TA1
(ISC)2 Certification Updates
Dow Williamson, Director of Communications, ISC2
Security Transcends Technology
Network break-ins, digital theft, denial of service, virus infections and malicious code
are very real threats in today's global virtual environment, and a single password inadvertently
divulged by an employee to a potential hacker can dismantle the worth of the best firewalls and
intrusion detection systems. As public and private sector enterprises continue to adopt new
business models driven by the Internet, employees, customers, vendors, shareholders and even
competitors can access their information assets.
Advances in information access and sharing also pose new threats to ensuring privacy and security.
The risks associated with IT infrastructure and Internet security must be managed by qualified
professionals to meet the business and legal requirements for protecting information and making it
highly available globally.
With the advances in connectivity and convenience, the ROI must be calculated based on the value
of being able to perform all of the communication, information access and financial transactions
the Internet makes possible, versus being restricted from performing these familiar online functions
because of the security implications. This equation makes a very strong case for investing in the
training and certification of information security professionals who are qualified to implement
and manage the security policy throughout the organization.
TA2
Windows Firewall -- Deployment and Use in the Enterprise
Bob McCoy, Microsoft Corporation
In addition to rolling up the many fixes since Service Pack 1,
SP2 includes several new features geared specifically toward
increasing security on the desktop. The biggest change is in the
implementation of the Windows Firewall. This presentation discusses
what changes in going from the Internet Connection Firewall to the
Windows Firewall. Additionally, it covers deployment techniques,
operational considerations, and possible impacts in the enterprise
space.
TA3
Real World Linux System(s) Auditing - A View from the Field
Michael T. Hoesing CISSP, CISA, CCP, CIA, CMA, CPA
Information Systems Audit Manager First National Nebraska Inc.
Auditing Linux - This class will review the objectives of an audit of
the Linux operating system, including a take-away audit program. The class
will describe the audit process and the steps system administrators and security
staff can take to make the review more efficient and less mysterious. Linux
command examples will be demonstrated to gather the information necessary to
complete the review. All commands will be included in a take-away script.
This open-ended methodology will be compared and contrasted with the
CISecurity Linux script, and other measurement resources will be discussed.
TA4
Electronic Interception - From POTS to PINS
Doug Ellsworth
The first segment will explore real-world risks of technical/electronic
intercept (free space, VOX/FAX telecom, photocopier, etc.): objectives,
vulnerabilities, likelihood, consequences, and effective and ineffective
countermeasures. Policy-making and enforcement flaws as a countermeasure:
can you REALLY get senior management to refrain from using FAX/voice telecom
in discussing sensitive matters, or from photocopying and taking documents home?
(Remember John Deutch when he was DCI?) Basically, this is risk assessment using
models all attendees will already be familiar with, only juxtaposing
them against the physical layers.
The second section will explore the "mind of the information thief", and the reasons
that support their feelings of impunity from detection, prosecution and
conviction. This will define do-it-yourselfers as well as pro and semi-pro
intercept practitioners. (Do they exist? Where do they come from?) The
focus of this section is mainly the predictability of targets, from
pre-attack postures through early suspicions to how most targets
handle themselves. In other words, the wrong things that victims will
ALWAYS do.
TB1
Your Information Security Silver Bullet
George McMullin, Executive Director NEbraskaCERT
TB2
Security Basics: Putting the Pieces Together
James Brooks, Senior Security Product Manager for Verio Enterprise Hosting
Rick Miller, Vice President, Managed Security Services ISS
This presentation will provide an in-depth look at the key elements of a comprehensive security program,
including firewalls, intrusion prevention, vulnerability management and VPNs. The session will also
examine a new and viable approach to security that enables organizations to transfer the risk of
network protection to a third party. With this approach, organizations can apply security standards
that go beyond the typical monitoring and management found in most security programs, giving organizations
protection guarantees.
Attendees will learn how to identify security issues and will gain a basic understanding of security-related
technologies and the latest approaches to improving their organization's security posture.
Case studies will be provided.
TB3
Tools and Techniques for Open Source Package and Patch Management
Mat Caughron, PHP Consulting
Mr. Caughron will discuss the "Rosetta Stone Methodology" for Open Source package management tools
(rpm, deb, ports, pkg, pax, etc.). He will contrast several current mainstream tools for source and
binary change control and will feature a comparison of various approaches
to everyday systems maintenance challenges.
TB4
Windows Server & Desktop Lockdown - from DMZ to the Desktop
Rick Kingslan
TC1
Security Opinion Letters: Practical tips regarding what to look for and
what to give.
