Abstracts

Protecting NII

By Larry Hale, Deputy Director of the Department of Homeland Security, National Cyber Security Division, Computer Emergency Readiness Team (US-CERT)

In 2003, we witnessed the release of The National Strategy to Secure Cyberspace, the creation of the U.S. Department of Homeland Security (DHS), the establishment of the National Cyber Security Division (NCSD), the formation of US-CERT, and the convening of the first National Cyber Security Summit centered on the theme of "Closing the Gap." This presentation will describe national efforts to secure cyberspace and the ongoing issues and challenges such as early warning, incident response, information sharing, and related topics for federal and state governments, industry, and higher education.

Who's watching the door?

By Daniel Zatz, Computer Associates

As IT Security professionals we spend all of our time making sure that our IT infrastructures are sound, secure and available. However, 'Security' is about more than just 'IT' Security. For example, if your systems are so locked down that there is no way possible that a hacker or virus could penetrate your network, is there anything stopping an intruder from walking in through the front door and stealing the computer? Are you actually monitoring who goes in and out of your high security areas as well as the front door of the office? IT Security is about protecting the IT infrastructure and this includes protecting the physical as well as the logical devices.

This presentation will discuss the often overlooked physical aspect of IT Security and how the convergence of physical security and logical security can be successfully implemented to provide a more complete solution to the Data Protection problem.

Preventative security measures: balancing business needs with security & investment

By Wayne Weisse, Network Associates

With security threats proliferating globally in just minutes, it is no longer appropriate to implement "fire fighting" security policies. Proactive security policies are now a "must have."

With hackers constantly developing new reconnaissance, exploit and denial of service techniques, an underlying theme of this presentation is "remaining in control."

So what should a proactive security policy incorporate? It needs to protect your environment over its many levels; from the outside perimeter down to the inner core of the network.

To ensure business continuity, an Intrusion Prevention System needs to both detect and block attacks before they enter a network or system. It also needs to allow sufficient visibility to foresee and prevent future vulnerabilities.

Wayne will address security threats to the various levels of an organisation's network. He will provide recommendations on using "real world" components of McAfee's market leading Protection-in-Depth comprehensive security strategy - a strategy recently ranked by Gartner as the highest in "Completeness of Vision" and "Ability to Execute".

We still need to drain the swamp

By Andrew Walls, Betrusted

Although we are developing better and more sophisticated ways to beat back the alligators, we need to keep in mind that our original pursuit in computing was not focused solely on computer security. Our objectives included such things as enhanced productivity, lower error rates in processing, on demand access to information, reduced incidence of fraud, etc. Along the way to these objectives we have had to manage an army of alligators with differing objectives. Unfortunately, while we have honed our skills and developed our capabilities in computer security, we have lost sight of the need for information security. We will never be able to provide high levels of computer security without the adoption of an holistic view of information security that encompasses information both inside and outside of the computing environment.

In this presentation we will examine information security in a corporate context. The discussion will focus on the computer security concepts and techniques that can be more generally applied to information security outside of the computing environment. Examples will be drawn from corporate and academic environments in the US and Australia to demonstrate the nature of the problem and to indicate methods that can be applied successfully to the problem.

Conditioning More Effective Incident Response in the Enterprise

By Kim Valois, CSC Australia

Kim Valois will highlight some of the organisational challenges and behavioral barriers to effective security incident response in the enterprise. She will offer some suggestions on how to overcome the challenges and improve incident response results. Her talk will draw on personal experiences helping large global enterprises implement incident response programs, from strategy to tactics. She will include practical examples from the recent move of CSC's Security Incident Response Control Centre (SIRCC) from the US to its current home base in Australia.

Building the self-defending network

By Sam Trad, Cisco Systems Australia

Today's corporate network has become a critical component of business success-enabling new applications, enhancing productivity, and providing a multitude of services to customers. As the network continues to be a mission-critical business system for organisations of all sizes, a top priority for customers is securing their information assets and minimizing the impact of unauthorized intrusions and viruses and worms.

Time is no longer on the customer's side. Attacks hit faster than the news of them. This means that businesses need a pro-active pervasive security approach.

The Cisco Self-Defending Network helps customers identify, prevent, and contain security threats before they cause damage. It is a solution that protects the network and the data that traverses it, ensures the availability of the network and its resources, and reduces expenses.

Managed security services

By Lou Talevski, Symantec

This presentation will address how Managed Security Services delivers early warning and mitigation strategies for viruses, worms, and blended threats by integrating information and insight derived from a worldwide network. Learn how to eliminate volatility in resource demands and costs associated with managing information security, while maximising the effectiveness of existing security investments.

International trends in IT security

By Glen Noble, Macquarie Corporate
James B. Southworth, Secure Pathways

Corporate governance dictates that management of companies and agencies be more accountable for security of data. Legislation in both Australia and the US is increasing obligations on companies and agencies. Macquarie Corporate presents Australian research which helps quantify IT security vulnerabilities and challenges for organisations. Challenges for the CIO include budget restraints, skills shortages, increasing need for 24 x 7 operations and current architecture. The internet is driving security trends and we are now seeing an emerging model for managed security services.

Organisations are increasingly looking at prevention methods, software functions and hardware are becoming integrated and we are seeing changes in architecture as a result of hardware and software integration. Correlation engine and incidence reporting are becoming more available, security policy is moving from the written plan to day-to-day activity centred on reacting to security incidences. We are seeing an emerging role for vulnerability assessments and Macquarie comments on the future of new trends in managed services.

The future of the datacenter: utility computing, management technologies and information security implications

By Marcio Saito, Cyclades

The presentation will look at the changes in the architecture of the data center caused by the adoption of technologies such as blade computing, switching fabrics, virtualization, and advanced management tools. We argue that the transition to the utility computing model will happen gradually overtime and that one must design a strategy for the data center that works today and in the future. We will look at management technologies and explain the evolution of both in-band and out-of-band management tools. We will then explore the question: will information security in the data center of the future be the same as today?

Beyond the signature files

By Chris Poulos, Trend Micro

Antivirus is a commoditised market, it is estimated that as much as 97% of all companies globally have some form of antivirus in place. Today's threats are also continuously changing; they are becoming a lot more focused and faster in their attack mechanisms. If companies have employed some type of protection to protect against malicious code, why are virus attacks still creating such havoc and why are the usual suspects like Nimda, Code Red and Welchia still causing damages in excess of $5.35 billion dollars in 2003. Trend Micro's presentation is designed to address these specifics and help organisations understand how they can better protect their organizations.

Security Management - corporate accountability and market maturity affecting incident and vulnerability management programs

By Chris Pick, Vice-President Security Management, NetIQ

Over the past 15 years, corporate America invested in firewalls, anti-virus, network intrusion detection, and vulnerability scanning products to build trust and secure their intellectual property. These products provided a basic level of security and assurance but also created a wide variety of management and reporting problems, failed to address many new threats and fell short of meeting many business requirements. As a result, worms and viruses continue to strike at the heart of corporate networks and businesses consistently fail to comply with many new regulations and standards regarding security.

The proliferation of these arguably fundamental security technologies and the increased regulatory burden on businesses has created demand for newer technologies that manage the security infrastructure and enable compliance. These technologies promise to do more with less and provide meaningful protection. They seek to improve proactive security measures (enhancing protection) while expediting incident response and resolution.

Join NetIQ's Vice President, Security Management, Chris Pick, for an executive conversation about the maturity of the security market and NetIQ's strategy for Security Management. Chris will discuss how NetIQ is delivering an integrated, closed-loop security management solution that leverages current security product investments and helps establish a mature security management capability.

Attendees will leave with an understanding of:

• The evolution and adoption of security technologies
• The fundamental challenges created by the fundamental security technologies
• The realistic and practical approaches to tackling Incident and Vulnerability management
• NetIQ's closed-loop security management architecture
• NetIQ's approach to integrating IT systems and security management

Juniper Secure Access products - the new generation of remote access

By Matthew Miller, Juniper Networks

In October last year Netscreen acquired a company called Neoteris who specialized in SSL VPN remote access technology. The presentation will cover the difference between SSL VPN technologies and traditional "network to network" IPSec VPNs including some information on the evolution of remote access solutions.

SSL VPNs have revolutionalised remote access as we have historically known it as it is a clientless and platform independent approach to remote access for the enterprise. SSL VPN provides lower TCO, flexibility and functionality to the end user making it much more painless then alternative solutions which we have all been struggling with for years.

Its easy integration of the Secure Access solution into many back end servers makes the Juniper Secure Access servers as an attractive alternative to many agent based VPN technology on the market.

Centrally managed endpoint security from Zone Labs

By Jonathan Mabie, Zone Labs

You may have used Zone Alarm for years to protect your own personal computer. Now discover how Zone Labs Integrity can proactively protect your entire enterprise from worms, spyware, viruses, and data theft with a centrally managed endpoint security solution that provides Proactive and Total Access Protection for your network.

