Division, where he received IBM's outstanding innovation
award for his research contributions leading to products. He is an
editor of the Journal of Cryptology and of the International Journal
on Information Security, and served as Program Chair for Crypto
2002. He has published works on numerous aspects of cryptography,
security, and on foundations of computer science; recently he
coauthored a book on Malicious Cryptography (Wiley 2004).