| Monday | | Tuesday | |
|---|---|---|---|
| M1 | Investigating Computer Virus and Other Malware Incidents | T4 | Intrusion Detection and Network Forensics |
| M2 | Using the Common Criteria v2.1 | T5 | Writing Secure Software |
| M3 | Introduction to Cryptography and Public Key Infrastructure | T6 | Introduction to Java Security and Access Control Issues |
| | | T7 | Online Privacy |
Investigating Computer Virus and Other Malware Incidents
Christine Orshesky, i-Secure Corporation
Abstract
With the increasing spread of computer viruses and worms that can lurk in an organization, it is no longer feasible to rely solely on single-point detection and repair techniques. Virus-related incidents must be investigated within an organization to determine where the infection originated, where it spread, and what damage it may have caused along the way or may still cause. This workshop is designed to give the attendee the ability to make those determinations through effective response and investigation techniques for computer virus and other malware incidents within their organizations.
The attendee will be given the opportunity to participate as a member of an incident response team for several computer virus and malware incidents and will be asked to define the appropriate response and investigation techniques -- ultimately providing the source and scope of the incident with an aim toward complete and effective eradication.
Prerequisites
Attendees should possess a basic familiarity with computer functionality and information/network security topics, such as directory listings, file attributes, access control mechanisms, and audit logs. They should also have some basic familiarity with computer viruses and other forms of malware, e.g., Trojan horse programs, worms, hoaxes, et cetera, and some familiarity with anti-virus protection techniques and products. Lastly, attendees should have basic experience in detecting and repairing a virus-infected file.
Outline
The tutorial will be broken into 3 main parts covering
Biographical Information
Christine M. Orshesky is currently the President of i-secure Corporation, a company she founded to bring anti-virus protection strategies and education to a broader portion of the online community. She started her career in Information Security with the FBI, working on intrusion detection and computer virus response initiatives. Ms. Orshesky then transitioned to the private sector, working as a consultant performing security assessments, participating in certification and accreditation efforts, and developing virus response initiatives. Ms. Orshesky has most recently performed malicious logic incident management support and program development for the Department of Defense at the Pentagon. She is a recognized name in the anti-virus industry and has achieved professional recognition through publication and participation in international virus prevention and national information security conferences. In addition, Ms. Orshesky maintains professional certification as a Certified Information Systems Security Professional (CISSP) and a Certified Quality Analyst (CQA).
Using the Common Criteria v2.1
Lynne Ambuel, Decisive Analytics and Murray Donaldson, CESG
Abstract
The approach to information technology security evaluation has changed. Version 2.1 of the Common Criteria (CC) for Information Technology Security Evaluation has been issued and is an accepted ISO standard (ISO 15408). Both the DoD and GSA have issued formal statements on the timetable for transition to using the CC. This tutorial is intended to give attendees the technical understanding needed to develop product and system security requirements and to meet that timetable.
The tutorial will be based on hands-on exercises intended to guide the attendee through the development of a simple Protection Profile (PP). A Target of Evaluation (TOE) description will be provided to the students, and throughout the remainder of the tutorial the attendees will focus on developing the required content of a PP that eventually describes the security requirements for that TOE description. The attendee will gain an understanding of how to:
Prerequisites
Students taking this course should have a general knowledge of IT Security principles as well as an introductory knowledge of the CC Protection Profile (PP) concept.
Biographical Information
Lynne Ambuel is the Director of Information Security at Decisive Analytics Corporation (DAC), where she leads technical teams in the application of IT Security and the Common Criteria for both government and commercial organizations. She has participated in all of the CC Project criteria and methodology working groups: the Common Criteria Editorial Board (CCEB), the Common Criteria Implementation Board (CCIB), the Common Criteria Interpretations Management Board (CCIMB), and the Common Evaluation Methodology Editorial Board (CEMEB). She also provides technical and executive support to the CC Project, and she is the ISO Working Group Rapporteur for the study period on the Common Evaluation Methodology.
