17th Annual Computer Security Applications Conference
December 10-14, 2001
New Orleans, Louisiana

Tutorials


Monday
  M1  Hacking Techniques for the Good Guys (CANCELLED)
  M2  Denial of Service Attacks: Background, Diagnosis & Mitigation
  M3  Introduction To Cryptography and Public Key Infrastructure
  M4  Intrusion Detection Systems
  M5  Security Technologies for the World Wide Web

Tuesday
  T6  Mobile and Wireless Security
  T7  Information Assurance "Metrics"
  T8  Building Secure Software
  T9  Introduction to Windows 2000 Security Features


Tutorial M1 (Half Day - Morning)

Tutorial M1 has been cancelled.

Hacking Techniques for the Good Guys

Dr. Ellsworth Minor and Scott Zimmerman
Concurrent Technologies Corporation

Abstract

Awareness of gaps in network and computer security has grown exponentially in the past few years. Unfortunately, general understanding of attack methodology and technique has not grown as well. Network security professionals in large numbers have recently come to recognize this need. Consequently, great interest in how the hacker does his mischief currently exists. Understanding hackers' goals and methods will increase network defenders' ability to prevent attacks, to fend off attacks in progress and to garner forensic evidence against perpetrators. This tutorial will assist the network defender in protecting his or her network from the hacker. It will lift the shroud of mystery from the attack process and will strengthen the defender's ability to ward off or respond to attacks. A network consisting of a few machines will be used to demonstrate attack executions and results. A variety of basic technology areas will be covered, including TCP/IP, Unix(Linux), Windows NT and applications (such as Internet Information Server).

Prerequisites:

Background in network security, working familiarity with either Unix or Windows NT.

Outline:

  1. Introductory Remarks
  2. TCP/IP Hacks
  3. Unix(Linux) Hacks
  4. Win NT and Win 2000 Hacks
  5. Application Hacks (Buffer overflows and other invalid inputs)
  6. Controls and Protection
  7. Concluding Remarks

About the Instructors:

Dr. Ellsworth D. Minor has worked on technical aspects of network and computer security for eleven years. He is currently Technical Director for a federal program developing detection and response technologies for computer attack. Dr. Minor is a certified instructor for a nationally recognized organization that provides training for effective public speakers. As a result he brings crispness and excitement to his tutorial sessions.

Mr. Scott Zimmerman has ten years of experience in computer security and seventeen years of experience in information technology. As a Senior Network Systems Analyst, Mr. Zimmerman has worked for the past few years as a technical lead in a government-sponsored Information Assurance laboratory that focuses on Attack Sensing, Warning and Response (ASWR) technologies.



Tutorial M2 (Half Day - Afternoon)

Denial of Service Attacks: Background, Diagnosis and Mitigation

Dr. Sven Dietrich and Dr. John McHugh
CERT/CC

Abstract

In the beginning, security was equated with confidentiality, and it was considered better for a system to fail (or be forced into failure) than to leak protected information. Later, the emphasis changed and additional weight was given to concepts such as integrity and assured service. Concurrently, adversaries realized that attacks that reduced the utility of computing systems to authorized users could be as effective as attacks that compromised sensitive information. In the past year, brute force denial of service attacks based on the exhaustion of the victim's processing or communication resources have become commonplace.

The tutorial traces the development of denial of service attacks from early, machine-crashing exploits, through attacks based on the exploitation of server vulnerabilities or protocol pathologies to consume excessive computing resources, to the present-day distributed denial of service (DDoS) attacks. Self-imposed denial of service attacks, in which a system administrator suspends a necessary service in the face of a real or threatened attack, will also be considered. A substantial portion of the tutorial will be devoted to understanding DDoS attacks and developing appropriate responses. Among the issues to be addressed are preparing for a DDoS attack, recognizing the attack type and probable attack pattern, designing appropriate filter rules to mitigate the attack, and working with upstream providers.

Prerequisites:

A basic understanding of IP networking, network protocols, and routing as well as an understanding of computer security fundamentals is required.

Outline:

  1. Fundamentals
  2. Denial of Service
  3. Classes of DDoS tools
  4. Diagnosis of the problem
  5. Mitigation
  6. Political hurdles
  7. The bright road ahead

About the Instructors:

Dr. Sven Dietrich is a member of the technical staff (MTS) at CERT, part of the Software Engineering Institute at Carnegie Mellon University. His work has included intrusion detection, distributed denial of service analysis, and the security of Internet Protocol (IP) communications in space. His research interests include computer security, cryptographic protocols, and quantum cryptography, and he randomly gives presentations and talks on the subject. He has a Doctor of Arts in Mathematics, an MS in Mathematics, and a BS in Computer Science and Mathematics from Adelphi University.

