The NEbraskaCERT Conference:
August 14, 2007
at the Peter Kiewit Institute's
Scott Conference Center
Omaha, NE USA
NEbraskaCERT

CONFERENCE
SPONSORS
PAST CONFERENCES


 talks
Keynote
 Presenter
TK-1
 pdf_icon.gif		 Blaine Burnham, Ph.D.

Session
 TITLE Presenter
TA-3
pdf_icon.gif
Basic Cell Phone and PDA Forensics
 Churchill, Matt
TC-3
pdf_icon.gif
 Basic Linux Security, or What Every Linux User Should Know About Security - Part 1
 Haeder, Adam
TC-4
pdf_icon.gif 		Basic Linux Security, or What Every Linux User Should Know About Security - Part 2
 Haeder, Adam
TD-4
pdf_icon.gif 		Hacking 432: A Discussion of Advanced Techniques
 Woerner, Ron
TC-1
pdf_icon.gif
Identity and Access Managment Technologies
 James, Adam
TA-4
pdf_icon.gif
Live Response for Windows Systems
 Churchill, Matt
TB-3
pdf_icon.gif
Managing Business Partner Risks
 Schreiner, Jeff
TC-2
pdf_icon.gif
 Metrics for Information Security Management
 Garcia, Leonardo
TD-2
pdf_icon.gif
 Outsourcing: Financial Dream or Security Nightmare
 Belani, Rohyt
TD-3
pdf_icon.gif
PCI/DSS, Current Developments
 Hoesing, Mike
TB-2
pdf_icon.gif
Playing with Network Captures
 O'Gorman, James
TA-2
pdf_icon.gif
Reach out and touch someone:  Telephone Interviewing Techniques
 Pearson, Lee
TB-1
pdf_icon.gif
Reading Hex Packets Version 2.0
 O'Gorman, James
TB-4
pdf_icon.gif
 Reassembling the Onion: Event and Log Correlation
 Zill, Greg
TD-1
pdf_icon.gif
 Spyware and Targeted attacks
 Hayes, Bill
TA-1
pdf_icon.gif
Checklist
pdf_icon.gif
 What to do after you find the smoking gun? or Fraud Interview Techniques
 Kothz, Don

Abstracts

Basic Cell Phone and PDA Forensics - Churchill, Matt

This presentation will highlight the basics of cell phone and PDA forensics.  Topics covered will consist of forensic methodologies, current practices, available tools, and upcoming trends in the acquisition and analysis of mobile devices.

Basic Linux Security, or What Every Linux User Should Know About Security - Haeder, Adam

Adam will be going over Linux Security concepts, including such topics as firewalls, patching, and providing an overview of more advanced topcis such as SELinux.

Hacking 432: A Discussion of Advanced Techniques

The talk includes some Web hacking, plus other kinds of hacking.  The talk also include concepts and philosophies for security best practices.

Identity and Access Managment Technologies - James, Adam

Identity and Access Management (IAM) technologies, a vendor neutral discussion on IAM technologies, User Provisioning, Workflow, Roles, Access Modeling, Single Sign-On, Federation, and Access Reporting.  Different approaches to utilizing IAM technologies for providing access to servers, applications, and databases in a efficient and effective matter.

Live Response for Windows Systems - Churchill, Matt

This presentation will focus on volatile information, how first responders can collect that information, and tools they can use to analyze what was collected.  The order of volatility, memory analysis, and current methodologies will also be discussed.  This information will be useful for anyone that currently conducts or is interested in conducting incident response activities.

Managing Business Partner Risks - Dixon, Bill

The sessions will provide attendees with the risks that are associated with buinsess partners and approaches to identify, assess, monitor, and measure business partner risk.  The sessions will also provide guidelines on how to integrate a business partner risk management program into an existing risk management program along with a brief case study of an implementation.  Topics included in the sessions will cover the following:

Identifying requirements for managing business partner risk such as:
  • Legal Requirements for new business partner contracts, i.e. Right to Audit, Exit Clause
  • Keys for developing internal business unit relationships
  • Business partner discovery techniques and resources through the use of existing organizational resources such as legal and accounts payable.
  • Methods for gathering information from business partners such as Due Diligence Questionnaires, Internal Business Process Owner Questionnaires, On-Site Interviews
  • Risk Rating Examples for a business partner.  The factors for determining what type of risk a business partner poses based on volume of transactions, type of information passed to the business partner, dollars involved in relationship.
  • Key steps in on-going monitoring of business partner relationships
  • Developing exit strategies for business partner relationships.
Metrics for Information Security Management - Garcia, Leonardo
 
 This presentation is related on how to measure the effectiveness of information security process controls that are used by an organization in order to precise the level of risk minimized and to give to information security management the strategy in the following topics: information security management system; organizational structure; asset management; human resources; physical and environmental security; telecommunications & computer operations; access control; information systems acquisitions, development lifecycle and information systems maintenance; business continuity management and compliance.
 
