A Public Key Infrastructure (PKI) is not only about issuing and managing digital certificates. It is also about applications that use these digital certificates to solve real-life business issues.
This presentation covers the basics of PKI enabling an application,
By Merik Karman
Modern Intrusion Detection Systems (IDS) have a raft of technical features
that allow a wide range of responses according to pre-programmed
and events. Assuming that we have tuned the IDS to report only truly
informative events, what do we do in response? Logging and alerting are
the norm, but what about active response and correlation? The presentation
will focus on the pitfalls and benefits of correlation in both near
real-time and as a forensic tool, as well as packet logging and active
response issues. This discussion will be framed within the context of
perimeter defence and cover the necessary interrelationships with
vulnerability assessment and traditional firewalling techniques.
A number of people are claiming that the open or "free" software paradigm is a better, safer way of producing software. The claim is made that it results in software that is more secure than using traditional, proprietary methods.
In this talk, I will explain why this claim is specious. It is based on a lack of experience and a lack of understanding of what a secure system really entails. The lack of quality in several major proprietary offerings does not help. However, understanding why the perception exists, and what is really involved in producing secure software, helps us understand the problem and leads to safer software.
By Tim Morris
So you have been the victim of an IT security incident. Why should you
report the matter to the AFP? How do you go about it? What information
will you need to provide? And what will the AFP do about it? This
presentation will provide practical advice on the above questions and
highlight the AFP's current and emerging capabilities in high tech
By Dr. Shuo Bai
Founded in 2000, CNCERT/CC has experienced several critical security events, including the May hacker attacks between China and the US in 2001, the large-scale CodeRed and Nimda infections, and SPAM rejection. CNCERT/CC, as the core coordination force in the People's Republic of China, successfully handles these events together with our partners. CNCERT/CC is building a complete set of infrastructure for daily usage, including management system, a vulnerability database called CN-CVE, an IP and an environment for vulnerability verification. CNCERT/CC also carries out several international activities.
AusCERT is Australia's national Computer Emergency Response Team (CERT) and is a leading computer security incident response team (CSIRT) in the region. In this presentation AusCERT will examine some of the trends, issues and developments arising from IT security incidents in Australia and in the Asia Pacific region. The presentation will include information provided by counterpart regional CSIRTs.
By David Britt
How can an organisation ever have enough security when 'new and improved' attack types are developed every day?
From Ping of Death to SYN Flood, from Nimda to Polymorphic - Mr Britt's presentation will describe the evolution of modern attack types and explain the best methods for defending corporate networks from the continuing stream of emerging threats.
A case study will serve to illustrate successful, real life instances of
By George Kurtz
Cisco will present SAFE (Secure Architecture for E-Business). The SAFE Blueprint adopts a modular approach to securing the networks in which security design, implementation and management processes are all specified for customers. Each module identifies where and why critical Cisco security and VPN products and technologies, such as Cisco PIX Firewalls, Cisco Intrusion Detection Systems (IDS) or Cisco VPN Concentrators, are needed. Where appropriate, the modules also integrate best-in-class third-party ecosystem solutions, such as anti-virus protection, public key infrastructure (PKI), host-based intrusion detection and application-level security systems.
The SAFE Blueprint provides maximum flexibility for customers, enabling them to adopt the appropriate modules in stages for their specific and immediate business needs. This allows organizations to leverage their existing security infrastructure while staying within their security budgets on new e-Business projects.
By Patrick Fair
Until recently, the way business collected, used and otherwise handled personal information was unregulated. In December 2000 the Federal Parliament passed the Privacy Amendment (Private Sector) Act 2000, imposing privacy regulation on the private sector with effect from 21 December 2001. The new law regulates the collection, secure keeping and use of personal information, among other things. It also requires that individuals be given access to information held about them and have the opportunity to correct it. The cost and organisational challenge of meeting these requirements is only now being fully appreciated. The decision to legislate for the protection of privacy was driven in part by concerns regarding the ease with which personal information can be captured and exploited on-line. The speaker will explain the core provisions of the new Privacy Act, focussing on the types of data that must be secured, the level of security required and the challenge of introducing efficient and secure personal information management on-line in response to the new law.
