Abstracts


    Issues relating to PKI enabling applications

    By Sudeep Venkatesh

    A Public Key Infrastructure (PKI) is not only about issuing and managing digital certificates. It is also about applications that use these digital certificates to solve real life business issues.

    This presentation covers the basics of PKI enabling an application, including:

  • Making certificate requests,
  • Generating and storing asymmetric keys,
  • Validating messages and digital certificate hierarchies,
  • The latest secure messaging standards.


    Intrusion Detection Response

    By Merik Karman

    Modern Intrusion Detection Systems (IDS) have a raft of technical features that allow a wide range of responses according to pre-programmed conditions and events. Assuming that we have tuned the IDS to report only truly informative events, what do we do in response? Logging and alerting are the norm, but what about active response and correlation? The presentation will focus on the pitfalls and benefits of correlation in both near real-time and as a forensic tool, as well as packet logging and active response issues. This discussion will be framed within the context of perimeter defence and cover the necessary interrelationships with vulnerability assessment and traditional firewalling techniques.


    Why Open Source does not equal More Security

    By Prof. Eugene Spafford

    A number of people are claiming that the open or "free" software paradigm is a better, safer way of producing software. The claim is made that it results in software that is more secure than using traditional, proprietary methods.

    In this talk, I will explain why this claim is specious. It is based on a lack of experience and a lack of understanding of what a secure system really entails. The lack of quality in several major proprietary offerings does not help. However, understanding why the perception exists, and what is really involved in producing secure software, helps us understand the problem and leads to safer software.


    The AFP and high tech crime incident response

    By Tim Morris

    So you have been the victim of an IT security incident. Why should you report the matter to the AFP? How do you go about it? What information will you need to provide? And what will the AFP do about it? This presentation will provide practical advice on the above questions and highlight the AFP's current and emerging capabilities in high tech crime investigation.


    CNCERT/CC: An emerging force for network security in China

    By Dr. Shuo Bai

    Founded in 2000, CNCERT/CC has experienced several critical security events, including the May 2001 hacker attacks between China and the US, the large-scale CodeRed and Nimda infections, and spam rejection. CNCERT/CC, as the core coordination force in the People's Republic of China, successfully handled these events together with our partners. CNCERT/CC is building a complete set of infrastructure for daily use, including an event management system, a vulnerability database called CN-CVE, an IP database, and an environment for vulnerability verification. CNCERT/CC has also carried out several international activities.


    How computer security incidents affect enterprises in the Asia Pacific Region

    By Graham Ingram

    AusCERT is Australia's national Computer Emergency Response Team (CERT) and is a leading computer security incident response team (CSIRT) in the region. In this presentation AusCERT will examine some of the trends, issues and developments arising from IT security incidents in Australia and in the Asia Pacific region. The presentation will include information provided by counterpart regional CSIRTs.


    When too much security is barely enough: A review of emerging network attack types and your best possible defence

    By David Britt

    How can an organisation ever have enough security when 'new and improved' attack types are developed every day?

    From Ping of Death to SYN Flood, from Nimda to Polymorphic - Mr Britt's presentation will describe the evolution of modern attack types and explain the best methods for defending corporate networks from the continuing stream of emerging threats.

    A case study will serve to illustrate successful, real life instances of attack mitigation.


    Enterprise Vulnerability Management - The new wave in managing enterprise security

    By George Kurtz

  • The need for Enterprise Vulnerability Management (EVA)
  • The evolution of vulnerability assessment to vulnerability management
  • Adapting people, process and technology to EVA
  • The Future of EVA


    Safe Secure Architecture for Business

    By Jason Halpern

    Cisco will present SAFE (Secure Architecture for E-Business). The SAFE Blueprint adopts a modular approach to securing the networks in which security design, implementation and management processes are all specified for customers. Each module identifies where and why critical Cisco security and VPN products and technologies, such as Cisco PIX Firewalls, Cisco Intrusion Detection Systems (IDS) or Cisco VPN Concentrators, are needed. Where appropriate, the modules also integrate best-in-class third-party ecosystem solutions, such as anti-virus protection, public key infrastructure (PKI), host-based intrusion detection and application-level security systems.