 Attendees will know topics on how to create and perform and manage the information security process through metrics and indicators of the different controls that are part of the architecture of information security.

Outsourcing: Financial Dream or Security Nightmare - Belani, Rohyt

As IT budgets continue to be squeezed and organizations struggle to find new ways to grow and innovate, identifying potential candidates for outsourcing moves higher on the CIO’s “to do” list. Application development “including web applications seems a logical choice considering the potential cost and timesavings. But at what expense? Although there may be clear benefits to outsourcing web application development, there are also significant security risks to be considered. This presentation will discuss real world cases of security failures due to the neglegence of security in the outsourcing process and how such situations can be avoided through appropriate contract terms and technical assurance.

PCI/DSS, Current Developments - Hoesing, Mike

While most security professionals are aware of the 12 "digital dozen"domains of the Payment Card Industry Data Security Standard (PCI/DSS),an understanding of the history and evolution of the standard, thecurrent  PCI Security Council role, recent legislative developments andthe card association's role serves as a foundation to explore:
  • implementation of the standard (assessors and assessments)
  • interpretations of the standard (scope and compensating controls)
  • correlate with SOX (mapping to COBIT 4.1)
  • nuances of the standard (probably the nicest way I can put this).
As an extra bonus, specific test procedures to assess compliance of anESX host in all of it's virtualization glory, will be detailed againstthe DSS standard.

Playing with Network Captures - O'Gorman, James

A follow up from the Reading Hex Packets session, now that we have done division long hand, its time to use a calculator! We will work with various open source tools to see what we can do with a full session network trace. If you work with networking or security, you will gain practical knowledge you can use right away.

This is not network forensics, but we will cover how it could be. Just don’t break the law and respect others privacy with what you learn here.

Reach out and touch someone:  Telephone Interviewing Techniques - Pearson, Lee

Take Aways

The attendees will:

  • Learn how to start a telephone interview (you only get one chance
     to make a first impression)
  • Learn how to detect deception during the interview
  • Learn how to evaluate verbal behavior
  • Learn what is a symptom of deceptive behavior
  • Learn how to evaluate paralinguistic behaviors and conduct linguistic statement analysis
  • Learn specific questioning techniques to improve the outcome of your investigation

Detailed outline of the presentation

  • Introduction (advantages, disadvantages)
  • Goals of the telephone interview
  • Interrogation over the telephone
  • Making assessments of the subject
  • Appropriate & inappropriate use of telephone interviews
  • Starting the interview (establishing rapport, procedural considerations
  • during a telephone interview, electronically recording a telephone interview)
  • Detecting deception during telephone interviews (general assessments vs. specific event assessments, evaluating attitudes, spontaneous vs. guarded, concerned vs. unconcerned, open vs. defensive)
  • Evaluating verbal behavior (psychological principles of verbal behavior,  truthful behavior symptoms, deceptive behavior symptoms)
  • Evaluating paralinguistic behaviors (response latency, identifying delayed response, early denials, voice characteristics, clarity & volume, erasure behavior)
  • Linguistic statement analysis (use of pronouns "I", use of possessive pr
  • onouns, edited account, use of the phrase "I remember")
  • Questioning techniques (interview structure, introduction, initial open question, techniques to draw out a complete response, listen for a closing remark to signal when to move to the next stage of the interview, clarifying questions, questions to elicit explanations for events, questions to elicit feelings or reactions, asking direct questions, start out specific move to broad, examples of direct questions, beware of limitations of opinion questions, summary statements)
  • Listing of interviewing resources
Reading Hex Packets Version 2.0 - O'Gorman, James

Ever get curious as to what is going over the wire, what is being sent from machine to machine on your network? If so, chances are you have ran a packet sniffer. Even though many network sniffers will interpret the data for you, odd are you have also seen the packet represented in hex as well. These hex dumps show up a quite a bit, and anyone using an IDS is sure to be very familiar with them.