By Dan Farmer
In this talk I will discuss some basics of digital laying and computer
architecture and their impact on forensic computing as well as explore
file access times and how they may be used to analyze systems in general
as well as security incidents.
Much has been said about computer crime and its impact, yet very few people know how to react when an incident actually occurs. This discussion will introduce the concepts of incident response and computer forensics, and educate the audience as to the appropriate steps to take once an incident occurs. It will also discuss how evidence may be collected such that there is a possibility of punishing the perpetrator in a court of law.
By Art Money
Mr. Money will briefly review the nature and significance of the
to national and international information infrastructures. He will then
discuss current responses within and between Western government,
and academic organizations. Finally, he will suggest areas in which
additional collaboration is required.
By Ron Brandis
Effective defence against attacks demands an awareness of e-security issues and risks. Modern attackers successfully exploit operating systems, web servers, services and components. To defend against these exploits, organizations must apply security countermeasures. These countermeasures are usually designed to secure internal servers by placing them deep within security perimeters established by firewalls and DMZs. Within this security perimeter, organizations also deploy N-tier solutions to meet their business requirements. Attackers are now faced with the new challenge of defeating these N-tier solutions. One way they do this is by directing surgical attacks at application servers.
In this session, Bridge Point personnel will illustrate some of the N-tier SQL Injection attacks faced by organizations. These attacks can penetrate an organization's intranet. This session will also outline some countermeasures that can be deployed to reduce the security risk posed by SQL Injection attacks.
The aim of this presentation is to discuss the security issues, both negative and positive, that AMCOR IT dealt with when AMCOR Australasia outsourced its IT operations. The presentation will look at the outsourcing procedure from a security perspective, and "life after outsourcing".
Some areas to be covered will be:
Tactics to address IT security issues are ever-changing, but if you believe that computer security threats can be addressed by throwing technology at the problem, think again.
What are the alternatives for coping with a network intrusion you ask? Join a distinguished panel of world experts as they discuss a hypothetical network attack made against a large corporation.
You may be surprised what you learn about coping with this complex dilemma!
By Andrew Rosen
A brief presentation addressing the existing and emerging challenges facing Law Enforcement and Computer Security professionals.
Data Forensics (aka Computer Forensics) is a broad and generic term that encompasses numerous disciplines. As with any scientific endeavor or legal system, there are evolutionary forces at work, just below the surface.
We tend to believe that the science and technology parts of the equation are more static, particularly when juxtaposed with the fast-paced, dynamic world of computers. Moving slowest of all is the legal system. The inherent problem with our technological capabilities outpacing our social, political, economic and legal systems is the stuff of so many dark futuristic science fiction plots.
So forensics has to do with court. Let's back up a step: why are we in court? We are likely in court to seek an equitable resolution to a dispute. This oftentimes means money in a civil court and protecting society and punishing offenders in a criminal court.
Just for fun, let's freely associate with the following terms: network intrusion, theft of trade secrets, child exploitation, identity theft, fraud, copyright theft, hacking, lying, cheating, stealing.
Not pretty, eh? The classic "Somebody done somebody wrong" song. Most social anthropologists will agree that when someone knowingly commits a crime or a "bad act", they are more likely than not hoping they won't get caught or get in trouble, and they will attempt to conceal their crime or bad act.
So let's begin. We have a court system (adversarial by nature), a computer system and a theory of how the two are related. Data forensic practitioners often establish and quantify those relationships. Good ones do it in a way that is easily digested by the court.
If, as part of our equation, we have an individual who is committing bad acts and does not want to be detected, caught, prosecuted or convicted, things can get very dodgy very quickly. The good news is that you've already got a computer to start with, and presumably that means you have a suspect, a search warrant or a court order granting you authority to look at the computer, and a hypothesis or theory of what the central issues are.