    The SAFE Blueprint provides maximum flexibility for customers, enabling them to adopt the appropriate modules in stages for their specific and immediate business needs. This allows organizations to leverage their existing security infrastructure while staying within their security budgets on new e-Business projects.


    Impact of Privacy Laws on IT Security

    By Patrick Fair

    Until recently, the way business collected, used and otherwise handled personal information was unregulated. In December 2000 the Federal Parliament passed the Privacy Amendment (Private Sector) Act 2000, imposing privacy regulation on the private sector with effect from 21 December 2001. The new law regulates the collection, secure keeping and use of personal information, among other things. It also requires that individuals be given access to information held about them and have the opportunity to correct it. The cost and organisational challenge of meeting these requirements is only now being fully appreciated. The decision to legislate for the protection of privacy was driven in part by concerns regarding the ease with which personal information can be captured and exploited on-line. The speaker will explain the core provisions of the new Privacy Act, focussing on the types of data that must be secured, the level of security required and the challenge of introducing efficient and secure personal information management on-line in response to the new law.


    Layers and Time

    By Dan Farmer

    In this talk I will discuss some basics of digital layering and computer architecture and their impact on forensic computing, as well as explore file access times and how they may be used to analyze systems in general as well as security incidents.


    Evidence Preservation in the case of a Computer Incident

    By Dick Bussiere

    Much has been said about computer crime and its impact, yet very few people know how to react when an incident actually occurs. This discussion will introduce the concepts of incident response and computer forensics, and educate the audience as to the appropriate steps to take once an incident occurs. It will also discuss how evidence may be collected such that there is a possibility of punishing the perpetrator in a court of law.


    Defending Cyberspace, Requisite Alliances in Government, Industry and Academia

    By Art Money

    Mr. Money will briefly review the nature and significance of the threat to national and international information infrastructures. He will then discuss current responses within and between Western government, industry and academic organizations. Finally, he will suggest areas in which additional collaboration is required.


    N-tier Attacks using SQL Injection

    By Ron Brandis

    Effective defence against attacks demands an awareness of e-security issues and risks. Modern attackers successfully exploit operating systems, web servers, services and components. To defend against these exploits, organizations must apply security countermeasures. These countermeasures are usually designed to secure internal servers by placing them deep within security perimeters established by firewalls and DMZs. Within this security perimeter, organizations also deploy N-tier solutions to meet their business requirements. Attackers are now faced with the new challenge of defeating these N-tier solutions. One way they do this is by directing surgical attacks at application servers.

    In this session, Bridge Point personnel will illustrate some of the N-tier SQL Injection attacks faced by organizations. These attacks can penetrate an organization's intranet. This session will also outline some countermeasures that can be deployed to reduce the security risk posed by SQL Injection attacks.


    Controlling Security when outsourcing IT

    By Hayden Bradford

    The aim of this presentation is to discuss the security issues, both negative and positive, that AMCOR IT dealt with when AMCOR Australasia outsourced its IT operations. The presentation will look at the outsourcing procedure from a security perspective, and "life after outsourcing".

    Some areas to be covered will be:

  • The due diligence process.
  • How AMCOR arrived at the successful bidder.
  • What was, and is expected from the Outsourcing Company.
  • The policies and procedures written to ensure that the outsourcing company delivers what it is contracted to deliver.
  • Managing the security contract.
  • Maintaining control of security.


    Computer Security Hypothetical Forum

    By Terry Laidler

    Tactics to address IT security issues are ever-changing, but if you believe that computer security threats can be addressed by throwing technology at the problem, think again.

    What are the alternatives for coping with a network intrusion, you ask? Join a distinguished panel of world experts as they discuss a hypothetical network attack made against a large corporation.

    You may be surprised what you learn about coping with this complex dilemma!


    Issues and Future Trends in Computer Forensics

    By Andrew Rosen

    A brief presentation addressing the existing and emerging challenges facing Law Enforcement and Computer Security professionals.

    Data Forensics (aka Computer Forensics) is a broad and generic term that encompasses numerous disciplines. As with any scientific endeavor or legal system, there are evolutionary forces at work, just below the surface.

    We tend to believe that the science and technology parts of the equation are more static, particularly when juxtaposed with the fast-paced, dynamic world of computers. Moving slowest of all is the legal system. The inherent problem with our technological capabilities outpacing our social, political, economic and legal systems is the stuff of so many dark futuristic science fiction plots.