Zone Labs will demonstrate the Integrity solution and how to setup a Proactive Centrally managed Endpoint Security Solution that:

• Stops both known and unknown threats
• Prevents inbound and outbound threats
• Doesn't depend on post-facto patching
• Grants network access only to secure endpoints

Connectivity without Compromise

By Ken Long, Tenix Datagate

Good corporate governance mandates that organisations protect their IT infrastructure to the highest level practical using available technology. In response to this, IT security risk managers seek solutions that provide Connectivity without Compromise.

Traditional IT security products have not proved effective in mitigating the security risks associated with connected networks. However, the wide deployment within Defence and Federal Government of the ITSEC E6 Interactive Link product suite has established an acceptable secure connectivity methodology to protect mission-critical information.

If you are concerned about protecting your data from the outside world, Tenix Datagate's presentation by Ken Long will provide information about how global connectivity can be achieved, without compromise.

The Shrinking Perimeter: The Case for Data-Level Risk Management

By Glenn Johnson, Senior IT Security and Management Consultant, Guardian Tech.

You have secured your perimeter (at least as far as the needs of electronic business allow). You have set up IDS systems. You have structured the authentication methods and access controls to make sure that only authorised users access your organisation's information resources, and only those resources which they are trusted to access for their role in the organisation. You have comprehensive security policies in place, and the procedures in place to ensure that your systems remain policy-compliant.

But what happens when a trusted employee uses the information they legitimately have access to in ways which are not expected or desired? What happens if an intruder does gain access?

This presentation is about choice - the power of the individual over the data you are trying to protect, and the choices they can make which current security technology cannot detect, let alone prevent. The time has come to redefine the statement of the problem:

"To protect individual objects of value individually", or: "To contract the protection perimeter to individual objects"

Today you can log the fact that a user opened, modified, renamed a deleted a file on your servers. It's more of a challenge to do this on each PC that the users login to. Maybe you can log the fact that they printed a document.

But can you see, log or prevent them copying sections of a document to a new file, saving the file to a USB key, burning the data to a CD, emailing it out of the organisation or sending it using instant messaging? This presentation is about how technology is available now to allow organisations to protect their data assets individually. To allow you to trust your employees, but to verify their behaviour in relation to data assets.

This is about the ability to not only have an "acceptable use" policy in relation to the organisation's IP, but to enforce that policy and have forensic audit trails of information use.

New menaces, new defences - a vendor perspective

By Paul A. Henry, CyberGuard Corp

Targeted to senior level information security specialists and network security engineers, Paul's presentation will provide insight into current "Phishing" scams, password insecurities, rising vulnerabilities and the evolving world of worm attacks. The presentation will further examine the Top 20 SANS internet security threats that network administrators face, while offering solutions to protect against these Windows and UNIX threats using the state-of-the-art in network security "Total Stream Protection" (TSP).

One of the most notorious scams currently proliferating through the Internet is a technique known as "Phishing." The presentation will clearly define Phishing techniques currently used by hackers or more appropriately "scammers" to obtain or "fish" for private information of email consumers. This technique is most commonly used to mine for bank account numbers, social security numbers, and in most cases, credit card information. Paul will highlight the infamous "SwiftPay Email Scheme" and offer suggestions to the audience on how to recognize Phishing scams and suggestions for mitigating the risk of your clients falling prey to Phishing.

The presentation will also review and investigate the risks associated with password logistics and how password protection is an obsolete technology. Paul will show case legacy password cracking technologies such as 'LophtCrack', which set alarming rates of password cracking performance, such as 10 passwords cracked within 31 minutes and cracking LM challenge/response passwords at a rate of 23,000 per second. Next Paul examines the latest password cracking methodology referred to as Rainbow Tables. Rainbow Tables has literally eliminated passwords as a security mechanism. To protect users, the presentation will identify possible solutions including tokens, one-time passwords, and biometric technology.

While worms have evolved from both the technological and social engineering perspectives, there has been little change in the tremendous affects associated with these forms of attack. Paul's presentation will provide an in-depth look at some of the most infamous worm attacks including SQL Slammer and the Warhol Worm. The presentation will also provide attendees with general knowledge on worms including the precursor requirement of an installation base of 10,000 or more hosts before propagation of the worm becomes exponentially faster and some of the devastating effects of worms in the world.

With vulnerabilities being reported at an alarming rate of over 100 new vulnerabilities per month, it is important to understand the nature of these attacks and possible solutions to mitigate these risks. Paul will investigate the Top 20 SANS risks associated with Windows and UNIX operating systems. This Top 20 SANS listing is developed in cooperation from groups including the Federal Bureau of Investigation (FBI) and the National Infrastructure Protection Center (NIPC).

SPAM - a threat to security

By Andrew Gordon, Brightmail

Everyone is aware of the annoyance generated by spam, but many fail to realize the serious security threat it represents by providing a channel for viruses and other malicious attacks to enter and cripple a network. This session will highlight how businesses address the privacy issues surrounding spam protection.

IT Security at Microsoft Corporation

By Greg Galford, Microsoft

Microsoft is committed to sharing its internal IT security practices in order to help its customers successfully secure their environments. This paper describes what the Microsoft Corporate Security Group does to prevent malicious or unauthorised use of digital assets at Microsoft. This asset protection takes place through a formal risk management framework, risk management processes, and clear organisational roles and responsibilities. The basis of the approach is recognition that risk is an inherent part of any environment and that risk should be proactively managed. The principles and techniques described in this paper can be employed to manage risk at any organisation.

Network identity infrastructures

By Darren Fowler, Sun Microsystems

A comprehensive Network Identity Infrastructure allows companies to create, manage, and authenticate online identities and broker services based on those identities. Network Identity is the fusion of network security and authentication, identity management and provisioning, single sign-on technologies, and Web services delivery. Sun's Infrastructure Solution for Network Identity is designed to help the enterprise manage and control identities. It integrates software, systems, storage, and services into solutions that enable your organisation to quickly implement an open, end-to-end, secure network identity infrastructure.

The 3D Threat: How the rules have changed

By Scott Ferguson, Check Point Software Technologies

The network has changed and so have the rules. Security is no longer linear or elective. The proliferation of pathways (VPNs, wireless LANs, PDAs and telecommuting) into corporate networks means perimeter-oriented security strategies will never again be sufficient. Today, organisations need a number of technologies to secure environments.

The challenge? How do you manage, integrate and scale these technologies. The answer is a comprehensive security architecture that addresses the three new security fronts: the perimeter, internal and the Web. Scott Ferguson, Check Point's Regional Director, ANZ, will cover the new 3Ds of information security, what they are and how to achieve them.

Email security: are we there yet?

By Ned Engelke, IronPort Systems

SMTPi : an initiative from IronPort Systems extending SMTP to include sender identity and reputation

According to Paul Festa, CNET News.com, the SMTP flaws are so severe, some now believe, that the protocol that gave rise to the most significant explosion in written communication since Gutenberg may no longer be capable of serving its purpose in a world of con artists, pornographers, virus authors and unscrupulous spammers.

Email has become the most critical form of business communication, yet the medium itself is on the verge of collapse. SMTP (Simple Mail Transfer Protocol), the Internet standard for email delivery and receipt, is more than 20 years old and what originally worked in a research and academic environment is not working in a commercial business environment today. The protocol lacks several essential components, including a comprehensive way of verifying an email sender's identity. The next generation of email infrastructure must address identity and reputation. SMTPi is designed to do exactly this and is under review by the IETF.

This presentation will include a description of SMTPi and other technologies already in use that substantially increase and ensure email security for enterprises and service providers.

The content report: an in-depth look into email management practices

By Lindsay Durbin, Clearswift Asia Pacific

In this analysis, we look at modern content management issues. A best practice model that includes a spam policy must also be able to handle the all important spam false-positive/false-negative issues including focusing on user initiated release of false-positives. Outside spam, we will look at the legislative and compliance issues of email retention as well as an update on overall content policies. For the technically minded, there is an insight into mischievous email construction and an analysis of current malicious email use.

On Computable Numbers, with an application to the Entscheidungs problem (or why anti-virus and anti-spam is hard)

By Paul Ducklin, Sophos

Can you write a perfect virus detector? Can you write a perfect spam filter? Computing theory says that you can't, and the theory is absolutely correct. That doesn't mean that you can't do an almost-perfect job, but it does suggest that maintaining almost-perfect standards is not an exercise to be undertaken lightly.

This talk starts with some discrete mathematics to deal with the theoretical background (as well as to suit the academic pretensions of the author and to allow the gratuitous introduction of evidence to show that it was the British rather than the Americans who really invented the modern computer). It then shows some of the techniques used by virus writers and spammers to work around security software, and why - rather sadly - it takes neither genius nor particular coding skills to do so.

Lastly, lest it seem that all is lost, this talk deals with a rather satisfactory corollary to the impossibility of writing a perfect anti-virus or anti-spam, namely the concomitant impossibility of writing an undetectable virus or an unblockable spam.

