Tutorials


Monday
M1 Information System Security Basics
M2 Network Security Protocols: Theory and Current Standards
M3 Distributed Denial of Service Attacks: Background, Diagnosis and Mitigation
M4 The Worm & Virus Threat

Tuesday
T5 Web Application Security
T6 Golden Rules of Secure Software Development
T7 Information Assurance in the US Department of Defense
T8 Computer and Intrusion Forensics



Tutorial M1 (Full Day)

Information System Security Basics

Dr. Steven J. Greenwald
Independent Consultant

Abstract

Designed for the person who is new to the field of Information Systems Security, this is an intensive one-day survey of the most important fundamentals of our field. It is designed to bring the students up to speed on important basic issues, and otherwise fill fundamental gaps in their knowledge. Therefore, its emphasis will be mostly historical in nature, and not necessarily topical. However, it will contain material that every effective practitioner in our field needs to know.

The ideal student is someone who is either entering the field for the first time, needs a refresher regarding the basics, or is starting to prepare for the CISSP exam. This will be a high-speed low-drag course covering a very broad range of material. Since it is unrealistic to assume that the students can absorb all of this material in a one-day tutorial, each will be given, in addition to a textbook, an annotated bibliography of seminal papers and reports (most available on the web) that will be covered during the tutorial and which they may use for future study and reference. A major goal of this tutorial is that the student should be able to effectively understand, research, and apply such material when it is later encountered.

Prerequisites:

None

Outline:

  1. Introduction. Overview/refresher of the necessary CS background, common definitions, and historical overview and perspectives.
  2. Fundamentals. Covers Identification & Authentication, Access Control, Security Kernels, and Security Models.
  3. Practice. Provides a brief overview of Unix and Windows NT Security, as well as common errors (e.g., buffer overflows) and security software.
  4. Cryptography. A brief overview of cryptography, PKI and standards.
  5. Distributed Systems. Covers Web security and other aspects of network and distributed system security.
  6. Database Systems. Explores DBMS models and problems.
  7. Conclusions and Questions. Seeing the forest for the trees, professional development options, and if time permits any topical or other areas that may be of particular interest.

About the Instructor:

Dr. Steven J. Greenwald is an Independent Consultant in the field of Information Systems Security specializing in distributed security, formal methods, security policy modeling, resource based security and related areas. He also works with organizational security policy consulting, evaluation, training, and auditing. He is a Research Fellow at Virginia's Commonwealth Information Security Center (CISC) and on the adjunct faculty at James Madison University's Computer Science department teaching in their graduate INFOSEC program (a National Security Agency designated Center Of Academic Excellence in Information Security Assurance). Dr. Greenwald was formerly employed as a computer scientist in the Formal Methods Section of the U.S. Naval Research Laboratory, and is also past general chair and past program chair of the New Security Paradigms Workshop (NSPW). Dr. Greenwald earned his Ph.D. degree in Computer and Information Science from the University of Florida (with a dissertation in the field of information systems security).



Tutorial M2 (Full Day)

Network Security Protocols: Theory and Current Standards

Radia Perlman
Sun Microsystems

Charlie Kaufman
Microsoft

Abstract

This tutorial covers the concepts in network security protocols as well as describing the current standards. It approaches the problems first from a generic conceptual viewpoint, covering the problems and the types of technical approaches for solutions. For example, how would encrypted email work with distribution lists? What are the performance and security differences in basing authentication on public key technology versus secret key technology? What kinds of mistakes do people generally make when designing protocols?

Armed with a conceptual knowledge of the toolkit of tricks that allow authentication, encryption, key distribution, etc., we describe the current standards, including Kerberos, S/MIME, SSL, IPsec, PKI, and web security.

Prerequisites:

Nothing other than intellectual curiosity and a good night's sleep in the recent past.