Deloitte Touche Tohmatsu and AusCERT, in consultation with the NSW Police Commercial Crime Agency, have collaborated to produce the 2002 Australian Computer Crime and Security Survey. The survey, which follows the format of the well-known annual CSI/FBI Computer Crime and Security Survey, provides the most up to date and authoritative analysis of computer network attack and computer misuse trends in Australia over the last 12 months. The survey provides insight into the number and type of organisations which have experienced network attacks, the type of attacks and more.
Above all, the survey aims to raise awareness of the complex nature of
computer security issues and explores the reasons why, despite a high
uptake of computer security technologies, we continue to experience
computer network attacks and abuse.
By Eric Halil
In the commercial world business needs often require that corporations
take a balanced approach to security risk acceptance. This managed
approach includes monitoring, response, audit and vigilance. Effective
and efficient corporate response means having a computer security
incident response team (CSIRT) in place to address the threats posed by
the accepted risks. This talk discusses our experiences in implementing a
CSIRT within a large corporation - Sun Microsystems.
The increase in use of the Internet for commerce and mission critical business operations has seen the emergence of a new type of organisation - the Computer Security Incident Response Team (CSIRT). There are around 100 of these organisations involved in the Forum of Incident Response and Security Teams (FIRST); an international organisation intent on encouraging cooperation between CSIRTs. There are also a number of other CSIRTs around the world, focussed mainly on a deterministic constituency, such as internal corporate or institution-based incident response requirements.
All such teams exist to address a particular problem - namely the response to intruder activity in a complex network computing environment. Many nations and organisations have chosen to establish a central CSIRT whose sole purpose is to monitor network health and to coordinate response to attacks in their country or region. Such teams are required because of the complicated processes involved in tracking many potential sources of attack, and of managing the number of people required for response. The problem of coordinating this activity is a non-trivial exercise.
This workshop highlights the issues faced in establishing and running a CSIRT. It provides a basic framework for thinking about operational computer security issues, the client education and awareness, team environment, logistical arrangements and core services required to make a CSIRT effective.
Malaysia is moving into the "information age" and reliance and dependency on electronic information is becoming prevalent. This presentation highlights some of the daunting findings of our survey on Information Security experience, responses, expectations and trends among Malaysian organizations. We will also share our experience in case studies and lessons learned in "battling" the Code Red worm and NIMDA attacks. The presentation also identifies the contributing factors to security breaches and the approaches to improving security practices among the multinationals and local
By Leigh Costin
A blended threat utilizes multiple methods and techniques to transmit and spread an attack. The rapid and widespread damage caused by these sophisticated attacks can send the cost of lost business, productivity, clean up and recovery into the millions, even billions of dollars worldwide. Effective protection from blended threats requires a comprehensive security solution that contains multiple layers of defense and response mechanisms.
Anti-virus software alone is not a magic bullet. To effectively manage blended threats, organisations have to implement and manage a whole raft of associated working practices, policies and procedures. You have to think about infrastructure, applications, backups, security and usability before you start to evaluate a particular vendor's anti-virus product. Once it's installed you need to manage it, update it and police working policies and procedures before you can be confident you have an effective defense solution.
This presentation will visit many of the things which are often or given little thought when implementing an in-depth security policy that can provide a solution to the new threats facing corporations today.
By Gene Kim
The reality for IT managers, administrators, and auditors is that IT infrastructure and data integrity are continually threatened. The certainty that an administrator feels upon configuring a brand new server or computing system is often lost shortly after deployment due to inadequate controls and lack of awareness of the need to assure data integrity. Despite being one entire third of the "Confidentiality / Integrity / Availability" security triangle, integrity continues to be the most misunderstood, most inaccurately measured, and most inadequately implemented security discipline. The result is compromised systems, time to full recovery after attacks taking days, weeks, even months, and often, continuing poor security measures. The purpose of this session is to provide practical background and methods to properly protect the integrity of data throughout the enterprise.
The reality of modern computing environments is that whenever the underlying integrity of a mission-critical server is in question ("have we been hacked?"), more often than not, the server must be rebuilt from scratch. Worse, the core of any data center, the corporate database, provides very few tools to determine whether unauthorized changes have been made.
