TRAINING TRACK Overview | By Day (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday) | By Instructor | All in One File Locations: See the overview.

Thursday, July 1, 2004

R1 Hacking & Securing Web-based Applications—Hands-On (Day 1 of 2) David Rhoades, Maven Security Consulting, Inc. 10:30 a.m.–6:00 p.m. Who should attend: People who are auditing Web application security, developing Web applications, or managing the development of a Web application. Is your Web application secure? CD Universe, CreditCard.com, and others have found out the hard way: encryption and firewalls are not enough. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are incapable of locating security issues for Web-based applications. With numerous real-world examples from the instructor's years of experience with security assessments, this informative and entertaining course is based on fact, not theory. The course material is presented in a step-by-step approach, and will apply to Web portals, e-commerce (B2B or B2C), online banking, shopping, subscription-based services, or any Web-enabled application. Class exercises will require that students have an x86-based laptop computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet network card. Please download a copy of KNOPPIX-STD (https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system on a network offering DHCP. Be sure your network card is recognized by Knoppix-STD, otherwise you will not be able to participate in most classroom exercises. Wireless access will not be supported during class. Topics include: The primary risks facing Web applications Exposures and vulnerabilities in HTML and JavaScript, authentication, and session tracking Tools, techniques, and methodologies required to locate weaknesses Recommendations for mitigating exposures found Best practices for Web application security Students will be provided access to several target Web applications. Some of these applications are real applications with known security issues. Others are mock applications designed by Maven Security to simulate real security issues. At each step, the instructor will supply the tools needed and demonstrate the required techniques. All software provided will be publicly available freeware. Day 1 Introduction The problem and root causes Web primer: HTTP and HTML Foundational security OS vulnerabilities Web server security highlights Web server and Web application output HTTP headers HTML and JavaScript Encryption ciphers Error messages Caching Authentication Authentication: digital certificates; form-based; HTTP basic Threats to authentication Sign-on User name harvesting Brute-force password guessing Password harvesting Resource exhaustion Day 2 Session issues Session tracking mechanisms Session ID best practices Session cloning Transaction issues Malicious user input Hidden form elements GET vs. POST JavaScript filters Improper application logic Cross-site scripting (XSS) Third-party products Testing procedures Methodology and safety David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore). R2 Implementing LDAP Directories Gerald Carter, Samba Team/Hewlett-Packard 10:30 a.m.–6:00 p.m. Who should attend: Both LDAP directory administrators and architects. The focus is on integrating standard network services with LDAP directories. The examples are based on UNIX hosts and the OpenLDAP directory server and will include actual working demonstrations throughout the course. System administrators today run a variety of directory services, although these are referred to by names such as DNS and NIS. The Lightweight Directory Access Protocol (LDAP) is the up-and-coming successor to the X500 directory and has the promise of allowing administrators to consolidate multiple existing directories into one. Topics include: Replacing NIS domains Integrating Samba user accounts Authenticating RADIUS clients Integrating MTAs such as Sendmail, Qmail, or Postfix Creating address books for mail clients Managing user access to HTTP and FTP services Storing DNS zone information Managing printer information Gerald Carter (R2, F2) has been a member of the Samba Team since 1998. He has published articles in various Web-based magazines and gives instructional courses as a consultant for several companies. Currently employed by Hewlett-Packard as a Samba developer, Gerald has written books for SAMS Publishing and is the author of the recent LDAP System Administration (O'Reilly & Associates). R4 But Is It UNIX? A Mac OS X Administrator's Survival Guide Aeleen Frisch, Exponential Consulting 10:30 a.m.–6:00 p.m. Who should attend: UNIX system administrators who want or need to administer Macintosh systems running Mac OS X and/or Mac OS X Server. Familiarity with standard UNIX system administration concepts and tasks is assumed. No previous Macintosh experience is necessary. Experienced Macintosh users who want to learn about system administration tasks in the Mac OS X environment will also benefit from this course. People very familiar with Max OS X or with the NeXTSTEP environment will find much of this material to be a review. Note that comparisons with NeXTSTEP will not be made. Topics include: What is this beast and what's Darwin (and why should I care)? System architecture Basic tasks Installation hints and pitfalls Software packages Startup and shutdown File and file systems File system layout File types: resource forks, applications, etc. User management Users and groups Mac OS X shared domains Managed preferences Networking Client configuration Managing standard TCP/IP daemons: DNS, DHCP, NTP, and so on The Mac OS X multiprotocol environment Rendezvous and its implications Process management and performance Managing funky Mac peripherals and user expectations Mac OS X security architecture and implementation We will note interactions between the UNIX implementation and the Mac graphical user/administrative environment. Aeleen Frisch (T3, W3, R4) has been a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition).   R5 Intrusion Detection and Prevention Systems Marcus Ranum, Trusecure Corp. 10:30 a.m.–6:00 p.m. Who should attend: Network or security managers responsible for an IDS roll-out, security auditors interested in assessing IDS capabilities, security managers involved in IDS product selection. Overview: This workshop covers the real-world issues you'll encounter as part of doing an intrusion detection roll-out or product selection. Attendees will learn the advantages and disadvantages of popular approaches to Intrusion Detection Systems (IDSes), how to deal with false positives and noise, where to deploy IDSes, how to test them, how to build out-of-band IDS management networks, and how they interact with switches, routers, and firewalls. Topics include: Technologies IDS and IPS: what they are and how they work Burglar alarms and honeypots—low-rent IDS Misuse detection and anomaly detection False positives, noise, and false alarms Does freeware stack up to the commercial products? Deployment issues Where to place IDS within the network Alert tuning: what it is and how it works How to estimate the size of an IDS deployment How to size and design a logging / management architecture Tools and tricks for logging and event correlation A typical IDS roll-out How to test an IDS for correct function IDS benchmarks: bogus and bogusest Management issues How to justify the expenditures on an IDS to management Cyclical maintenance Alert management procedures Marcus Ranum (T5, R5, F5) is senior scientist at Trusecure Corp. and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.