The Peter Kiewit Institute
Scott Conference Center
Omaha, NE USA
|
Conference: August 5 - 7, 2003 The Peter Kiewit Institute Scott Conference Center Omaha, NE USA |
|
Home Page
CONTACT INFO CONFERENCE |
Keynote Sessions TK-1:Ray Semko WK-2: Jim Christy HK-3: Georgia Killcrece Sessions TT-1:Introduction to Forensics 101 Joseph A. Juchniewicz, Americredit Abstract The ability to have a valid, reliable medium for information transfer has grown from a select group of universities, into the juggernaut of today’s information highway. As with any kind of technology, some individuals may corrupt the system and use it for malicious or illegal activities. These threats need to be examined to discover if they are internal “employees” or external “hackers”. To create a defense against these threats, today’s security professionals require the ability to not only gather information, but to be able to present the data to management, lawyers or even a judge and jury at a level that they can understand and make valid conclusions if called upon to do so. In the current environment computer forensics is in its’ infancy, but is starting to be a widely used tool. Its importance is starting to take shape and be recognized, for its importance and within the next five years, will be an integral part of any computer investigation. TT-2: Methodology for Incident Prevention & Response (MIPR) Robert Bagnall, IDefense Abstract The MIPR is a process for standardizing how contractors deliver CERT services at customer locations. The analogy is that McDonald's became a global American icon by making sure that the burger you order in California tastes the same as the one you order in Nebraska - or Washington, DC. You expect the same level of service delivery everywhere you see their sign, and it should be no different with CERT operations delivered by the same company. Through a series of steps with consistent processes and supportive technologies [such as asymmetrical agent defenses], Bagnall demonstrates how to standardize CERT delivery, regardless of customer, as well as how to provide a consistent level of skilled personnel to each operation. TT-3: Process Capability for Information Assurance: Security Engineering Practices for Better Bottom-Line Results Matthew O’Brien, SAIC Abstract Assessments of an enterprise’s security posture have historically taken a balance sheet approach: listing discrete technical strengths and weaknesses at a specified point in time. This emphasis often obscures the issue of an enterprise’s ability to consistently execute security-engineering practices that prevent, identify and remedy security vulnerabilities. Capability maturity models provide a framework to build process capability. For Information Assurance, process capability maturity is the heart of the matter--the robustness of an enterprise’s security posture is ultimately dependent upon consistent execution of security engineering practices. TT-4 & TT-5: Best Practices for Secure Development, Free Security Ron Woerner, Solutionary Abstract The National Strategy to Secure Cyberspace says, "An important goal of cybersecurity will be the development of highly secure, trustworthy, and resilient computer systems." But how do we do that?! This session will discuss general security guidelines for developers and will explain methods of security and software engineering. The presenter will give specific tips on secure programming that will benefit developers, program managers and project leaders alike. You will leave this session understanding how to develop your own methodology for creating secure code to help meet this critical goal of the Cybersecurity Strategy. WT-1: Using Cryptographic Methods to Verify the Authenticity of Mobile Agents Dr. Volker Roth, CRCG Omaha and Fraunhofer, Germany WT-2: Wireless LANs, Lessons Learned David Borden, ACS Defense Abstract After hearing the session, the student should be able to describe a wireless network and enumerate how it differs from a wired network. They should understand the various relevant IEEE Protocols dealing with wireless networking. The student should be able to describe good wireless network security practices and know why they are important. They should be able to list adversaries’ attacks on the wireless network and describe the defense against each attack. The student should be able to describe wireless intrusion detection system techniques and know how they differ from wired systems. They should leave the session with a feeling that they could employ wireless networking without fear of hacker attack using the techniques enumerated. WT-3: Web Application Security: Risks and Concepts of Security Kris Drent, Partner, Information Security Consultant, Security PS, Inc. Abstract Drawing from years of field experience and research, this eye-opening session puts web applications security in perspective and presents an overview of the kinds of vulnerabilities and risks that are prevalent in web applications today. The topics of this event include: application of information security principles, web application risks and vulnerability examples, network/host security versus web application security, and first steps toward mitigating web application security risk. This seminar is designed for anyone actively involved with designing, developing, auditing, or deploying web applications within their organization. WT-4: Kerberos and Active Directory Interop Bob McCoy, Microsoft Corporation Abstract Everyone is looking for a single sign-on solution. This session will look at using Kerberos for authenticating to Active Directory. We will also explore the mechanics and available tools for managing UNIX/Linux users in an AD environment. WT-5: Effective Use of SNORT IDS System Aaron Grothe, President/CEO of Heimdall Linux Incorporated Abstract This talk will go into some of the lessons learned and experiences gathered during the process of running Snort in a large enterprise company. A rough comparison of Snort to other IDS systems will be included. During its initial six month run quite a bit of data was gathered and several changes to policy and network infrastructure were implemented. This talk will also cover some of