Tutorials
Day | Code | Tutorial
---|---|---
Monday | M1 | Information System Security Basics
Monday | M2 | Understanding Biometric Technology and Its Implementation
Monday | M3 | Denial of Service Attacks: Background, Diagnosis and Mitigation
Monday | M4 | XML Security
Tuesday | T5 | Cryptography and PKI Basics
Tuesday | T6 | Mobile and Wireless Security Issues, Threats and Countermeasures
Tuesday | T7 | How to Successfully Assess Business and Automation Risks
Tuesday | T8 | Survivable Systems Analysis
M1: Information System Security Basics
Dr. Steven J. Greenwald
Independent Consultant
Abstract
Designed for the person who is new to the field of Information Systems Security, this is an intensive one-day survey of the most important fundamentals of our field. It is designed to bring the students up to speed on important basic issues, and otherwise fill fundamental gaps in their knowledge. Therefore, its emphasis will be mostly historical in nature, and not necessarily topical. However, it will contain material that every effective practitioner in our field needs to know.
The ideal student is someone who is either entering the field for the first time, needs a refresher regarding the basics, or is starting to prepare for the CISSP exam. This will be a high-speed low-drag course covering a very broad range of material. Since it is unrealistic to assume that the students can absorb all of this material in a one-day tutorial, each will be given, in addition to a textbook, an annotated bibliography of seminal papers and reports (most available on the web) that will be covered during the tutorial and which they may use for future study and reference. A major goal of this tutorial is that the student should be able to effectively understand, research, and apply such material when it is later encountered.
Prerequisites:
None
Outline:
About the Instructor:
Dr. Steven J. Greenwald is an Independent Consultant in the field of Information Systems Security specializing in distributed security, formal methods, security policy modeling, resource based security and related areas. He also works with organizational security policy consulting, evaluation, training, and auditing. He is a Research Fellow at Virginia's Commonwealth Information Security Center (CISC) and on the adjunct faculty at James Madison University's Computer Science department teaching in their graduate INFOSEC program (a National Security Agency designated Center Of Academic Excellence in Information Security Assurance). Dr. Greenwald was formerly employed as a computer scientist in the Formal Methods Section of the U.S. Naval Research Laboratory, and is also past general chair and past program chair of the New Security Paradigms Workshop (NSPW). Dr. Greenwald earned his Ph.D. degree in Computer and Information Science from the University of Florida (with a dissertation in the field of information systems security).
M2: Understanding Biometric Technology and Its Implementation
Ms. Catherine J. Tilton
SAFLINK Corp.
Abstract
This tutorial provides a technical overview of biometric technologies - what they are, how they work, what kinds there are and the characteristics of each, how accuracy is measured - as well as an overview of the considerations for selection and deployment. It also covers the current technical and market trends in terms of applications for the technology, privacy and ethics, biometric standards, and testing/certification.
The role of biometrics in IT security is addressed as is the integration of biometrics with smart cards and PKI. References and sources of further information are provided.
Prerequisites:
None. Technical background suggested, but not required.
Outline:
About the Instructor:
Ms. Catherine J. Tilton is the Director of Special Projects at SAFLINK Corp., a multi-biometric computer security software company. She also chairs the steering committee of the BioAPI Consortium, and is active in the US Biometric Consortium, the International Biometric Industry Association (IBIA), ANSI X9F4, the Intel/Open Group CDSA Human Recognition Services (HRS) working group, and the INCITS M1 committee. She formerly served as technical editor of the Human Authentication API. She has a BS in nuclear engineering from Mississippi State and an MS in systems engineering from Virginia Tech.
M3: Denial of Service Attacks: Background, Diagnosis and Mitigation
Dr. Sven Dietrich and Dr. John McHugh
CERT/CC
Abstract
In the beginning, security was equated to confidentiality and it was considered better for a system to fail (or be forced into failure) than to leak protected information. As the field matured, the emphasis changed and concepts such as "Security-*" giving equal weight to integrity and assured service became acceptable. Concurrently, adversaries realized that attacks that reduced the utility of computing systems to authorized users could be as effective as attacks that compromised sensitive information. In the past year, brute force denial of service attacks based on the exhaustion of the victim's processing or communication resources have become commonplace.