James E. O'Connor
Recent regulatory enactments such as SOX, HIPAA and G-L-B require companies
to evaluate the adequacy of their security controls. Many companies will
engage outside consultants to evaluate their security programs. This should
prove to be a growing service area for security consultants both large and
small. But how much liability does a security consultant take on when
giving such an opinion? How much can a company rely on an outside
consultant's opinion? Should the company expect the consultant to
"guarantee" security? What kind of guarantees can the company expect?
Should the consultant have insurance to cover potential losses?
TC2
Sarbanes Oxley compliance
Joan Ross, CISSP; NSA IAM; MBAc; enCircle Corporation
TC3-TC4
CIRC/NSOC Proven and Innovative Practices
Robert Dao, CISSP, Vice President of Security Technologies and Operations
SecureInfo Corporation has designed, built and managed successful enterprise
CIRC and SOC capabilities for both Department of Defense and Federal Civilian Agencies.
In this briefing, SecureInfo will share their best practices model for effectively
managing a proven cybersecurity operation consisting of three interactive elements:
establishing multi-vector visibility; maturing and cultivating relevant,
early-warning threat intelligence; and proactive response and remediation.
The first critical layer involves establishing and operating a practical
centralized capability to gain multidimensional visibility of the security
posture of an enterprise. The second layer combines this visibility with
relevant threat intelligence so that precious security resources are not wasted
on irrelevant threats. Discussion of the final layer will cover the intended
product of the first two layers: a proactive and deliberate response to and
remediation of relevant threats and vulnerabilities.
TS2
CryptoAPI in Linux 2.6
Matthew G. Marsh, Paktronix Systems LLC
Linux kernel 2.6 was released in December 2003. One of its new security features is
a comprehensive CryptoAPI that gives any kernel-mode subsystem access to an API for
general cryptography functions within the kernel. This includes cipher, digest, and compression
algorithms as well as user-defined ones. This session is a hands-on discussion and tutorial on how
to use the encryption and IPsec structures.
WA1
"BS7799: From Initial Review to Certification"
Leonardo Garcia Rojas, Strategic Projects Director, Innovaciones Telematica
The objective of this session is to share the knowledge gained from a real-world implementation
of BS7799, from the initial review of controls to certification.
To deal with information security efficiently in daily operation, we need to think of
information security as a capability of the organization to secure INFORMATION; when the
organization wants to implement this capability, it should think of implementing a
new support process, not a project with a start, a development end, and a rollout to production.
During this session we will talk about the 10 domains, 36 control objectives and 127 controls
that the BS7799 standard comprises, and about the different phases and documents that we need
to consider in order to implement the ISMS (Information Security Management System) required
by BS7799-2:2002, through to the certification conducted by a Certification Body.
WA2
Hidden Concerns of Outsourcing Data Center Operations
Joan Ross, CISSP; NSA IAM; MBAc; enCircle Corporation
WA3
Network Security in a Patched Environment
Guy Helmer, Ph.D., Principal System Architect, Palisade Systems, Inc.
The goal of this session is to educate network administrators on network-layer techniques
for defending against vulnerabilities before, during, and after applying system patches,
as well as for protecting against likely future security problems.
Both legitimate security researchers and criminal hackers are finding and reporting critical
security vulnerabilities in widely deployed business-critical systems on a daily basis.
Over the past several years, vendors have developed reasonably effective mechanisms for
providing corrective patches. However, windows of vulnerability still exist prior to applying
patches, and sometimes the patches are not effective.
By presenting a layered defense focusing on Layers 4 and 7, administrators can significantly
reduce the potential future risks and disasters they may face. Perimeter security by itself
helps mitigate the risk, but organizations have found they are still at risk if, for example,
infected laptops attach to the network.
WA4
Conducting a Security Audit: An Introductory Overview
Bill Hayes
The word "audit" can send shivers down the spine of the most battle-hardened executive.
It means that an outside organization is going to conduct a formal written examination
of one or more crucial components of the organization. Financial audits are the most
common examinations a business manager encounters. This is a familiar area for most
executives: they know that financial auditors are going to examine the financial records
and how those records are used. They may even be familiar with physical security audits.
However, they are unlikely to be acquainted with information security audits; that is,
an audit of how the confidentiality, availability and integrity of an organization's
information is assured.
In this session we will define a computer security audit as a systematic, measurable
technical assessment of an organization's security policy. Computer security auditors
work with the full knowledge of the organization, at times with considerable inside
information, in order to understand the resources to be audited.
WB1A
A User-Centric Approach to Encrypted E-Mail
Dr. Volker Roth, OGM Labs
Support for strong electronic mail security is widely available, yet only
a few communicants appear to make use of these features. Apparently, the
operational overhead of security outweighs its perceived benefits.