the ideas considered for the next six months. HT-1, HT-2: Open Source and Incident Response Joe Loftshult, InteliData Technologies Abstract When you know, or suspect, that one or more of your systems has been compromised and you want to investigate the incident, how do you do it? You can buy a commercial product (hardware and/or software) that will assist you in the incident response and/or forensic analysis process, but why spend thousands of dollars on such products when you can achieve the same results using open source tools. The open source community has provided many terrific tools ranging from the standard Unix/GNU tools to toolkits such as TASK to bootable, all-inclusive toolkits such as F.I.R.E. This presentation will describe some of the tools available in the open source world, with an emphasis on the F.I.R.E. (Forensic and Incident Response Environment) toolkit. This presentation is targeted at those who are in positions in which they may need to respond to security incidents and don’t want to spend a fortune putting together a good jump kit. HT-3: A Methodology to Implement, Operate, and Maintain an Information Security Process Leonardo Garcia, Intelematica Abstract The main objective of this session is to share with the audience the experience at the Mexico Federal Government projects. This session will cover implementation, operation, and maintenance of information security processes and will explain the methodology and how this methodology has fundament on an strategic, tactic and operative program. HT-4, HT-5: System and Network Hacking David Askey, TechNow, Inc. Abstract This two-hour tutorial exposes the strategies and attacks of the hacker. Question and answer session follows the tutorial. Attendees do not just get lectured on vulnerabilities and exploits, but see hands-on demos of network attacks utilizing systems, routers, and switches. This inspires the attendee to really think about their enterprise implementations. The specific attacks demonstrated are ARP spoofing, switch attacks, router attacks, session hijacking, and the effects of network visibility (including wireless) in viewing file, web traffic displayed in a browser, and email. Also a step-by-step demo is given on how Trojans and backdoors that circumvent Firewalls and Router access control lists are deployed. The presenter then discusses how the backdoor and Trojans are used to deploy agents that perform the network attacks presented earlier in the tutorial. The technical process of the attacks is discussed prior to each demo and live packet traces are displayed during the demo. This tutorial tells the story of attacks, from beginning to end, demonstrated with working exploits from a highly qualified presenter. TM-1 TM-2: Solaris 8 Tom Roehr, Physicians Mutual TM-3: Organizational Issues of Implementing IDS Shayne Pitcock, First Data Corporation Abstract Companies are aware of the need for a firewall to deny unauthorized access, computing hacking, or intrusions to their computing systems. Companies may also be aware of the need for Intrusion Detection Systems (IDS) to monitor possible computing intrusions. Most companies don’t understand the total commitment and extensive requirements to implement IDS tools. The key factor is that someone must monitor the IDS tools for effective, proactive monitoring of possible computing intrusions. IDS tools are useful for monitoring the network traffic allowed to pass a company firewall. IDS tools are also useful for monitoring the critical system files of a company's business. The company that wishes to implement IDS tools must understand that installing the IDS tools is only 20% of the effort. The remaining 80% of the effort to implement IDS tools requires that a company must work through issues identified in this report. An adequate systems and programmatic approach will address the problems around the installation of IDS tools. TM-4: Day in the Life of a Hacker Michael Endrizzi, InterSec Abstract "Day in the Life of a Hacker" is an interactive introduction to the techniques of Internet hackers and the serious dangers they pose to organizations. This interactive presentation designed to be understood by the CEO, technical workers, or your everyday employee, challenges the audience to play the roles of a hacker versus security analyst in a game of measures, attacks and countermeasures. The audience attempts to identify defenses as the hackers work to find these major weaknesses. Highlights include a detailed analysis of buffer overflow and Malicious Mobile Code (Java/ActiveX) attacks that have crippled the Pentagon and Microsoft. Most of the demonstrated attacks are not stopped by firewalls or intrusion detection systems. As a result, anyone from a CEO to your Network Administrator will understand that technical countermeasures are self-defeating and that the people, processes, procedures and technology aspects of security must be addressed in an effective security program. TM-5: Security Policies: Your First Line of Defense Bruce Hartley, Privisec Abstract The foundation of a successful information security program is a strong security policy. Without one, your company’s systems are more vulnerable to attack, both internally and externally. The initial policy must also be continually reviewed, updated, and communicated to ensure it addresses your changing business needs and/or regulatory requirements, such as the Gramm-Leach-Bliley Act and HIPAA. An equally important part of an effective security policy is the development of implementation standards, which are designed to translate the policy into operating system-specific configuration guidelines. These guidelines ensure that IT professionals can easily implement the policy for each operating system on the network. This session will address the basic steps of developing an enterprise-wide security policy, including the following: Reviewing existing security relevant policies and procedures; defining protection requirements; developing the security policy document; and developing the implementation standards. WM-1: Justify the Return on Investment Chris Shepherd, ICCT Corp Abstract Security investment is hard to quantify. The need is