The tutorial will trace the development of denial of service attacks from early, machine-crashing exploits, through attacks based on the exploitation of server vulnerabilities or protocol pathologies to consume excessive computing resources, to the present-day distributed denial of service (DDoS) attacks. Self-imposed denial of service, in which a system administrator suspends a necessary service in the face of a real or threatened attack, will also be considered. A substantial portion of the tutorial will be devoted to understanding DDoS attacks and developing appropriate responses. Among the issues to be addressed are preparing for a DDoS attack, recognizing the attack type and probable attack pattern, designing appropriate filter rules to mitigate the attack, and working with upstream providers. We will also survey current research that may lead to ways of thwarting such attacks in the future.
Prerequisites:
A basic understanding of IP networking, network protocols, and routing as well as an understanding of computer security fundamentals is required. The tutorial is intended to be useful to system administrators, network administrators and computer security practitioners.
Outline:
About the Instructors:
Dr. Sven Dietrich is a member of the technical staff at the CERT® Coordination Center, where he does research in survivability and network security. His work has included intrusion detection, distributed denial-of-service analysis, and the security of Internet Protocol (IP) communications in space. He was a senior security architect at the NASA Goddard Space Flight Center and has taught mathematics and computer science at Adelphi University. His research interests include, but are not limited to, computer security, cryptographic protocols, and quantum cryptography, and he randomly gives presentations and talks on the subject. Dr. Dietrich has a Doctor of Arts degree in Mathematics, an MS degree in Mathematics, and a BS degree in Computer Science and Mathematics from Adelphi University in Garden City, New York.
Dr. John McHugh is a senior member of the technical staff at the CERT® Coordination Center, where he does research in survivability, network security, and intrusion detection. He was a professor and former chairman of the Computer Science Department at Portland State University in Portland, Oregon. His research interests include computer security, software engineering, and programming languages. He has previously taught at The University of North Carolina and at Duke University. He was the architect of the Gypsy code optimizer and the Gypsy Covert Channel Analysis tool. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has an MS degree in computer science from the University of Maryland, and a BS degree in physics from Duke University.
M4: XML Security
Mr. Christian Geuer-Pollmann
University of Siegen
Abstract
The tutorial will give a short introduction to XML and will explain the W3C standards "XML Signature" and "XML Encryption" in great detail. It will cover introductions to the "XML Key Management Specification" (XKMS) and the "Security Assertion Markup Language" (SAML), and describe how these security mechanisms can be integrated into SOAP to create secure web services.
The "eXtensible Markup Language" (XML) is a standard that describes a syntax for structuring data and documents. In early 1999, W3C and IETF officially launched the XML Signature Working Group to develop an XML-compliant syntax for representing the signature of Web resources and portions of protocol messages. All major vendors of cryptographic software have integrated support for the new XML digital signature format into their products. XML Signatures can sign parts of a document, allowing parties to sign only the relevant portions of a contract. XML Signatures help bring confidence to web transactions. IBM, HP, Microsoft, SUN and the Apache Foundation have integrated XML Signature into their respective SOAP-based web service architectures.
In 2001, the W3C started the "XML Encryption" task. The mission of this working group is to develop a process for encrypting/decrypting digital content and an XML syntax used to represent the encrypted content and the information that enables an intended recipient to decrypt it. Encryption enables selective field confidentiality for XML data. Together with its twin, XML Signature, it enables system architects to design applications that provide real end-to-end security at the application layer.
The "XML Key Management Specification" (XKMS) serves as an XML-based application protocol for accessing PKIs and related structures. XKMS enables constrained clients such as mobile devices and embedded hardware to outsource security-related tasks like certificate validation to trusted hosts, and much more. The "Security Assertion Markup Language" (SAML) is an XML-based tool for exchanging authentication and authorization information in distributed systems, used, for example, by the Liberty Alliance.