Reassembling the Onion: Event and Log Correlation - Zill, Greg

"Reassembling the Onion: Event Log Correlation" has to do with the layers of logs and events that can go into investigating the trail of a hacker and while each individual layer may not show incriminating evidence, reassembling several layers may be necessary to get the complete picture.

Spyware and Targeted attacks

Spyware has become more sophisticated and its identification and removal presents the technician and end user with unique challenges. This talk will acquaint the listener with common anti-spyware tools and techniques to identify spyware communication. Recent targeted attacks featuring "extortionware" will be discussed.

What to do after you find the smoking gun? or Fraud Interview Techniques - Kothz, Don

You’ve found the proverbial “smoking gun”.  It might have been a damaging email or a crumb-like trail of numerous incidents of unauthorized system access; or evidence of embezzlement.  Are you done yet?  Probably not.  You need to confront your suspect(s).  You need to interview them.  How do you tell if they are being truthful or being deceptive?
Presenters

The NEbraskaCERT Conference is very fortunate to get some of the best speakers to present at our conference.  Here is the Class of 2007:

Belani, Rohyt

Rohyt Belani is a Managing Partner and co-founder of the Intrepidus Group, a boutique information security consulting company. Prior to starting Intrepidus, Mr. Belani was the Managing Director at Mandiant. Before joining Mandiant, he worked as a Principal Consultant at Foundstone and Researcher at the US-CERT.
He is a contributing author for Osborne's Hack Notes “Network
 Security”, as well as Addison Wesley's Extrusion Detection: Security
 Monitoring for Internal Intrusions.

Mr. Belani is a regular speaker at various industry conferences including Black Hat, OWASP, ASIS, Hack In The Box, Infosec World, DallasCon, CPM and several forums catering to the FBI and US Secret Service agents. He currently teaches a class at Carnegie Mellon University and has been invited to guest lecture at the University of Wisconsin.

As an industry expert he has opined on security issues via columns for online publications like Securityfocus and SC magazine, and interviews with BBC UK Radio.

Mr. Belani holds a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. He currently leads the OWASP Java Project a world-wide consortium of Java security experts.

Churchill, Matt

Matt Churchill is a Douglas County Deputy Sheriff and is assigned to the Criminal Investigation Division.  As part of his duties Matt works with the Nebraska Cyber Crimes Task Force and is a computer forensic analyst.  Matt has received the Certified Forensic Computer Examiner and Certified Computer Examiner certifications.  He is a member of IACIS, ISFCE, HTCIA, and Infragard.


Garcia, Leonardo
 
Studied engineering at ESIME-UC obtaining his bachelor in 1992, the the ISC2 CISSP certification on November 2000, the CISM certification on March 2004 under the ISACA Godfathering program. BS7799LA on June 2005, IRCA ISMS LA on February 2006, and PMP on December 2005.
 
During his professional career has worked for PMI Comercio Internacional (A Mexican Oil Trading Company), Phibro the Energy Division of Salomon Inc., the National Bank of Mexico, Pemex Gas y Petroquimica Basica.
 
 His experience includes implementation & operation of Information Technology Architectures, Information Security Architectures & Management Systems under BS7799 / ISO 17799, ITIL, COBIT, NFPA1600, DRII, RAD

Haeder, Adam

Adam Haeder is the Vice President of Information Technology at the AIM Institute and is the Vice President of the Omaha Linux User's Group. Adam has been active in the technology and open source communities in greater Nebraska for 10 years. He holds numerous networking and Linux certifications, and sits on many IT boards, including the technology advisory boards for UNO, UNL and UNK, and the Linux Professional Institute Global Advisory Committee. Adam recently was a contributing author to the O'Reilly book LPI Linux Certification in a Nutshell.

Hayes, Bill

Bill Hayes has worked nearly six years for the Omaha World Herald Company corporate security department as an information security specialist where he conducts security audits for the World Herald's  nationwide firms. For the past 20 years, he has performed a variety of  information technology and information security duties in the corporate  and academic environments. Bill has a Bachelors degree in Journalism  from the University of Nebraska Lincoln and is a CISSP. He also does freelance writing  for computer magazines and web sites. His byline has appeared most  recently in Processor Magazine.