Dr. John McHugh is also an MTS at CERT. He was a professor and former chairman of the Computer Science Department at Portland State University in Portland, Oregon. His research interests include computer security, software engineering, and programming languages. He has been an active researcher in the application of formal methods to the construction of dependable and secure systems for many years. He was the architect of the Gypsy code optimizer and Covert Channel Analysis tool. He has a PhD in computer science from the University of Texas at Austin; an MS in computer science from the University of Maryland; and a BS in physics from Duke University.



Tutorial M3 (Full Day)

Introduction To Cryptography and Public Key Infrastructure

Mr. Ron Tencati
Cygnacom/Entrust

Abstract

This tutorial introduces participants to the theories and applications of Cryptography and Public Key Infrastructure (PKI). This tutorial covers Cryptographic Techniques, VPN Concepts including TLS (SSL), WAP and IPSEC; a study of encryption and basic key recovery techniques; a study of public key concepts and systems including key generation and exchange methods; PKI concepts including the use and management of digital signatures, certificate authorities, registration authorities and directory services; PKI implementation issues including policy, liability, deployment and interoperability concerns.

This tutorial makes use of easy-to-understand illustrations and animated graphics to help simplify the complex nature of a discussion of technical concepts and techniques. Anyone who would like an increased understanding of how cryptographic and PKI systems can be used to provide secure electronic commerce will benefit from this tutorial.

Prerequisites:

There are no prerequisites for this tutorial. A knowledge of mathematics is not necessary.

Outline:

  1. Cryptology
  2. Encryption Algorithms
  3. Public Key Cryptography
  4. Key Management and Handling
  5. Cryptographic Authentication - The Roots of PKI
  6. Public Key Infrastructure - PKI

About the Instructor:

Mr. Ron Tencati is the manager of Cygnacom/Entrust's Cryptographic Equipment Assessment Laboratory. He also developed the Key Ceremony, Cryptographic and Physical Security procedures for the company's commercial outsourced PKI offering. Ron has formerly served as Global Training Manager at Spyrus and as senior technical course developer and instructor for Cylink Corporation. He is a co-founder of both the Forum of Incident Response and Security Teams (FIRST) and the NASA Automated Systems Incident Response Capability (NASIRC). Ron has an extensive career background in network security, system administration, and system security engineering. He is a recipient of two NASA Group Achievement Awards, as well as a past recipient of FEDSECURITY's "Unsung Heroes in Computer Security" Award.



Tutorial M4 (Full Day)

Intrusion Detection Systems

Dr. Tasneem G. Brutch
Hewlett-Packard

Abstract

With an increase in the frequency and severity of both system and network intrusions, intrusion detection systems (IDSs) have become a necessary component of organizational security infrastructure. IDSs monitor events on computer systems and networks, providing automated monitoring and analysis of those systems and networks for possible intrusion attempts. They provide mechanisms for both accountability and response.

This tutorial provides an overview of Intrusion Detection Systems. It includes discussions of classification mechanisms for IDSs, including the architecture, the locations of the host and target systems, the timing of detection, the information sources, and the analysis approaches. The tutorial also discusses how IDSs respond to attacks. Lastly, the tutorial reviews the additional tools that may be used to complement intrusion detection systems. These include vulnerability analysis or assessment systems, file integrity checkers, honey pots, and padded cells (also known as electronic quarantines).

Prerequisites:

A general understanding of computer security concepts.

Outline:

  1. Overview of Intrusion Detection Systems
  2. Various Classifications of IDSs
  3. Attacks commonly detected by IDSs
  4. Capabilities of IDSs to look for
  5. How to select an intrusion detection system
  6. Types of system vulnerabilities
  7. Supporting Tools

About the Instructor:

Tasneem G. Brutch received a B.S. in Computer Science and Engineering and an M.S. in Computer Science from Texas A&M University. She has a Ph.D. from Texas A&M University in Computer Engineering in the area of wireless communication security. She is currently working for Hewlett-Packard as Security Software Design Engineer on the IDS/9000 intrusion detection product.



Tutorial M5 (Full Day)

Security Technologies for the World Wide Web

Dr. Rolf Oppliger
eSECURITY Technologies

Abstract

The World Wide Web (WWW) is becoming increasingly important for all kinds of Internet applications. These applications must be secured in terms of access control (e.g., firewalls) and communication security (e.g., cryptographic security protocols). In addition, there are questions related to electronic payment systems, certificate management, executable content, mobile code and agent-based systems, copyright protection, as well as privacy and anonymity. The aim of this tutorial is to provide an overview and discussion of the security technologies that are available today and that are relevant for the WWW and Web-based Internet applications.