known, the impact is real, justifying it ahead of time is difficult. This session shows how to use business defined return on investment as a core and how to use realistic extrapolations to determine impact and loss deference of investing in appropriate security. WM-2: Wireless Network Security: Technologies, Guidelines & Management Steve A. Rodgers, Security PS, Inc. Abstract This informative session will discuss current wireless network technologies focusing on the security features and benefits of each. Implementation guidelines as well as management issues will also be covered. The topics of this session include: Wireless Network Technology Overview, Wireless Security Technologies, Guidelines for Secure Wireless Implementation, Management Issues, and Wireless Security Resources. WM-3: The Insider Threat – Are You Safe From Internal Attack? Bruce Hartley, Privisec Abstract Most companies recognize the need for network security and continually focus on maintaining adequate protection. Many have taken the steps necessary to safeguard their systems from external attacks. Often, however, these same companies overlook internal security despite the fact that a significant percentage of computer abuse stems from internal problems. These problems range from intentional insider abuses to accidental discoveries and mistakes. Because an insider already has physical and logical access to the system, an understanding of what data is sensitive, and possibly an understanding of the security controls, the potential for misuse is very high. This oversight can unnecessarily expose a company to not only internal threats, but also successful penetration when internal attacks occur. Successful internal attacks are often a result of improper configuration. Additionally, many available security mechanisms, such as minimum password lengths, password histories, and security auditing, are not used. These vulnerabilities are easily preventable when strong internal security is maintained. This session will address the importance of protecting your organization from internal attacks, as well as provide information on how to improve your internal security. WM-4: Ethical Hacking: The Value of Penetration Testing Bruce Hartley, Privisec Abstract For competitive businesses, the goal of technology is to create competitive advantages. Today's powerful computing and networking environments create unlimited opportunities for innovative new customer services, increased employee productivity, and higher profitability. However, all the benefits of advanced technology can disappear in an instant if the system is not secure. As a company's dependence on enterprise computing and network systems increases, so does its dependence on security, data integrity, and reliability mechanisms. Unfortunately, computer crime and abuse is a serious is on the rise. One of the biggest reasons firms are vulnerable is because they have NOT established and implemented a formal security policy. As a result, their systems are NOT consistently configured and weaknesses are common. The session will cover the concepts and the process of both internal and external penetration tests. The main focus will be on the process, tools and techniques used to identify computing devices, scan for vulnerabilities, and to exploit any identified vulnerabilities. Case studies, from multiple industries, will be used to further illustrate both the process and the results that ethical hacking can provide. WM-5: Risk Considerations in Developing Security Ops Center Ed Covert, ICS Corp Abstract For competitive businesses, the goal of technology is to create competitive advantages. Today's powerful computing and networking environments create unlimited opportunities for innovative new customer services, increased employee productivity, and higher profitability. However, all the benefits of advanced technology can disappear in an instant if the system is not secure. As a company's dependence on enterprise computing and network systems increases, so does its dependence on security, data integrity, and reliability mechanisms. Unfortunately, computer crime and abuse is a serious is on the rise. One of the biggest reasons firms are vulnerable is because they have NOT established and implemented a formal security policy. As a result, their systems are NOT consistently configured and weaknesses are common. The session will cover the concepts and the process of both internal and external penetration tests. The main focus will be on the process, tools and techniques used to identify computing devices, scan for vulnerabilities, and to exploit any identified vulnerabilities. Case studies, from multiple industries, will be used to further illustrate both the process and the results that ethical hacking can provide. HM-1, HM-2: Back to the Future John Casciano, SAIC Abstract Mr. Casciano's presentation will draw historical parallels between the role played by Omaha and Nebraska during the Cold War and its new role in helping America cope with Twenty-first Century threats and vulnerabilities. Nebraska's position as both a major financial and security center as well as STRATCOM's new missions place Omaha and Nebraska at the forefront in a newly evolving concept of National Security. Nebraska, Omaha, STRATCOM, and its predecessor Strategic Air Command have a long history of thinking and acting globally, and that is exactly what is required in the first part of this century. Non-kinetic operations in cyberspace, both defensive and offensive, are a central part of Nebraska's future. The presentation will include a view of lessons from the past and their implications for the future as the regional players go forward. HM-3: Information Security Career Guide William Sieglein, Fortrex Technologies Inc. Abstract This tutorial provides: the history of the field and names some successful professionals, an outlook, a description of the current job titles/positions in this field, the minimum skills, knowledge and experience required to be successful in an information security career, a description of the minimal education and training and well as experience required, information on how to decide on goals and how to establish