Hoesing, Mike

Mike has over 30 years of experience in the areas of information systems audit, information systems implementation, and financial audit.

His experiences span a variety of industries during his years with public accounting firms and his last 18 years has focused on the financial services with firms such as First National Nebraska Inc.,Pricewaterhouse Coopers, First Data Corp, and American Express.  Mike has been involved in both the external and internal audit processes and also has served as a software trainer, conference speaker at the Computer Security Conference, VMworld, ISACA's CACS, CERT conference in Omaha Nebraska, University involvement includes membership on the Creighton University College of Business advisory board, and facilitating sessions in their eSecurity lab. At the University of Nebraska at Omaha he developed and delivers the regions only class devoted to Information Systems Audit and has enrolled that school in the ACL partner program.

Mike has been published in the Information Systems Control Journal published by ISACA on network security,  operating systems and virtualization audit topics. Currently Mike leads the Information Systems Audit and Information Assurance groups for First National Nebraska Inc. conducting traditional IS and integrated audit activities, proactive control and risk management consulting, technical assessments, forensics, ediscovery litigation support,  and external assessment liaison with regulatory, financial and credit card association assessors, assessing risk and helping to improve the control environment for  technology sectors at the bank and the related non-banking subsidiaries.

James, Adam

Adam James is a Consultant with Continuum Worldwide. Prior to becoming a Consultant, Adam worked for four years at Mutual of Omaha gaining insight into multiple aspects of a Fortune 500 company while in positions including Provider Analyst, Business Analyst, Computer Programmer/Analyst, and Information Security Analyst. In his most recent position as an Information Security Analyst at Mutual of Omaha Adam was responsible for conducting information security risk assessments, penetration tests, application security assessments, developing audit responses, and providing information security consulting on business and infrastructure projects.

Adam holds a Bachelors of Science in Management Information Services from the University of Nebraska at Omaha and has completed his Masters degree in Information Assurance from the Peter Kiewit Institute at the University of Nebraska at Omaha . Adam also holds CCNA, GCFA, and GSNA certifications.

Kothz, Don

Don Kohtz is the Director of Investigative & Compliance Solutions with Continuum Worldwide.  He was formerly an Assistant Attorney General for the State of Nebraska, the Fraud Bureau Chief at the Nebraska Department of Insurance, and was legal counsel to insurance companies and financial institutions.

Don has presented and published articles on the topics of fraud, risk mitigation, and compliance matters.  He has investigated matters involving fraud, white collar crime and unethical behavior.

Don holds a Bachelor of Science degree, a Doctorate of Jurisprudence, and is certified as a HIPAA Professional (HIPPAP).  He is a member of the Nebraska Power Review Board, which regulates Nebraska’s publicly owned electrical utility industry.  He is a former executive board member of the Nebraska Crime Stoppers, Inc., and the Heartland Chapter of the Association of Certified Fraud Examiners (ACFE).  He is an associate member of both the local chapter and the national organization of the ACFE.  He is a recipient of the Distinguished Achievement Award from the ACFE for his efforts in the fight against fraud.

O'Gorman, James

Jim O'Gorman (GCIA, GCFA, CISSP) is an information security specialist who has been online long enough to remember saying "Who needs this http thing when all the good content is on gopher?". Currently working in Lincoln as IT Director for a local publisher, Jim lives in Omaha, Nebraska with his wife and two sons. Jim works under the two rules of "Learn how the underlying technology works and then you never have to worry about learning a new implementation." and "Security happens as a natural result of doing things right from the beginning, not as a secondary goal to pursue separately.”

Jim can be contacted at http://www.elwood.net/. He will also be running SANS "System Forensics, Investigation and Response" local mentor class in Omaha, NE starting Aug, 30th 2007.
Synop:  Ever get curious as to what is going over the wire, what is being sent from machine to machine on your network? If so, chances are you have ran a packet sniffer. Even though many network sniffers will interpret the data for you, odd are you have also seen the packet represented in hex as well. These hex dumps show up a quite a bit, and anyone using an IDS is sure to be very familiar with them.

Pearson, Lee

Lee Pierce is a consultant with Continuum Worldwide.  He was formerly employed, at two Fortune 500 companies, as a contract coordinator, business analyst and senior special investigator.

Lee’s professional experience includes investigating insurance fraud, white collar crime, and unethical corporate behavior. He has lead professionals through training workshops concerning insurance fraud, employee empowerment and team building.