High speed security - perimeter security in the gigabit age

By Leigh Costin, Fortinet Inc

The performance demands on secure systems are dramatically increasing. The perimeter has essentially disappeared, and yet the number and complexity of external threats continues to rise. The addition of demands for high speed access to all resources, internal and external, wired or unwired, mean that companies at all levels face a dilemma: to attempt provide secure high speed access at any cost; or to limit access to what you can reasonably defend. This decision must also be made without the luxury of a secure perimeter to work with.

New protective measures are needed to meet these challenges. Combining existing technology will not provide the flexibility, integrity or the performance to meet the challenges. Only by closely integrating key security and networking technologies can a scalable solution be provided that can be deployed wherever it needs to be.

In this presentation the architecture of an integrated security solution is analysed.

Getting value from Vulnerability Assessment and keeping it

By Neal Wise, Principal Consultant, Dimension Data

Many organizations undergo regular reviews of technology from an information security point-of-view. Not all exercises provide the best benefits for the organization's investment in time, money and effort.

This presentation will offer suggestions of how to maximize benefits from information security testing efforts. Concepts, testing styles and exercise approaches will be discussed such as:

• Determining your requirements and communicating them
• Choosing an appropriate testing methodology (i.e. "White Box"/"Black Box") and the benefits each can provide
• Choosing an appropriate testing approach (review vs. penetration test vs. audit) and why
• Establishing and maintaining exercise confidentiality
• Deciding on exercise reporting output
• Managing exercise risks
• Managing the exercise progress
• How to choose an external assessor
• How to build an internal assessment capability
• Maintaining the results of your efforts

Technology and security professionals, business analysts and project managers will find this presentation beneficial. Common traps and pitfalls will be discussed to help ensure that your next security review provides the maximum benefit to your organization.

Next generation high performance network security architectures

By Matt Barrie, Sensory Networks

Traditional software-based approaches to network security are failing as network throughputs and complexity are dramatically increasing. Today's software security products do not have the memory and processing architecture necessary for deployment of next generation security services on gigabit networks. This talk focuses on why a specialized hardware architecture is needed for high-performance security and why CPUs and NPUs alone do not suffice. The talk concludes with a case study into the design of a high performance Intrusion Detection System.

Securing your environment with the IBM Tivoli Identity Management portfolio

By Paul Ashley, IBM Software Group, Australia

To effectively compete in today's business environment, companies are increasing the number of users, customers, employees, partners and suppliers that are allowed to access information. As IT is challenged to do more with fewer resources, effectively managing user identities throughout their lifecycle is even more important. IBM Tivoli Identity Manager provides a secure, automated and policy-based user management solution that helps address these key business issues across both legacy and e-business environments. Intuitive Web administrative and self-service interfaces integrate with existing business processes to help simplify and automate managing and provisioning users. It incorporates a workflow engine and leverages identity data for activities such as audit and reporting.

Are you spamming today?

By Matthew Sullivan, The University of Queensland

Today the worlds email system is being flooded by Unsolicited Commercial/Bulk Email, otherwise known as spam. The advent of spam has prompted various changes in the internet over the years, the first significant and noticable change was the removal of trust in the email system of the world. Back in the early days of the internet it was possible to find just about any mailserver to send your message to anyone in the world, but with spam on the increase this method of relaying had to be closed. Unfortunately for the users of the internet the spammers have not just said "ok they don't want it so we won't spam anymore", instead they have found more and more creative ways to send their junk mail and fill our inboxes.

This presentation will cover some of the methods that allow spammers to take over your networks, and spam from them. This has some obvious security implications especially when we discuss trojans leaving backdoors and keylogging machines, but the more subtle problems are those associated with instaling open proxy servers by trojans or misconfiguration. More worrying still is the new round of trojans and backdoors which install stealth services and attempt to hide themselves on the network by not opening ports for incoming connections but have daemons that call home or anonymous networks (botnets) which will then accept commands whether it is to DDoS another network or send spam.

AusCERT member's only briefings

By AusCERT

AusCERT member organisation representatives are invited to a session in two parts:

• A brief presentation to announce new member services and provide information on our current initiatives.
• A question and answer session and member feedback.

Light refreshments will be served during this session and there will be opportunity for networking.

Honeynets: Detecting Insider Threats

By Kirby Kuehl, Honeynet Project

The Honeynet Project is all about learning. Our primary goal is to learn about tools, tactics, and motives of the blackhat community, and share the lessons learned. We deploy Honeynets all around the world, capture attacks in the wild, analyze this information and share our findings. Based on this information, the security community can better understand the threats they face and how to defend against them.

This presentation will explain the Honeynet Project, some recent advances in Honeynet technology, and what Honeynets can potentially teach us about threats from outside (and from within) our networks.

Is a 21st Century Australia Card a recipe for increased Identity Fraud?

By Malcolm Crompton, Former Federal Privacy Commissioner

Identity management is in. It is emerging as the topic in government and business information technology thinking. 1

Identity management is proposed as a solution to a loose collection of issues with powerful economic, political and social resonance. Greater confidence about the identity of individuals, particularly in electronic contexts, is aimed at preventing financial, welfare and benefit fraud, protecting national borders and increasing national security, as well as better profiling customers or clients to better target services and goods.

Similarly, individuals themselves see a need to consolidate or simplify the way they present their identities to the world. Many of us can imagine how much more convenient it would be to have fewer PINs, passwords and plastic cards, for example. Many of us find the evidence of identity demands when we first deal with a government department or financial businesses, for example, to be onerous and intrusive.

The common thread, between individual and organisational needs for better identity management, is trust. Organisations want to trust the individuals they deal with; trust that they are who they say they are, and that they are authorised to do what they do. Individuals want to be trusted, but they also need to trust organisations to deal with them fairly, and to deal appropriately with their personal information.

Unfortunately, implemented poorly, identity management is likely to be a cure much worse than the disease. The widespread implementation of lazy identity management solutions - a real risk - would make it technically easy to combine vast amounts of electronic information held about a person, wherever it is stored, without that person's knowledge or permission and actually facilitate, instead of prevent, identity fraud. 2

My concern is that poor identity management solutions could amount to almost total surveillance of some, if not all, individuals.

Even more to the point, good identity management solutions are already available. The paper canvasses what good identity management solutions might look like in terms of both the law and technology.

A wide spread public debate on the issue of identify management is essential if we are to live in a safe, open society in which we can all lead our private lives.

1 "Identity management" is a relatively new term whose meaning may not be entirely settled, however for purposes of this paper we can understand identity management as a set of data management systems and practices designed to increase confidence in the identity of individuals where appropriate.

2 See for example the evidence given by staff of the Attorney General's Department to the House of Representatives Standing Committee on Legal and Constitutional Affairs during its Inquiry into Crime in the Community, Proof Committee Hansard, 26 September 2002, page LCA11 et seq.

Fighting High Tech Crime

By Mick Deats, Detective Superintendent, Deputy Head, NHTCU

This presentation will focus upon the types of crime that we are experiencing and the recognition by organised crime groups of the low risk and high return associated with Hi-Tech Crime. A number of investigations will be highlighted including those which have impacted upon Australia as well as the UK. The methods of investigating these crimes and the crime reduction lessons learnt from these incidents.

VoIP security

By Ofir Arkin, Sys-Security Group

"...it is no longer necessary to have a separate network for voice..."

Voice over IP (VoIP) is the next generation of telecommunications. It is combined from singling protocols (which establish, modify, and tear-down sessions), media transfer protocols (which carry the voice samples), and supporting protocols (which support the other two protocols with services they need such as routing, DNS, etc).

Security issues with VoIP based protocols are less highlighted than the hype about the technology. This talk will be focusing on the Security issues with the Session Initiation Protocol (SIP), a signaling protocol that is the crown contender of H.323, and with the Real-Time Transport Protocol (RTP) which is the most common vessel for carrying voice samples.

The presentation will highlight ways to take advantage of the design of these protocols. The talk will also examine ways to bypass any element in a VoIP architecture based on the Session Initiation Protocol. Among the issues we will be examining are free phone calls, call hijacks, call tracking, manipulation of conversations, fraud (and detection), etc.

Microsoft Patch Analysis

By Russ Cooper, Surgeon General, TruSecure Corporation; Founder and Moderator of NTBugtraq

With a single patch containing fixes for 14 different issues, Microsoft is making it extremely difficult to avoid patch-o-mania, applying patches as quickly as possible after their released regardless of your mitigation strategy. In this session Russ Cooper will present a comparison analysis of Microsoft's patches over the past 4 years providing accurate insight into just how many vulnerabilities are being addressed. He will explain why he concludes that Microsoft's newer products are no more secure than older versions, and why the Trustworthy Computing Initiative continues to struggle.

Honeynets and Honeypots: Companion technology for detection and response

By Cristine Hoepers, Senior Security Analyst, NIC BR Security Office (NBSO), Brazilian Computer Emergency Response Team

In recent years there has been an increase in the use of honeypot technology, despite this there are still a number of questions regarding their effective use and what their benefits are. This presentation will describe the differences between honeypot and honeynet technologies, their implementation and deployment, and the results obtained.