Outline:

  1. What is the problem? A quick overview of why network security is needed (remote authentication, private and authenticated email, etc.)
  2. Overview of cryptography: public key, secret key, hash.
  3. Secure email issues (including complications such as distribution lists). Also overview of S/MIME and PGP.
  4. Key distribution (PKI and secret-key based systems such as Kerberos).
  5. Kerberos details (including Microsoft Kerberos)
  6. PKI details (including X.509 and PKIX)
  7. Concepts in real-time protocols: authentication handshakes, perfect forward secrecy, session resumption, identity hiding, plausible deniability, denial of service protection. Implications of choosing "layer 3" approach (IPsec) vs "layer 4 approach" (SSL, SSH). How export rules have affected designs.
  8. IPsec details: data packet formats (AH and ESP), IKE (key establishment protocol). Problems with IKE. Possible successors to IKE.
  9. SSL
  10. Web: URLs, HTTP, cookies

About the Instructors:

Dr. Radia Perlman is a Distinguished Engineer at Sun Microsystems. She also teaches network security protocols at Harvard University. She is known for her contributions to bridging (spanning tree algorithm) and routing (link state routing) as well as security (sabotage-proof networks). She is the author of "Interconnections: Bridges, Routers, Switches, and Internetworking Protocols", and co-author of "Network Security: Private Communication in a Public World". She is one of the 25 people whose work has most influenced the networking industry, according to Data Communications Magazine. She has a B.S. and M.S. in mathematics and a Ph.D. in computer science from MIT, about 50 issued patents, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.

Mr. Charlie Kaufman is a former Distinguished Engineer at IBM, where he was Chief Security Architect for Lotus Notes and Domino, as well as having worked within IBM in other security-related areas. Recently he has been involved in analyzing IKE, the authentication portion of IPsec, and designing a replacement protocol which has been adopted by IETF. He is co-author of the book "Network Security: Private Communication in a Public World". He served on the National Academy of Sciences expert panel that wrote the book "Trust In Cyberspace". He currently serves on the IAB, the architecture board of the IETF. Within IETF he has contributed to a number of efforts, including chairing the Web Transaction Security working group. He is currently the editor of the new Internet Key Exchange protocol document for IP Security Protocol Working Group (Ipsec). He holds over 25 patents in the fields of computer security and computer networking.



Tutorial M3 (Full Day)

Distributed Denial of Service Attacks: Background, Diagnosis and Mitigation

Dr. Sven Dietrich and Dr. John McHugh
CERT Research Center

Abstract

In the beginning, security was equated to confidentiality and it was considered better for a system to fail (or be forced into failure) than to leak protected information. As the field matured, the emphasis changed and concepts such as "Security-*" giving equal weight to integrity and assured service became acceptable. Concurrently, adversaries realized that attacks that reduced the utility of computing systems to authorized users could be as effective as attacks that compromised sensitive information. In the past year, brute force denial of service attacks based on the exhaustion of the victim's processing or communication resources have become commonplace.

The tutorial will trace the development of denial of service attacks from early, machine-crashing exploits, through attacks that exploit server vulnerabilities or protocol pathologies to consume excessive computing resources, to the present-day distributed denial of service (DDoS) attacks. Self-imposed denial of service, in which a system administrator suspends a necessary service in the face of a real or threatened attack, will also be considered. A substantial portion of the tutorial will be devoted to understanding DDoS attacks and developing appropriate responses. Among the issues to be addressed are preparing for a DDoS attack, recognizing the attack type and probable attack pattern, designing appropriate filter rules to mitigate the attack, and working with upstream providers. We will also survey current research that may lead to ways of thwarting such attacks in the future.

Prerequisites:

A basic understanding of IP networking, network protocols, and routing as well as an understanding of computer security fundamentals is required. The tutorial is intended to be useful to system administrators, network administrators and computer security practitioners.

Outline:

  1. Fundamentals. Basic networking and routing protocols.
  2. Denial of Service. Basic concepts. Vulnerabilities and pathologies. OS support. The jump from DoS to DDoS. Evolution of attack tools.
  3. Classes of DDoS tools. What they do. Choices in the attack space. How they work. Currently available tools.
  4. Diagnosis of the problem. How do you know you are under attack. Symptoms in your own operational and system monitoring data. Differentiating between flash crowds and attacks. Advances in research. Inspecting a compromised system. Building a monitoring/traffic capture facility.
  5. Mitigation. Recognition of the attack. Attack signatures and attack tool identification. DoS vs. DDoS. Indications of single and multiple sources. Creating countermeasures. Techniques for limiting the damage. Characterizing the attacked resources. Infrastructure changes. Traceback. Filtering. Active response. Strikeback.
  6. Political hurdles. Dealing with your ISP. Dealing with management.
  7. The bright road ahead. DDoS and beyond. Prospects for future advances in attacker tools. Technical, legal, and political mitigation strategies.

