M1 Botnets: Understanding and Defense NEW!
Bruce Potter, The Shmoo Group
9:00 a.m.–5:00 p.m.
Who should attend: IT security professionals, system administrators,
and network administrators who want to learn the inner workings of
botnets and how to defend against them.
Described by some as the largest threat to the global Internet,
botnets are largely hidden from the average Internet user. Botnets
have a long legacy and initially were not used for malicious
purposes. However, as bots have evolved, they have taken on sinister
uses. Using thousands of compromised machines, botnets can be used
for a variety of tasks including sending mountains of spam, launching
crushing denial-of-service attacks, and harvesting massive amounts
of personal information. One of the unfortunate aspects of botnets
is that many individuals are active participants in botnets and do
not even know it. Bots have become very sophisticated at hiding
themselves from anti-virus and security programs. Also, many bots
have even become resilient to large-scale network security systems
and represent problems to not just home users but to large enterprises
as well.
Take back to work: A broad understanding of the current threat from
botnets, how they work, and how to defend against them.
Topics include:
- History of botnets: From their innocuous roots to the current worldwide threat
- Botnet uses: A broad view of the actual threats from current bots, including network and system analysis
- Scope of the current botnet problem: The current problem is larger than you may think
- Botnet communications: Command and control of botnets exposed
- Internal structure: A breakdown of the functionality of modern botnets, including hiding, propagation, and modularity
- Examination of some standard bots: We will look at some of the classic bots (Agobot, SDBot, Storm, etc.) in order to gain a better understanding of what we're defending against
- Host-based botnet defenses: Practical guidance on what can really be done to detect and defend against bots at the host level
- Network-based botnet defenses: More practical guidance, but this time at the network level
- Future of botnets: A brief discussion of where bots are going so that we can arm ourselves against future outbreaks
M2 Computer Forensics NEW!
Simson L. Garfinkel, Naval Postgraduate School
9:00 a.m.–5:00 p.m.
Who should attend: Anyone interested in forensics: recovering lost or deleted data, hunting for clues, and tracking information.
Take back to work:
- Modern forensic tools, including both open source and commercial
- Drill-down familiarity with disk forensics, including specific tools and techniques
- The history of computer forensics (celebrated cases)
- The legal environment that governs forensics in the U.S.
- Enough information about operating systems to understand why forensic tools are possible, what they can do, and their limits
Computer forensics is the study of information stored in computer
systems for the purpose of learning what happened to that computer at
some point in the past—and for making a convincing argument about
what was learned in a court of law. Today computer forensics covers
four broad categories:
- Hard drive forensics, which aims to inventory and locate information that is on a computer's hard drive, whether or not the information is visible to the computer's user. Hard drive forensics includes the recovery of deleted files and file fragments, the construction of timelines, and the creation of profiles of a computer's user.
- Memory forensics, which analyzes the memory (or memory dump) of a computer system to reveal information about what the computer has been doing.
- Network forensics, which captures and analyzes information moving over a computer network. Network forensics can be based on full-content analysis or the analysis of network flows.
- Document forensics, in which specific files are analyzed for subtle and possibly hidden information. Document forensics can recover deleted information from Microsoft Word files or reveal which computers were used to create an individual file.
Topics include:
- Introduction to computer forensics
- What is forensics?
- Why is information left behind on computer systems?
- Forensics history
- Computer forensics vs. physical forensics
- ASCII and Unicode
- Memory forensics and file carving
- Memory hierarchy, swap space, sleep and hibernation
- Tools for understanding:
- Microsoft memory
- UNIX memory
- Carving memory and disk partitions
- Forensics and policy
- Forensics and the law (discovery, criminal law, etc.)