Prerequisites:
Basic knowledge of cryptography. This tutorial is intended for security people who want to become acquainted with XML and the related security specifications.
Outline:
About the Instructor:
Mr. Christian Geuer-Pollmann has a degree in electrical engineering from the University of Wuppertal, Germany, and is currently working on his Ph.D. thesis at the University of Siegen. He created the XML Signature implementation which is now available as part of the Apache XML Project. His main research interest is in encrypting XML. He is the maintainer of the "XML Security page", and has presented a similar tutorial at BSI/GISA. Currently, he is writing a book on XML Security for Morgan Kaufmann Publishers. He has actively participated in standardization since 1999, especially within the W3C on the standards "XML-Signature Syntax and Processing", "Exclusive XML Canonicalization", "XML-Signature XPath Filter 2.0" and "XML Encryption Syntax and Processing". He is on the program committee of the "2002 ACM Workshop on XML Security", held in conjunction with the Ninth ACM Conference on Computer and Communications Security (CCS-9).
T5: Cryptography and PKI Basics
Dr. Steven J. Greenwald
Independent consultant
Abstract
This tutorial is designed for the person who is new to the area of cryptography and Public Key Infrastructure (PKI). It is an intensive one-day survey of the most important areas of cryptography and PKI, designed to bring the students up to speed on important basic issues, and otherwise fill fundamental gaps in their knowledge. It will contain material that every effective practitioner in our field who deals with cryptographic applications needs to know.
The ideal student is someone who knows nothing (or next to nothing) about cryptography and PKI, or needs a refresher regarding the basics. This will be a high-speed low-drag course covering a very broad range of complex material. Since it is unrealistic to assume that the students can absorb all of this material in a one-day tutorial, each will be given, in addition to a textbook, an annotated bibliography of seminal papers and reports (most available on the web) that will be covered during the tutorial and which they may use for future study and reference. A major goal of this tutorial is that the student should be able to effectively understand, research, and apply such material when it is later encountered.
Prerequisites:
None.
Outline:
About the Instructor:
Dr. Steven J. Greenwald is an Independent Consultant in the field of Information Systems Security specializing in distributed security, formal methods, security policy modeling, resource based security and related areas. He also works with organizational security policy consulting, evaluation, training, and auditing. He is a Research Fellow at Virginia's Commonwealth Information Security Center (CISC) and on the adjunct faculty at James Madison University's Computer Science department teaching in their graduate INFOSEC program (a National Security Agency designated Center Of Academic Excellence in Information Security Assurance). Dr. Greenwald was formerly employed as a computer scientist in the Formal Methods Section of the U.S. Naval Research Laboratory, and is also past general chair and past program chair of the New Security Paradigms Workshop (NSPW). Dr. Greenwald earned his Ph.D. degree in Computer and Information Science from the University of Florida (with a dissertation in the field of information systems security).
T6: Mobile and Wireless Security Issues, Threats and Countermeasures
Dr. Tasneem G. Brutch
Hewlett-Packard
Abstract
The broadcast nature of the communication medium and the absence of a fixed topology make communication in mobile/wireless networks vulnerable to illegal access, eavesdropping, and both passive and active intrusions. This includes disclosure of information to unauthorized individuals, modification of previously communicated messages, and falsely claiming the identity of a legitimate user. In order to provide adequate protection against these threats, a good understanding of the security issues of the various mobile and wireless technologies is needed. However, with the diversity of mobile and wireless standards and technologies available today, it is difficult to gain a complete understanding of the various mobile/wireless technologies and their limitations.
This tutorial is intended to provide an overview of some of the mobile and wireless technologies available today, the security provisions provided by each of these technologies, their limitations and vulnerabilities, and the available mechanisms that can be used to protect against attacks and intrusions. Main topics discussed will include the Bluetooth standard, 802.11b (or Wi-Fi), and the Wireless Application Protocol (WAP).
Prerequisites:
A general understanding of wireless computer security concepts.