So you want to establish a CSIRT; a Dutch perspective on the do's and don'ts

By Hedy van der Ende, General Manager, GOVCERT.NL
Henk Bronk, Manager Technical Team, GOVCERT.NL

The world around our society has become very dependent on ICT. At the same time, security risks are getting worse. Security attacks are getting technically more complicated, and easier to execute at the same time.

The odds are against safety: today, every thousand lines of new computer code contains an error. Every error might in its turn cause a security flaw. This situation is not likely to change very soon.

The Dutch government, along with many other government and private organizations, took proactive steps. It started a (GOVCERT.NL) to organize measures focused on prevention of, and response to ICT related security incidents.

Our Project Goal:
From the beginning, it was the purpose of the Dutch CSIRT to give as much information on how we are doing our operations and share it with the community.

Therefore, we have during the set up of GOVCERT.NL and the Dutch National Alerting Service (De Waarschuwingsdienst) collected and preserved all our implementation and project plans.

The chance to set up a brand new CSIRT with the already existing knowledge from the International CERT-community and the help of the respected and major CSIRTS like CERT-CC and AUSCERT, helped us to set up a CSIRT in nearly a year and have it fully operational.

We see this project as an opportunity to give and help the CSIRT community to mature and grow. And to help new and starting CSIRTS with a very practical how-to on setting up a CSIRT.

This presentation will explain what needs to be considered when establishing a CSIRT. It will cover topics such as:

• Questions to ask before starting
• Funding the project (money, sponsorship)
• Staffing (operational, management, structure)
• Operational procedures (escalation, workflows)
• Legal issues

ISSPCS certification exam preview forum

By Nick Tate, Director, AusCERT
John P Hopkinson, President ISSEA
Mark McPherson, Training and Education Manager, AusCERT
Scott Sinclair, The University of Queensland

This BOF will provide participants with a sneak preview of the upcoming examination process for The International Systems Security Professional Certification Scheme. Representatives of the project team from AusCERT, The University of Queensland, EWA and ISSEA will report on the scheme's development to date, and will be asking for feedback from the IT security professional community.

Protecting Stateful Security Policies Using One-Way Functions

By Hakan Kvarnstrom, Hans Hedbom and Erland Jonsson
Presenter: Hakan Kvarnstrom, TeliaSonera, Sweden

This paper addresses the problem of protecting security-related information, such as the detection policy of an Intrusion Detection System, in distributed computer systems. Unauthorized disclosure of such information, possibly stored in a large number of nodes, can reveal the fundamental principles and methods for the protection of the whole network domain, thereby introducing new risks and vulnerabilities. To counter this, we suggest a protection scheme. The scheme extends previous research on protection of stateless policies to stateful policies. A stateful policy can deal with temporal occurrences of events and not only a single event as in the stateless case. It can be described by a finite state machine corresponding to regular languages. The protection scheme uses one-way functions and can be seen as a way to provide obfuscation and thus prevent reverse engineering. We provide a complexity analysis of its ability to resist attacks. An example is given to show its applicability.

A Protocol for Secrecy and Authentication within Proxy-based SPKI/SDSI Mobile Networks

By Craig Pearce, Peter Bertok and Charles Thevathayan
Presenter: Craig Pearce, RMIT, Australia

Resource-constrained mobile devices are becoming increasingly popular within distributed networks, but introduce a weak point of security. Existing protocols for distributed mobile device networks, such as SPKI/SDSI, lack built-in confidentiality, mutual authorisation and mutual authentication. Our research addresses the abovementioned security limitations of an existing network security protocol for distributed mobile device networks. By securing the protocol and minimising exchanged messages, our work gives a result which is both faster than the current protocol and more secure. This will open up open up new application areas for SPKI/SDSI.

Legal and Regulatory Issues of Implementation of Electronic Signatures

By Raj Gururajan, Anita Ryle and Abdul Hafeez-Baig
Presenter: Raj Gururajan, USQ, Australia

To address and facilitate the growth of activities in the area of e- and m-commerce, United Nations produced a document called the UNCITRAL Model Law. Article 13 of the Model Law describes the concept of 'attribution of data messages', a principal component in ensuring authenticity and reliability of an electronic message. The purpose behind such prescription is to ensure harmony among trading partners as the implementation of regulatory framework in many countries is not uniform and bound by various jurisdictional issues. While conducting transactions across borders, including state and national, trading parties should be aware of various consequences of 'transmission of electronic messages' as there may be profound implications to the parties when things go wrong due to technical problems.

When organizations trade on the Internet, especially to conduct transactions at international level, the concept of electronic signatures is an integral part of transactions negotiated through a data message. However, it appears that organizations have not yet comprehended the full impact of various legislative procedures associated with the implementation of electronic signatures as the enforcement of various issues with respect to this electronic signature varies depending upon the context and situation. While the electronic signature helps to identify a person who has been involved in a transaction electronically, due to various technical issues, it is difficult to interpret who is the sender, how to authenticate the signature, how the data message is transmitted, and the validity of enforceable issues.

This paper investigates aspects of United Nation.s Model Law, Article 13, which deals with electronic signatures. The discussion provided includes how electronic signatures are interpreted in the context of a data message, the difficulties encountered in implementing Article 13 in specific contexts due to regulatory frameworks and potential legal consequences. The scope of this paper is currently restricted to 'discussion' only.

A Privacy Logging and Reporting Framework

By Paul Ashley
Presenter: Paul Ashley, IBM Software Group, Australia

Regulation and consumer backlash is forcing many organisations to re-evaluate the way they handle personal information (PII). As a first step in managing their personal information enterprises are implementing privacy logging and reporting that allows them to identify when personal information has been accessed, by whom, and for what purpose. This paper reviews a privacy logging and reporting framework that we have been developing. The paper's main focus is to highlight the unique issues encountered when developing the privacy framework and the resulting solution that was created to satisfy these requirements.

Network-based Buffer Overflow Detection by Exploit Code Analysis

By Stig Andersson, Andrew Clark and George Mohay
Presenter: Stig Andersson, QUT, Australia

Buffer overflow attacks continue to be a major security problem and detecting attacks of this nature is therefore crucial to network security. Signature based network based intrusion detection systems (NIDS) compare network traffic to signatures modeling suspicious or attack traffic to detect network attacks. Since detection is based on pattern matching, a signature modeling the attack must exist for the NIDS to detect it, and it is therefore only capable of detecting known attacks. This paper proposes a method to detect buffer overflow attacks by parsing the payload of network packets in search of shellcode which is the remotely executable component of a buffer overflow attack. By analyzing the shellcode it is possible to determine which system calls the exploit uses, and hence the operation of the exploit. Current NIDS-based buffer overflow detection techniques mainly rely upon specific signatures for each new attack. Our approach is able to detect previously unseen buffer overflow attacks, in addition to existing ones, without the need for specific signatures for each new attack. The method has been implemented and tested for buffer overflow attacks on Linux on the Intel x86 architecture using the Snort NIDS.

Understanding Attacks via Distributed IDS

By Till Dorges and Olaf Gellert
Presenter: Till Dorges, Presecure Consulting, Germany

Intrusion detection systems (IDS) serve to assess what types of risks computer networks are facing. Since a single IDS usually doesn't "see" but a small portion of a network, it is advisable to try to acquire a more holistic view by placing several (independent) sensors and to analyse all the data gathered.

One of the goals of the project eCSIRT.net was to look at the internet in its entirety in order to better understand how attacks compare in different subnets or regions. This is already very useful when investigating worms and viruses and could eventually lead to an early warning system.

This article will discuss the actual realisation of a distributed sensor network as well as (some) analyses and statistics based upon the data gathered.

Trustworthy Routing with the TORA Protocol

By Asad Pirzada, Amitava Datta and Chris McDonald
Presenter: Asad Pirzada, UWA, Australia

Ad-hoc networks are made up of one or more low power mobile wireless nodes. These nodes are able to communicate over a wide range through mutual cooperation. All participating nodes pledge to pass packets for other nodes in accordance to a pre-agreed protocol. Temporally Ordered Routing Algorithm (TORA) is one of the unique routing protocols that can operate in dual mode (passive or active) based upon the mobility of the network. In TORA, heights are assigned to nodes so as to route the flow of data according to a directed acyclic graph. Routes are established in TORA with the assistance of other nodes present in the network. The accuracy of these routes requires that all network nodes depict benevolent behaviour. However, such an altruistic setting is virtually impossible to achieve and consequently a number of malicious nodes also contribute to the TORA route discovery process only to impair the network. In this paper we present a novel and pragmatic mechanism for establishing trust in ad-hoc networks that execute the TORA protocol for route discovery. The proposed mechanism is especially viable for ad-hoc networks that can be created on the fly without a formal trust infrastructure including Certification Authorities and Key Distribution Systems.