As a result, virtually every experienced IT manager and practitioner has spent large amounts of time and money rebuilding infrastructure to restore the integrity of their system. During an information security crisis, determining the scope of damage and integrity breach often stretches from weeks to months, with little assurance of the accuracy of the results.
In this discussion, we will present the concept of data integrity and security from a foundational perspective. To better understand the issues surrounding integrity in the enterprise, the evolution from mainframes to a distributed computing model will be presented. How technology and organizational forces have changed IT and the IT audit models are emphasized with specific attention given to effective IT audit strategies.
The forces that put integrity at risk will be described using real-world examples and framed within the context of deployment lifecycles. In addition, the various methods of effectively controlling and mitigating the risks from an IT audit and control perspective will be covered. How to employ these methods to meet various regulatory and industry control guidelines, including HIPAA, BS7799, GLBA, and the guidelines from Visa and ITIL, will also be presented.
The use of SSL on the Internet has grown significantly in recent years as more organisations use the Internet to deliver services which require traffic to be confidential. Also, the number of people using Internet services such as encrypted web email and e-commerce sites is rapidly growing. We will explore security risks which arise from the use of SSL, even if the SSL protocol is implemented correctly with appropriate key lengths and encryption algorithms. Firstly, Internet users who visit SSL enabled web sites might be tricked into providing sensitive information to an attacker performing a man-in-the-middle attack. Secondly, the use of the CONNECT method may provide further risks such as allowing arbitrary traffic to be tunnelled over the network, circumventing the firewall's policy.
Finally, both firewalls and intrusion detection systems are rendered useless since SSL traffic is encrypted, therefore traffic cannot be inspected for attack signatures. All of these risks should be considered before SSL is used.
In earlier times a firewall was seen as the prime security device for a network. That was a reasonable view given the much lower population of systems and the simpler protocol environment. Firewalls would be carefully crafted by the site guru and lovingly cared for. Unfortunately that same perception is being applied to shrink wrapped products installed by part time system administrators today.
Such expectations are often not met. Rather, you just build a false sense of security. A firewall is no longer the sole device you need to lock everything down.
It is important to understand just what a firewall can and cannot do in the current deployment of networking technology. This session will lead you through realistic application of firewall technology, showcasing scenarios that demonstrate the limitations of firewall technology.
Three major trends/concerns may be readily discerned in the commercial cryptography area over the next three to five years. These include:
The paper surveys current and developing cipher structures in the commercial arena, particularly in relation to high-speed data stream performance and digital "signature" requirements. It also analyses current and developing standards for the evaluation of trust in such systems including developments related to ISO 15408 (the "Common Criteria") and the USA's FIPS-140 standard for cryptographic modules. The paper concludes with some comments on further research being undertaken with longer timeframes, including quantum cryptography.
The presentation outlines an approach for gathering and presenting the information that aids in the calculation of risk factors associated with Internet connectivity. The product of the GTOC and ISAC effort is intended to assist business and government CISOs/IT security staff in the calculation of Internet risk factors and to help them manage that risk more efficiently. Given that at one end of the chart you cannot achieve perfect Internet security and at the other end that you won't have an unlimited budget, the GTOC/ISAC goal is to help find the right balance between operational efficiency, cost, and risk mitigation (Internet security). The presentation includes some conclusions about the Internet threat witnessed by the GTOC during the year 2001, and some predictions for threat activity and issues for 2002 and beyond.
Andrew will present over the course of half a day, all the necessary tools to properly secure a Windows 2000 network, concentrating on the following topics:
Andrew will be concentrating only on the Windows 2000 environment, but will briefly touch upon other products as necessary (such as SMS or ISA server) as the need arises.
By Rob McMillan
In recent times we have seen an increasing commitment to IT security issues on the part of vendors and government. However responsibility for the secure application of IT infrastructure ultimately rests with the organisation using it. Many of the challenges that arise in an installation of any significant size are not technical. Rather, they are issues around the management of the infrastructure. There is a need to recognise threats, control vulnerabilities and plan for adverse events.
Argus is a tool for recording an audit trail for all IP traffic flows visible at some point in a network. This paper seeks to explain why having an audit trail of your network traffic is a good thing and how argus can be used to implement such an audit trail for your network.