Murray Donaldson is a Principal Information Security Consultant with the UK Communications-Electronics Security Group (CESG). He is the CC Project Coordinator and Chair of the Common Evaluation Methodology Editorial Board. He was an original member of the CC Editorial and Implementation Boards, which wrote CC versions 1.0 and 2.1. Murray is the Chair of the NATO working group developing the transition plan for NATO to move to the CC. He is also the ISO Project Editor of the draft Technical Report, Guide for Production of Protection Profiles and Security Targets.
Introduction to Cryptography and Public Key Infrastructure
Ron Tencati, Cygnacom
Abstract
This full-day tutorial course introduces participants to the background and application of cryptography and Public Key Infrastructure (PKI). A study of both historical and present-day cryptographic applications is presented. Students explore both conventional and public key encryption schemes, study the differences between Diffie-Hellman and RSA public key technologies, and explore modern cryptographic applications such as SSL, IPSEC, Elliptic Curves and Digital Signatures. A discussion of the components of a Public Key Infrastructure (PKI) system is also included in this tutorial, including Certification and Registration Authorities, Directory Services, and Certificate Policy and Practice Statements.
Prerequisites
There are no prerequisites for this seminar. A knowledge of mathematics is not necessary.
Outline
This tutorial covers Cryptographic Techniques, VPN Concepts including TLS (SSL), WAP and IPSEC; a study of encryption and basic key recovery techniques; a study of public key concepts and systems including key generation and exchange methods; PKI concepts including the use and management of digital signatures, certificate authorities, registration authorities and directory services; PKI implementation issues including policy, liability, deployment and interoperability concerns.
The seminar makes use of easy-to-understand illustrations and animated graphics to help simplify the complex nature of a discussion of technical concepts and techniques. Anyone who would like an increased understanding of how cryptographic and PKI systems can be used to provide secure electronic commerce will benefit from this tutorial.
Biographical Information
Ron Tencati works at CygnaCom Solutions Inc, a subsidiary of Entrust Technologies in McLean, VA, where he is the manager of the company's Cryptographic Equipment Assessment Laboratory. He also developed the Key Ceremony, Cryptographic and Physical Security procedures for the company's commercial outsourced PKI offering. Ron has formerly served as Global Training Manager at Spyrus and as senior technical course developer and instructor for Cylink Corporation. He is a co-founder of both the Forum of Incident Response and Security Teams (FIRST) and the NASA Automated Systems Incident Response Capability (NASIRC). Ron has over 16 years experience in network security, system administration, and system security engineering.
Intrusion Detection and Network Forensics
Marcus Ranum, NFR
Abstract
What can intrusion detection do for you? Intrusion detection systems are designed to alert network managers to the presence of unusual or possibly hostile events within the network. Once you've found traces of an intruder, what should you do? What kind of tools can you deploy to determine what happened, how they got in, and how to keep them out? This tutorial provides a highly technical overview of the state of intrusion detection software and the types of products that are available, as well as the basic principles to apply when building your own intrusion detection alarms. Methods of recording events during an intrusion are also covered.
Prerequisites
This tutorial will assume some knowledge of TCP/IP networking and client/server computing.
Outline
Biographical Information
Marcus Ranum is CEO of Network Flight Recorder, Inc., and has been specializing in Internet security since he built the first commercial firewall product in 1990. He has acted as chief architect and implementer of several other notable security systems, including the TIS firewall toolkit, the TIS Gauntlet firewall, whitehouse.gov, and the Network Flight Recorder. Marcus frequently lectures on Internet security issues, and is co-author of the Web Site Security Sourcebook with Avi Rubin and Dan Geer, published by John Wiley and Sons.
Writing Secure Software
John Viega, Widevine Technologies
Abstract
Bugs in networks do not often lead to security problems; the problems usually come from the software that you run on the network. Security scanners such as ISS are great for checking for known problems with off-the-shelf software, but they do not help protect the code you write from attackers. In the real world, developers tend to know a little about security, but not enough to write secure code consistently. For example, many developers have read an introductory book on cryptography, but few of them seem to realize that software security is a far broader topic than cryptography alone. The weakest parts of a system are the ones that get attacked; cryptography is rarely the target, because it is rarely the weakest part of a system.