    So forensics has to do with court. Let's back up a step: Why are we in court? We are likely in court to seek an equitable resolution to a dispute. This often means money in a civil court and protecting society and punishing offenders in a criminal court.

    Just for fun, let's freely associate with the following terms: Network intrusion, theft of trade secrets, child exploitation, identity theft, fraud, copyright theft, hacking, lying, cheating, stealing.

    Not pretty, eh? The classic "Somebody done somebody wrong" song. Most Social Anthropologists will agree that when someone knowingly commits a crime or a "bad act", they are more likely than not hoping they won't get caught or get in trouble, and they will attempt to conceal their crime or bad act.

    So let's begin. We have a court system (adversarial by nature), a computer system and a theory of how the two are related. Data Forensic practitioners often establish and quantify those relationships. Good ones do it in a way that is easily digested by the court.

    If, as part of our equation, we have an individual who is committing bad acts and does not want to be detected, caught, prosecuted or convicted, things can get very dodgy very quickly. The good news is that you've already got a computer to start with, and presumably that means you have a suspect, a search warrant or a court order granting you authority to look at the computer and a hypothesis or theory of what the central issues are.


    2002 Australian Computer Crime and Security Survey

    Deloitte Touche Tohmatsu and AusCERT, in consultation with the NSW Police Commercial Crime Agency, have collaborated to produce the 2002 Australian Computer Crime and Security Survey. The survey, which follows the format of the well-known annual CSI/FBI Computer Crime and Security Survey, provides the most up to date and authoritative analysis of computer network attack and computer misuse trends in Australia over the last 12 months. The survey provides insight into the number and type of organisations which have experienced network attacks, the type of attacks and more.

    Above all, the survey aims to raise awareness of the complex nature of computer security issues and explores the reasons why, despite a high uptake of computer security technologies, we continue to experience computer network attacks and abuse.


    Computer Security Incident Response in Large Corporations

    By Eric Halil

    In the commercial world business needs often require that corporations take a balanced approach to security risk acceptance. This managed approach includes monitoring, response, audit and vigilance. Effective and efficient corporate response means having a computer security incident response team (CSIRT) in place to address the threats posed by the accepted risks. This talk discusses our experiences in implementing a CSIRT within a large corporation - Sun Microsystems.


    Computer Security Incident Response Team (CSIRT) Design

    By Mark McPherson

    The increase in use of the Internet for commerce and mission critical business operations has seen the emergence of a new type of organisation - the Computer Security Incident Response Team (CSIRT). There are around 100 of these organisations involved in the Forum of Incident Response and Security Teams (FIRST); an international organisation intent on encouraging cooperation between CSIRTs. There are also a number of other CSIRTs around the world, focussed mainly on a deterministic constituency, such as internal corporate or institution-based incident response requirements.

    All such teams exist to address a particular problem - namely the response to intruder activity in a complex network computing environment. Many nations and organisations have chosen to establish a central CSIRT whose sole purpose is to monitor network health and to coordinate response to attacks in their country or region. Such teams are required because of the complicated processes involved in tracking many potential sources of attack, and of managing the number of people required for response. The problem of coordinating this activity is a non-trivial exercise.

    This workshop highlights the issues faced in establishing and running a CSIRT. It provides a basic framework for thinking about operational computer security issues, the client education and awareness, team environment, logistical arrangements and core services required to make a CSIRT effective.


    Information Security : The Incident Handler's perspective

    By Raja Azrina Raja Othman

    Malaysia is moving into the "information age" and reliance and dependencies on electronic information are becoming prevalent. This presentation highlights some of the daunting findings of our survey on Information Security experience, responses, expectations and trends among Malaysian organizations. We will also share our experience in case studies and lessons learned in "battling" Code Red Worm and NIMDA attacks. The presentation also identifies the contributing factors to security breaches and the approaches to improving security practices among the multinationals and local organizations.


    Blended Threats - the new risk for the connected world

    By Leigh Costin

    A blended threat utilizes multiple methods and techniques to transmit and spread an attack. The rapid and widespread damage caused by these sophisticated attacks can send the cost of lost business, productivity, clean up and recovery into the millions, even billions of dollars worldwide. Effective protection from blended threats requires a comprehensive security solution that contains multiple layers of defense and response mechanisms.