About the Instructors:

Dr. Sven Dietrich is a member of the technical staff at the CERT® Research Center, where he does research in survivability and network security. His work has included intrusion detection, distributed denial-of-service analysis, and the security of Internet Protocol (IP) communications in space. He was a senior security architect at the NASA Goddard Space Flight Center and has taught mathematics and computer science at Adelphi University. His research interests include, but are not limited to, computer security, cryptographic protocols, and quantum cryptography, and he randomly gives presentations and talks on the subject. Dr. Dietrich has a Doctor of Arts degree in Mathematics, an MS degree in Mathematics, and a BS degree in Computer Science and Mathematics from Adelphi University in Garden City, New York.

Dr. John McHugh is a senior member of the technical staff at the CERT® Research Center, where he does research in survivability, network security, and intrusion detection. He was a professor and former chairman of the Computer Science Department at Portland State University in Portland, Oregon. His research interests include computer security, software engineering, and programming languages. He has previously taught at The University of North Carolina and at Duke University. He was the architect of the Gypsy code optimizer and the Gypsy Covert Channel Analysis tool. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has an MS degree in computer science from the University of Maryland, and a BS degree in physics from Duke University.



Tutorial M4 (Full Day)

The Worm & Virus Threat

Mr. Daniel Ellis
MITRE

Dr. Nicholas Weaver
UC Berkeley

Abstract

Mobile malicious code (mobile malcode) has resulted in the loss of tens of billions of dollars to the international economy. Far more devastating worms are feasible. Four observations lead us to believe that mobile malcode is a significant and increasing threat. First, many instances of mobile malcode could have caused much greater damage than they did. Second, advancements in malcode technology are making for far more potent attacks. Third, the vulnerabilities which pervade our infrastructure and the fabric of modern life are not being adequately removed and instead are becoming more tightly coupled. And, fourth, users and economies are becoming more dependent on fragile infrastructure.

In this tutorial we present different types of mobile malcode, including viruses and network worms. We focus more on the latter, as the antivirus industry offers reasonably robust defenses against viruses but much poorer defenses against worms. We explain the history of worms and viruses, the anatomy of malicious malcode, what postures and countermeasures help mitigate the threat, and an overview of current efforts to combat the threat. We provide detailed analysis of several examples of contemporary mobile malcode. A student will come away from this tutorial understanding what the threat is, why the threat exists, and what can be done now to help protect their organization from the threat, as well as research areas which might offer substantial protection in the future.

Prerequisites:

A student should have a general understanding of networking, including TCP/IP. An understanding of software and the anatomy of a process will also be helpful.

Outline:

  1. Overview. Definition of Mobile Malcode. Subclasses of mobile malcode. Anatomy of mobile malcode. Generalized Worm Strategies. Buffer Overflow Primer
  2. Virus History. Early viruses. Fred Cohen's work. Viruses of the late 80's and early 90's. Antivirus technology. Email borne viruses of the 90's.
  3. Worm History. Shoch and Hupp's early experiments with worms. The Morris/Internet Worm of 1988. Linux worms of 1999. Windows worms of the same era. Hybrid malcode. Active worms of 2000-2003. Hypothetical Worms proposed in research literature and on the Web. Target discovery strategies.
  4. Observations About Technological Malcode Advances. Attributes seen in the wild. Potential features from the underground. Potential features from the good guys.
  5. Defensive Postures & Reactions. Configuration & Risk Management. Perimeters & Least Privilege.
  6. Current Research Efforts. DARPA DQ. HP Connection Throttling. IBM Virus Research. Other Research Possibilities?

About the Instructors:

Mr. Dan Ellis is a Ph.D. student at George Mason University and a researcher at MITRE. His interests are in information security, intrusion detection, and malicious code. His research is focused on developing defensive postures and countermeasures that are adequate to combat the worm threat in an enterprise setting.

Dr. Nicholas Weaver is currently completing his Ph.D. at the University of California at Berkeley. His research interests involve FPGA (Field Programmable Gate Arrays) and computer security. His FPGA work is focused on high performance applications, alternate FPGA architectures, and performance-enhancing FPGA tools. His security work has focused on the threat of high-speed worms and other Internet-scale attacks, and automatic, network level defenses to counter these threats.



Tutorial T5 (Full Day)

Web Application Security

Mr. David Wichers
Aspect Security

Abstract

The security of an organization's web applications is critical to a successful online presence. In fact, for some organizations, particularly e-commerce and financial organizations, the security of their web sites may be the most important IT security issue they are facing today. Unfortunately, the security of their custom web applications is frequently an organization's weakest area.