Towards increasing the benefits versus overhead ratio we follow an
approach that considers security and usability tradeoffs from the outset.
We separate key management from key authentication. The opportunistic key
management and key update scheme that we devise operates transparently for
the user, and we describe its conceptual implementation. We also describe
complementary visualization and interaction techniques that communicate
the security state of sent and received mail to users in a non-intrusive
fashion. Towards a practical assessment of the overheads of key
authentication, we conducted a quantitative analysis of users' mail
behavior of which we present the results. We argue that for individual
non-commercial users, out-of-band verification of keys could be more
economical than building trust in public key certificates issued by third
parties.
WB1B
A PIN-Entry Method Resilient Against Shoulder Surfing
Dr. Volker Roth, OGM Labs
Magnetic stripe cards are in common use for electronic payments and cash
withdrawal. Reported incidents document that criminals easily pickpocket
cards or skim them by swiping them through additional card readers.
Personal identification numbers (PINs) are obtained by shoulder surfing,
through the use of mirrors or concealed miniature cameras. Both elements,
the PIN and the card, are generally sufficient to give the criminal full
access to the victim's account. In this talk, we present alternative PIN
entry methods to which we refer as cognitive trapdoor games. These methods
make it significantly harder for a criminal to obtain PINs even if he
fully observes the entire input and output of a PIN entry procedure. We
also introduce the idea of probabilistic cognitive trapdoor games, which
offer resilience to shoulder surfing even if the criminal records a PIN
entry procedure with a camera. We studied the security as well as the
usability of our methods, the results of which we also present in the
talk.
WB2
Preventing the next blast - Intrusion Prevention Systems
Brian Gault, CISSP, CCSE, CCSA, NSA
Organizations are continuing to struggle with vulnerabilities, intrusions, and attacks
that cripple their network performance and connectivity. This session will provide
the audience with an overview of Intrusion Prevention technologies for hosts and
networks that can help organizations avoid or mitigate zero-day attacks and enforce
enterprise policies. These technologies will be compared with widely implemented
Intrusion Detection technologies. The session will explore ROI issues between
Intrusion Prevention and Detection technologies. The audience will leave this session
with the key characteristics necessary for implementing successful host and
network Intrusion Prevention Systems, including the essential behaviors to monitor
and possibly block.
WB3
WB4
Wireless LANs, Lessons Learned
David Borden, ACS Defense
After hearing the tutorial, the attendee should be able to describe a wireless network
and enumerate how it differs from a wired network. They should understand the various
relevant IEEE Protocols dealing with wireless networking. The attendee should be able
to describe good wireless network security practices and know why they are important.
They should be able to list adversaries' attacks on the wireless network and describe
the defense against each attack. The attendee should be able to describe wireless
intrusion detection system techniques and know how they differ from wired systems.
They should leave the tutorial with a feeling that they could employ wireless networking
without fear of hacker attack using the techniques enumerated in the tutorial.
WC1
The Approach to Risk & Security Metrics
Predrag Zivic, CISSP - COO Scienton
This research paper presentation will feature current frameworks for addressing risk and security
baselines and metrics. The paper will analyze technical-level security metrics of
Common Criteria/ISO15408, Centre for Internet Security guidelines, NSA configuration guidelines
and the metrics used at this level. The information technology standards' view of security metrics, such as
GMITS/ISO13335, ITIL/ITMS and architectural guidelines such as ISO7498-2, will be explained.
Business process level standards like ISO17799 and CobiT will be presented with their control approach
to security metrics. At the top level, the maturity standards such as SSE-CMM/ISO21827, NSA Infosec Assessment
and CobiT will be explored and analyzed. For each defined level of security metrics, the research
presentation will explore the appropriate usage of these standards to conduct security metrics.
In addition, the need for a common baseline for both risk and security metrics will be explored.
This research paper will demonstrate the need for an attribute-based common baseline for risk and
security metrics that spans all mentioned standards.
WC2
Incident Prevention Responses
Robert Bagnall
WC3-WC4
SQL Injection Attack: Are your Applications Vulnerable?
Dennis Hurst, Senior Security Engineer SPI Dynamics
SQL Injection is a technique for exploiting web applications that use client-supplied
data in SQL queries without stripping potentially harmful characters first.
Despite being remarkably simple to protect against, there are an astonishing number of
production systems connected to the Internet that are vulnerable to this
type of attack. The objective of this session is to educate the professional
security and development community on the techniques that can be used to
take advantage of a web application that is vulnerable to SQL injection, and
to make clear the correct mechanisms that should be put in place to protect
against SQL injection and input validation problems in general.