a strategy and tactics to achieve those goals, insight on improving your overall chances of succeeding in the field of information security, and case studies of various security professionals who have succeeded using diverse approaches. HM-4, HM-5: HM-4 and HM-5 Privacy & Security Laws Kate Wakefield, Costco Abstract The legal landscape for Privacy legislation within the United States is a rapidly changing environment. Recently enacted legislation such as the Gramm-Leach-Bliley Act, and the finalization of HIPAA Privacy and Security rules, combine with existing sector-specific privacy rules to provide a highly regulated environment with serious civil and criminal penalties, as well as increased legal liability. Information security professionals need to be informed about legislation that applies to their organization so that they can implement appropriate policies, procedures, and security architectures. This tutorial will provide an overview of the relevant legislation, the types of information that must be protected in each state, and pointers to best practices for securing information. The prospective audience is information security professionals and managers. No prior legal experience or knowledge of the subject area is required. The tutorial will include a webliography with extensive online resources. TE-1: AI Techniques Steve Nugen, NuGenSoft Abstract Models and methods associated with machine intelligence can be leveraged to create more powerful InfoSec attacks that discover and exploit vulnerabilities, adapting to evade detection. These same methods can also be leveraged for stronger assessments, smarter detection, and adaptive countermeasures. The presenter will review published research in this area and some of his own thoughts on the subject. TE-2: MVS (z/OS) Security Issues Steve Wiggin, Mutual of Omaha Abstract This session addresses the challenges of enterprise security, focusing on how to use comprehensive policy enforcement to impose strict security guidelines for every point on the network, without hampering employee productivity and efficiency. WG-3: Online Education in Security Tom Myers, Bellevue University Abstract The need for security especially in the IT field is rapidly increasing. Much of the need is internal, but some of the need is external as the government adds new regulations such as HIPAA and Sarbanes-Oxley. The costs of hiring a consultant to bring an organization into compliance and set it up to meet its security needs can be prohibitively expensive. It is no secret that there are not enough properly trained security people out there to meet corporate need. Many organizations have put their heads in the sands and have decided to wait it out in hopes that the deadline will be extend--if it is not, the fines will be extensive. Some organizations have put manpower against the problem, but that manpower is not trained to accomplish this task without help. When can they get this kind of help without bleeding away the bottom line? Education. WG-4, WG-5: Building a Viable Information Assurance Program Harry Bouris, Sumaria Abstract This session will provide the student with the requisite knowledge and tools to develop a viable Information Assurance Program. First, will be a brief discussion of US Statute. Next the workshop will cover corporate policy including usage, passwords, screen savers, what not to put in a policy and the importance of a signed acknowledgement statement. Next the workshop will discuss personnel security including background checks, adverse conditions, etc. Additionally physical security will be explored, including the importance of low/no cost elements like locked doors, controlled entry, and visitor sign in. This session will also cover having an awareness program, network policy, continuity of operations plan and system accreditation. HG-1, HG-2: Secured n-Tier Web Services - Case Study Matthew G. Marsh, Paktronix Systems LLC Abstract In these sessions we expose in gory detail the design, planning, and implementation of a secure n-tier web services environment. The environment discussed went into production in March of 2003. It consists of a traditional multi-server distributed system designed and built with confidentiality, integrity, and authentication fully incorporated from the beginning. We expose and illustrate actual security practices running within the context of the system and discuss the real world tradeoffs needed to implement usability. The first session covers the design and planning of the connectivity and security matrix including software selection and design goal tradeoffs. The second session covers the actual implementation with discussion of operating system realities as versus ideal security and interoperability. Where applicable, we illustrate the parametric fitness of the system for consideration under ISN certification structures. HG-3: Application Security S. Ramesh, Razorwire Security Abstract This session is intended for a business audience, and technology will be discussed in terms of its impact on business and the bottom line. Application Security protects server-side applications from attacks that target application weaknesses. Application-based attacks use specialized attack data packets sent within legitimate communications such as web requests. Because the request itself is legitimate, firewalls, server hardening, and other network defenses are inadequate against this type of attack. This session covers strategies to protect you from application weaknesses. We will discuss different strategies that you can use to protect yourself from attacks that target your server applications. These include strategies that are applicable for generalized protection behind your network perimeter, and strategies to limit vulnerabilities of specific types of applications, such as databases and application servers. Additionally, we will discuss some real life situations in the financial, enterprise software, and communications industries, where application security greatly enhanced the security posture of customers who discovered weaknesses in their systems. HG-4, HG-5: Taxonomy of Cryptographic APIs in JAVA Brian Smith, Solutionary, Inc. |