- The federal rules of evidence
- Forensics history
- The C.S.I. effect
- Disk forensics
- Understanding file systems
- ASCII and Unicode
- Recovery of deleted files without the use of forensic tools
- Recovery of deleted files with commercial and open source tools
- What to do when you can't recover an entire file
- Hash code databases
- Network forensics
- Understanding IP packets, UDP, TCP, protocols (in 5 minutes)
- Understanding network hubs, switches, where you monitor
- Data rates
- Flows vs. full-content
- Using commercial and open source tools
- Wireshark (Ethereal)
- NetIntercept
- Document and Web forensics
- MS Word structure
- PDF structure
- Identifying similar documents
- Anti-forensics
M3 Securing Virtual Environments NEW!
Phil Cox, SystemExperts Corporation
9:00 a.m.–5:00 p.m.
Who should attend: Site managers charged with selecting and setting virtual environment security
requirements, general users who want to know more about the security features
of popular virtual environments, and system administrators who are tasked with
implementing or maintaining the security of virtual environments.
Take back to work:
A familiarity with
current virtualization and popular technical implementations of it, as well as an understanding of how to secure virtual environments that
use those current technologies.
Virtualization is popping up all over corporate networks and may soon
comprise a significant proportion of the services provided by a company.
As virtual environments become more pervasive, the proper administration
and security of them becomes critical to the security of the entire
corporate network. The instructors of this tutorial present the problems
and solutions surrounding the security of virtual environments. They
will focus on the three main virtualization products in use today:
VMware, Xen, and Microsoft Virtual Server. The instructors will focus on
practical information and solutions that people who use the technologies
(or are tasked with providing it to their companies) can use. Some of
the topics will be demonstrated live during the course.
This course assumes no previous knowledge or experience with virtual
server technologies.
Topics include:
- Virtualization 101
- What is it?
- Who's using what?
- What really matters?
- Threats
- What are the issues?
- How can configuration problems hurt you?
- Popular technologies
- VMware
- Xen
- Microsoft Virtual Server
- Configuring a secure virtual environment
- Securing the host OS
- Securing the guest machine
- Miscellaneous Topics
T1 Network Flow Analysis NEW!
Bruce Potter, The Shmoo Group
9:00 a.m.–5:00 p.m.
Who should attend: IT security professionals, network engineers,
and IT managers who want to learn how to analyze, and learn from,
the traffic on their networks.
Take back to work:
An understanding of how to deploy NetFlow capability
within your network, as well as tools and techniques for analyzing
the resulting data.
We put a great deal of effort into controlling the data we have on
our networks. Firewalls attempt to keep out the bad guys, proxies
inspect traffic that goes in and out of the enterprise, and intrusion
detection systems attempt to find attacks as they occur. But do
you know what's really going on inside your network? Are your
policies and protections keeping out the bad guys, or do you have
problems that you are unaware of?
Most modern networks have the ability to view deep into your traffic,
but many organizations don't even know it. Most routers and even
some firewalls can export network flow data, information about the
type of traffic, and where it's going. By analyzing this data, you
can quickly find interesting traffic including use of unauthorized
software, malware, and malfunctioning systems.
This tutorial will guide attendees through the basics of network
flows, how to configure systems to export flow data, and how to
examine flows to look for anomalous and malicious behavior.
Topics include:
- Network analysis basics: What network analysis is, when it is appropriate, and its role in IT security
- Understanding NetFlow: A primer on Cisco's NetFlow implementation, the various NetFlow versions, and other flow-based architectures
- NetFlow sensor placement: Where to deploy NetFlow sensors for maximum effectiveness
- Configuring Cisco devices for NetFlow: How to configure and customize various versions of NetFlow using a Cisco router
- Using softflowd on Linux: For times when you don't have access to a NetFlow-capable router, the OSS package softflowd can do the job instead
- NetFlow analysis with Psyche: Psyche is an OSS tool for basic statistical analysis of NetFlow; the tutorial will include analysis of "known bad" data
- NetFlow analysis with SiLK: SiLK is a more advanced NetFlow tool; the tutorial will include analysis of more "known bad" data
- Future ideas: A brief discussion on other uses for NetFlow in your network
T2 Forensics Lab (Hands-on) NEW!
Simson L. Garfinkel, Naval Postgraduate School
9:00 a.m.–5:00 p.m.
