Abstracts


Getting Operations and Security To Get Along: Best Practices You Can Use (And Love)

By Gene Kim

One of the biggest challenges facing Information Security executives is how to integrate better with their peers in Operations, Audit, and Management. All too often, despite sharing common objectives, these stakeholders integrate poorly together. Common patterns include Infosec defining a policy, only to be ignored by Ops. Worse, the remedy is Infosec "fixing" the problem without telling anyone, all too often resulting in the entire infrastructure crashing around them.

This briefing presents the results of benchmarking, showing how "best in class" Ops and Security organizations work together to create stellar service levels (high uptimes, low Mean Time To Repair), incredible cost structure (server-to-sysadmin ratios of 100:1 or above), fewest incidents, and earliest integration of Infosec requirements in the service delivery lifecycle. It turns out that when auditable security controls are implemented, what is good for Security is good for Operations, and vice versa!

This briefing will show how they achieve this, summarized in the Visible Ops methodology, a freely-available process that describes how "best in class" operations conduct daily processes. The goals of the Visible Ops methodology are to decrease Outage MTTR, improve operational efficiencies, and build a "culture of causality" in operations. Visible Ops does this by creating auditable controls that create useful metrics that can guide audit and future process improvement.


Trusted Computing Platform Alliance (TCPA) and the Palladium Initiative (NGSCB)

Leading technical and business executives will be challenged to respond as panel members to the Trusted Computing Platform Alliance (TCPA) and the Palladium initiative. These initiatives intend to improve trust in the PC platform and implement stronger access controls on confidential documents. There are a number of controversial issues that may arise with this initiative such as operational issues, technical implementations, centralisation of economic power and censorship.


Cyber investigation of a telco attack

By Bruce van der Graaf

This case study will examine the Law Enforcement response to a network intrusion in which over 400,000 user names and passwords were compromised. The study will highlight the importance of early discovery and a planned response to a security incident, how the investigation was handled, and what evidence was ultimately available which led to charging the offender.


2003 Australian Computer Crime and Security Survey results

By Kathryn Kerr

Four of Australia's law enforcement agencies - the Australian Federal Police, Queensland Police, Western Australia Police and South Australia Police - and AusCERT produced this year's Australian Computer Crime and Security Survey. The survey builds on the format of the well-known annual CSI/FBI Computer Crime and Security Survey and includes several new questions designed to better understand the particular factors which contribute to computer security incidents.

With over 200 responses from Australian public and private sector organisations, the survey provides the most up to date and authoritative analysis of computer network attack and computer misuse trends in Australia over the last 12 months. As before, the survey includes a number of real case studies and expert commentary from Australian law enforcement, AusCERT and other Australian experts. Above all, the survey aims to raise awareness of the complex nature of computer security issues, identify areas of concern and, where appropriate, to motivate organisations to take a more active role in protecting their systems.


Cisco Systems
Formal security evaluation: Why it matters

By Peter Elford

The federal government sector imposes its own formal evaluation and certification requirements on the acquisition of security products. This session reviews the motivation and history of formal evaluation, outlines its role in the government security marketplace and provides an overview of the Common Criteria evaluation methodology.


eSecurity Australia
Collaboration, a better way of working

By Robert de Haan

Through a strategic, collaborative approach to information security, eSecurity Australia enables customers to optimise their security investments and proactively protect their most important information assets from potential threats, by providing a single entry point to leading Information Security organisations.

eSecurity Australia aims to use its combined talents and services to raise the awareness of the importance of eSecurity.

eBusiness and emerging technologies make information security one of the most challenging and complex issues facing business today. Organisations that take the risk of not keeping their information security up to date can easily become exposed to security threats that can destroy their reputation and shut down operations.

eSecurity Australia leverages its capabilities in four distinct areas: People, Talent and Leadership; Research and Development; and Products and Services.


Vulnerability Handling: Analysis, Coordination, and Ethical/Legal Issues

By Jeffrey J. Carpenter

This presentation will cover a case study in the handling of a vulnerability by the CERT Coordination Center (CERT/CC), looking at how the vulnerability was analysed by the CERT/CC, the involvement of the vulnerability reporter and vendors, and the ethical issues involved in handling the vulnerability from the initial report through the release of the advisory and the subsequent monitoring for incident activity.


Using Computer Forensics at the HIH Royal Commission

By Allison Stanfield

The collapse of HIH Insurance is one of the largest corporate collapses in Australia's history. The HIH Royal Commission was set up to "examine whether decisions or actions of Directors, officers or associated advisers contributed to the failure or were involved in any undesirable corporate governance practices. It will also examine the adequacy and appropriateness of arrangements for the regulation and prudential supervision of general insurance at Commonwealth, State and Territory level." The Commissioner, Justice Neville Owen, is due to deliver his report in February 2003.

e.law was appointed the project manager for the IT & T infrastructure for the HIH Royal Commission. e.law was responsible for the initial set up of the hearing room, the Commission offices, and for the ongoing maintenance of all systems. e.law is also responsible for managing all data that is maintained by the Commission; all evidence is stored and presented electronically to the Commission. During the course of the hearing, evidence appeared in the form of backup tapes, which contained emails passing between Directors and senior executives of FAI Insurance, shortly before it was taken over by HIH. These emails proved an important turning point for counsel assisting the Commission.

Allison Stanfield will outline the forensics used at the Commission to retrieve important data. Further, Allison will examine some of the important questions that need to be addressed when accessing material stored on computer disks, where that material is likely to be used as evidence in court proceedings.


Internet Security Systems
Dynamic Threat Protection - A new definition for information security

By Grant Slender

Internet Security Systems' Dynamic Threat Protection™ approach enables organisations to proactively protect against potential security risks when vulnerabilities are first discovered and before threats can become active attacks. Dynamic Threat Protection is the logical next step in security strategy, utilising network, server and desktop protection, including fixed, wireless and remote systems. This combination provides a significantly improved value on each security dollar invested, especially for extended enterprises with many gateway devices, a large percentage of remote or mobile workers, and a strong need for centralised administration and control.


TrendMicro
Let's stop spam! (email this to your friend)

By Jeani Boots

Almost one in every two emails today is unsolicited junk. Loss of productivity, consumption of network resources and other costs relating to spam are significant, not to mention the looming legal liability exposure. Why is spam so prolific and what can corporations do about it? Trend Micro explores the motives and business issues surrounding spam and examines how organisations can implement effective anti-spam strategies.


APNIC Whois database and use of Incident Response Team (IRT) Registration

By Terry Manderson

The presentation describes how to find contacts for network abuse enquiries and reports in the Asia Pacific region by using the APNIC Whois Database. The presentation will also briefly explain how to find information in other databases in the region, such as the JPNIC (Japan) and KRNIC (Korea) databases.

The presentation will explain how to create and use an Incident Response Team (irt) object in the APNIC Whois Database. The benefits of the irt object for network administrators, CERTs and the legal authorities will also be discussed.


A Global Culture of Security

By Marcus Sachs

While global awareness of security issues in cyberspace has been growing steadily over the past few years, we still have a long journey to reach a state of relative security on the Internet. Computer network security is no longer just a technical challenge - it also requires leader involvement, policy development, user education and awareness training, and international cooperation. This presentation will cover the United States government's efforts to develop a domestic national strategy for securing cyberspace, as well as international efforts to foster a global culture of security. We will explore lessons learned over the past few years in dealing with both physical and cyber incidents, and will examine challenges coming our way in the near future.


Clearswift
Managing and securing electronic communications

By Lindsay Durbin

What is really residing inside those electronic mail envelopes? With so much intra and inter company communication bouncing around out there via email, how can you understand, appreciate and explore your organisation's email habits, bandwidth usage and email exposures?

You've heard about the various threats that email can bring to your organisation such as spam, legal liability etcetera, now we'd like to discuss how you can extract and interpret detailed information that will allow you to intimately understand the nature and content of your email communications. Armed with this crucial information you will be in a more knowledgeable position to establish policies to enhance email usage.


Hacking Windows Servers

By Matt Whelan

It's one thing to discuss OS hardening but when it comes to understanding what that really means, nothing beats seeing how a server is taken over in 30 seconds.

This session shows you a series of common attacks on a Windows 2000 Server, examines why they succeed, and discusses the often simple configuration options and network security settings that would stop them dead.

This live display of the hack-and-pillage process - including remote control, buffer overflows, privilege elevation, and SQL attacks - shows exactly what you're up against, and how to defend yourself better than you ever have before.


Security, Copyright and Reverse Engineering: Strange bedfellows or compatible concepts?

By Hamish Fraser

This presentation will look at some of the issues and ramifications under Australian law of pulling software apart to try and identify any security weaknesses.


EWA Australia
Enterprise assurance through security integration and engineering

By Alastair Sharman

EWA Australia provides the latest capabilities in critical infrastructure protection and information security services to the Australian and Asian markets.

This presentation will explore the concepts of Security Integration and Engineering which underpin EWA Australia's approach in providing security solutions. It will focus on EWA Australia's three security integration principles:

  • Enterprise Integration: Security Solutions supporting Enterprise Requirements
  • Security Process Integration: Security Solutions provided in a systematic manner
  • Security Discipline Integration: Security Solutions covering technical, physical, perceptual and personnel issues

It will also discuss one of the assessment methodologies EWA Australia utilises, the Systems Security Engineering - Capability Maturity Model (SSE-CMM), with particular focus on how the SSE-CMM is interoperable with other standards such as AS/NZ 7799.

SSE-CMM provides an internationally recognised (ISO/IEC 21827) framework for evaluating security engineering practices and provides a means to measure and improve the performance of the wide range of products and services used to protect vital corporate information. SSE-CMM has the advantage of providing a structured, holistic approach that assesses security from data, physical and human resource perspectives.


Dimension Data
Wireless intrusion prevention and detection

By Neal Wise

Wireless technology of all sorts is enabling pervasive data services. What are some risks with wireless technology and implementation? Does wireless trade away too much security for too little convenience? This presentation builds on the speaker's previous presentations at conferences such as AusCERT 2002, AUUG Security Symposium & Hack 2002. The topic has been expanded to include high-level consideration of other wireless technologies such as Microwave, Bluetooth & proprietary Radio Frequency. The presentation also provides practical approaches to detecting rogue wireless services and preventing potential misuse of legitimate services.


Intrusion Detection: Current Challenges and Future Directions

By Andrew Clark

"Industry best practice" in terms of information security management suggests that the deployment of an Intrusion Detection System (IDS) across an organisation's network is necessary. However, many organisations are grappling with the challenges associated with implementing such systems. The high overheads associated with configuration and monitoring of these systems often lead to one of two situations: a system is not deployed at all; or, the system that is deployed is not effective.

This presentation will identify the most critical issues associated with the deployment of both host-based and network-based intrusion detection systems. Design and implementation topics will be discussed in order to arm attendees with an understanding of the problems which need to be addressed prior to deployment. Future intrusion detection systems will be more interoperable leading to complex, centralised analysis possibilities. The presentation will conclude by summarising current research challenges being addressed to assist in alleviating some of the current problems.


How To Get Value & Return of Investment from Information Security

By David Lynas

Security exists to support the business. If it is not doing so, and seen to be doing so, we can be perceived as a "Business Prevention Department" - a mere cost center that contributes little and is therefore given little back in terms of resource allocation and budget, without which we can achieve even less. "Security" has no real meaning, no intrinsic value, without context. So what does "security" mean to us? What does it look like? Do we have enough of it? How do we measure it and the purpose it is serving? How do we know if it is succeeding and if our program has value? How do we benchmark security and set ongoing performance targets? How do we assess our program against relevant standards, directives, and legislation?

This innovative session presents the issues and introduces a structured and detailed process used successfully by organizations internationally.


CyberGuard
Examination of firewall architectures: What is important for security?

By Paul Henry

In spite of claims by respective vendors, no single firewall architecture is the 'Holy Grail' in network security. It has been said many times, in many ways by network security experts: If you believe any one technology is going to solve the Internet security problem… you don't understand the technology… and you don't understand the problem.

Unfortunately for the Internet community at large, many administrators today design their security policy for their organisation around the limited capabilities of a specific vendor's product. The author firmly believes all firewall architectures have their respective place in network security. Selection of any specific firewall architecture should be a function of the organisation's security policy and should not be based solely on the limitation of the vendor's proposed solution. The proper application of multiple firewall architectures to support the organisation's security policy in providing the acceptable balance of trust and performance is the only viable methodology in securing a private network when connecting to the public Internet.

This session will review the architecture components in a modern, secure firewall and discuss the suitability for common applications.


90East
Security across the enterprise

By Tim Cranny

In this talk Tim will discuss the failure of 'raw technology' to secure the enterprise, and show how effective security must be built on a foundation of risk management. 'Security' must be broad enough and mature enough to span the enterprise with an integrated package of policies, procedures, architectures and infrastructure. Only then can the vendors contribute to your security, rather than their bottom line.


Kinetica
The security revolution - simplified, automatic, real-time security management

By Stephen Mark Dixon

In this talk Steve will discuss how security management is evolving from disparate, reactive silos of management into simplified, centralised, real-time management of the security enterprise. Steve will discuss how the latest management solutions allow organisations to develop a simple generic policy for security management which is automatically deployed and managed in real time.

Kinetica has long delivered management solutions for large and small corporate and public sector organisations, including many service providers. Steve will draw on these experiences in discussing how to reduce cost, increase value and deliver results from a management system which relate directly to desired business outcomes.


Security Threats: Technological evolution or social devolution?

By Mark McPherson

A technical examination of recent cyber attack technologies, strategies and trends in attack tool development. This presentation is an analysis of the 'here and now' of dangers in cyberspace both real and perceived as seen by AusCERT.


Digital Signature Legislation: Which way Forward?

By Peter Gutmann

In order for e-commerce to work, we apparently need some sort of digital signature law, although we're currently moving in the low trillions of dollars each day electronically without the help of such a law. This talk will look at why this may or may not be the case, why it's extremely hard to create a digital signature law, the approaches being used (or at least tried) by various countries, and how people are currently doing e-commerce in the absence of this type of legislation.


Black/White/Grey -- Shades of Hackers

By Simple Nomad

While there are always going to be hackers, what is with the labels of "Black Hat", "White Hat", and "Grey Hat"? Does it really matter? The presentation will combine discussions regarding the different shades of hackers, the politics involving hacking, and examples from real life. And don't think this will simply be a mild lecture regarding social divisions -- there will be highly technical examples of hacks to help show the divisions and the blurring lines between these divisions. Remote OS identification and mapping, automated attack tools, exotic crypto, and the uncomfortable dance between hackers and federal authorities will be discussed.


KPMG Forensic - Issues from a client perspective

By David Van Homrigh

In an environment of constant change, time and distance are no longer relevant. This session will cover the demand drivers of the KPMG Forensic practice globally and how these drivers have led KPMG Forensic to become one global integrated unit. This strategy has enabled KPMG Forensic to assist major corporations on a global basis when there is disagreement as to facts (disputes between corporates or government) or when behaviour is not in accordance with expectations (fraud, theft of intellectual property, money-laundering, corruption). Included in this session will be a discussion on the KPMG Global E.fr@ud Survey and its impact on the global business environment, together with the emerging trends that contribute to fraud within business.


Enterasys Networks
ISO 17799 and intrusion detection systems

By Dick Bussiere

ISO 17799 is a recently introduced international standard that defines best practices for information security. It is an all-encompassing document which addresses all aspects of information security, including IT infrastructure, personnel and physical security issues.

In this presentation, Dick Bussiere will introduce the ISO 17799 standard for defining best information security practices for an organisation, and suggest how elements of this standard can be mapped into physical implementation using elements of the physical infrastructure that may be at the disposal of the IT professional.


IBM Tivoli
IBM Tivoli software: Integrated Identity Management

By Dr Paul Ashley

As companies expand into e-business and respond to the dynamics of changing business environments, they must change the way they establish relationships between users and business resources. Managing who gets access to what information is critical. Typically, more people will need access to business critical resources. Fluctuating user populations and rapid employee turnover add to the complexity of provisioning users for access. To combat these business challenges, companies must increase the efficiency, and reduce the cost, of managing user information. This session covers how the IBM Tivoli Identity Management suite offers best of breed features to manage user entitlements to the access controlled resources of an IT environment.


Anatomy of a Hack: FBI Case Study and Techniques

By Robert Flaim

Special Agent (SA) Robert Flaim will present a case study on a hacker who gained unauthorized access into an Internet Service Provider (ISP), installed a "packet sniffer" program to capture login information from legitimate users and used that information to obtain customer credit cards. This case study will start with the first report of the ISP intrusion and follow it through undercover contact with the subject to his capture and arrest. Some of the areas covered will be the utilization of a cooperating witness to converse with the subject on IRC, the use of PGP to communicate with the subject, and undercover purchases of stolen credit cards from the hacker. In addition, SA Flaim will discuss other FBI cyber units and how they are used to assist in investigations, i.e. the Computer Analysis Response Team (computer forensics) and the Special Technologies Application Section (technical analysis).


Sun Microsystems
Network identity, strategies, assessment and implementation

By David Bunker

Network Identity is the context-sensitive identity, attributes, rights, and entitlements, all maintained within a policy-based trusted network framework. Managing Network Identity describes the software infrastructure and business processes for managing the life cycle and usage of an identity, including those attributes, rights, and entitlements. By extending the current infrastructure, businesses can bring together disparate identity data to better serve customers, partners, and employees.

This discussion will focus on the strategic implications of Network Identity, covering the evolution of Network Identity and the business drivers, including Financial, Compliance and Legislation, Trust and Privacy, Security and Technology. It will also review the assessment of an enterprise's Network Identity capability, and Sun's software technology and implementation recommendations.


SecureNet
PKI without tears

By Stephen Wilson

This presentation will discuss issues such as:

  • how did conventional PKI get to be so complicated
  • what are the business drivers for PKI versus other authentication methods
  • how does scheme-based PKI simplify the end-to-end user experience
  • best practice case studies from Australia and overseas


What do you mean 'We won't detect that'?

By Nick FitzGerald

Ever-increasing numbers of Windows systems are being compromised via trivial security lapses or well-known vulnerabilities that should have been long since patched (null or weak passwords on Internet-facing shares, and ancient IIS directory traversals are the two most obvious that spring to mind). Marching in lock-step with this trend is a similar increase in the appearance of 'malware' that consists entirely or almost entirely of 'legitimate' applications such as IRC clients, FTP and HTTP servers, remote viewing/control/administration tools and so on. Traditional antivirus approaches are hamstrung in detecting such malware, as adding detection of these applications is tantamount to adding false positives should the scanner also be used on systems where any of these applications have been knowingly installed.

There is a double-whammy effect here though. The less security-aware (or more overworked) administrators whose machines are more likely to be hit by these emerging bot-net agents are more likely to live in the 'I've installed antivirus software so should be safe' camp. Thus they are doubly-disadvantaged through not having taken sufficient steps to secure their systems and the false sense of security afforded by their overly trusting belief in the level of protection afforded by their antivirus software.

This presentation will dissect a couple of these recent bot-net agents then discuss alternatives to blacklisting-based approaches to maintaining the integrity of code on your systems.


Applications the Soft Target

By Oliver Binz

Hackers, whatever their motivation, will typically attack that part of the information system which is most vulnerable. With security awareness on the increase, most organisations now have the perimeter more or less secured. The remaining "soft" targets are the applications.

This presentation will define the problem and provide examples, consider why these weaknesses exist, and offer viable solutions to address the problem. It looks at both in-house and outsource-developed applications.


Tenix Datagate
Harvesting military security standards for the benefit of government and commercial information assets

By Peter Croft

Commercial and government organisations are coming to terms with their place in critical national infrastructure. What can we learn from the military experience that translates into better protection strategies for commercial systems against the broadest range of cyber-threats?


Netscreen
Intrusion detection and intrusion prevention explained

This session will give you an introduction to the key issues associated with traditional IDS systems and how Intrusion Detection Prevention aims to solve these. You will learn how preventative technology reduces operational management overhead and the cost of intrusions. A comparison of the different methods of detection, such as stateful signatures, packet signatures, back-door detection and protocol anomaly detection, will show you how different types of attacks are dealt with.


Worm and DDOS impact: some case studies

By Bruce Morgan

Each attack on the network infrastructure is different and characterised by different patterns. Within a large network with many hosts, the early detection of worm, DOS and DDOS activities is crucially important, especially with such a devolved infrastructure. It is especially important to maintain a high degree of network accounting to be able to isolate compromised hosts in the early stages so that the effects of attacks can be mitigated, yet that very record keeping is often the first victim of an attack. Sometimes actions taken to counter attacks can have greater impact than the attack itself. The presentation will look at a number of incidents, such as the Code Red II worm and the Slammer worm, which had very different profiles, and a growing number of problems and incidents, especially against well-known services and ports.


A Benchmark for the Management of IT Evidence

By Ajoy Ghosh

This presentation examines the development of a new Australian standard for the management of evidence produced by information technology systems. The standard aims at electronic information that may be produced in Court for either criminal or civil matters. We will examine:

  • The need for a benchmark;
  • International collateral;
  • IT evidence and the information security lifecycle;
  • Challenges for developing the standard;
  • Achieving consensus.

It is anticipated that the standard will be ready for publication as a handbook prior to AusCERT 2003.


Akamai Technologies
Protecting your internet and web infrastructure: Lessons from Akamai's Global Network

By Avi Freedman

A company's Internet-exposed network and web infrastructure is critical. Protecting and enhancing it is serious business.

We will discuss a number of critical security vulnerabilities in the common routers used on the Internet, in the routing protocols used to connect networks together, and in the DNS infrastructure as commonly deployed. We will also cover issues present in the Internet core, such as the lack of source address filtering and the lack of proper provisioning of inter-provider connectivity.

We will also cover monitoring and mitigation strategies for dealing with many of these vulnerabilities, with a particular focus on available software, services, and practical device configurations.


Forensic discovery

By Wietse Venema

Wietse will present lessons learned about persistence of information in file systems and in main memory of modern computers - how long information persists and why. The results are based on measurements of a variety of UNIX and Linux systems, with some first results for Windows/XP.


Cyber-Security - Corporate Governance: a Revolution or Natural Evolution?

By Adrian McCullagh

Corporate governance has taken centre stage due to the fallout of HIH, One-Tel, Enron and Worldcom. The US and Europe have set out their National and International Strategies for SECURE CYBERSPACE. In this presentation, Adrian McCullagh will discuss the current legal framework for corporate IT Security Governance and will give guidance as to what is over the near horizon. In particular the discussion will centre upon what needs to be done in order to protect the organisation and its management.


Unisys
Zero-Gap Security Planning

By John Ellis

Security isn't a narrow-focused quick fix. It's a mindset that links every element of your company together. It's a shield that can't be seen, but can be felt. It's a defence infrastructure and process that searches out gaps, reveals them, and fixes them. It's Unisys Zero-Gap Security Planning.

Unisys Zero-Gap Security Planning has little to do with systems integration - and everything to do with business integration. It's a unique, holistic approach that combines technological superiority with business process expertise for the best security plan and implementation.

The presentation reveals what Unisys Zero-Gap Security Planning is all about and how it works.


What's more important - Audit or Penetration Testing?

Audits tend to look at management practices and policy compliance; pen testing gets down and dirty to find the weaknesses in your defenses. What is really important in providing assurance for your IT or e-commerce infrastructure? And how do you get value from either approach? This will be an open discussion session for sharing experiences and opinions.


AusCERT member only briefing

This is an informal session to discuss the latest IT security developments. It will include:

  • Trends and threats seen by AusCERT
  • AusCERT achievements
  • AusCERT future directions


The Role of Education and Research in Cybersecurity and National Information Infrastructure Protection

By Professor William (Bill) Caelli

The Prime Minister of Australia, the Hon John Howard, has announced the setting of national security as a major research direction for the nation. In the USA a similar situation has occurred with the passing of a computer security research and development Act by that nation's Congress. Similar attention is being paid elsewhere to the challenge of protecting the national information infrastructure (NII) that often underpins critical infrastructures and industries. With the NII essentially owned and operated by the private sector, the question of IT governance, including all aspects of computer and data network security, takes on new importance. However, getting this reality recognised and accepted at board level, and at departmental management level in the non-military government sector, presents a major educational challenge. The problems of viewing IT infrastructure as a "cost centre" to be minimised as good corporate practice, of understanding the problems involved while taking unacceptable risks in the use of commodity products and services for mission-critical applications, of manufacturers' attitudes to secure product design and delivery, and other matters all need to be addressed. This means that education, in the general sense, from primary school to the board room, must play a part. For this to occur, Government will have to take a leading role.

(Prof Caelli is a Board Member of the Colloquium for Information Systems Security Education (CISSE), based in Washington, D.C., USA. See http://www.ncisse.org)


Appetite for risk - diet or die? (The business implications of information security)

By Neville Thomas

This presentation will pose and seek to answer the following questions:

  • what is information?
  • what is it worth and to whom?
  • why should you protect it?
  • how do you protect it?
  • from what and from whom?
  • why must you balance information's utility and security?


Business Continuity Planning/Management (BCM)

By John Worthington

Security is a business continuity risk requiring a plan of action to deal with expected or unexpected incidents. However, business continuity plans need a holistic approach so as to deal with all threats, including reputation, corporate governance, supply chain and outsourcing.

This session will explain the latest international BCM thinking and procedures to enable you to benchmark your business continuity status here and now.

Topics to be covered:

  • The Business Continuity Institute & their new "Good Practice Guide"
  • A modern BCM definition & positioning
  • After Y2K and September 11, what has happened to BCM?
  • Ten key BCM drivers for 2003
  • Software should be used to simplify BCM for all business units
  • Blind spots in the world of BCM


Network Associates
Proactive threat protection

By Allan Bell

This presentation will discuss issues such as:

  • the changing nature of security threats on complex networks
  • understanding the window of vulnerability
  • the impact of spam on your organisation
  • identifying your Internet security priorities
  • adopting the 'Hard & Crunchy' philosophy
  • balancing Internet security requirements to achieve organisational goals


Secure Systems
Data Defence - combining hardware, encryption and pre-boot authentication

By Mike Hearn

Over the past 2 years Mike Hearn has met with US government departments and organisations, including the NSA, Office of Naval Intelligence, DARPA, Northrop Grumman, Booz Allen Hamilton, General Dynamics, CSC and many others, to discuss data security. A common thread has emerged: data security requires a layered approach incorporating access control, authentication and encryption.

Mike will discuss how the combined use of hardware security and encryption provides stronger security than software methods alone. He will reveal how hardware can achieve higher levels of security by being fundamentally more difficult to compromise.

Further, he will address how using pre-boot authentication enhances security by protecting against operating system security vulnerabilities.


IPv6 Explained

By John Barlow

In this talk I will highlight some of the features of IPv6 and how they relate to security (both positively and negatively). When IPv6 arrives on your network, how is this likely to change your security model? How will per-packet authentication and encryption affect the ways in which you can secure your communication? What is the impact of "cruft" removed from the IPv4 protocol?

If you think IPv6 will never get here: the Japanese government has mandated the incorporation of IPv6 and set 2005 as the deadline for upgrading existing systems in every business and public sector, and China and Korea have moved in a similar direction. IPv6 is primarily about getting more address space, and many Asian countries embrace IPv6 for that very reason.

Of course, this wouldn't be an IPv6 talk unless I painted the big picture of where IPv6 might take us and how it might permeate our everyday lives, so I will. In the course of painting this picture I will examine some of the security implications, and hopefully illuminate the different approach to security issues required to handle IPv6.


Security Governance of Service Provider Agreements

By Gretchen Golik

There is a business focus on increasing the use of IT Service Provider models to deliver Services to organisations where IT is not their core business. This model enables an organisation to drive cost efficiencies and enhance the customer experience.

QANTAS has been able to compete with new entrants into the Australian domestic market by engaging Service Providers to gain cost efficiencies while continuing to proliferate and introduce enhanced products for interfacing with its customers, business partners, suppliers and employees. These cost efficiencies enable QANTAS to continue to compete in a high fixed-cost, low profit-margin industry.

Placing such heavy reliance on Service Providers creates dependencies on securing the confidentiality, integrity and availability of the in-scope systems and services. To manage these dependencies, appropriate security obligations need to be negotiated with the Service Provider and settled before the contract is finalised.

It is important to understand security concerns thoroughly. Conducting a security risk assessment of the function to be outsourced will help to identify security risks, identify how they are to be managed and review the preparedness of the organisation to manage the identified risks.

This presentation will acquaint the audience with measures to govern the security management of service provider agreements and cover the interrelationships with a standards based approach.


Computer Associates
Is Identity Management a Security Issue?

By Daniel Zatz

While the Privacy Act and other laws surrounding cyber crime provide a certain level of assurance, they are of little use when the need to prosecute arises if you cannot identify your attackers. This presentation will deal with:

  • why do we need Identity Management and Access Management and what do they really mean
  • user provisioning provides easy user administration, but a flow-on effect is accurate identification of users - understanding cost justification and ROI around user provisioning
  • why relying on Operating System permissions isn't good enough
  • audit trails are only of use if they are auditing the right processes or users (i.e. is Bob really Bob?)
  • the Privacy Act, Cybercrime Act and other legislation: help or hindrance?


Symark
Securing Unix/Linux systems

By Chris Hartman

This presentation will discuss Unix/Linux security weaknesses, in particular the weak access control inherent in the design of the Unix operating system, including poor login/password handling and the lack of root delegation. The presenter will discuss how these weaknesses are addressed with Symark solutions, resulting in significant ROI. The presentation will also include a successful customer case study.


Applying Open Source Tools to Incident Response Surrounding Distributed Malware Networks

By Dave Dittrich

This talk discusses some old and new Open Source host and network analysis tools, their capabilities and limitations, and ways of using them to stay on top of distributed DoS and distributed "warez" networks.


The MAD Doctrine and the Future of the Internet

By Stephen Hansen

From a technical standpoint, the basic low-level protocols that support today's Internet were developed a couple of decades ago as part of a series of military-funded research projects in survivable communications. The threats envisioned by the funding agencies and the researchers were those that result from physical attack or natural disaster, primarily the loss of one or more communication links.

The success of these projects provides the basis of the Internet that we rely upon so much today.

Today's threats to Internet communications are of a very different sort, where often the very robustness of the network's protocols is used against it, attacking from within rather than from without. Today, dozens of individuals have the capability to bring much of the Internet to its knees for hours, or even days, with a few simple commands.

In addition to discussing how this has been accomplished and who some of these individuals are, this presentation will try to suggest answers to the questions, "Why hasn't this happened already?", "Will it happen?", and "Can it be prevented?". To give away part of the talk, the answers are, "It has", "It will", and "Probably not." But there is hope, and just what that may be will also be discussed.


Security Policy Development - The Quick, Dirty but Effective approach

By Karl Hanmore

Writing a good Security Policy document is often considered a black art. There are few books on the subject, and those that do exist propose a rigorous process of threat assessment and risk analysis before you start to develop your policy document. However, many of these tomes still fail to provide practical assistance in security policy development.

Security policy documents available on the Internet are few and far between, and mainly come from academia or government. Very few corporate entities are willing to share their policy documents; it would appear they fear that exposing them may create a weakness in their defence.

Security policy frameworks exist, such as ISO 17799, but these are often regarded as too abstract for the first-time policy writer to make tangible use of.

By the end of this tutorial, attendees will have a basic understanding of what is required to start writing security policy documents. A security policy is perhaps the most valuable tool in the security arsenal; it is important to have one, today.

The aim of this tutorial is to provide exposure to security policies at the basic level and to arm the audience with the tools required to move forward in developing their own policy documents. This tutorial will cover:

  • Why have policy documents?
  • Threat & Risk assessment - the classic starting point. (And how to survive skipping this time intensive step.)
  • A whirlwind tour of two Internet available policy examples.
  • A brief introduction to ISO 17799.
  • Building a policy document - starting with a template.
  • Review of a sample developed policy document.
  • Benefits from Policy - Practical Application.
  • Policy Improvement - Making Quick and Dirty less so.
  • Auditing Against the Policy (and working with Outsourcers)

This short tutorial is designed to give an overview into policy development and to empower the first time policy writer to develop policy documents. This tutorial is targeted at those new to IT Security, specifically Policy development.


Incident response and intrusion analysis

By Steven Stroud, Scott MacLeod and Michael Cohen

System administrators are often faced with the overwhelming task of understanding and analysing digital forensic material (such as network captures and log data) after an incident or compromise. This tutorial will demonstrate the technical steps to process this information using open source tools and utilities. After this tutorial delegates will be able to form basic incident response procedures, and be familiar with several analysis techniques useful in containing and investigating a compromise.
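One of the first processing steps after a compromise is putting log data from different sources onto a single clock. As an added example (not material from the tutorial), the following merges constructed syslog and Apache access log lines into one UTC-ordered timeline and pivots on an indicator. Traditional syslog records carry neither a year nor a time zone, so both must be supplied from the evidence; the year and zone used here, along with the host name and addresses, are assumptions.

```python
"""Merge two log formats into one UTC-ordered timeline after a compromise.

Added example for this page, not the tutorial's own material. The log lines
are constructed; the host name, addresses, the assumed year and the assumed
host time zone for the syslog lines are illustrative assumptions.
"""
import re
from datetime import datetime, timezone, timedelta

# Traditional syslog carries neither a year nor a zone, so both must come from
# outside the log (the image's clock settings). Assumed here.
SYSLOG_YEAR = 2003
SYSLOG_TZ = timezone(timedelta(hours=10))   # assumption: host clock in UTC+10

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Apache combined log format; its timestamp carries an explicit UTC offset.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')


def parse_syslog(line):
    """Return (utc_time, source, actor, detail) or None if the line does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(
        f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ts = local.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc)
    return (ts, "syslog", m["host"], f"{m['proc']}: {m['msg']}")


def parse_access(line):
    """Same event shape for an Apache combined-format access log line."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return (ts, "httpd", m["ip"], f'{m["req"]} -> {m["status"]}')


def build_timeline(sources):
    """sources: iterable of (parser, lines). Events come back sorted by UTC time;
    lines that do not parse are returned separately, never silently dropped."""
    events, rejects = [], []
    for parser, lines in sources:
        for line in lines:
            ev = parser(line)
            if ev is None:
                rejects.append(line)
            else:
                events.append(ev)
    events.sort(key=lambda e: e[0])
    return events, rejects


def pivot(events, indicator):
    """Every event mentioning an indicator (address, user, file) in actor or detail."""
    return [e for e in events if indicator in e[2] or indicator in e[3]]


# Constructed sample logs from one web server.
AUTH_LOG = [
    "May 20 03:10:58 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 4021 ssh2",
    "May 20 03:11:09 web1 sshd[2215]: Accepted password for www from 198.51.100.23 port 4033 ssh2",
    "May 20 03:12:40 web1 useradd[2290]: new user: name=sys1, UID=0, GID=0, home=/, shell=/bin/sh",
    "-- MARK -- (not a parseable record)",
]
ACCESS_LOG = [
    '203.0.113.7 - - [20/May/2003:03:09:02 +1000] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    '198.51.100.23 - - [20/May/2003:03:10:41 +1000] "GET /cgi-bin/test.cgi?cmd=id HTTP/1.0" 200 38 "-" "-"',
]

if __name__ == "__main__":
    events, rejects = build_timeline([(parse_syslog, AUTH_LOG), (parse_access, ACCESS_LOG)])
    for ts, src, actor, detail in events:
        print(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), src, actor, detail)
    print(f"{len(rejects)} line(s) not parsed")
```

Keeping the unparsed lines visible matters as much as the sorted output: an attacker's cleanup often shows up as records that no longer fit the expected format, and a parser that drops them quietly hides exactly the evidence of interest.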


Internet Level Anti-virus Techniques

By Alex Shipp
Senior Anti-Virus Technologist, MessageLabs

Over the last few years a new type of anti-virus protection has become increasingly prevalent: Internet level anti-virus. Many people think that Internet level anti-virus is just a question of bolting a desktop scanner into a mail engine. However, Internet level anti-virus uses completely different strategies, techniques and technologies to detect and stop viruses than desktop virus scanning. For instance, a typical Internet level knowledge base file will be several gigabytes, compared to several megabytes for a desktop scanner signature file; as another example, the different time pressures allow Internet level scanners to carry out many more checks than desktop scanners. One result of this is that Internet level anti-virus has had a much more successful track record than desktop virus scanning, stopping all the mass-mailing viruses of the past few years.

This session discusses, in a vendor-neutral way, the differences between Internet level and desktop anti-virus; explains why the two are completely different technologies; looks at their strengths and weaknesses; and looks at the new techniques and areas of research being explored by Internet level anti-virus. Some of the specific areas I will be addressing are: email decoding strategies, traffic heuristics, heuristic complexity, statistical heuristics, trial heuristics, managed heuristics, code analysis heuristics, whole email heuristics, knowledge base size, scan time, signature update pressures and development speed pressures.
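A traffic heuristic is one thing a gateway can do that a desktop scanner cannot, because only the gateway sees the aggregate. As an added example (not MessageLabs code), the following flags an attachment whose hash arrives from many unrelated senders within a short window, which is how a mass-mailer looks before any signature exists. The records, thresholds and field names are constructed assumptions.

```python
"""Traffic heuristic for mass-mailing worms at an Internet-level mail gateway.

Added example for this page, not MessageLabs code. The gateway records,
thresholds and field names are constructed assumptions; a real deployment
would feed this from MTA logs with attachment hashes computed at scan time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# A mass-mailer announces itself by traffic shape before any signature exists:
# the same attachment arrives from many unrelated senders within minutes.
WINDOW = timedelta(minutes=10)
MIN_COPIES = 5      # copies of one attachment inside the window
MIN_SENDERS = 4     # distinct envelope senders inside the window


def suspicious_attachments(records, window=WINDOW, min_copies=MIN_COPIES,
                           min_senders=MIN_SENDERS):
    """Group records by attachment hash, slide a time window over each group and
    flag hashes whose copy count and distinct-sender count both reach threshold.
    Returns {hash: evidence}. The sender threshold is what separates a worm from
    one legitimate bulk sender (newsletter, internal broadcast)."""
    by_hash = defaultdict(list)
    for ts, sender, rcpt, digest, name in records:
        by_hash[digest].append((ts, sender, rcpt, name))

    flagged = {}
    for digest, events in by_hash.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            senders = {e[1] for e in span}
            if len(span) >= min_copies and len(senders) >= min_senders:
                flagged[digest] = {
                    "copies": len(span),
                    "senders": len(senders),
                    "first_seen": span[0][0],
                    "names": sorted({e[3] for e in span}),
                }
                break
    return flagged


def _t(minute, second=0):
    return datetime(2003, 5, 20, 9, minute, second)


# Constructed gateway records: (time, sender, recipient, attachment hash, attachment name).
RECORDS = [
    # Same executable from five unrelated senders in three minutes.
    (_t(0, 0),  "a@one.example",   "u1@corp.example", "sha1:w0rm", "readme.pif"),
    (_t(0, 30), "b@two.example",   "u2@corp.example", "sha1:w0rm", "readme.pif"),
    (_t(1, 0),  "c@three.example", "u3@corp.example", "sha1:w0rm", "document.pif"),
    (_t(1, 30), "d@four.example",  "u4@corp.example", "sha1:w0rm", "readme.pif"),
    (_t(2, 0),  "e@five.example",  "u5@corp.example", "sha1:w0rm", "readme.pif"),
    (_t(3, 0),  "a@one.example",   "u6@corp.example", "sha1:w0rm", "readme.pif"),
    # One newsletter sender to six recipients: bulk, but not a worm.
    *[(_t(5, 10 * i), "news@list.example", f"u{i}@corp.example", "sha1:news", "may.pdf")
      for i in range(6)],
    # A report forwarded by three people over two hours: too slow to matter.
    (datetime(2003, 5, 20, 8, 0), "f@six.example", "u1@corp.example", "sha1:doc", "q1.doc"),
    (datetime(2003, 5, 20, 9, 30), "g@seven.example", "u2@corp.example", "sha1:doc", "q1.doc"),
    (datetime(2003, 5, 20, 11, 0), "h@eight.example", "u3@corp.example", "sha1:doc", "q1.doc"),
]

if __name__ == "__main__":
    for digest, evidence in suspicious_attachments(RECORDS).items():
        print(digest, evidence)
```

The distinct-sender requirement is the part worth keeping when tuning: lowering it to one turns every newsletter into a hit, as the constructed data shows, while the time window keeps ordinary forwarding of a shared document below threshold.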

Handling of viruses in a large network environment

The organisation I work for currently detects and stops between 30,000 and 50,000 viruses each day. These present various logistical problems, which I shall discuss, including security, storage, classification and transportation.


Minimize Windows XP Information Leakage

By Andrew van der Stock

Out of the box, Windows XP will try to phone home several times and is by default prone to information-gathering attacks. This is most likely not what you want. Andrew goes through each of the potential information leakages and lets you make decisions based on facts. Where possible, Andrew gives advice on methods to reduce the information leakage.


Using Linux for Data Forensics

By Thomas Rude

Next Generation Data Forensics is here and now. Large hard drives, handheld devices, non-standard storage media, and varying operating systems and filesystems are increasingly widespread. While there is no panacea for data forensics, Linux certainly is the most powerful platform from which to process both live and post-mortem analysis.

There are many reasons why Linux is the operating system of choice for data forensics, including, but not limited to:

  • everything is a file
  • filesystem types support
  • loopback driver
  • read-only, non-invasive
  • logging and monitoring capabilities

This tutorial will discuss the power of Linux with regard to data forensics and demonstrate the capabilities that enable forensic examiners to do their jobs using the Linux operating system. It will cover how the operating system environment itself can be used and, additionally, a number of third-party programs that further enhance the ability of Linux to process data forensics.
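Two of the points above, read-only non-invasive handling and "everything is a file", come together once a device has been imaged with dd: the image is just bytes, so it can be hashed, searched and carved without any file system being mounted. As an added example (not the tutorial's own code), the following verifies an image against its acquisition hash and carves JPEG files by header and footer, including the case of a file cut off without its footer. The image is a constructed byte string; its layout and offsets are fabricated.

```python
"""Post-mortem work on a raw disk image: verify integrity, then carve files.

Added example for this page, not the tutorial's own code. The image is a
constructed byte string standing in for a dd(1) image of a device; its layout,
the offsets and the embedded files are fabricated for illustration.
"""
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker that opens every JPEG
JPEG_EOI = b"\xff\xd9"       # end-of-image marker that closes a complete one


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(data: bytes, expected_sha256: str) -> bool:
    """Compare the working copy against the hash recorded at acquisition time.
    Run this before analysis and again afterwards: a changed hash means the
    copy was written to and is no longer a faithful image."""
    return sha256_of(data) == expected_sha256


def carve_jpegs(data: bytes, max_size: int = 10 * 1024 * 1024):
    """Header/footer carving independent of any file system: find each SOI,
    then the nearest EOI after it. Returns [(offset, length)], with length None
    for a header whose footer is missing (file truncated or overwritten)."""
    found = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            found.append((start, None))      # partial: header without usable footer
            pos = start + 1
            continue
        length = end + len(JPEG_EOI) - start
        found.append((start, length))
        pos = start + length
    return found


def extract(data: bytes, carved):
    """Materialise complete hits as bytes keyed by offset; partials are skipped."""
    return {off: data[off:off + ln] for off, ln in carved if ln is not None}


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image: two complete JPEG-like files separated
    by zeroed sectors and slack, plus one truncated at the end of the image."""
    sector = b"\x00" * 512
    jpeg1 = JPEG_SOI + b"\xe0" + b"A" * 20 + JPEG_EOI
    jpeg2 = JPEG_SOI + b"\xe1" + b"B" * 40 + JPEG_EOI
    truncated = JPEG_SOI + b"\xe0" + b"C" * 10            # no EOI: cut off
    return sector + jpeg1 + sector + b"x" * 100 + jpeg2 + sector + truncated


if __name__ == "__main__":
    image = build_sample_image()
    acquisition_hash = sha256_of(image)   # what was recorded alongside the dd copy
    hits = carve_jpegs(image)
    print("hits:", hits)
    print("complete files:", len(extract(image, hits)))
    print("image unchanged after analysis:", verify_image(image, acquisition_hash))
```

When the file system itself is needed, the same image is attached through the loopback driver read-only, for example `mount -o ro,loop,noexec,nodev,noatime image.dd /mnt/evidence`, and the hash check above, repeated after the examination, is what demonstrates that the step stayed non-invasive. Header/footer carving as written is deliberately naive: real JPEGs can contain an embedded thumbnail with its own EOI marker, so production carvers validate the structure between the markers rather than trusting the first footer they find.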


ISP Security - Best Practices for securing the network infrastructure of an ISP and responding to attack traffic

By Matt Carling

This presentation will discuss the best current practices and configurations to secure a Service Provider's infrastructure, specifically how to protect the control plane from attack. Also covered will be how to use IP routing as a DDoS mitigation tool. Techniques such as remotely triggered black-hole filtering, shunts, and sinkholes will be explained.


Design Principles for Secure Enterprise Networks

By Tony Saunders

This design session is for network engineers who design and implement security in enterprise environments and is presented in two parts. The first presents example attacks on a fictitious company and their mitigation. The second part is a comprehensive examination of three networks of varying sizes that are designed from the ground up to be secure. Participants will learn how network security can be deployed in a systematic fashion to mitigate security risks.