In the field, we see the same sorts of problems crop up repeatedly, even in high-profile applications such as Netscape, Internet Explorer, and Microsoft's web server, IIS. The goal of this tutorial is to educate software architects and developers on what they need to know if they are going to write secure software in a networked world.
Prerequisites
This tutorial is aimed primarily at software architects and developers, though most of the topics in the first half of the day will be interesting to managers. Consequently, solid programming skills would be useful. Most examples will be in C, but C knowledge is not a requirement; all examples should be comprehensible by anyone with a solid understanding of programming.
Outline
Biographical Information
John Viega is a Senior Research Associate and Software Security Group co-founder at Reliable Software Technologies (http://www.rstcorp.com). Mr. Viega is the Principal Investigator on a DARPA-sponsored federal grant charged with developing security extensions for standard programming languages. He has authored over 30 technical publications in the areas of software security and testing, and is currently co-authoring a book on writing secure software for Addison Wesley. Mr. Viega is the co-author of SO WHAT, a buffer overflow prevention tool for Windows NT, Solaris and Irix. He is also the author of ITS4, a tool for finding security vulnerabilities in C and C++ code.
In November 2000, John joined Widevine Technologies where he will be continuing his work in writing secure software.
Introduction to Java Security and Access Control Issues
Sub Ramakrishnan, Bowling Green State University
Abstract
Java was introduced as an object-oriented programming language less than a decade ago and is already becoming the preferred language for both stand-alone and web-enabled applications. Contrary to popular belief, the security features of Java applications and applets sit at two extremes: applets use a sandbox model and enforce tight security, while applications run outside the sandbox and enforce no security at all.
This tutorial provides an overview and classification of a number of security issues of applets and applications. It develops mechanisms for introspection of the default security and access control elements and the process for modifying them under program control. We will use actual code examples to demonstrate these ideas and also show how the code may be integrated into user-written applications and/or applets. Although some of these concepts depend on the version of Java in use (Java 1.1 or Java 2), we will restrict our attention to Java 2.
Prerequisites
Object-oriented concepts; design and development of Java programs and applets; web surfing. Knowledge of cryptographic principles is helpful but not necessary. Although we will provide a quick overview of the language, attendees are expected to be fairly proficient with the language basics.
Outline
Biographical Information
Dr. Ramakrishnan's interests include computer security, web-to-database connectivity, three-tier architectures, and secure internet technologies. The National Science Foundation supported his work on distributed systems. He has published widely in the areas of distributed systems and complexity of algorithms. He is a professor of Computer Science at Bowling Green State University, Bowling Green, Ohio, and has consulted on e-commerce solutions.
Online Privacy
Brian Tretick, Ernst & Young
Abstract
Privacy. It's in the media, it's on the Hill, and it's on consumers' minds. A hundred years ago, the word privacy generally referred to dark curtains, thick hedges, and a high fence to keep a nosy neighbor in his or her place. Privacy is increasingly problematic in today's connected economy, because new technology has enabled more pervasive, detailed, and cost-effective collection and dissemination of data. In the information age, we are witnessing the emergence of new online business models built upon one-to-one marketing and personalization, where customer data is a major competitive asset and a tradeable commodity. While consumers may enjoy the benefits of precision target marketing (e.g., receiving only direct marketing information about products or services that are relevant to them), they are growing increasingly concerned about possible business invasions of their privacy. Consequently, privacy has emerged as a prominent and, as yet, unresolved trust issue for both consumers and business.
Prerequisites
None
Outline
This tutorial provides fundamental information about online privacy and its roots in fair information practices. Oriented around privacy as a business issue, it explores the history, current state, and direction of privacy and data protection issues. Although the focus is on eBusiness, the tutorial spans not only industry segments (including financial services, health care, and consumer-intensive businesses) but also global jurisdictions (including the U.S., Canada, and the European Union).
Biographical Information
Brian Tretick is a leader of Ernst & Young's Privacy Assurance and Advisory Services. He has served clients in the online, financial services, retail, and software industries with the technological, organizational, regulatory, and third party relationship aspects of data privacy for U.S., Canadian, and European companies.