Outline:
About the Instructor:
Dr. Tasneem G. Brutch received her B.S. in Computer Science and Engineering, and an M.S. in Computer Science, from Texas A&M University. She has a Ph.D. in Computer Engineering from Texas A&M University in the area of wireless communication security. She is currently working for Hewlett-Packard as a Security Software Design Engineer on the IDS/9000 intrusion detection product.
T7: How to Successfully Assess Business and Automation Risks
Ms. Marianne Emerson
Federal Reserve Board
Abstract
Although risk assessments are essential to information security, there is little guidance on how to do them. This course uses case studies and the methodology in place in the Federal Reserve System for more than ten years to explain in detail how to analyze and measure risks to information and automation resources. The course starts with a study of the loss of two pieces of automation equipment and asks students to identify what was lost and the size of the loss. The study illustrates the difficulty of identifying which safeguards should be implemented when risks have not been assessed. The results of the case study are used as a frame of reference for introducing the elements of the risk assessment model, which are opportunities, threats, potential losses and offsetting safeguards. After walking through the elements hierarchically from less detail to more, the course returns to the case study to apply the model. Practical application of the model lets the students evaluate their level of understanding of it. Through this exercise and the questions it raises, they strengthen their knowledge of the concepts. This knowledge is reinforced through a final case study on whether or not the senior management of a major hotel chain should allow employees to telecommute from regional telework centers.
Prerequisites:
A general familiarity with automation such as one would gain by using a PC for word processing and email.
Outline:
About the Instructor:
Ms. Marianne Emerson is the deputy director in the Federal Reserve Board's Division of Information Technology. The division provides automation, statistical, and telecommunications services to the Board and to the Federal Financial Institutions Examination Council. Ms. Emerson spent two years on loan to the Board's Division of Banking Supervision and Regulation as an advisor to the supervisory information technology function and ten years as the Board's information security officer. She has e-banking review experience, having led the first information services review of the firm responsible for automating Security First Network Bank, now the e-banking part of the Royal Bank of Canada. She has also participated in a number of operations reviews of information technology at Reserve Banks. She teaches graduate courses in information security at the R. H. Smith Business School of the University of Maryland. Ms. Emerson holds a Bachelor of Arts from Bryn Mawr College and a Master of Business Administration in finance and a Master of Science in Computer Science from the University of Maryland.
T8: Survivable Systems Analysis
Dr. Nancy Mead and Dr. Tom Longstaff
CERT/CC
Abstract
Increasing societal dependence on large-scale, distributed information systems amplifies the consequences of intrusions and compromises. It is vital that these critical systems survive to provide essential functions even when operating under adverse circumstances. The tutorial objective is to describe practical techniques for survivability analysis and design that attendees can apply in their own environments. In particular, the tutorial introduces the Survivable Systems Analysis (SSA) method developed by the SEI's CERT/CC, as a means to assess and improve survivability and security characteristics of planned or existing information systems. The tutorial will present a case study and more detailed examples of survivability analysis.
Prerequisites:
No special prerequisites; a general understanding of information security is desirable. The tutorial is aimed at the analysis of abstract system architectures prior to implementation.
Outline:
About the Instructors:
Dr. Nancy Mead is the team leader for the Survivable Systems Analysis (SSA) team as well as a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). She is also a faculty member in the Master of Software Engineering and Master of Information Systems Management programs at Carnegie Mellon University. She is currently involved in the study of survivable systems architectures and the development of professional infrastructure for software engineers. Her research interests are in the areas of software requirements engineering, software architectures, software metrics, and real-time systems. Dr. Mead received her PhD in mathematics from the Polytechnic Institute of New York, and received a BA and an MS in mathematics from New York University.
Dr. Tom Longstaff is a senior member of the technical staff in the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI), where he manages research and development in network security. Publication areas include information survivability, insider threat, intruder modeling, and intrusion detection. Since 1997, Tom has been investigating topics related to information survivability and critical national infrastructure protection. Prior to coming to the Software Engineering Institute, he was the technical director at the Computer Incident Advisory Capability (CIAC) at Lawrence Livermore National Laboratory in Livermore, California. He completed a PhD in 1991 at the University of California, Davis in software environments.