Honeypot-based Forensics

By Fabien Pouget and Marc Dacier
Presenter: Fabien Pouget, Eurecom, France

Some attacks on honeypots are very frequent and repetitive. In addition, such repetitive attacks generate a very large amount of data. In this paper, we show that it might be misleading to consider general statistics obtained on these data without carrying an in depth analysis of the various processes that have led to their creation. We show that such analysis can be done by means of a simple clustering approach. We present an algorithm to characterize the root causes of these attacks. Despite its simplicity, this algorithm enables us to obtain precious and non trivial information to identify the various attacks targeting our environment. We use this algorithm to identify root causes of the data collected from our honeypot environment. We demonstrate that identifying the root causes is a prerequisite for a better understanding of malicious activity observed thanks to honeypots environments. Finally, we hope this work will open new avenues for the ongoing work related to honeynets.

2004 Australian Computer Crime and Security Survey Results

By Kathryn Kerr, Analysis and Assessments Manager, AusCERT
Alastair MacGibbon, Director of the Australian High Tech Crime Centre

All of Australia's law enforcement agencies - the Australian High Tech Crime Centre, the Australian Federal Police, Queensland Police, NSW Police, Victoria Police, Tasmania Police, South Australia Police, Northern Territory Police and Western Australia Police - and AusCERT produced this year's Australian Computer Crime and Security Survey.

The survey builds on the format of the well-known annual CSI/FBI Computer Crime and Security Survey and includes new lines of enquiry designed to better understand the particular factors which contribute to computer security incidents.

The survey provides the most up to date and authoritative analysis of computer network attack and computer misuse trends in Australia over the last 12 months. As before, the survey includes a number of real case studies and expert commentary from Australian law enforcement, AusCERT and other Australian experts. Above all, the survey aims to raise awareness of the complex nature of computer security issues, identify areas of concern and, where appropriate, to motivate organisations to take a more active role in protecting their systems.

The survey has been sponsored by the Australian Government's Attorney-General's Department, the Department of Communications, Information Technology and the Arts and the Australian Federal Police.

Email Filtering and Mitigating Circumvention Techniques

By Dr Michael Cohen, Senior Technical Adviser
Steven McLeod, Technical Adviser

This presentation discusses how email filtering software designed to disallow executable attachments can be circumvented. For example, executable code can be embedded in PDF files and bitmap files, or specially crafted so that file extension and file type checking mechanisms fail. The presence of the email filtering software itself may introduce vulnerabilities into the network. Techniques are provided to prevent malicious external or internal users from attempting to bypass the email filtering software.

E-Security Policy Developments in Australia

By Keith Besgrove, Chief General Manager, Regulation and Analysis, NOIE

The presentation will address recent developments in the e-security policy environment in Australia, including initiatives covered by the E-Security National Agenda and Australia's contribution to international developments through the OECD and APEC. The presentation will discuss developments in e-security for small business and the security implications of spam.

Wireless Hacking: How to do it and how to avoid it happening to you

By Phillip Yialeloglou, Senior Systems Engineer Cisco Systems Australia

This session on securing wireless LANs (WLANs) includes an overview of early WLAN security. It identifies and details existing vulnerabilities and threats to WLANs. Topics discussed include the use of virtual private networks (VPNs), dynamic keying, and authentication systems; an introduction to WLAN cryptographic algorithms; and securing legacy 802.11b devices. Design scenarios and examples underscore the topics discussed, rounding out the theme of designing and deploying secure WLANs. The session will include live demonstrations.

Personal and Corporate Identity Theft: How to Spot and Avoid Today's Common Techniques of Elicitation and Social Engineering?

By Chris Pick, Vice-President Security Management, NetIQ

Today's thieves have many tools available to steal your personal and corporate identity. Techniques range from persistent theft of personal identifiable information (dumpster diving), to more sophisticated forms of technical and social engineering attacks which are designed to steal (and use) your complete identity quickly.

In this presentation Chris Pick will examine:

• the threat and how to determine if you.re a target;
• the cost and consequences are of losing your identity;
• methods and practical examples on how these are attacks are performed; and
• what steps you can take to safeguard your personal and corporate identity.

Security Response at Microsoft: Tales from the Trenches

By Iain Mulholland, Manager, Microsoft Security Response Center

Slammer, Blaster, Nachi, Swen. Hear from the team on Microsoft's front line for the major security incidents of 2003 and learn about the processes they use to react to and manage security incidents and security vulnerabilities in Microsoft products. The Microsoft Security Response Center is responsible for handling all externally found security vulnerabilities, managing relationships with external researchers and managing incident response in the event of a major security incident. Hear how years of experience in security response have shaped the process, people and policies.

Establishing security as a part of the business

By John Geurts, General Manager, Group Security, Commonwealth Bank

The impact and convergence of financial crime, physical, personnel and information security issues requires new approaches to the anticipation, prevention, detection and investigation of these issues. Security risk management practitioners need to mature their approach to ensure the critical business aspects of risk management are also addressed.

This presentation will highlight an approach that achieves a holistic security risk management model within a diverse financial institution, including:

• The convergence of security;
• A coordinated approach to security risk management;
• Implementing a security capability maturity model; and
• Business expectations of the security risk management practice.

Deploying Remote-Access IPSec VPNs

By Tony Saunders, Cisco Systems

With the growing desire to be able to work anywhere anytime, it is now necessary for the smallest to the largest enterprises to be able to deploy secure Remote Access Virtual Private Networks for connectivity from the Internet to their enterprise. However, the number of approaches to this problem are many and varied, and the complication for configuring them has historically been high.

This session will define what components are required to deploy a scalable secure Remote Access VPN solution for your business. It will focus on; appropriate designs to protect the security of your network, an introduction to the technology, as well as some configuration examples to help you deploy the solution.

This session is a good overview for an Engineer or Architect wanting a process they can use to design, select, and deploy a VPN solution. Example configurations will be provided, however this session will focus more on process than technical configuration.

An understanding of the applications for Remote Access VPNs is expected, as well as some knowledge of IPSec and authentication methods.

SCADA Systems Security - Why the IT Security approach might fail!

By Andreas Tilch, ISIG
Mark Ames, ISIG

There has been a lot of noise about Critical Infrastructure Protection and SCADA Systems are right in the centre of this discussion. SCADA, or Supervisory Control and Data Acquisition Systems are the core of the modern fully automated world. They enable remote control of large industrial infrastructures and complex processes, which could be physically spread across several countries and continents.

Their use ranges across all industries. These systems control the distribution of Gas, Water and Electricity. Given the significant investment needed in industrial systems, SCADA can, unlike Information Technology, deliver a competitive advantage by delivering a lower cost base for the manufacturing process.

Over the years, SCADA systems have adopted open standards, such as HTTP, Java, TCP/IP and wireless protocols to allow them to integrate with the existing Information Technology infrastructure. SCADA systems itself also relies on Information Technology, in order to process data and control processes. With the introduction into this new world, it also introduced new risks, which have been only typical to Information Technology in the past.

Typical today is the lack, or should I say uncertainty, of governance and authority between the engineering network and the corporate network. Information Security Professional, which have been busy securing their Corporate Information Assets now suddenly get aware of the risks these engineering networks bring with it and try to move forward in order to secure these. However, their approach is set to fail. As experienced Security Professional we all know how to protect the Information Assets of our organisations and we want apply the same principles to SCADA Systems. In Information Technology we focus on Data. In Process Control, or main concern is the Process under supervision. These Principles, namely Confidentiality, Integrity and Availability however are only effective in protecting Information. Industrial Processes need Safety, Reliability and Control. The usual lifespan of Information Technology is around 3-5 years, significant less when compared to the 15-20 years of SCADA systems. Information Technology Systems usually allow delays in processing data, but process control quite often requires real time data.

Because of these differences, the normal approach is only effective to the Information Technology components of SCAD systems, but does not address its specific needs. Sadly, the market has been fast and reacted with controls such as proprietary protocols, encryption or frequency hopping. Some well-known IT Security Vendor has also tailored his existing Security Suite a praised it in a white paper aimed at Utilities. There no single solution to Security and certainly not a bolt on module available. But this is not new to us. In order to address the real issues, we have to take a holistic approach and develop a new framework with a Risk Management approach in order to secure these systems. Only if we understand the difference between IT and SCADA, then we are qualified enough to make suggestions.

Cyber Threats to Critical Information Infrastructure: Local Case Studies

By Zahri Hj Yunos, National ICT Security and Emergency Response Centre (NISER)

The presentation will describe what are cyber threats and its definition from NISER's perspective. A definition and composition of Critical Information Infrastructure (CII) in Malaysian context is also explained. The case studies of reported incidents of security breaches in Malaysia will be presented. In this presentation, several matters of concern in protecting CII will be identified and discussed. This presentation also provides some recommendations that need to be developed to protect the nation's CII against cyber attacks. Some of the cyberlaws passed by the Malaysian Government will be introduced.

Malicious Code Attacks in the 21st Century

By Vincent Weafer, Senior Director of Development Symantec Security Response

The global impact of such threats, such as MyDoom, Blaster, Sobig , SQLSlammer and Nimda are having an increasing impact on all segments of computer users from global enterprises down to home/small offices. We are a society that is becoming more and more dependent on our information technology infrastructure, yet we do not take the steps to protect out critical digital assets, nor we do not have a good understanding of the changing nature of these attacks - how they have evolved in terms of technological sophistication and ability to reach more vulnerable targets.