Who should attend: Anyone interested in forensics: recovering lost or deleted data, hunting for clues, and tracking information.
Take back to work:
Experience using forensic tools you can apply to your work and home systems; a deeper understanding of what computer forensics can do and how it's done.
This tutorial will give participants hands-on experience using
commercial and open source forensics tools. The lab will consist of
two parts. In the first part of the lab the students will be given a
CD-ROM containing tools and test data. The instructor will go through the
tools with the students following along. In the second half of the lab
the students will be given a second CD-ROM containing data from a
fictional case involving an abducted teenager. A second case will
involve a financial crime. The students will then be asked to "solve
the crime."
Tools we will use:
- Guidance Software's EnCase, academic edition (commercial tool)
- VMware Player (to play the virtual machine)
- Helix Boot CD (open source Linux bootable CD with many forensics tools pre-installed)
- Fedora Core 8 virtual machine with pre-installed tools, including:
Topics include:
- Introduction to EnCase
- Lab 1: Using EnCase—basic exercises
- Lab 2: Find the missing child
- Lab 3: Financial crime—a complicated case with many pieces of evidence
T3 SOA, Web Services, and XML Security NEW!
Gunnar Peterson, Arctec Group
9:00 a.m.–5:00 p.m.
Who should attend: Security people, software developers, and systems architects who are
interested in learning about vulnerabilities and in how to build security into the
Web services environment.
Take back to work:
An understanding of how an attacker looks at Web services, how to architect security services in Web services and SOA, and how to use best practices in your architecture.
Learn the real risks in SOA, Web services, and XML, not just the hype! This session takes a pragmatic approach toward
identifying those security risks and selecting and applying
countermeasures to the application, code, Web, database,
and identity servers and related software.
Many enterprises are currently developing new Web services or adding Web services functionality into existing applications. Now is
the time to build security into the system!
Topics include:
- Understanding how Web application risks (such as
those in OWASP Guide and OWASP Top Ten) apply in a Web services world
- Web services attack patterns
- Common XML attack patterns
- Data and XML security using WS-Security, SAML, XML Encryption, and XML Digital Signatures
- Identity services and federation with SAML and Liberty
- Hardening Web services servers
- Input validation for Web services
- Integrating Web services securely with backend resources and applications using WS-Trust
- Secure exception handling in Web services
- The impact of Web 2.0 technologies such as Ajax and REST on
distributed systems security
T4 Understanding and Deploying Trusted Hardware (Hands-on) NEW!
Radu Sion, Stony Brook Trusted Hardware Lab; Sean Smith, Dartmouth PKI/Trust Laboratory
9:00 a.m.–5:00 p.m.
Who should attend: Programmers and managers involved in the architectural
design, specification, deployment, or maintenance of financial, healthcare,
and governmental applications handling security-sensitive data. No specific
security or cryptography knowledge is required, although a basic understanding
of operating systems and data management will help. An introduction to prerequisite concepts in computer security (applied cryptography
and system security) will be provided as part of the tutorial, to facilitate
a thorough understanding of its core.
Take back to work:
The basic knowledge
and hands-on experience to understand, architect, and deploy
trusted hardware-aware infrastructures as part of legacy or novel
applications.
The tutorial offers a thorough exploration, with selected
hands-on demonstrations, of existing trusted hardware components, associated
threat and deployment models, limitations, security certification processes,
and programming models. The tutorial will feature a multi-level approach, allowing
both an overview understanding of trusted hardware geared to IT management
participants and a set of demonstrative incursions into threat
and programming models for a more technically oriented audience.
Topics include:
- Quick primer on applied cryptography
- Quick primer on operating systems security
- Trusted hardware threat and deployment model
- Certification standards
- Hardware design challenges
- Hardware details
- Encryption disks
- Smartcards
- TPMs
- Network Appliances
- Cryptographic co-processors
- Trusted hardware-aware application design challenges
- Applications
- Regulatory-compliant systems
- Financial transaction management
- Secure storage
- Programming demonstration