The paper is illustrated by several real life examples of where argus has helped solve problems on our network at the University of Auckland.
In a time where organisations are looking for ways of improving efficiency, the outsourcing of "non-core" functions has become a common consideration. While efficiency gains and cost savings are primary concerns, the security of critical information must also be given high priority.
This presentation explores the business, technical and legal issues that arise in the context of information security in outsourced environments and will propose solutions for managing the associated risks.
By Neal Wise
The ease and functionality of wireless networking has led to many home users and corporations trialing and deploying this new technology. But what are the risks?
As wireless technology becomes more pervasive, there is likely to be an increase in security incidents as a result of the ease with which many wireless networks can be compromised.
This presentation covers the issues and risks associated with deploying this technology. It also covers best practice methods for authentication, authorisation, and access. Real life compromises will be discussed (no names of course!), as well as examples drawn from recent war-driving activities.
By Mark Ames
The numerous system settings, rules, access control lists, and admin procedures across your organisation make your security policy effective. It is essential to have a policy that can translate into your organisation's security configuration settings, and even more important to make sure your security configuration is appropriate and maintained. This presentation looks at what policies you need to determine configuration settings and the operational practices necessary to maintain them.
By Kim Duffy
Information is the currency that drives today's networked business operations. Protection for key online assets is as fundamental as locking the doors, as essential as auditing the books. No organisation would even consider opening operations without securing all facilities against theft, fire and vandalism. Nevertheless, companies engaging in online business routinely shortchange their protection of key online assets and systems. Like any other threat in business, online risk can be effectively managed. Speaker Kim Duffy will present a holistic view of creating, implementing and managing the online security lifecycle. Duffy will illustrate through case studies methods of closing the security gap between policy and practice.
Mobile Commerce (mCommerce) and micropayments are some of the most promising wireless applications on the horizon, but they are known to be at the mercy of their own "security", real and perceived. mCommerce will bring a whole new type of transaction to consumers, and a whole new market to merchants, estimated to be worth over $100 billion worldwide by 2005. The most significant challenge to mCommerce will be security: authentication of the players and confidentiality of the transaction information. Security topics covered will include Wireless LAN (WLAN) technology like 802.11, Bluetooth and 3G mobile phone services, which will extend networking capabilities to the metropolitan (WWAN) level. This presentation will outline the security challenges facing wireless applications as a whole, and use mCommerce as the overall context for discussion.
By Ajoy Ghosh
This is a critical examination of 200-odd commercial "penetration test" engagements. After analysing the results of the engagements, I will examine the lessons learnt in:
To assist the presentation, I will use two case studies: (i) a real engagement and (ii) a hypothetical engagement derived from a composite of real engagements.
In October 2001, Vitek Boden was convicted of 30 charges involving computer hacking of the Maroochy Shire sewerage system. The attacks, which commenced in late 1999, involved using remote radio transmissions to alter the actions of the sewerage pumping stations and caused hundreds of thousands of litres of raw sewage to be pumped into public waterways.
This presentation will acquaint the audience with the concepts of Information Operations (IO) in the context of the Military Decision-Making Cycle. The presentation will cover topics essential to understanding IO, such as the elements of IO (Psychological Operations, Electronic Warfare, Physical Destruction, Deception, Civil/Military Affairs, and Operational Security) and their application in the IO planning cycle. Using a series of practical scenarios, the presenter will conduct a real-world related mission analysis focusing on: Intelligence Preparation of the Battlefield: determining IO tasks, assets and constraints; preparing a risk analysis; determining the commander's critical information requirements; and developing the course of action.
This presentation provides a solid background for understanding the principles of malicious software functionality and behavior, as well as explaining security and system integrity threats related to virus infections and Trojan horse activation. It will explain the most common attacks and the most interesting ones. Presented by CA's experienced anti-virus researchers, this session not only provides reliable, up-to-date information, but also gives participants the opportunity to see practical demonstrations, including virus payloads, a working email worm, a backdoor security exploit, and an HTML/script attack.