Most developers learn what they know about security on the job, usually by making mistakes. Security is just not a part of many computer science curricula today. This is a powerful one day course that focuses on the most common application security problems facing custom web applications today. It describes the most common vulnerabilities present in today's web applications and practical techniques for identifying and removing such vulnerabilities from web applications.

Prerequisites:

None. Technical background suggested, but not required.

Outline:

This course starts with material designed to raise awareness of just how insecure most web applications are. The tutorial then demonstrates how hackers are able to attack web applications, and what some of the common vulnerabilities are. The next modules detail a number of specific security areas. We discuss the foundational principles, describe best practices, and review code examples of design patterns for solutions. The course covers the following areas:

  • Authentication
  • Access Control
  • Parameter Use
  • Cross Site Scripting
  • Buffer Overflows
  • Command Injection
  • Error Handling
  • Cryptography
  • System Administration
  • Server Configuration
  • Unnecessary and Malicious Code
  • Thread Safety
  • Denial of Service
  • Privacy and Legislative Compliance
  • Accountability and Logging
  • Integrity
  • Caching, Pooling, and Reuse
  • Code Quality
  • and more...

About the Instructor:

Mr. David Wichers is the COO of Aspect Security, a company that specializes in web application security. Mr. Wichers has over fourteen years of experience in the information security field, in areas such as application security, security architectures, secure designs, security policies, models, database security, multilevel security, system and software development, and security testing. He has supported the design and development of trusted operating systems, trusted databases, secure routers, secure guards, and large integrated systems for a wide variety of Government customers. He previously ran the Exodus Application Security Services Group. Mr. Wichers has a Bachelor of Science in Computer Systems Engineering from Arizona State University and a Master's degree in Computer Science from the University of California at Davis.



Tutorial T6 (Full Day)

Golden Rules of Secure Software Development

Dr. Holger Peine
Fraunhofer IESE Research Institute

Abstract

This tutorial will teach important guiding principles for avoiding security problems in the design and implementation of software. It does not address finding security problems in existing systems. No specific technology is taught; instead, the focus is on general principles of good security engineering. We start with a short refresher on what software security is, motivated by the flaws found in a small piece of real-world software (a Java applet for login).

The main part of the tutorial will then present 19 rules of secure software development in the form of Do's and Don'ts. Each rule is illustrated by examples of good and bad practice, and enriched by discussions of inherent problems and possible trade-offs against other goals of software development. The audience is invited to contribute their own experience and opinion in these discussions. We will continue with some considerations on the general benefits and limitations of such a rule-based approach. The rules part is then rounded off by naming the various sources for the rules and mentioning what other rules have been suggested and why they were not included here.

Finally, the initial example of the login application is revisited, and the audience is invited to critique the application's design in the light of the new knowledge. The tutorial will close with a short direction to security patterns as "the next step" from the general rules.

Prerequisites:

The tutorial assumes a general knowledge of programming and software structuring beyond that of a programming novice. Intermediate-level programming experience in a procedural or OO programming language is recommended, as well as experience from developing at least medium-sized systems. Not required, but useful in places to understand examples in complete detail: Java, C, Perl, Unix.

Outline:

1. Refresher on software security. Example of an insecure system. Abstract goals of software security. Typical attacks against software security. Which software must be secure.
2. The Rules. Assess your threats. Secure the weakest link, not the easiest or most obvious one. Validate all external input. Make your components run with different privileges. Use several layers of defence. Minimize your attack surface. Use the least possible privilege for each operation. Fail securely. Don't be more general than necessary. Employ secure defaults. Avoid storing secrets. Make the secure way the easy way. Beware of backward compatibility. Don't depend on security by obscurity. Recognize and react to attacks. Separate code and data. Don't reveal more than necessary. Use only publicly scrutinized cryptography. Use a truly random source to create secrets.
3. Benefits and limitations of "golden rules".
4. Additional rules from other sources.
5. Applying the rules in analysis: Revisiting the initial example.
6. The next step beyond rules: Security patterns

About the Instructor:

Dr. Holger Peine has studied and worked as a research assistant at the University of Kaiserslautern (Germany), doing research in operating systems, distributed systems, networking, and security. He received a Ph.D. in computer science ("with distinction") for his award-winning research in run-time support for mobile code, and is the designer and principal implementer of the Ara platform for secure execution of general mobile code. He currently works with the IT security department at the Fraunhofer IESE research institute in Kaiserslautern, concerned with security evaluations of IT systems, software and processes, and with developing tools for such tasks. Lately he became the lead of a newly-founded task force of nine people researching techniques and tools for the development of secure software.