Lee has a Bachelors degree in Criminal Justice and a Masters Degree in Human Relations.  He is an active member in his community and former chairperson of the Eastern Nebraska Anti-Fraud Association.  He is also an associate member of the Association of Certified Fraud Examiners.

Schreiner, Jeff

Jeff Schreiner (CISSP) worked for Mutual of Omaha Insurance Company for 9 years and now is the president of Continuum Worldwide - a subsidiary of Mutual of Omaha.  He has managed Security Compliance and Risk Management organizations and his responsibilities have included the creation of corporate-wide Information Security programs.  Jeff established information security policies, technology, risk assessment, awareness and incident response programs and has been responsible for compliance efforts related to State and Federal safeguarding regulations.  His programs have received national recognition by the Center for Medicare and Medicaid Services for best practice entity-wide security.  He has presented regionally and nationally on the topic of information safeguarding.

Prior to his current role, Mr. Schreiner served on the Mutual of Omaha’s Systems Management, Disaster Recovery, Infrastructure and Human Resource Advisory boards.  In 2005, Jeff received the Mutual of Omaha Chairman’s leadership award.


Woerner, Ron

Ron Woerner is a CISSP, IAM, CEH and CHFI with over 17 years experience in multiple industries. He graduated from Michigan State and Syracuse Universities and has worked for the US Air Force, State of Nebraska, Mutual of Omaha, and ConAgra Foods. He has spoken at the RSA Conference, the CSI Conference, CERT, Infotec and Information Security Decisions.  He is also on the Information Security Magazine Advisory Board. 

Zill, Greg

After ten years in the restaurant industry, Greg decided to get into technology. After obtaining an Associates Degree, he started programming with UNIX on IBM RS-6000 and some HP RX9000 iron. After a couple of years, he moved into System Administration of about 500 of these AIX and HP-UX systems. Greg has basically been in System Administration ever since for a national telecommunications company, an global cellular hardware provider, a securities broker, a national news organization, an online retailer and, finally, a global security services provider. He acquired the CISSP Security accreditation in 2005 as a result of employer need and has been teetering in both System Administration and Security disciplines exacting security engineering principles and enforcing security policy. Greg later moved into Linux and then Windows Administration and every imaginable enterprise application and network topology in between. Going back to the food metaphor was just too irresistible for this one.

Blaine Burnham, Ph.D.

Director, Nebraska University Consortium on Information Assurance

Senior Research Fellow, College of Information Science & Technology

University of Nebraska at Omaha
 
Areas of Expertise

Information security and cyberterrorism.
 
Perspectives
 
Dr. Burnham's professional experience has provided him with the background to assess issues relating to information security and cyberterrorism:
 Believes that as the world becomes vitally dependent on networks of computers, it at the same time becomes increasingly and dangerously vulnerable to cyberterrorism.
 Thinks the threats of cyberterrorism range from something as simple as the hacking of a home-based personal computer to that of shutting down a company, power grid, communications system, military operation or entire government.
 Believes that in spite of the severity and immediacy of the problems, there is today an acute shortage of people and programs to meet the ever-increasing, critical challenges of cyberterrorism.
 
Academic Credentials
 
Dr. Burnham received a Ph.D. in Mathematics from Arizona State University in 1972, after having earned a M.S. in Mathematics from Arizona State four years earlier. He received a B.S. degree in Mathematics in 1966. He completed three years of post-graduate studies at the University of New Mexico in Heat Transfer, Fluid Mechanics and Thermodynamics.
 
Professional Credentials

Dr. Burnham has been the director of Nebraska University Consortium on Information Assurance and a senior research fellow for the College of Information Science and Technology for three years. He has served as technical advisor for the U.S. delegation to the NATO Office of Security, Technical Working Group (1991- 1992), a member of the Network Security Group of the National Secure Telecommunications Advisory Council and as vice chairman of the Research and Technology Working Group for the Security Policy Board. From 1998-2000, he was director of the Georgia Tech Information Security Center. Previously, Dr. Burnham worked in a variety of information assurance roles at the National Security Agency (NSA), Los Alamos National Laboratory and Sandia Laboratory. He also has done pro bono consulting with Information Security for the oil, gas and defense industries, specifically covering risk management and secure architectures and assurance studies. In addition, Dr. Burnham has been a member of the Computer Science Department Advisory Council for San Jose State University.