By Max Kilger
The stereotyped computer hacker of the popular media has little to do with the actual reality of the hacker community itself. To many people this community seems like a chaotic, unpredictable group of ill-dressed, ill-behaved individuals many of whom are bent upon less than lawful activities. In this presentation you will have a social scientist as your guide to unravel some of the stereotypes, motivations and behaviors of various-colored "hat wearing" members and hopefully you will come away with a better understanding of the computer hacker community, how it functions and how it affects you.
Information security incidents plague the Internet. Our society depends on phone networks. Today, the Internet has gone mobile. There will be an inevitable clash between these two worlds. Mobile phones have transformed into interconnected computing appliances, and information about their security vulnerabilities is beginning to roll in.
We explored the vulnerability scene of the mobile phone networks. What would be characteristic of mobile phone network vulnerabilities? What security problems in mobile phones have been publicly announced? How did WAP implementations survive test suites constructed to find flaws with security implications? We realised that despite its peculiarities, such as patch deployment problems and a lack of real market diversity, the mobile phone vulnerability scene resembles its Internet counterpart. We encourage you to keep up your security methodology and level of scrutiny even in the mobile context.
The System Security Engineering Capability Maturity Model (SSE-CMM) is offered by the International Systems Security Engineering Association (ISSEA) to help organizations effectively manage information security. In this practical session, you'll discover what the CMM is and how it can improve the security of your organization. You will also find out:
The GovSecure Project
Jim Meneely, Manager Information Assurance at the WA Department of Industry and Technology (DoIT) will outline the history, purpose and progress of this project.
The GovSecure project has the following major objective:
To establish a consistent standards-based approach to online security across all of government in Western Australia, based on threat assessment and risk management principles.
The standards being adopted include:
ISO 17799:2001, Information Technology - Code of Practice for Information Security Management; and AS/NZS 7799.2:2000, Specification for Information Security Management Systems.
DoIT is developing policies, procedures, a methodology and software tools to enable Agencies to achieve compliance with these standards and to address common security risks and concerns expressed by the Auditor General of Western Australia.
The outcomes from the project will be that:
Ongoing online service delivery and operations of government are maintained at a high level of availability; Confidentiality, integrity and authenticity of communications are assured; and
A public perception of trustworthiness in Government online services is created and sustained.
By Paul Young
The management of risk in IT systems forms an integral part of Business Continuity in today's systems. Risk must be addressed from a business perspective; it is not simply a technical issue that can be addressed by firewalls, digital certificates and the like. An appropriate security and risk profile for an IT system can only be determined by analysing the underlying business requirements, which can then be translated into technical requirements. Undertaking the development of systems in this manner usually results in strong management buy-in and commitment to the project, realistic costs and timelines. These are key factors in the success of designing and deploying medium to large scale WWW and eCommerce systems. Too often technical architectures are defined by systems architects that do not address the business requirements. Typically, a risk analysis (AS 4360) is performed far too late in the systems development life cycle of a WWW project. The system vulnerabilities that are exposed by the risk assessment usually result in costly changes to the architecture and extension of critical project timelines. This is rarely a desirable situation.
Based upon the experience, outcomes and recommendations from numerous AS4360 Risk Audits conducted across the Commercial and Government Sector, this paper identifies and develops the issues that need to be considered during the early design phase:
By Gene Spafford
The threats are all around us: hackers, viruses, worms, DDoS systems, rootkits, and more. Sometimes, it seems that all we have time and energy for is applying the next patch, installing the most current anti-virus update, and checking our firewall logs. But is maintaining the status quo of "just-in-time" defenses really what we want to be doing?
In this talk, I will present some figures about the growth in threats and attacks, the nature of new technology, and the role of current defenses in a rapidly-evolving threat environment. From this, I will discuss some basic principles of information security, and how they can be applied to acquiring and configuring your infosystem defenses. Underlying all the advice is the simple maxim: if you aren't vulnerable to the threat du jour, you do not need to expend resources defending against it.
Maintained by: ITS - University of Queensland. Last updated: 9th August 2002.