Prerequisites:

None, although the tutorial is primarily intended for security managers, network practitioners, professional system and network administrators, product implementors, Webmasters, and users who want to learn more about the rationale behind and the possibilities of security technologies for the WWW.

Outline:

  1. Introduction
  2. HTTP User Authentication and Authorization
  3. Proxy Servers and Firewalls
  4. Cryptographic Techniques
  5. Internet Security Protocols
  6. The SSL and TLS Protocols
  7. Electronic Payment Systems
  8. Managing Certificates
  9. Executable Content
  10. CGI and API Scripts
  11. Mobile Code and Agent-based Systems
  12. Copyright Protection
  13. Privacy Protection and Anonymity Services
  14. Censorship on the WWW
  15. Conclusions and Outlook

About the Instructor:

Rolf Oppliger studied computer science, mathematics, and economics at the University of Berne, Switzerland, where he received M.Sc. and Ph.D. degrees in computer science in 1991 and 1993, respectively. In 1999, he received the Venia legendi for computer science from the University of Zurich, Switzerland. The focus of his professional activities is IT security in general, and network security in particular. He has authored seven books, regularly publishes papers and articles in scientific magazines and journals, and frequently speaks at security-related conferences. He is the founder and owner of eSECURITY Technologies. Rolf Oppliger also works for the Swiss Federal Strategy Unit for Information Technology (FSUIT), teaches at the University of Zurich, and serves as computer security series editor for Artech House.



Tutorial T6 (Half Day - Morning)

Mobile and Wireless Security

Dr. Frank Adelstein
Odyssey Research Associates

Abstract

The growth in the popularity of laptop and handheld devices, coupled with the increase in use of wireless technologies, is driving mobile computing closer to the ubiquitous presence predicted by early visionaries. The downside to the readily available technology is that it is equally accessible to adversaries for use against us. Thus there is a growing need for better security for mobile computing. This tutorial surveys some of the general issues in computer security, then focuses on the security mechanisms available for several popular mobile technologies.

This tutorial provides an overview of the state of the art in computer security and then examines the specific problems introduced by mobile devices and wireless network access.

Prerequisites:

There are no prerequisites for this tutorial. This tutorial will appeal to a broad audience, including students, developers, and researchers interested in mobile security.

Outline:

  1. Computer Security
    "Traditional" Issues, Problems, Attacks, Vulnerabilities; Problems introduced by wirelessness and mobility
  2. Security issues for mobile protocols
    WPAN (Wireless Personal Area Network ~10m radius); WLAN (Wireless Local Area Network ~100m radius); WWAN (Wireless Wide Area Network ~10km radius)
  3. Final Wrap up

About the Instructor:

Dr. Frank Adelstein works at Odyssey Research Associates (ORA) in Ithaca, NY. At ORA, he has been involved in many computer security projects, including intrusion detection with computational immunology and computer forensics using automated reasoning. He has participated in Red Team exercises, as well as the penetration testing of the security of a Fortune 500 company. He has also conducted research in wireless security on a project to provide multipolicy information assurance for microsensors, autonomous wireless local area networks. His current research in computer security involves increasing the effectiveness of techniques to correlate reconnaissance probes and attacks, and the creation of a mobile computer forensics platform. Prior to joining ORA, Dr. Adelstein was a postdoctoral associate with the Cornell Computer Science Department, working for the Xerox Design Research Institute (DRI). At DRI, he was the primary contributor for projects involving the integration of heterogeneous database resources and the creation of a web-based metadata repository. His PhD work involved protocols for real-time data, as well as formulating metrics for describing multicast efficiency.



Tutorial T7 (Half Day - Afternoon)

Information Assurance "Metrics"

Ms. Deb Bodeau and Ms. Julie Connolly
The MITRE Corporation

Abstract

Government and industry need Information Assurance (IA) metrics to support decision making, from purchasing and policy to training and deployment decisions. Others rely on metrics to determine changes in readiness, to lessen down time, to improve profits, to improve deterrence, and to improve productivity. Unlike in engineering and other hard sciences, precise, quantifiable measures are not widely agreed upon in the IA arena, and some would argue that none exist. In the absence of exacting metrics, a viable system of measurement is needed to specify "a pound of IA."

This tutorial will review what is meant by Information Assurance "metrics", characterize the different needs for IA "metrics", describe a framework for managing the IA measurement problem domain, examine current IA measurement approaches, highlight current IA measurement needs, and look to other industries for measurement lessons learned. The tutorial will include findings from the May 2001 Workshop on Information-Security-System Rating and Ranking.