    Anti-virus software alone is not a magic bullet. To effectively manage blended threats organisations have to implement and manage a whole raft of associated working practices, policies and procedures. You have to think about infrastructure, applications, backups, security and usability before you start to evaluate a particular vendor's anti-virus product. Once it's installed you need to manage it, update it and police working policies and procedures before you can be confident you have an effective defense solution.

    This presentation will visit many of the things which are often forgotten or given little thought when implementing an in-depth security policy that can provide a solution to the new threats facing corporations today.


    Establishing the Foundation for Data Security through Data Integrity Assurance

    By Gene Kim

    The reality for IT managers, administrators, and auditors is that IT infrastructure and data integrity are continually threatened. The certainty that an administrator feels upon configuring a brand new server or computing system is often lost shortly after deployment due to inadequate controls and lack of awareness of the need to assure data integrity. Despite being one of the three legs of the "Confidentiality / Integrity / Availability" security triangle, integrity continues to be the most misunderstood, most inaccurately measured, and most inadequately implemented security discipline. The result is compromised systems, time to full recovery after attacks taking days, weeks, even months, and often, continuing poor security measures. The purpose of this session is to provide practical background and methods to properly protect the integrity of data throughout the enterprise.

    The reality of modern computing environments is that whenever the underlying integrity of a mission-critical server is in question ("have we been hacked?"), more often than not, the server must be rebuilt from scratch. Worse, the core of any data center, the corporate database, provides very few tools to determine whether unauthorized changes have been made.

    As a result, virtually every experienced IT manager and practitioner has spent large amounts of time and money rebuilding infrastructure to restore the integrity of their system. During an information security crisis, determining the scope of damage and integrity breach often stretches from weeks to months, with little assurance of the accuracy of the results.

    In this discussion, we will present the concept of data integrity and security from a foundational perspective. To better understand the issues surrounding integrity in the enterprise, the evolution from mainframes to a distributed computing model will be presented. How technology and organizational forces have changed IT and the IT audit models are emphasized with specific attention given to effective IT audit strategies.

    The forces that put integrity at risk will be described using real-world examples and framed within the context of deployment lifecycles. In addition, the various methods of effectively controlling and mitigating the risks from an IT audit and control perspective will be covered. How to employ these methods to meet various regulatory and industry control guidelines, including HIPAA, BS7799, GLBA, and the guidelines from Visa and ITIL, will also be presented.


    Vulnerabilities in SSL

    By Steven McLeod and Michael Cohen

    The use of SSL on the Internet has grown significantly in recent years as more organisations use the Internet to deliver services which require traffic to be confidential. Also, the number of people using Internet services such as encrypted web email and e-commerce sites is rapidly growing. We will explore security risks which arise from the use of SSL, even if the SSL protocol is implemented correctly with appropriate key lengths and encryption algorithms. Firstly, Internet users who visit SSL enabled web sites might be tricked into providing sensitive information to an attacker performing a man-in-the-middle attack. Secondly, the use of the CONNECT method may provide further risks such as allowing arbitrary traffic to be tunnelled over the network, circumventing the firewall's policy.

    Finally, both firewalls and intrusion detection systems are rendered useless since SSL traffic is encrypted, therefore traffic cannot be inspected for attack signatures. All of these risks should be considered before SSL is used.


    Firewall Abuse, Reducing Mistreatment of this Security Tool

    By Peter Sandilands

    In earlier times a firewall was seen as the prime security device for a network. That was a reasonable view given the much lower population of systems and the simpler protocol environment. Firewalls would be carefully crafted by the site guru and lovingly cared for. Unfortunately that same perception is being applied to shrink wrapped products installed by part time system administrators today.

    Such expectations are often not met. Rather, you just build a false sense of security. A firewall is no longer the sole device you need to lock everything down.

    It is important to understand just what a firewall can and cannot do in the current deployment of networking technology. This session will lead you through realistic application of firewall technology, showcasing scenarios that demonstrate the limitations of firewall technology.