This talk will review some of the most significant advances in malicious code design and technology and how that is driving changes in the overall attack lifecycle include speed of initial propagation, persistence of infection and overall damage impact. We will also look at some newer areas for concern including day zero attacks and multiple blended threats several, fast moving attacks being launched at the same time in cyber space. Combining these new cyber threats with physical attacks on our critical infrastructure is also becoming a real concern for many businesses and government organizations. Finally security defense strategies to combat these evolving threats will be discussed, that aim to improve the ability to protect the critical infrastructure while lowering the cost of that protection and improving management's ability to get a holistic view of their security posture.

Information System Threat & Risk Assessment (ISTRA) - the Vital Precursor to Establishing an Appropriate Security Strategy

By Sue Dudley, Victoria Police

This tutorial will introduce three methods that can be used for undertaking an Information System Threat & Risk Assessment (ISTRA), focussing in greater detail on the most detailed approach. Delegates attending this tutorial will learn how to identify which of these three methods is the most appropriate approach to use in their specific circumstances, and gain a practical understanding of both how to conduct an ISTRA and the vital role of ISTRA reports in gaining management interest, support and "buy-in".

Tutorial outline:

1. "Risk"
   • To what are we referring when we use the word "risk"?
   • Can the meaning of the word "risk" be easily defined?
   • What are the relationships and differences (from a risk management perspective) between business risk, project risk and information security risk;
2. "Risk Assessment"
   • What must we identify (and/or know/understand) so that we can assess risk?
   • How do these factors inter-relate to enable us to assess the risk?
3. "Risk Management"
   • What does the term "Risk Management" mean?
   • What general approaches can be used to manage/mitigate risk?
4. What is the relationship between "Risk Assessment" and "Risk Management"?
5. What are some publicly available sources of information regarding risk assessment methodologies?
6. What are three different approaches to undertaking an ISTRA, and how do they compare?
7. What are the steps that need to be worked through in the most detailed approach?
   • The theoretical framework (and component steps) of this detailed approach
   • Applying the methodology

Wireless Security - Don't Bet the Farm Just Yet

By Stephen Glass, IBM Tivoli/Griffith University

This presentation identifies the security problems inherent when using 802.11 networks, describes the attacks to which they are subject and considers the technologies which are emerging to address these risks.

Delegates will learn why their 802.11 wireless networks are at risk, how they can be attacked and what steps they might take to mitigate the threats of drive-by hacking or "parking lot" attacks.

This presentation is appropriate to IT professionals and other technically-aware professionals who want to acquire an informed understanding of the security issues inherent in using 802.11 wireless LANs.

Securing passwords over the wire; Implementing proxy digest authentication

By Sean Burford, The University of Adelaide

This presentation discusses the problems and benefits experienced implementing secure authentication for users of The University of Adelaide's central proxy servers. Serving approximately 6,000 individual users and 5 million accesses per day, the university web proxies are an important gateway to the Internet. Proxy users authenticate using LDAP credentials, which provide a same signon across many applications.

Given the wide usage and importance of the credentials used, it was decided that protecting these credentials as they passed across the network was an important issue to address. This required changes to both the Squid proxy servers and the Netscape LDAP Directory servers.

Delegates with a technical background will learn about the issues that need to be considered if they are to banish the use of plain text passwords from their network. Whilst the presentation focuses on proxy authentication, some of the broader issues such as client testing and how to dealt with supporting different password hashing schemes for different applications are addressed.

After introducing the environment the servers operate in, the presentation covers:

• Selecting an appropriate authentication scheme
• Modifying the proxy and directory server
• Storing credentials securely
• Browser support for digest authentication
• Migrating to secure proxy authentication

CANCELLED
Using the APNIC Whois Database to find contacts for the source or target of an attack

By Samantha Dickinson, APNIC
Champika Wijayatunga, Senior Training Specialist, APNIC

After an intrusion to a network is detected, the next step may be to find the contact details for the organisation responsible for the source IP address. The APNIC Whois Database is available freely to all who wish to find the source of IP addresses registered to networks in the Asia Pacific region. This tutorial will teach participants introductory and advanced techniques to most effectively search the APNIC Whois Database to more quickly converge on the contacts required for mitigation or post-mortem.

The tutorial will also cover:

• Whois services available from other IP address registries, including ARIN, RIPE NCC, LACNIC, etc
• Issues of accuracy in whois databases
• Current discussions and activities of interest to those who report abuse, such as hijacked IP addresses, a common format for abuse reports, and CRISP (Cross Registry Information Service Protocol).

Biometric *In*security

By Roger Clarke, Consultant

Discussions about biometrics are fraught with difficulties. The technologies are complex, poorly-explained, and easily misunderstood. Suppliers have, partly accidentally and partly intentionally, confused and bemused the media. Media reports in turn project misinformation to potential users, policy-makers and the public.

Moreover, the contexts in which biometrics are applied are complex, and have to date been very poorly analysed. There is enormous intrusiveness inherent in measuring people's bodies and associating data with those measures. But that has been left to one side as the recent 'war on terror' extremism has far exceeded terrorist actions in terms of its impacts on the public.

This presentation will set out to clear some of the fog that surrounds biometrics, and demonstrate how most of the proposals developed to date worsen security rather than helping it.

Patch Warfare - Losing the battle? How to win the war . . .

By Robert Hensing, PSS Security Incident Response Specialist, Microsoft

• Where we are at, where we are going?
  • Reduced number of installers
  • IPD / binary delta compression
  • Hot-patching vs. cold-patching
  • QFE vs. GDR source tree
• SUS / SMS SUS Feature Pack
  • Now / Future
  • Demo using SUS with the automatic updates client to deploy patches using group policy
• MBSA 1.2
  • Demo using MBSA to scan for patches that can be deployed via SUS

Securing your Windows Network (Security advice from the front-line)

By Robert Hensing, PSS Security Incident Response Specialist, Microsoft

• The importance of a well defined corporate security policy (minimum software requirements for clients / servers etc.)
• Microsoft's approach to security - Layered defense

Network / Perimeter Defense

• Secure networks - the importance of IPSec AH / network segmentation
• Identifying unauthorized hosts / applications
• VPN's - The unlocked backdoor? Not anymore . . .

Host Defense

• Secure builds - starting from a secure baseline - the importance of slipstreaming
• Popular Threats and Countermeasures (the top X threats all organizations face)
• Passwords (LM hash? NT hash? Account Lockout Policies? Strong Passwords?)
  • (Demo cracking a 'strong' 8-character complex password in seconds)
• Host based firewalls? ICF? IPSec? (Using IPSec to stop worms)
• Automating Windows hardening using Group Policy
  • (Demo creating Organizational Units and deploying security policy through group policy)
• Often overlooked - Auditing to facilitate security incident response
  • (Demo a worm / IIS hack and how auditing helps facilitate IR)
  • (Demo how IPSec an be used to block the worm's spread)
• What's new in XP SP2

Application Defense

• Securing IIS
• Securing SQL
• Writing Secure Web Applications

Enterprise Incident Response Planning

By Robert Hensing, PSS Security Incident Response Specialist, Microsoft

• Why you need a formal incident response process
• Top mistakes companies make with respect to incident response
• Building an incident response plan that works
  • Live response vs. offline response
  • The Microsoft IR toolkit
• Analyzing the output
  • Reviewing output from compromised machines
• Rootkits - The responders worst nightmare - tips for detecting

AS 13335, The New Standard for IT Security?

By Rob Siganto, Bridge Point Communications

AS 7799 and ISO 17799 have been receiving increasing attention as the main standards relevant to information security. However, for those interested in IT Systems Security - rather than the more general information security management system concept - AS13335 will be of far more interest.

The standard's title - "AS 13335, Information Technology - Guidelines for the management of IT Security" - leaves you in no doubt that it is firmly focused on IT Security, and not general information security management. Not only is it specifically IT focused, but the standard also provides a guideline for managing security - something which neither AS 7799 nor ISO 17799 purport to do.

First published in Australia in 2003, the standard is identical to ISO 13335. It is made up of 5 parts:

• Part 1: Concepts and Models for IT Security
• Part 2: Managing and planning IT security
• Part 3: Techniques for the management of IT security
• Part 4: Selection of safeguards
• Part 5: Management guidance on network security

Some important features of AS 13335 include:

• Its content is closer to the documents usually published by Australian Standards as Handbooks. It is aimed at IT Security Managers and provides practical guidance in designing and implementing effective IT security, including a discussion of different techniques that may be employed and practical advice.
• Although IT focused, the standard still includes a detailed discussion of the organizational aspects that are necessary to ensure that the IT security policy is aligned with the corporate policies and goals. A useful Example Contents List for a Corporate IT Security Policy is prvided.
• There is a comprehensive treatment of Risk Assessment as applicable to IT Systems, including annexures listing Common Vulnerabilities and Threat types.
• Another feature of the standard is that rather than redefining its own best practice it chooses to cross reference other standards and best practice. These standards come from the UK, USA, Canada, France and Germany and are generally accepted as the best practice in these countries and internationally. They include the NIST Computer Security Handbook and ISO 17799, although the latter is listed as BS 7799.1. By taking this approach measures can be selected that are appropriate to different locations and different techniques can be considered as a solution to an information security issue.