Tutorial T7 (Half Day - Morning)

Information Assurance in the US Department of Defense

Mr. Timothy Lelesi and Mr. Charles Lavine
The Aerospace Corporation

Abstract

This tutorial presents an overview of the DoD's approach to information assurance (IA). Recently signed DoD policy outlines a new framework for achieving IA, describes responsibilities and procedures for its implementation, and functions as an umbrella under which existing and forthcoming, lower-level IA-related policy will be integrated. This tutorial describes how DoD Directive 8500.1 and Instruction 8500.2 implement a defense in depth approach for IA through integration of processes and mechanisms, including system certification and accreditation, and IA product acquisition and evaluation.

The ideal student is someone who needs to specify, design, operate, or evaluate a DoD network or information system. A goal of this tutorial is to provide a high-level understanding of the DoD's new direction and the primary policy and processes associated with it.

Prerequisites:

None.

Outline:

1. Introduction to DoD Information Assurance
2. DoD Directive 8500.1 – Policy
3. DoD Instruction 8500.2 – Implementation
4. Associated policy and guidance

About the Instructors:

Mr. Timothy Lelesi has worked in the Information Assurance industry for over 10 years, performing vulnerability assessments and system security engineering. Last year, he joined The Aerospace Corporation's Trusted Computer Security Department, where he performs system security engineering and assessment for major space system programs.

Mr. Charles Lavine has worked in the Information Assurance industry for the past 15 years – all at The Aerospace Corporation. He has participated in the NSA's product evaluation programs as well as performing system security engineering support for space systems. Mr. Lavine is the Director of The Aerospace Corporation's Trusted Computer Systems Department.



Tutorial T8 (Half Day - Afternoon)

Computer and Intrusion Forensics

Prof. George Mohay
Queensland University of Technology

Abstract

Computer forensics relates to the investigation of situations where there is possible evidence of computer crime. Such evidence is often referred to as digital or electronic evidence. Computer crime in its broad sense includes crimes in which:

This tutorial focuses on the principles which should direct the collection, analysis and presentation of the digital evidence available to an investigator, and the techniques that are used in order to ensure that those principles are met. It is increasingly the case that IT professionals, especially those with a responsibility for computer security, are required to gather, analyze and present evidence of computer crime.

Prerequisites:

Tutorial participants will have already achieved a sound foundation in computer software, computer communications, and computer security, enabling them to relate to the principles and practice of computer forensics, which builds on that foundation.

Outline:

1. Computer security and its relationship to computer forensics. The nature of computer crime and digital evidence; establishing a case in computer forensics; definitions; legal considerations including those relating to evidence collection; computer forensics accreditation and expert witness issues
2. Electronic Evidence. Discovery of electronic evidence; file deletion, media sanitization; mobile telephones, PDAs; emerging procedures and standards; seizure, retrieval and analysis of electronic evidence; principles of evidence; forensic examination
3. Tools and Techniques. Monitoring of computer networks and systems; attack types, attacks and system vulnerabilities; vulnerability analysis; incident response, incident response procedures and incident investigation; event and network log analysis; time-lining; evolution of intrusion detection systems (IDS), interoperability and correlation of IDS; network forensics, intrusion forensics; analyzing computer intrusions; intrusion detection, computer forensics, and information warfare

About the Instructor:

Prof. George Mohay is an Adjunct Professor in the Information Security Research Center at the Queensland University of Technology (QUT) in Brisbane, Australia. He was previously Head of the School of Software Engineering and Computing Science at QUT for the period 1992 - 2002. His teaching and research interests lie in the areas of concurrency, distributed systems, security, intrusion detection, and computer forensics. He has worked as a visiting researcher while on sabbatical leave at Stanford University in 1981, Loughborough University in 1986, Bristol University in 1990, and the Australian National University in 2000. He received a B.Sc. (Honors) (UWA) in 1966 and Ph.D. (Monash) in 1970. He supervises Ph.D. and master's students in the areas of security, intrusion detection and computer forensics and is involved as chief investigator in several security and forensics related research projects.