    Future Directions in Cryptography

    By Professor Bill Caelli

    Three major trends/concerns may be readily discerned in the commercial cryptography area over the next three to five years. These include:

  • the vexed problem of trusted integration of cryptographic hardware and software sub-systems into general purpose/commodity computer and data network systems, including application programming interfaces (APIs),
  • the necessity to cater for multiple cipher systems, both dual and single key schemes, and key management/storage/recovery schemes, and
  • growing need to meet corporate / public sector policies for the governance of cryptographic schemes, including disparate legal regimes across various nations.

    The paper surveys current and developing cipher structures in the commercial arena, particularly in relation to high-speed data stream performance and digital "signature" requirements. It also analyses current and developing standards for the evaluation of trust in such systems including developments related to ISO 15408 (the "Common Criteria") and the USA's FIPS-140 standard for cryptographic modules. The paper concludes with some comments on further research being undertaken with longer timeframes, including quantum cryptography.


    Calculating and Managing Internet Risk: The Global Threat Operations Center / Information Sharing Analysis Center Approach

    By Dennis Treece

    The presentation outlines an approach for gathering and presenting the information that aids in the calculation of risk factors associated with Internet connectivity. The product of the GTOC and ISAC effort is intended to assist business and government CISOs/IT security staff in the calculation of Internet risk factors and to help them manage that risk more efficiently. Given that at one end of the chart you cannot achieve perfect Internet security and at the other end that you won't have an unlimited budget, the GTOC/ISAC goal is to help find the right balance between operational efficiency, cost, and risk mitigation (Internet security). The presentation includes some conclusions about the Internet threat witnessed by the GTOC during the year 2001, and some predictions for threat activity and issues for 2002 and beyond.


    Securing Windows 2000 in a corporate environment

    By Andrew van der Stock

    Andrew will present over the course of half a day, all the necessary tools to properly secure a Windows 2000 network, concentrating on the following topics:

  • Firewall-friendly AD architecture
  • Correct installation and keeping up with patches
  • Group Policy as a policy instrument
  • IIS lockdowns
  • DCOM / COM+ / SOAP issues
  • Audit controls
  • and more.

    Andrew will be concentrating only on the Windows 2000 environment, but will briefly touch upon other products as necessary (such as SMS or ISA server) as the need arises.


    The Management Challenges to Information Security

    By Rob McMillan

    In recent times we have seen an increasing commitment to IT security issues on the part of vendors and government. However responsibility for the secure application of IT infrastructure ultimately rests with the organisation using it. Many of the challenges that arise in an installation of any significant size are not technical. Rather, they are issues around the management of the infrastructure. There is a need to recognise threats, control vulnerabilities and plan for adverse events.


    An Audit trail for IP -- Argus Style

    By Russell Fulton

    Argus is a tool for recording an audit trail for all IP traffic flows visible at some point in a network. This paper seeks to explain why having an audit trail of your network traffic is a good thing and how argus can be used to implement such an audit trail for your network. The paper is illustrated by several real life examples of where argus has helped solve problems on our network at the University of Auckland.


    Information Security in an Outsourced Environment

    By Oliver Binz and Leif Gamertsfelder

    In a time where organisations are looking for ways of improving efficiency, the outsourcing of "non-core" functions has become a common consideration. While efficiency gains and cost savings are primary concerns, the security of critical information must also be given high priority.

    This presentation explores the business, technical and legal issues that arise in the context of information security in outsourced environments and will propose solutions for managing the associated risks.


    Wireless Insecurity

    By Neal Wise

    The ease and functionality of wireless networking has led to many home users and corporations trialing and deploying this new technology. But what are the risks?

    As wireless technology becomes more pervasive, there is likely to be an increase in security incidents as a result of the ease with which many wireless networks can be compromised.

    This presentation covers the issues and risks associated with deploying this technology. It also covers best practice methods for authentication, authorisation, and access. Real life compromises will be discussed (no names of course!), as well as examples drawn from recent war-driving activities.


    Sweating the small stuff

    By Mark Ames

    The numerous system settings, rules, access control lists, and admin procedures across your organisation make your security policy effective. It is essential to have a policy that can translate into your organisation's security configuration settings, and even more important to make sure your security configuration is appropriate and maintained. This presentation looks at what policies you need to determine configuration settings and the operational practices necessary to maintain them.