As with many standards care needs to be taken with terminology, and where ISO 17799 has controls, AS 13335 has safeguards. There is also a dedicated section on network security, which is one of the weaker areas of the ISO 17799 standard.

The presentation will:

• Outline the content of the standard,
• Review some of the major differences between AS 13335 and AS7799 & ISO17799,
• High-light particular areas of strength in the standard - e.g. risk assessment and security planning, system base-lining, safeguard selection and network security, and
• Cover a possible implementation strategy based on the standard.

Note: AS 13335 is available from Standards Australia in hardcopy or PDF format. ISO 13335 is available from national standards bodies.

Introduction to Nessus

By Renaud Deraison, Director of Research, Tenable Network Security

During the tutorial I will explain how to set up Nessus on a Unix host, will explain most of the (sometime cryptic) options that it offers and explain how a scan should be conducted for a local network, a remote site and finally a pre-production server in a lab.

Going through all the options of Nessus will allow me to give attendees an in-depth view of all the capabilities of the scanner.

Advances in security scanning

By Renaud Deraison, Director of Research, Tenable Network Security

In this talk, I will cover the changes that occured over these last years in the security scanner fields - distributed scanning, fingerprinting, but also how users have changed over the years and how their expectations regarding the scanner have changed. I will of course illustrate this with Nessus, the scanner I wrote, although this talk applies to most scanners out there.

Highly Distributed Intrusion Detection Systems and Trust Relationships

By Raven Alder, True North Solutions

When designing an intrusion detection system for the enterprise, collection from and correllation of data from many widely distributed sensors is a common strategy. But determining what trends in that data are valuable and require the attention of analysts or administrators is often a more critical challenge. In the rush to get good data corellation, many enterprises look beyond their own network for sources of real-time data about network attacks. This paper will look at the various challenges involved with sharing intrusion detection information between enterprises, illustrating both the concerns and potential benefits of inter-enterprise intrusion detection systems.

Let's start with your enterprise. If you're a sizeable shop, it is likely that you have more than one sort of intrusion detection system deployed. Industry best practices state that an IDS monoculture is suboptimal. But what if you're a smaller enterprise with a limited budget? What if your intrusion detection sensors are not widely deployed enough to be really valuable in terms of correllation, or if you are so extremely proactive that you want to take a very close look at any IPs that might possibly be suspicious? You may wish to look at sharing data beyond your enterprise.

One of the first and most common security concerns in sharing sensitive IDS data beyond your enterprise is that of risk. What additional threats will sharing this data expose me to? How much risk am I at if I send out information on my alerts? One of the common tricks of the penetration tester or the malicious attacker is to search Google for entries that sysadmins post to public mailing lists asking for help configuring their equipment -- knowing what's on the network makes exploitation and attack much easier and much more targeted. Most sysadmins have no desire to give free information to attackers, but by sharing your IDS alerts and correllating firewall and border device logs, you give away precisely that sort of information.

This risk can be somewhat mitigated by obfuscating your IP addresses in such logs, but the format of the logs themselves may disclose what sort of IDS or firewall you have in place. Since there are many different products out there, and not all of them gather the same sorts of data, flattening all output into a single anonymous formatting is a non-trivial task. There are distributed databases that take this sort of approach, but keep in mind that unless the flattening is done on your side of the wire, that you are still giving this information to the flattening party at the least, and that it may be visible at any point between you and them if encryption is not used.

When disclosing potentially sensitive information to others, it is important to consider questions of trust beforehand. Review your site's security policy, and decide what an acceptable level of risk is for your site. Act accordingly.

The real benefit of highly distributed intrusion detection systems, though, is how much information you can get from others. Many people who pursue this sort of solution are after a list of IPs known to have attacked other nodes on the network, so that they can treat them with a higher level of suspicion than a random Internet IP would merit. Real-time information on ongoing attacks, trending, and mitigation measures can be valuable to those needing to make business decisions affected by this sort of security information. Yet there are questions of trust to be raised here, also.

Whom did you receive this data from? Are you sure that their intrusion detection systems were properly configured? Are you sure that, if their IDS are different than yours, the data was homogenized in a sensible and compatible fashion? Do you know that they used timestamps to establish correllation of attack streams? Are you sure that the source was not compromised, and that they're not injecting false information and a slew of false positives into your data stream? Is it digitally signed? Can you trust the signer? When you focus your analyst's hours on data from an external source, you are making a financial investment based on the integrity of that information. Consider that before you decide where to focus your analysts.

Additional factors to consider include the feasibility of data munging for your enterprise. Do you have the time and computational power to parse the external alerts and logs? If the external data was obfuscated, does that interfere with its usefulness to you?

Having raised many questions and issues regarding the sensible and scalable use of highly distributed intrusion detection systems, let's take a look at a few possible scenarios addressing these issues.

1. You are the CERT for a relatively small organization. The enterprise that you support relies on you for quality real-time information and support for their network security needs, but their data is sensitive to the enterprise and should not be released into the wild.
2. You are a small business with two intrusion detection sensors... one inside and one outside your firewall. You'd like to know more about who might be attacking you, so that you can take more proactive intrusion prevention measures, but you don't have a high budget or a whole lot of time.
3. You are an Internet Service Provider. You'd like to reduce the amount of attacks transiting your network, as well as protecting your own infrastructure. Budget is less of a problem, but you absolutely do not want to send any information of a large scale to anyone but trusted partners.

[walk through each scenario, highlighting possible solutions including setting up your own web of trust with other organizations, DShield, nsp-security, and/or deciding to keep your information solo] Ultimately, the decision whether to use a distributed intrusion detection system beyond your own enterprise is a risk assessment like any other. Know your network and your security policy well, and you should be able to make the right decision for your enterprise.

Why isn't the Internet secure yet, dammit

By Peter Gutmann, Researcher, Auckland University

Almost every PC sold today has IPsec built into the OS, US crypto export restrictions are (effectively) gone, full-strength S/MIME encryption is a standard feature of Outlook and Exchange, GPG is available for Unix users, every browser does full-strength SSL, and every Unix box is running SSH. All of the tools are there, but most are rarely used. This talk looks at the reasons behind this, and what needs to be done to fix some of the problems.

Security Fatigue: Threatening the Culture of Security

By Nick Ellsmore, Director and Principal Consultant of SIFT Pty Ltd

This presentation will provide original material examining and discussing the growing trend towards .Security Fatigue. in Australia and internationally. Specifically, the paper will examine the question of whether the ongoing barrage of security related information and warnings to the general public, has resulted in a cultural shift towards desensitization and risk tolerance.

Having examined the concept of "Security Fatigue", along with how it impacts individual organisations as well as the broader economy & community, the presentation will also identify the symptoms of security fatigue within an organisation, and the actions required to genuinely understand and influence the organizational culture to ensure ongoing security and attentiveness by all people involved.

Such an understanding is crucial for any manager responsible for systems that require the interaction and behaviour of end-users to ensure their security.

Clarice Meets The Matrix: The Science of Profiling Takes a Whole New Direction

By Max Kilger, Psychologist, Honeynet Project

Since it's emergence from the basement offices of the Behavioral Science Unit of the Federal Bureau of Investigation, the science of profiling (or Criminal Investigative Analysis as the FBI more formally denotes it) has been all about the application of the principles of Behavioral Science and the laws of probability to the scene of the crime. Traditionally it has involved the relational analysis of bits of physical evidence using social and psychological theory to form a coherent picture or profile of the perpetrator. The migration of the science of profiling into the cyberworld has given a whole new meaning to the phrase "bits of evidence". During this presentation we'll explore how some of the techniques and assumptions of the science of profiling have changed in its transition to the digital world.

Hacking Techniques and Defensive Measures

By Marcus Sachs, Director of the Internet Storm Center, SANS

Attacks on computer networks come from many threat sources - teenage "script kiddies", experienced criminals, terrorists, and even government sponsored organizations. While their resources and intent may differ, all of these groups follow a fairly consistent pattern in their attack methodology, from the initial reconnaissance to finding vulnerable hosts, gaining access, installing tools, and removing the evidence of unauthorized entry. This high-level overview of the hacking process covers several tools in common use, methods that hackers use today to gain access to remote networks, what to look for if you think you've been compromised, and how to defend against common attacks. While you won't be a seasoned hacker after attending this fast paced tutorial, you certainly will have a much better understanding of the "tricks of the trade."

It's 11 o'clock - Do You Know Where Your Kids Are?

By Marcus Sachs, Director of the Internet Storm Center, SANS

Passing your teenager's bedroom you notice the light behind the closed door is on. You hear the familiar clicking of the computer keyboard. "Doing homework online," you think to yourself as you crack a smile, "too bad we didn't have the Internet when I was in high school."