Prerequisites:

1-2 years work experience in Information Security

Outline:

  1. Background: Information Assurance "Metrics"
  2. Measuring Information Assurance
  3. Current IA Measurement Approaches and Needs
  4. Lessons Learned from Other Industries
  5. Wrap-up and Questions

About the Instructors:

Ms. Julie Connolly is a Principal Information Systems Security Engineer at The MITRE Corporation. Ms. Connolly has been working in the Information Security field for more than 11 years. She has been involved with a number of IA measurement and assessment activities, including the System Security Engineering Capability Maturity Model (SSE-CMM), the Trust Technology Assessment Program, the Dept. of Energy Cyber Security Protection Plan assessment effort, and the Defense-IA Red Team methodology and metrics.

Ms. Deb Bodeau is a Senior Principal IA/IO Risk Analyst at The MITRE Corporation. Ms. Bodeau has worked in the Information Security field since 1984. She has developed and used a number of different IA risk assessment processes and measures. She has also participated in assessments of information system security programs, plans, and products.



Tutorial T8 (Full Day)

Building Secure Software

John Viega
Secure Software Solutions

Abstract

Bugs in networks do not often lead to security problems. Problems usually come from the software that you run on the network. Security scanners such as ISS are great for checking for known problems with off-the-shelf software, but they don't help protect the code you write from hackers. In the real world, developers tend to know a little bit about security, but not enough to be able to write secure code consistently. For example, there are many developers who have read an introductory book on cryptography, but few of those developers seem to realize that software security is a far broader topic than just cryptography. The weakest parts of a system are those that are going to get attacked; cryptography is rarely the target of attack, because it is rarely the weakest part of a system. In the field, we see the same sorts of problems crop up repeatedly, even in high-profile applications such as Netscape, Internet Explorer, and Microsoft's web server, IIS. The goal of this tutorial is to educate software architects and developers on what they need to know if they are going to write secure software in a networked world.

Prerequisites:

Solid programming skills would be useful. Most examples will be in C, but C knowledge is not a requirement; all examples should be comprehensible by anyone with a reasonable understanding of programming. A basic understanding of Cryptography is assumed. The author will make a tutorial available online before class for those without such a background.

Outline:

  1. Introduction
    Overview of Software Security; Software risk management for security; Basic principles for building secure software
  2. Basic Tools
    Access Control models; Setuid Programming; Authentication
  3. Common problems
    Buffer Overflows; Race Conditions; Randomness Problems; Trust Management Problems
  4. Applying Cryptography
  5. Other Advice
    Client-side Security; Dealing with Firewalls; Auditing Software

About the Instructor:

Mr. John Viega is the CTO of Secure Software Solutions (www.securesw.com), where he is the Principal Investigator on a DARPA-funded grant to build analysis tools for finding security vulnerabilities in software. He is co-author of Building Secure Software (Addison Wesley, 2001), and Java Enterprise Architecture (O'Reilly and Associates, 2002). John has authored more than 50 technical publications, primarily in the area of software security. He also wrote Mailman, the GNU Mailing List Manager, and has written several tools to help developers write more secure software.




Tutorial T9 (Full Day)

Introduction to Windows 2000 Security Features

Mr. Philip Cox
SystemExperts Corporation

Abstract

Windows 2000 is the foundation that all Microsoft products will have in common. Windows 2000 is the present "best" from Microsoft, and is the foundation of the future "Whistler" OS, as well as the .NET initiative. Anyone that wants to securely use Microsoft products in the future will need to know Windows 2000 security. This course is designed to give you the fundamental building blocks that can be used to understand the many security features in Win2K, as well as practical uses for those features. It will cover the design of Win2K from a security standpoint and outline what Win2K has "out of the box" for security.

Prerequisites:

Although the course is designed for system and network administrators who will need to implement or maintain Windows 2000-based systems and networks, it is appropriate for anyone wanting to understand the building blocks of Windows 2000 security.

Outline:

  1. Overview of Win2K Security Model and Systems
    NT File System; Encrypting File System; Active Directory; Domains; Forests; Trees; Group Policy; Organizational Units
  2. Authentication
    Kerberos; NTLM; Smart cards; Certificates; PKI
  3. Authorization
    Access Control Lists; User Rights; User Permissions; Running in multiple user contexts
  4. Auditing
    Event auditing; WBEM/WMI; SNMP; Third-party consolidation tools
  5. Network services
    Core services; BackOffice services

About the Instructor:

Mr. Philip Cox is a consultant at SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security. He is the lead author of "Windows 2000 Security Handbook" and Technical Editor of "Hacking Linux Exposed", both from Osborne McGraw-Hill. His experience includes Windows NT/2000, UNIX, and IP-based network integration; secure network design and implementation; and Information Security Policy development. Phil frequently writes and lectures on issues dealing with UNIX & NT integration and Information Security. He holds a BS in Computer Science.