    Managing Online Risk

    By Kim Duffy

    Information is the currency that drives today's networked business operations. Protection for key online assets is as fundamental as locking the doors, as essential as auditing the books. No organisation would even consider opening operations without securing all facilities against theft, fire and vandalism. Nevertheless, companies engaging in online business routinely shortchange their protection of key online assets and systems. Like any other threat in business, online risk can be effectively managed. Speaker Kim Duffy will present a holistic view of creating, implementing and managing the online security lifecycle. Duffy will illustrate through case studies methods of closing the security gap between policy and practice.


    mCommerce and Wireless security

    By Tyson Macaulay

    Mobile Commerce (mCommerce) and micropayments are some of the most promising wireless applications on the horizon - but they are known to be at the mercy of their own "security": real and perceived. mCommerce will bring a whole new type of transaction to consumers, and a whole new market to merchants - estimated to be worth over $100 billion world wide by 2005. The most significant challenge to mCommerce will be security: authentication of the players and confidentiality of the transaction information. Security topics covered will include Wireless LAN (WLAN) technology like 802.11, Bluetooth and 3G Mobile phone services, which will extend networking capabilities to the metropolitan (WWAN) level. This presentation will outline the security challenges facing wireless applications as a whole, and use mCommerce as the overall context for discussion.


    Experiences in Commercial Penetration Testing

    By Ajoy Ghosh

    This is a critical examination of 200-odd commercial "penetration test" engagements. After analysing the results of the engagements, I will examine the lessons learnt in:

  • establishing the objectives;
  • selling the engagement to clients and executive management;
  • protecting the customer and the consultant;
  • conducting the penetration; and
  • presenting the findings.

    To assist the presentation, I will use two case studies: (i) a real engagement and (ii) a hypothetical engagement derived from a composite of real engagements.


    Queen v. Boden

    By Peter Kingsley

    In October 2001, Vitek Boden was convicted of 30 charges involving computer hacking of the Maroochy Shire sewerage system. The attacks, which commenced in late 1999, involved using remote radio transmissions to alter the actions of the sewerage pumping stations and caused hundreds of thousands of litres of raw sewage to be pumped into public waterways.

    Senior Constable Peter Kingsley, a computer forensics examiner with the Queensland Police Service, will give us a detailed insight into the case. He will explain how the attacks occurred, their impact, how the police investigation progressed, how and what forensic evidence was collected and provide insight into the attacker's motives. The case demonstrates that vital infrastructure services controlled by computer systems can be vulnerable to computer network attacks and the need to ensure critical computer systems are adequately protected.


    Real-World Information Operations

    By Patrick Scribner

    This presentation will acquaint the audience with the concepts of Information Operations (IO) in the context of the Military Decision-Making Cycle. The presentation will cover topics essential to understanding IO, such as the elements of IO (Psychological Operations, Electronic Warfare, Physical Destruction, Deception, Civil/Military Affairs, and Operational Security) and their application in the IO planning cycle. Using a series of practical scenarios, the presenter will conduct a real-world related mission analysis focusing on: Intelligence Preparation of the Battlefield: determining IO tasks, assets and constraints; preparing a risk analysis; determining the commander's critical information requirements; and developing the course of action.


    Computer Malware: Viruses, Trojan Horses and Worms

    By Myles Jordan, Hamish O'Dea and Eugene Dozortsev

    This presentation provides a solid background for understanding the principles of malicious software functionality and behavior, as well as explaining security and system integrity threats related to virus infections and Trojan horse activation. It will explain the most common attacks and the most interesting ones. Presented by CA's experienced anti-virus researchers, this session not only provides reliable, up-to-date information, but also gives participants the opportunity to see practical demonstrations, including virus payloads, a working email worm, a backdoor security exploit, and an HTML/script attack.


    Black Hat, White Hat, Gray Hat, Red Hat: What Dr. Seuss Forgot to Tell You About the Computer Hacker Community

    By Max Kilger

    The stereotyped computer hacker of the popular media has little to do with the actual reality of the hacker community itself. To many people this community seems like a chaotic, unpredictable group of ill-dressed, ill-behaved individuals many of whom are bent upon less than lawful activities. In this presentation you will have a social scientist as your guide to unravel some of the stereotypes, motivations and behaviors of various-colored "hat wearing" members and hopefully you will come away with a better understanding of the computer hacker community, how it functions and how it affects you.