Doing homework, indeed. If that's what you call raiding distant computers on corporate networks, trading stolen credit card numbers for "zero-day" exploits, or commanding thousand-host "bot" networks that are used to knock other users off the Internet for minutes or hours at a time.

Many parents proudly boast that their kids stay off the streets, don't do drugs, and don't terrorize the neighborhood with loud cars or music. Instead, these parents believe their kids are spending their idle time on the Internet learning about world events, chatting innocently with new friends in far-away lands, or perhaps doing homework.

This talk will explore the new world of the digital teenager, what they are exposed to on the Internet, the intense pressures to participate in online malicious behavior with their peers, and steps that parents can take to reverse the trend. The speaker comes armed with experience - he has two teenagers of his own who have mastered the basement LAN and are power users on the 'net. But they do it with plenty of adult supervision and they really don't mind. Find out how to make the Internet a place where you can trust your kids while still allowing them to have fun and be creative in their own way. After all, we never broke any rules when we were kids, right?

Building a Computer Forensics Program in a Global Company

By Kathy Fithen, Manager of the KO-CIRT and Computer Forensics team at The Coca-Cola Company

This presentation will address:

• What are the Benefits to a Global Computer Forensics Capability?
• What are the Issues?
• Capabilities and Knowledge/Skills.
• Identify and Develop Relationships with Internal Departments/Organizational Units.
• Identify and Develop Relationships with External Organizations.

The Cost of Risk - Passing it back to the business

By Karl Hanmore, Bank of Queensland

For many businesses, managing risk is difficult. Even once a Comprehensive risk management approach is in place, it is often difficult to manage the financial processes in a robust manner.

Often, projects will not mitigate risks due to cost while operational areas rarely have budget to expend to manage realised risks.

This presentation looks at basic risk management approaches and then expands to investigate costs of risk.

We then look at potential ways to better manage the cost of risk and driving business units to better manage the risk acceptance vs control introduction trade offs.

Further we examine a model of "risk chargeback" to the business units, forcing business units to be more accountable for the risks they introduce into the environment.

The target audience for this presentation is delegates wishing to gain a basic understanding of risk management or those already familiar in risk management who would like to explore options for extending their risk management methodology.

Legal Liability and Security Incident Investigation

By Jennifer Stisa Granick, Director of the Center for Internet and Society (CIS), Stanford Law School

Companies and governments use various techniques to investigate when computer break-ins happen, and to learn more about potential intruders. But these techniques can invade the privacy of entities other than the suspect, and violate privacy laws. Additionally, regulations may define different investigative techniques themselves as attacks or intrusions. There is little legal guidance in this area, and a lot of uncertainty. This talk will discuss the legality and social benefit/detriment of network scans, war driving, borrowing wireless connectivity, sniffers, "hack-back", social engineering and other techniques.

Security Breaches: Who is responsible

By Hamish Fraser, Lawyer, Optus

Recent insurance industry reports suggest that Australia is amongst one of the litigious societies in the world, so if a security breach occurs, people will be looking for someone to sue to recover any loss. This presentation will consider the various legal rights and responsibilities that arise when a security breach does occur and will then discuss legal strategies companies can employ and should be aware of to minimise their exposure to this risk. The presentation will then examine several recent case studies of security breaches including Denial of Service attacks and PBX and international tolling fraud. This paper is aimed at both suppliers and users of ICT based systems that are susceptible to security breaches.

Applied Information Security Risk Assessment

By Gary Gaskell, Infosec Services Pty Ltd
Mark Ames, ICT Risk Pty Ltd

Many IT and audit professionals are familiar with the principles of risk management and the key processes involved in information security risk assessment, but find applying these principles and processes challenging in the corporate context.

This tutorial assumes previous knowledge or experience of assessing IT security risk.

Participants should be familiar with at least some of the major relevant standards:

• Australian Standard 4360, Risk Management,
• Standards Australia Handbook 231, Information security risk management guidelines
• ISO 17799 and its companion implementation standard AS 7799.2,
• Commonwealth Government Australian Computer Security Instruction (ACSI) Handbook 3.

A laboratory and "hypothetical" approach is used to develop participants. proficiency in the application of risk assessment and risk management techniques for their organisations and clients. Each participant is asked to bring along a specific risk assessment/risk management problem that they have encountered.

A principal focus of this tutorial is on the application of different techniques and approaches for:

• Identifying and assessing risks
• Gaining buy-in from stakeholders
• Presenting results to line and senior management.
• Aligning, rationalising, and embedding consistent risk management processes within the organisation.
• Developing integrated, consistent risk management approaches incorporating information security risk management.

Participants will have the opportunity to sharpen their skills and develop improved techniques and approaches for applying information security risk management.

The educational approach is based on a heterogenous group where more experienced participants will gain by .third-party teaching. through communicating their experience and understandings to keen students who bring fresh understandings and perspectives to the risk management challenge.

Tutorial Outline:

• Review of Risk Management framework and concepts
• Practical experiences (War Stories)
• Traps for young Players
• When it hits the fan - how best efforts fail
• Case studies - Ideology, Ignorance, Politics, (and) Success
• Interactive review and discussion
• 'Hypothetical' development
• Making it real - Executing the Hypothetical (on for young and old)
• Review and wash-up
• Group participation - what have we learnt

The Internet: What we'd fix if we thought it was broken

By Fred Baker, Cisco Fellow, Cisco Systems

It is rumored that the Internet Architecture is less than perfect; that failures happen, that people receive mail they didn't solicit, and that attacks of various kinds happen. Without admitting or denying the allegations, Mr Baker, who has served as a contributor and leader in the Internet Engineering Task Force, will look at the operational and protocol structure in the Internet, potential weaknesses, and potential solutions to the problems these present.

Exploring Grand Challenges in Trustworthy Computing

By Eugene Spafford, Professor, Department of Computer Sciences, Purdue University

We are presented with numerous challenges to make our information systems more secure, increase our confidence in our stored data, and protect the privacy of our personal information. However, under the steady barrage of attacks and flaws, it is sometimes difficult to think in terms of "big" challenges that can inspire us to make revolutionary, rather than evolutionary, strides.

In this presentation I will discuss a few of the trends and problems that have been occupying researchers and industry over the last few years. I will explain why advances against these challenges are unlikely to provide long-term improvements in the security of our infrastructure. From this, I will then discuss the results of the recent CRA Grand Challenges conference on information security, including some discussion of how we might proceed to make progress on each of these four grand challenges.

Comparing Handheld Operating System Security

By Eric Chien, Senior Software Engineer Symantec

Today, telephony-enabled personal digital assistants (PDAs) and smart phones are beginning to replace classic cellular telephones and non-networked PDAs. The functionality of these handheld devices are moving towards a desktop computer combined with a cellular phone, small enough to fit in ones own pocket. The ability to have network or telephony access dramatically increases the vectors of infection on these handheld devices.

This presentation will explore the malicious code threats on the three major handheld platforms (PalmOS, EPOC32, and Windows CE) and consist of live demonstrations. The demonstrations will include the ability to remotely control devices via SMS, send email worms, hook the operating system, modify files, programmatically send SMSes, and initiate phone calls.

Finally, preventative measures and existing solutions for handheld devices will be discussed.

Incident Response and Intrusion Analysis - Intermediate Level

By Dr Michael Cohen, Senior Technical Adviser
Scott MacLeod, Leader
Steven McLeod, Technical Adviser
David Collett, Technical Computer Security Analyst
Steven Stroud, Manager, Technical Services

The tutorial will be a follow-on from our 2 hour session last year (Incident response and Intrusion Analysis) which was a basic level tutorial. This year we would like to move to an intermediate standard. Attendees should have a basic understanding of Incident Response and Intrusion Analysis.

System administrators are often faced with the overwhelming task of understanding and analysing digital forensic material (such as network captures and log data) after an incident or compromise. This tutorial will demonstrate the technical steps to process this information using open source tools and utilities specifically FLAG a tool developed by the DSDs Computer Network Vulnerability Team.

Topics that will be covered in the tutorial are:

• Hard Disk Forensics including RAID Reconstruction
• Network Forensics

How the above topics can be used as complementary skill sets when working with large datasets or complex attacks.

This tutorial is an extension of the 2003 AusCERT tutorial conducted by DSD and is designed to show attendees the more complex issues related to computer/netwerk forensics and incident response.

New Spam laws: risks and compliance issues?

By David Vaile, Executive director, Baker & McKenzie Cyberspace Law and Policy Centre, University of NSW

The Spam Act 2003 comes into force in April 2004 in Australia, and potentially affects many businesses, consultants, direct marketers, internet providers and employers. With its wide scope (inc. SMS and IM), its strict opt-in approach leavened by exemptions and loopholes, its differences from the 'USA CAN-SPAM' Act, and some key definitions open to interpretation or discretionary enforcement by ACA, it poses initial challenges for security, legal and privacy policy ad