WS3
OracleX - Security & Operability
Aaron Grothe, President/CEO of Heimdall Linux Incorporated
With Oracle 10g, Oracle has made maintenance much easier for DBAs. One of the
benefits of the Oracle 10g version is the new version of the Oracle Enterprise Management
console, which makes it easy to keep systems updated with patches and to
roll back patches that result in problems. 10g has also addressed some security issues,
such as default accounts, in an improved manner over earlier Oracle releases.
Abstracts
HA1-HA4
Real Life Forensics
Brian Wiese
Brian will lead you through the application of forensics to modern
systems. He will show you tools and methods that are applicable both from
informal and rigorous perspectives.
HB2
Solaris Security
Roy Gertig - CISSP, SCSA, IAM, Security+
Over time, Solaris has become the operating system of choice for those
with medium to high-end servers. It was born as an "open-source" program,
which has given way to certain security issues. Solaris out-of-the-box is
not a "secure" operating system, so this beginner-intermediate level
presentation is designed to give you some understanding of Solaris' weaknesses
and what you can do to help protect your host-based workstations, servers,
and network from certain security weaknesses. This presentation will
guide you through a step-by-step approach to securing directories and
files, and will include a discussion of some tools that can be used to
analyze your system.
HB3
Secure OpenBSD Installation and Operation
Bob Dunn
With its reputation for high security and operational complexity, OpenBSD is seen as a
serious approach/avoidance conflict for technicians looking for greater system security.
Some of what is said about OpenBSD is true. Some of it is not. The rest is a matter of
opinion and discussion. In this brief look at OpenBSD from the first timer's vantage we
will attempt to confirm the truths, debunk the myths, take a glance at the pitfalls and
perils, and unearth the real "gems", available to OpenBSD administrators.
HB4
Wireless and WiFi: The Good, the Bad, and the Ugly
Timothy "Irish" O'Brien, NSA-IAM
Why a presentation on wireless? The local implications for wireless and
WiFi are mind blowing. Any opportunity to raise the awareness of the
good & bad around wireless, and to detail some suggestions and
benchmarks for an effective deployment is a good thing. The objective
is to have the attendees of the presentation overcome the normal paradigm
and determine the good, the bad, & the ugly surrounding wireless.
Starting with early wireless technologies, then continuing on to and
concentrating on 802.11 WiFi, we will touch on network detection,
vulnerabilities, risks, common mistakes & stupidity while covering
effective placement and deployment of wireless technology. Further
discussion will ensure you are not one of the 'low hanging fruit' but
also capable of meeting your business or personal objectives with
wireless.
HC1
Security Conscious Software Development
T. Steven Barker, CISSP
This presentation makes the case for software designers and developers to build
secure principles into software from the beginning. Security requirements
should be built, budgeted, and scheduled into the project development just like all other
requirements. Early integration reduces risk and improves end product security.
HC2
DCID Certification Procedures
T. Steven Barker, CISSP
HC3
Working Together Securely
Kent Tegels & Matt Payne
Interested in learning how to use Web Services securely between Open Source
Unix platforms and Windows using the .NET platform? This talk is for you.
On the Windows platform, we will demonstrate the Web Services Extensions, Version 2.0.
Clients and servers will also be demonstrated in Java, C++, and PHP.
We will discuss our experiences testing the interoperability
between SOAP implementations.
HC4
Compromising Wetware - Plugging the Human Leaks
Ron Woerner, Security Analyst ConAgra Foods Inc.
Humans are the greatest threat to security. No matter how well the administrators
lock down the systems and network, humans will find a way around it. This
presentation will address that problem and will provide solutions for handling your "humans."
The presenter will discuss both malicious attacks on human foibles (social engineering)
for profit and non-malicious attempts by users who are just trying to circumvent the system.
Attendees will see a number of scenarios that show the exploitation of human weaknesses
and methods to reduce the exposure through procedures, awareness, and training.
HS1
MudSlide - No not the drink, the software
Matt Payne
MudSlide provides an encrypted file system to any operating system that can
mount a WebDAV server. MudSlide works with Linux, OS X, and Windows.
MudSlide is good for encrypting files on a USB thumb drive or CD-ROM. The
encrypted files can then be read on a Linux, OS X, or Windows system. MudSlide
is built upon http://jakarta.apache.org/slide/ and the encryption libraries packaged
with Java. MudSlide runs as a WAR inside either Tomcat or another servlet
container. The WAR is configured so that only the local machine may mount the
WebDAV server.
HS2
PGP Encryption Details
John Chesters
We will present a brief background on the history and details of PGP and
the Web of Trust; how GPG differs from and resembles PGP (and perhaps how
it relates to S/MIME and other crypto-email); how to use it professionally
in daily email habits; how to verify signatures and create them for files; and
how to install and use it on several diverse email clients and platforms.