    Vulnerabilities go mobile

    By Marko Laakso

    Information security incidents plague the Internet. Our society depends on phone networks. Today, the Internet has gone mobile. There will be an inevitable clash between these two worlds. Mobile phones have transformed into interconnected computing appliances, and information about their security vulnerabilities is beginning to roll in.

    We explored the vulnerability scene of the mobile phone networks. What would be characteristic of mobile phone network vulnerabilities? What security problems in mobile phones have been publicly announced? How did WAP implementations survive test suites constructed to find flaws with security implications? We realised that despite its peculiarities, such as patch deployment problems and a lack of real market diversity, the mobile phone vulnerability scene resembles its Internet counterpart. We encourage you to keep up your security methodology and level of scrutiny even in the mobile context.


    Using the SSE-CMM to Improve Security Practices

    By John Lindquist

    The System Security Engineering Capability Maturity Model (SSE-CMM) is offered by the International Systems Security Engineering Association (ISSEA) to help organizations effectively manage information security. In this practical session, you'll discover what the CMM is and how it can improve the security of your organization. You will also find out:

  • How the CMM facilitates appropriate responses to changing technology through continually refined security;
  • How the CMM allows organizations to create and implement effective security, and
  • How to perform ongoing assessments of your security posture.


    Securing E-Government In Western Australia

    The GovSecure Project

    Jim Meneely, Manager Information Assurance at the WA Department of Industry and Technology (DoIT) will outline the history, purpose and progress of this project.

    The GovSecure project has the following major objective:

    To establish a consistent standards-based approach to online security across all of government in Western Australia, based on threat assessment and risk management principles.

    The standards being adopted include:

    ISO 17799:2001, Information Technology - Code of Practice for Information Security Management; and AS/NZS 7799.2:2000, Specification for Information Security Management Systems.

    DoIT is developing policies, procedures, a methodology and software tools to enable Agencies to achieve compliance with these standards and to address common security risks and concerns expressed by the Auditor General of Western Australia.

    The outcomes from the project will be that:

  • Ongoing online service delivery and operations of government are maintained at a high level of availability;
  • Confidentiality, integrity and authenticity of communications are assured; and
  • A public perception of trustworthiness in Government online services is created and sustained.


    Inverting the Risk Analysis Process - Addressing the security issues of WWW

    By Paul Young

    The management of risk in IT systems forms an integral part of Business Continuity in today's systems. Risk must be addressed from a business perspective; it is not simply a technical issue that can be addressed by firewalls, digital certificates and the like. An appropriate security and risk profile for an IT system can only be determined by analysing the underlying business requirements, which can then be translated into technical requirements. Undertaking the development of systems in this manner usually results in strong management buy-in and commitment to the project, and in realistic costs and timelines. These are key factors in the success of designing and deploying medium to large scale WWW and eCommerce systems. Too often technical architectures are defined by systems architects in a way that does not address the business requirements. Typically, a risk analysis (AS 4360) is performed far too late in the systems development life cycle of a WWW project. The system vulnerabilities that are exposed by the risk assessment usually result in costly changes to the architecture and extension of critical project timelines. This is rarely a desirable situation.

    Based upon the experience, outcomes and recommendations from numerous AS 4360 risk audits conducted across the Commercial and Government Sector, this paper identifies and develops the issues that need to be considered during the early design phase. These include:

  • Identification of high impact business consequences
  • Typical goals of attackers
  • Typical high risk vulnerabilities
  • Security policy review
  • Business Continuity Planning (Disaster Recovery)


    Thinking Strategically About Information Systems Defense

    By Gene Spafford

    The threats are all around us - hackers, viruses, worms, DDoS systems, rootkits, and more. Sometimes, it seems that all we have time and energy for is applying the next patch, installing the most current anti-virus update, and checking our firewall logs. But is maintaining the status quo of "just-in-time" defenses really what we want to be doing?

    In this talk, I will present some figures about the growth in threats and attacks, the nature of new technology, and the role of current defenses in a rapidly-evolving threat environment. From this, I will discuss some basic principles of information security, and how they can be applied to acquiring and configuring your infosystem defenses. Underlying all the advice is the simple maxim: if you aren't vulnerable to the threat du jour, you do not need to expend resources defending against it.

