RFID - social impacts and implications
Dan Klein

It is no secret that we are at the dawn of the digital age - our parents (and for some of us, even our grandparents) have computers, digital cameras, MP3 players, etc. We each have more computing power in our cell phones than the mainframes of 35 years ago, and everywhere we find data acquisition and tracking systems. Privacy has never before been more zealously guarded nor more freely abandoned, and with the proliferation of digital data collection and dissemination have come new worries. RFID - the boon of sales, inventory control, and tracking - has the potential to become the bane of our lives. What is being recorded, why, and by whom? A generation ago, people punched in and punched out of work, and their free time was largely their own. Today, sensor technology has the potential to track us without our knowledge, and secrets are harder to keep. Sensors needn't be implanted - they can be woven into our clothing! How can we prevent misappropriation or misuse of information about ourselves? How can we ever expunge flawed records, urban legends, or embarrassing facts? And with the impersonality of sensors, how can we prevent (or even detect) impersonation? We are becoming the elephant who never forgets, but what are we remembering? This talk will take a look at what our world is becoming, and perhaps suggest what we can do to make it a little less imperfect.

APWG Technology and Policy Priorities
Peter Cassidy
- Anti-Phishing Working Group (APWG)

The APWG has come to occupy many roles in the global contest with electronic crime: Statistician and Analyst, delineating the phishing experience, enumerating phishing's growth and characterizing phishing's evolution to inform stakeholder dialog; Advisor to government and industry, distributing information to inform industrial and public policy; and Federating Nexus where the counter-ecrime stakeholding community assembles to pursue technical and policy development programs of broad counter-ecrime utility. APWG Secretary General Peter Cassidy describes how the APWG is evolving into a clearinghouse for different kinds of ecrime data, ecrime data reporting formats, alerting mechanisms and federating schema (such as the user agreements it developed to allow its trading partners to exchange data without incurring new liabilities) that are helping to fuel counter-ecrime efforts in industry and government. Finally, Mr. Cassidy will report on the APWG's first major policy initiative: the Domain Name System Policy Working Group, which is investigating how domain registration policies exploited by phishers and ecriminals could be tuned to frustrate the abuses of DNS registration that are now routine parts of phishing attacks.

Avoid getting sued - can it be done?
Kay Lam-Beattie
- IDEALAW

No doubt IT security issues are keeping you awake at night, which is why you're at AusCERT. You'll find lots of answers at AusCERT - and probably also a whole new set of issues to worry about. Legally speaking, where does this IT security arms race leave you? And what can you do about it? This presentation will give a quick overview of sources of legal risk arising out of IT security breaches in an Australian context, that is - who can be sued, by whom, for what reason, and for how much? The presentation will then go on to give 6 basic strategies for legal risk management in relation to IT security:
- Structuring
- Asset protection
- Internal documentation
- Relationship with service providers / contractors
- Client relationships, and
- Legal compliance.

Who should attend? This presentation is designed to give attendees an overview of legal risk management and is aimed at Australian SMEs. If you already have your own in-house counsel or lawyers on your speed dial, this presentation is probably not for you.

Cyber attacks directed against critical infrastructure control systems
Marcus Sachs
- SRI International

Since its inception over 35 years ago as an experimental computer network, the Internet grew from purely academic and government use to a global phenomenon. In parallel, formerly isolated computer-based industrial control systems were also networked over the past few decades. Many years ago there were very few direct connections between the Internet and process control system computers - but that situation is rapidly changing. Press reports over the past few years have sounded the alarm: terrorists, spies, and criminals could break into these critical systems via multiple access points and weak Internet protocols, causing havoc and panic. Yet the electricity keeps flowing, trains keep running, and there are few public reports of successful cyber intrusions into industrial systems. So is this all hype, or is there really a problem we need to worry about? Unfortunately this is no myth. Recent experiments as well as real world incidents have proven that access to critical infrastructure control systems is easier than originally thought. This talk will show how control networks can be accessed from the Internet, what the threat groups are planning, and what the risks and challenges are for critical asset owners and operators. The talk will close with a discussion of several effective solutions for securing critical systems against cyber attacks from the Internet.

Establishment of CyberSecurity Malaysia
Husin Bin Jazri
- CyberSecurity Malaysia

Malaysia has created a trusted model which combines the strengths of government, the private sector and communities. Through the creation of a not-for-profit government-linked company, this corporatized entity helps to develop competencies and expertise faster to cope with changing technology and threats. It enjoys the trust of government, the private sector and communities. As a technical agency, CyberSecurity Malaysia (formerly known as NISER) has become a complaints bureau for the Internet community as well as a reference centre in information security. CyberSecurity Malaysia operates MyCERT, which is the point of contact for cyber incidents originating in and/or targeting Malaysia.

The Cyber Risk of Untrustworthy Software from the Globalization of Information Technology
Andy Purdy

- Globalization drives companies to pursue talent and lower costs wherever they are found in the world.
- Market and business drivers encourage companies to move software production to the least expensive source.
- The global nature of the software development industry has created concern over the security of networks and of the data and information that traverse or are stored on them.
- The availability of access by sophisticated malicious actors - whether nation states or organized terrorist or criminal groups - to software development and the software supply chain generally poses significant security concerns.
- Software offers an effective means for technical intelligence collection by sophisticated adversaries.
- Tools and techniques for scanning software for accidental or maliciously inserted vulnerabilities are inadequate for effective detection and remediation.
- To date, most development practices focus on improving performance, not on detecting such vulnerabilities.
- Open architectures and reusing code can reduce costs, but may increase risk.
- The talk will discuss best practices for software development, and current efforts by government and private industry to reduce the risks posed by untrustworthy software.

Digital Forensics - Emerging Trends
Raja Azrina Raja Othman
- MyCERT

The rise in incidents and white collar crimes has led to a greater need for investigations involving digital forensics. Evidence is stored in miniaturized devices, and social engineering is actively deployed by criminals. The presenter will share case studies as well as the challenges faced by analysts in evidence extraction and analysis.

Vulnerability Type Distributions in CVE
Bob Martin
- Mitre

For the past 5 years, CVE has been tracking the types of errors that lead to publicly reported vulnerabilities and periodically reporting trends. The primary goal of these studies is to better understand research trends using publicly reported vulnerabilities. Over this period we have noticed various changes in the kinds of issues being reported. For this report we looked at all vulnerabilities and then just those in major vendor advisories, to compare and contrast. In the talk we will highlight the top vulnerabilities in each category, explain some possible reasons for the changes, and discuss possible future trends. While an initial version of this year's report was issued in October to support the Common Weakness Enumeration (CWE) project, this talk is based on the complete information from 2006 items.

ISO 27001 Certification Process
Tammy Clark
- Georgia State University

Georgia State University is one of the first universities in the world to embrace the ISO 27001:2005 standard for establishing an Information Security Management System (ISMS). Although it has been immensely challenging, this systematic/disciplined approach of empowering people, processes, and technology is helping us to develop a World Class ISMS. This panel session will discuss the development of an enterprise ISMS at GSU based on risk management, the ISO 27001 certification process, and briefly touch on the Holistic Information Security Practitioner certification (HISP).

Security Return on Investment - A Case Study
Jodie Siganto
- Bridgepoint

One of the biggest challenges for Information Security Managers is demonstrating the value, particularly in "return on investment" terms, of the cost of implementing comprehensive security. Cost is often used as a reason for not implementing security controls, with an outcome that can skew an organisation's approach to risk acceptance. This presentation will use a case study to demonstrate how the costs of investigating and recovering from a security incident, together with the reduced chances of successfully identifying the incident source, can far outweigh the cost of implementing and maintaining effective security controls. The case study will be based on a combination of different incidents where Bridge Point were the lead forensic investigators.

The incident response standardization and risk assessment process
Sean Catlett
- Bank of America

In the changing world of security risk management, some practices are shifting focus to provide improved immunity and resiliency for the business. Incident response, a key driver in resiliency, is embracing risk based standardization as an approach to enable a more comprehensive service offering and "right sized" response to security events. This presentation will cover the concepts and advantages of this approach.

An introduction to CobiT® Version 4.0 as a security management tool
Rupert Dodds
- KPMG

The presentation will seek to inform the audience on the objectives and structure of CobiT with respect to security management. The presentation will describe what CobiT is, how it is developed and the composition of the framework. The presentation will drill down into the IT processes outlined in CobiT and highlight those with particular relevance to security. In this way, the presentation will explain the key elements of the framework which contribute to optimising security management processes. The presentation will examine the detail within an example CobiT process and will choose DS5 as the process most closely aligned with the audience's interests. The presentation will show the high level and detailed control statements, the RACI (Responsibility / Accountability / Consultation / Information) chart, and the specimen KPIs. The presentation will introduce a comparison of CobiT with ITIL and ISO 17799, showing the relative breadth and depth, strengths and weaknesses of each and suggesting how these frameworks may complement each other. The presentation will conclude by summarising the key messages - the benefits of CobiT and how the framework supports improvements in security management processes.

Know thy Enemy: deconstructing a multi-billion message spam attack & the criminals behind it
Patrick Peterson
- Ironport Systems

"Know thy enemy" - Sun Tzu. This presentation dissects the enemy's attack and supporting command and control infrastructure. All aspects of a multi-billion pharmaceutical spam message attack are analyzed. This includes the 100,000 spam-sending zombies, thousands of spam content mutations, 1500 domain names used in spam, compromised hosts used to anonymize the pharma websites and the criminal's supply chain infrastructure, including the overseas pharmaceutical manufacturing plant. This presentation will fully dissect every aspect of the attack outlined above. This will be accomplished by providing vivid illustrations of each technique with real world examples. Examples of tools used to carry out such attacks will also be presented. The presentation will culminate in demonstrating that a single actor is behind the attack. The delivery strategy will be to take each aspect of the attack and demonstrate in detail the actual techniques used for each of these aspects. The intended audience is IT professionals who are exposed to modern online threats. While the presentation focuses on a spam attack, the techniques are also used in virus attacks, phishing and web-based malware dropping. The audience will gain a deep understanding of the criminal techniques and insight into how to evaluate solutions holistically to protect their enterprise.

The Cyber Criminal Economy
Stas Filshtinskiy
- ANZ

Cyber attacks and security breaches cost billions of dollars in direct losses, downtime, stolen identities and loss of intellectual property, and have become one of the most pressing issues facing the banking and finance sector. This presentation will cover the brash and innovative methods utilised by the criminal community to propagate the cyber criminal economy, the impacts on the corporate sector and what ANZ is doing to proactively address this ever-changing threat landscape. Come along and hear about what goes on 'below' the water line. While most discussions focus on what can be seen above the surface - the tip of the iceberg - there is a lot to learn from identified incidents, uncovered compromises and acknowledged losses.

Large Scale Flow Collection and Analysis
Mike Newton
- Stanford University

While a campus-wide departmental firewall deployment will soon change campus traffic patterns, currently Stanford's network is largely unfiltered. This gives a unique window onto the types of traffic, probes, vulnerabilities and weaknesses that one finds in such an open net. Stanford's Information Security Office collects flow data using Argus flow collectors. This paper will use the stored data set - approximately 3.5TB - to present various statistics, graphs and an analysis of the type of flows that such an organization experiences. The data provides forensic evidence, direction for network upgrades, and an opportunity to study traffic signatures in a relatively unfettered network environment.

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam
Cristine Hoepers
- CERT.br

This presentation will introduce the SpamPots Project, whose main objective is to collect data about the use of home computers with broadband connectivity as part of the spam infrastructure. The architecture of the project, which involves the use of low-interaction honeypots, will be presented, as well as preliminary data that have already been collected and analyzed. Current and future steps necessary to better analyse the data will also be discussed, including new data mining algorithms and better ways to collect and correlate data seen in different networks and countries. This project is conducted by CERT.br and sponsored by the Brazilian Internet Steering Committee.

Brave New World: Combined Public-Private Sector Disaster Response Exercises
Jeff Wright
- Department of Homeland Security - DHS

Companies routinely conduct business continuity exercises and tests in order to ensure critical business functions in the face of disaster and meet regulatory requirements. Governments also regularly conduct emergency management and disaster response simulations and exercises to rehearse standard operating procedures and first responders. But in today's highly integrated environment, risk does not reside just in the public or private sector. With increased reliance on IT systems and infrastructure interdependencies that are only now beginning to be understood, the stovepipes between public and private sectors continue to shrink. So too must the levels of coordination and collaboration dramatically increase in order to prevent, protect against, respond to and recover from all hazards across government and within the private sector. But progress requires more than discussion and planning. In order to create a more collaborative environment with real response and recovery capabilities that are able to function across the board, all parties must exercise together - from service providers and critical infrastructure owners/operators, to government at all levels. This presentation will examine the issues of conducting combined public-private disaster response exercises and provide an update on how the U.S. Department of Homeland Security is working with governments, domestically and internationally, and the private sector to move disaster response exercises to a new level of cooperation.

Closing Address
Richard Thieme
- ThiemeWorks

Building a Platform for the Future: Life on the Other Side of the Looking-glass

In his closing presentation, Richard Thieme looks forward as well as back. He will integrate the deeper subtexts of conference presentations with his own unique mix of anomalies, indicators, and possibilities to illuminate an emergent landscape - a landscape in which security, intelligence, and familiar notions of identity are shifting. The impact of the singularity (whether metaphor or fact), the real implications of space war and a transplanetary society that explicitly factors in The Others, and the advent of a cyborg civilization all come into play.

Everything you know about desktop security is wrong, or: How I Learned to Stop Worrying and Love the Virtual Machine
Ivan Krstić
- One Laptop Per Child

Hundreds of new security vulnerabilities are discovered every month. IDC estimates that more than 75% of all corporate machines are infected with spyware and malware. The count of known viruses surpassed a hundred thousand in late 2004 and keeps growing. The present security situation is dangerously chaotic, and to make things more interesting, a project called One Laptop per Child (OLPC) is hard at work creating one of the largest new monocultures in the history of computing. How does one secure a hundred million identical machines? Is OLPC a sign of impending doom for any hopes of secure computing? This talk traces many of the security industry's woes back to two engineers in 1971 and then provides a whirlwind tour of what they did wrong, why it matters, and the ideas that hold promise of a more secure tomorrow.

The International State of Information Security. The wins, the losses and the work that needs to be done
Howard A. Schmidt
- R & H Security Consulting, LLC

As we continue the foray into a total digital society, many of the information security programs we have built over the years need to be updated to address the new cyber threats. While we can never be 100% secure or investigate and prosecute all of the cyber criminals, we can reduce the number of incidents by developing private/public partnerships that draw on the strengths of government/law enforcement and the private sector to use technology, policies and personnel to improve information security. Howard will talk about the latest threats and countermeasures to protect ICT.

Web 2.0 - Securing the Brave New World
Mary Ann Davidson
- Oracle Corporation

The advent of Web 2.0 represents the mainstreaming of collaborative computing. The old fortified, bastion model of information, with its attendant portcullises and gatekeepers - both individuals and technical guard dogs - has largely been replaced by a wide open "information campground" in which information is heavily dispersed into multiple "tents" instead of a single castle, tents that are erected and disassembled rapidly and flexibly. Data is no longer constrained by locale, device or, to some degree, individual. As such, Web 2.0 has important implications for security. To what extent does Web 2.0 pose new security challenges, and to what extent does Web 2.0 comprise the same old threats with a new bunch of protocols and products? And what are the non-technical - but critical - security implications of Web 2.0? How must Web 2.0 evolve to enable flexible, collaborative associations without cyberanarchy?

A DELEGATE-ONLY CLOSED SESSION - NO MEDIA PERMITTED
Special Agent Mark Grantz
- (FBI) and a U.S. Secret Service employee.

At the specific request of the U.S. Secret Service, no media will be permitted to attend this session. The presentation will not be filmed and there will be no public release of the presentation and associated materials.
This presentation is closed off to all members of the media. The details of the presentation are to be kept between the presenters and attendees.
Media inquiries can be directed to the U.S. Secret Service Office of Public Affairs.

Mitigating Phishing by a New ID-based Chameleon Hash without Key Exposure
Qiong Ren
- University of Wollongong

Chameleon signatures were introduced by Krawczyk and Rabin to provide a non-transferable signature scheme. However, the non-transferability property requires the willingness of the recipient to consequentially expose a secret key, thereby invalidating all signatures issued to the same recipient's public key. This notion has been extended by Chen et al. to allow a "key-exposure" freeness scheme. However, it was concluded that to achieve this key-exposure freeness, one would require a technique called "identity customization". Therefore, the notion of an identity-based chameleon hash function becomes redundant, since the identity is always needed in the construction of the chameleon hash functions themselves. In this paper, in contrast to the previous construction, we construct an identity-based chameleon hash without key exposure that does not require any identity customization. More importantly, using the framework proposed by Susilo and Mu, we extend our scheme to mitigate phishing. Furthermore, our scheme can be easily extended to a multi-party scenario, where phishing can be mitigated in a mailing list setting, which is more practical.

A Secure Billing Architecture for 4G Wireless Networks
Jared Ring
- Queensland University of Technology

Fourth Generation (4G) wireless networks allow ubiquitous pervasive data and voice connections for mobile users. Users will no longer have a single relationship with one access provider, but a relationship with a Biller or Agent which enables them access to the 4G world. The role of the Biller is to negotiate with providers that users have requested a service from. This situation gives rise to a number of security and trust issues between the 4G participants. The contribution of this paper is the proposal of a security architecture that provides informed consent for users and providers, per unit billing and per use billing with non-repudiation. We provide an informal analysis of the performance and security of this new architecture.

Substantiating Security Threats Using Different Views of Wireless Network Traces
Elankayer Sithirasenan
- Griffith University

Huge amounts of network traces can be collected from today's busy computer networks for various analyses. These traces could be used to detect intruders and other unusual events. Real time detection of outliers from large data sets can lead to effective intrusion detection and prevention. Presently, due to the lack of fast on-the-fly updating and processing capabilities, intrusion detection systems (IDSs) do not detect intruders instantly. Furthermore, most IDSs cannot adapt their detection mechanism in real time to accommodate legitimate dynamic changes. Achieving dynamic adaptation in real time has been a long standing desire for effective intrusion detection and prevention. Organizations which heavily rely on network activities are in need of an IDS that could detect intruders in advance and stop them before they could cause chaos. In this context we propose a novel mechanism to detect intruders in wireless LANs. Our system monitors for timing and behavioural anomalies and uses outlier based data association techniques to substantiate the anomaly. In this paper we introduce the concept of views and their use in substantiating security threats. We have tested our concept on data captured from our experimental wireless network environment. The results are analysed and reported here.

Securely Deploying IEEE 802.11 WLANs
David Ross
- Queensland University of Technology

In wireless LANs, the robust security network, or RSN, as defined in the IEEE wireless LAN security amendment IEEE 802.11i, is the goal for any new deployment of all but the most open public networks. This paper discusses and compares the differences between theory and practice - between WEP, WPA, WPA2, IEEE 802.11i, RSN and TSN - and their application in public, private, commercial and government environments. While the details and analysis of a series of tests on two modes of attack on WPA2 WLANs show that a possible implementation attack on a strong configuration fails for all equipment surveyed, they illustrate the issues of weak configurations of WPA2 WLANs not meeting RSN requirements and demonstrate the vulnerabilities of such weak configurations. The empirical results are discussed, both in the context of the relevant parts of the standard and in that of the intended application. The use of vendor-specific "mixed-modes" of operation (WEP with WPA/WPA2), where available, is shown to severely compromise the security of a WLAN, and common failures in consumer and SOHO configurations are also substantiated. The paper concludes with specific guidance on the secure deployment of WPA2 to form an RSN and remedial actions where the existing configuration degrades security.

Event-based Computer Profiling for the Forensic Reconstruction of Computer Activity
Andrew Marrington
- Queensland University of Technology

In cases where an investigator has no prior knowledge of a computer system to be investigated, the significant investment of time and resources required to undertake a detailed computer forensic examination may deter investigators, given it is not known whether it will yield any relevant evidence. This problem is particularly acute in cases involving acceptable usage monitoring or intelligence operations, where an investigator has no particular expectations about the digital evidence which might be found on a collection of computer systems, or no prior knowledge of their usage. Computer profiling is a process by which a computer system is automatically examined, without direction, to determine whether the computer system is of interest to a human investigator. This paper proposes a new technique for automated computer forensic investigations which provides a computer profile with historical timelining of user and application activity. A prototype software implementation of the technique is described and experimental results are provided and discussed which demonstrate the feasibility and value of incorporating activity traces into a computer profile.

Using Event Attribute Name-Value Pairs for Summarizing Log Data
Zieb Rana
- Defence Science and Technology Organisation

Security loggers such as network intrusion detection sensors and operating system audit recorders typically produce a large volume of events, the magnitude of which can make detailed manual analysis (e.g., investigating a security incident) prohibitive. However, it is often only through such analysis that computer security professionals can meaningfully tune audit policy and operational configuration, and detect unusual or malicious events ("attacks"). Clearly, better tools are required. This paper proposes a data clustering algorithm which can assist in these areas. Our algorithm clusters log events according to type and attribute, grouping the events typical of normal behaviour into clusters, thereby highlighting which are typical and which are unusual events (those that don't map into one of the "normal" clusters). The number of clusters and the number of outlier events is typically very small compared to the overall size of the log since the vast majority of events have been filtered. As a result the manual investigation of these events is viable. Our algorithm is scalable and efficient and can further be used to detect temporal changes in event clusters.

| Network Incident Response |
| |
|
Richard Bejtlich
- TaoSecurity
|
| |
|
Network Incident Response Part 1: Network Forensics You're responding to an intrusion and collecting network-based evidence. Now what? Most investigators know how to handle host-based forensics, but how does one protect, preserve, and present network-based evidence? This presentation helps attendees turn the data collecting during network incident response into something useful to a judge, jury, or human resource officer. This tutorial will supplement the more prevalent host-based forensics classes found in the security industry. Intended Audience: This tutorial is designed for security staff and sys admins who detect and respond to intrusions. A general knowledge of offensive and defensive security principles is helpful. The author's book "The Tao of Network Security Monitoring: Beyond Intrusion Detection" is a very helpful pre- requisite, but it is not mandatory. Technical Level: Intermediate - Advanced Duration: half-day Part 2: Network Incident Response Intro: Your network security monitoring operation just discovered an intrusion. Now what? Most investigators know what to do on the host side of the incident response equation, but how does one handle network-related IR? This presentation helps attendees know what network data is valuable, how to collect it, and what it means. This tutorial will supplement the more prevalent host-based forensics classes found in the security industry. Examples are drawn from real-life cases. Intended Audience: This tutorial is designed for security staff and sys admins who detect and respond to intrusions. A general knowledge of offensive and defensive security principles is helpful. The author's book "The Tao of Network Security Monitoring: Beyond Intrusion Detection" is a very helpful prerequisite, but it is not mandatory. Technical Level: Intermediate - Advanced Duration: half-day |

Malware Reverse Engineering

Andrew Collins
- Stratsec

Mark Titley
- Stratsec

Sarah Tueno
- Stratsec

Unknowingly placing malicious code into your ICT environment can pose a significant security risk. This tutorial aims to walk students through the process of reverse engineering potentially malicious code/applications. With this knowledge in hand a system administrator will be able to identify potential risks in non-commercial software prior to it being deployed into a business-critical production environment.

ISO 27001 Certification Process - Business Tutorial

Tammy Clark
- Georgia State University

This informative session will discuss how to develop a risk-management-based Information Security Management System (ISMS). We will provide you with a copy of our comprehensive information security plan based on the ISO 17799 framework and discuss how you can apply our approach to seek ISO 27001 certification. We will provide participants with information on the process of pursuing ISO 27001 certification by an accredited body and on the new HISP (Holistic Information Security Practitioner) certification offered by Efortresses, a BSI consultancy based in Atlanta, GA, that trains information security practitioners in information assurance.

Incident Response using PyFlag - the Forensic and Log Analysis GUI

Dr Michael Cohen
- AFP

PyFlag (Forensic and Log Analysis GUI) is an advanced open source forensic tool for the analysis of large volumes of log files, forensic images and network captures. PyFlag's features include the ability to load many different log file formats, perform forensic analysis of disk images, and analyse large network captures (such as those obtained via tcpdump) quickly and efficiently. PyFlag allows for advanced recursive searches. For example, keywords may be found in a Word document embedded within a Zip file contained in an email attachment found within a PST file.

This tutorial will be hands on. Delegates will work through a number of simple to advanced incident response and forensic scenarios which include:
- Analysis of forensic images to determine the source of an intrusion.
- Analysis of network captures to obtain forensic evidence.
- Analysis of large server log files to determine attack patterns.

The tutorial will be focused on scenarios most likely to be presented to an incident response team.

An Introduction To The Sleuth Kit and File System Forensic Analysis

Brian Carrier
- Basis Technology

This tutorial will cover the basics of The Sleuth Kit (TSK) and Autopsy Forensic Browser, both of which are open source digital investigation tools. The tutorial will also cover some of the high-level details of file systems, because the design of TSK is based on a file system design. The tutorial will cover how to install the tools and how to use them to look for evidence. This tutorial will require a laptop with Linux, OS X, or Free/OpenBSD. It will be assumed that the attendees are comfortable using their laptop and know basic command line tools.

Building a modern LDAP-based security framework

Andrea Barisani
- Inverse Path Ltd

Workshop: Building a modern LDAP-based security framework
Duration: 3.5 hours

Description

The audience will be introduced to the general architecture of LDAP and its advanced usage in UNIX environments as a tool for improving account and authorization security via central management. The LDAP protocol and its related frameworks are valuable and powerful tools for user and authorization management in UNIX environments. This tutorial will show how to integrate such technology using the latest available tools for completely centralized management of UNIX accounts. We will show how it is possible to grant, restrict and control user authorization in a scalable and efficient way in multi-server environments without any post-installation interaction on the LDAP-aware servers, centralizing all management tasks and access control. The objective is to provide a clean, secure and flexible access control system, including SSH public key management and Sudo profile management via LDAP. The workshop will focus on a secure implementation of the framework, clearly illustrating how LDAP can improve infrastructure security and showing the common mistakes that could otherwise open up security holes. LDAP failover problems in production environments will also be a central topic of the presentation. The tutorial session will focus on the OpenLDAP implementation on GNU/Linux systems; other applications covered are pam_ldap / nss_ldap / openssh-lpk / sudo / perl-ldap / PAM.

Prerequisite Skills
- basic command line proficiency on *NIX systems
- basic Linux/*NIX system administration skills
- familiarity with Makefiles / autoconf usage and package compilation and installation

Speaker Profile

Andrea Barisani is a system administrator and security consultant. His professional career began 7 years ago, but it all really started when a Commodore-64 first arrived in his home when he was 10. Now, 15 years later, Andrea is having fun with large-scale IDS/firewall deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. He is currently involved with the Gentoo project, managing infrastructure server security as a member of the Gentoo Security and Infrastructure Teams, along with distribution development. An active member of the international Open Source and security community, he is the maintainer/author of the tenshi, ftester and openssh-lpk projects and has been involved in the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and is now the co-founder and Chief Security Engineer of Inverse Path Ltd. When outside his text-based world he joins real life and, among many hobbies, he studies for a bachelor's degree in Physics.

Database security

David Litchfield
- NGSSoftware

Ron Brandis
- NGS Software

Wade Alcorn
- NGSSoftware

NGSSoftware will present a tutorial for experts in Database and Web Application Security. The content will focus on advanced concepts in penetrating various tiers of a system's architecture. Professional and up-to-date attack techniques for MySQL, Oracle and MSSQL will be covered during this one-day tutorial. NGSSoftware is the world leader in Database security, having published the Oracle Hacker's Handbook (Wiley), the Database Hacker's Handbook (Wiley), the Shellcoder's Handbook (Wiley), Special Ops (Syngress) and SQL Server Security (Osborne-McGraw-Hill).

Attendees of this tutorial will be presented with cutting edge professional techniques in assessing system security. It is advisable that participants have a solid understanding of the technologies and the standard security issues surrounding them.

'Hands-on' Infrastructure penetration testing

Chris Gatford
- Pure Hacking

Ty Miller
- Pure Hacking

Pure Hacking: The Tutorial, Infrastructure Penetration Testing

The Pure Hacking Tutorial is a highlights package from existing course offerings that provide intensive, hands-on training. Participants will learn how hackers think and act. They will learn how hackers can gain entry, steal information, and damage company reputations. The intent of this course is to assist organisations in arming front line staff with the approach, the latest tools and the techniques that attackers utilise, so that they can better secure their organisation's IT environment. The tutorial will include modules covering the essentials of penetration testing and the various technologies commonly utilised in most organisations. This tutorial will provide a brief overview of:
- Which tools to use,
- How to use the tools, and most importantly,
- The methodology behind security testing.

The tutorial will allow attendees to understand the knowledge required for a person to be considered a capable, resourceful, and self-sufficient security tester.

Acquisition and Analysis of Large Scale Network Data

John McHugh
- Dalhousie Uni

Ron McLeod
- Telecom Applications Research Alliance (TARA)

Introduction: Detecting malicious activity in network traffic is greatly complicated by the large amounts of noise, junk, and other questionable traffic that can serve as cover for these activities. With the advent of low cost mass storage devices and inexpensive computer memory, it has become possible to collect and analyze large amounts of network data covering periods of weeks, months, or even years. This tutorial will present techniques for collecting and analyzing such data, both from network flow data that can be obtained from many routers or derived from packet header data, and directly from packet data such as that collected by TCPDump, Ethereal, and Network Observer. This version of the course will contain examples from publicly available packet data such as the Dartmouth Crawdad wireless data repository and will deal with issues such as the acquisition of data in IP-unstable environments such as those involving DHCP.

Because of the quantity of the data involved, we develop techniques, based on filtering of the recorded data stream, for identifying groups of source or destination addresses of interest and extracting the raw data associated with them. The address groups can be represented as sets or multisets (bags) and used to refine the analysis. For example, the set of addresses within a local network that appear as source addresses for outgoing traffic in a given time interval approximates the currently active population of the local network. These can be used to partition incoming traffic into that which might be legitimate and that which is probably not, since it is not addressed to active systems. Further analysis of the questionable traffic develops smaller partitions that can be identified as scanners, DDoS backscatter, etc. based on flag combinations and packet statistics. Traffic to and from hosts whose sources appear in both partitions can be examined for evidence that its destinations in the active set have been compromised. The analysis can also be used to characterize normal traffic for a customer network and to serve as a basis for identifying anomalous traffic that may warrant further examination.

Prerequisites: General familiarity with IP network protocols. Elementary familiarity with simple statistical measures.

Textbooks, etc.: At the present time, there is no suitable textbook. Participants will receive copies of the SiLKtools analysis handbook, supplemented by reprints of selected publications from the technical literature. The tools themselves are freely available at http://tools.netsa.cert.org/silk and run on a variety of Unix based systems, including OS X. The group at Dalhousie is supplementing the SiLK toolset from CERT; these tools are available as well and will be included in the discussion.

Outline:
I Introduction (45 Minutes)
  A Review of IP packet structures
  B Network data collection tools
    1 Cisco NetFlow
    2 TCP dump / Fprobe / etc.
  C A quick tour of "interesting data"
II Data Collection (45 Minutes)
  A Netflow and similar abstractions
  B Packet data
  C DHCP and dynamic addressing
Break
III The SiLKtools Analysis Suite (90 Minutes)
  A Data fields and features
  B Selecting data for analysis
    1 Selecting raw data records
      a rwfilter, a flow selector
      b Converting packet data to approximate flows
    2 Building sets of IP addresses - rwset, rwbag, buildset, etc.
    3 Manipulating sets and bags - bag to set, set union, set intersection, bag addition, etc.
    4 Partitioning raw data with sets
  C Elementary analysis
    1 Network structure - subnet analysis of IP sets
    2 Feature extraction - rwcut for raw data
    3 Ordering data by time or features - rwsort
    4 Flow Counting - rwaddrcount
    5 Top N IPs for some N and some feature - rwunique
Lunch
IV Advanced Analysis (90 Minutes)
  A Finding Connections
    1 Bloom filters and other sparse relationships
    2 Eliminating Non-connections
    3 Consolidating unidirectional flows
    4 Matching bidirectional components
  B Looking for scanners
    1 High density scanners - the obvious cases, long term trends
    2 Worm residue and related noise
    3 Low rate and distributed scans
  C Clustering extracted features - rolling your own tools
Break
V Case studies (60 Minutes)
  A Worms and worm outbreaks (a recent case, if possible)
  B Estimating DDoS attack severity
  C A collection of strange individual host behaviors
  D Analysis of emergent internet behaviors
  E Enterprise level analysis, a case study
VI General Questions and Discussion (30 minutes)
Adjourn
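The partitioning method the abstract describes (active-address set from outgoing sources, inbound traffic split by whether its destination is active, the questionable remainder sorted by flag combinations) can be shown on a handful of flow records. The block below is an added example written for this page; it is not the tutorial's material or part of the SiLK tools. The flow records, the local address block (192.0.2.0/24) and the flag/packet-count thresholds used to label a flow are constructed assumptions.

```python
"""Added example: partition constructed flow records with an active-address set
and classify the questionable remainder by TCP flag combination.
Sample data and thresholds are assumptions, not from a real capture."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed local address space (TEST-NET-1, reserved for documentation).
LOCAL_NET = ip_network("192.0.2.0/24")

# TCP flag bits as they appear in the header's flag byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Flow:
    sip: str      # source address
    dip: str      # destination address
    dport: int    # destination port
    flags: int    # OR of every TCP flag seen in the flow
    packets: int  # packet count of the flow


def active_set(flows):
    """Local addresses that sent outbound traffic in the window: an
    approximation of the currently active population (the abstract's step)."""
    return {f.sip for f in flows
            if ip_address(f.sip) in LOCAL_NET and ip_address(f.dip) not in LOCAL_NET}


def partition_incoming(flows, active):
    """Split inbound flows into 'possibly legitimate' (to an active host) and
    'questionable' (to an address nobody is currently using)."""
    legit, questionable = [], []
    for f in flows:
        if ip_address(f.dip) not in LOCAL_NET:
            continue  # outbound flow; only used for the active set
        (legit if f.dip in active else questionable).append(f)
    return legit, questionable


def classify(flow):
    """Label one questionable flow from its flags and packet count.
    Categories follow the abstract; the thresholds are assumptions."""
    if flow.flags & SYN and not flow.flags & ACK and flow.packets <= 2:
        return "scanner"           # bare SYNs probing unused addresses
    if flow.flags & RST or (flow.flags & SYN and flow.flags & ACK):
        return "ddos-backscatter"  # replies to packets that spoofed our space as source
    return "other"


def analyze(flows):
    """Run the whole pipeline and report the figures an analyst would look at."""
    active = active_set(flows)
    legit, questionable = partition_incoming(flows, active)
    # Sources seen in both partitions deserve a closer look: they reached an
    # active host and also touched addresses that should see no traffic.
    cross = {f.sip for f in questionable} & {f.sip for f in legit}
    return {
        "active": sorted(active),
        "legitimate": len(legit),
        "questionable": Counter(classify(f) for f in questionable),
        "cross_partition": sorted(cross),
    }


# Constructed sample flows (not a real capture).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 443, SYN | ACK, 20),        # outbound, .10 active
    Flow("192.0.2.11", "203.0.113.9", 80, SYN | ACK | FIN, 12),    # outbound, .11 active
    Flow("198.51.100.5", "192.0.2.10", 443, SYN | ACK, 18),        # reply to active host
    Flow("203.0.113.77", "192.0.2.200", 22, SYN, 1),               # SYN to unused address
    Flow("203.0.113.77", "192.0.2.201", 22, SYN, 1),               # SYN to unused address
    Flow("203.0.113.77", "192.0.2.11", 22, SYN | ACK | RST, 3),    # same source, active host
    Flow("198.51.100.40", "192.0.2.150", 80, SYN | ACK, 1),        # SYN/ACK to unused address
    Flow("198.51.100.41", "192.0.2.151", 25, RST, 1),              # RST to unused address
    Flow("198.51.100.42", "192.0.2.152", 1234, ACK, 1),            # lone ACK, uncategorised
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On the sample data the active set is {192.0.2.10, 192.0.2.11}, two inbound flows are addressed to active hosts, the five questionable flows split into two scanner-like, two backscatter-like and one uncategorised, and 203.0.113.77 is the one source that appears in both partitions. In SiLK terms the active set is what rwset builds from outbound records and the partition step is rwfilter with an IP set; the flag tests correspond to rwfilter's flag options.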

A Practical Guide to Authentication for Strategists and Policy Makers - Business Tutorial

Stephen Wilson
- Lockstep Consulting Pty Ltd

This interactive and practical workshop aims to help strategists, policy makers and regulators make best use of authentication technologies in Australia's technology neutral governance environment. Hot topics addressed include Federated ID, Internet banking security, phishing, smartcards, and the new Man In The Middle attack. The workshop will provide everything you really need to know in this challenging field, with a focus on marrying real business needs with technology and processes. The workshop will furnish attendees with Actor Diagrams, risk based selection frameworks, and other practical analytical tools with which to understand their own authentication requirements, and to assist them to make robust decisions at the strategy, policy and architectural levels.

What do you really need to know about authentication?
- Understanding the needs: Access Control, Document Management, and Anti Fraud
- Technology options: two factor authentication, digital certificates, smartcards and biometrics
- Authentication risk management

Hot topics
- Identity fraud: skimming, phishing, identity theft, website spoofing
- The Man-In-The-Middle attack
- Two Factor Authentication: How it works, and how it is under attack
- Mutual Authentication
- Federated Identity
- Public Key Infrastructure and the Gatekeeper reforms
- The Australian Government Authentication Framework (AGAF)
- Smartcards and their application in banking and government services

Toxbot Takedown and Provider Paranoia: A reflection on modern ISP incident response.

Scott McIntyre
- FIRST, KPN-CERT, XS4ALL

In October 2005 XS4ALL Internet, GovCERT.nl, and the Dutch High Tech Crime Center co-operated in the 'takedown' of an active Botnet being controlled by Dutch nationals; the experience was a unique collaboration between law enforcement and the private sector to effect real change in an active Botnet filled with what initially appeared to be tens of thousands of compromised systems. This talk will cover the pre-, during- and post-takedown phases of the Takedown and give special insight into the effect this Botnet has had in the Asia-Pacific region, where many systems remain compromised to date.

Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools

Joanna Rutkowska
- Invisible Things Lab

Many people believe that using a hardware based acquisition method, such as a PCI card or the FireWire bus, is the most reliable and secure way to obtain an image of volatile memory (RAM) for forensic purposes. This presentation is aimed at changing this belief by demonstrating how to cheat such hardware based solutions, so that the image obtained using e.g. a FireWire connection can be made different from the real contents of the physical memory as seen by the CPU. The attack does not require a system reboot. The presented technique has been designed and implemented to work against AMD64 based systems, but it does not rely on hardware virtualization extensions.

Infrastructure and Applications for Large-scale DNS statistics collection

Keith Mitchell
- Internet Systems Consortium

The Internet's Domain Name System (DNS) is increasingly implicated both as a target and in the perpetration of abuse, including botnets, phishing and pharming. Recent examples include the DDoS attack against the Internet root name servers in February 2007, and the use of DNS resolvers to amplify an attack against root and top-level domain operators in early 2006. Large-scale data gathering from the working DNS has various unique applications, both from a research perspective to better characterise the behaviour of the Internet as a whole, and from an operational perspective to detect, mitigate, trace, analyse, and prevent these types of abuse. Since 2004, ISC's OARC (Operations, Analysis and Research Center) has been providing the organisational framework and operational infrastructure to gather and share data from live top-level and root DNS operators with the research, abuse prevention, and law enforcement communities. This presentation describes the novel software tools and hardware platforms developed by OARC to enable this data gathering, and looks at some recent successful applications, including participation in a 48-hour global "Day In The Life of the Internet" collection exercise, and data gathered during the root server DDoS botnet attack of 6/7th February. OARC has also developed a number of tools for rapid and secure exchange of critical information between key trusted contacts at DNS operators; the use of these to date and their proposed evolution is explored.

Forensic Dissection of an Oracle Attack

David Litchfield
- NGSSoftware

This talk will start out with a demonstration of an attack against a fully-patched Oracle database server through a web application. Once done we'll explore where and how to gather evidence of the attack.

The SANS Internet Storm Center: A Collaborative Network Security Community

Johannes Ullrich
- SANS

The SANS Internet Storm Center (ISC) is the trusted source to refer to for advice while under fire from attacks. Using immediate and unfiltered information sharing and analysis provided by our handler team, the ISC is able to provide timely information to information security practitioners. This talk will outline the inner workings of the ISC. You will learn how information is shared and how the group of volunteer incident handlers is able to assess, analyze and counter threats of global scale. In order to illustrate the process, we will use the recent ANI vulnerability.

Advances in Data Recovery and Carving

Brian Carrier
- Basis Technology

The obvious way to hide an attack is to delete the evidence of it. While almost everyone knows that deleted data can be recovered, the difficulty of the recovery is heavily dependent on the operating system involved and the amount of system activity. For example, it is typically very difficult to recover files from Unix systems. Until recently, most file recovery methods were not widely published and many forensic tools had a high false positive rate. Recent work has changed this, though, and this talk will address some of the new and future techniques that can be used to more reliably recover evidence.

10 yrs of rootkits

Nelson Murilo
- Pangeia

Rootkits are a collection of tools developed to detect hidden intruders after gaining administrator access. Usually used in Unix environments, they have been in an evolution process for several years. The first reports about tools with these features were in 1989, in on-line zines like Phrack, and in 1994 they were used by security advisors of CERT. In their early days they were limited to changing traditional Unix commands, such as ls, ps, etc., and used small tools to remove invasion entries in files like wtmp. These days Chkrootkit is an old, but hardy, update tool. The first release was 10 years ago, in 1997. During this time it has supported Unix systems like Tru64, HP-UX and others. Nelson will talk about his motivations to write these tools, discuss the features and methods of checking and, of course, plans for new features and resources. While several signatures and sample scripts will be discussed during this talk, this is an open tool, so suggestions will all be welcome. For more information about these tools, please check: http://www.chkrootkit.org

Log-based intrusion detection using OSSEC

Daniel Cid
- OSSEC

This presentation will provide a highly technical overview on how to implement security log analysis (Log-Based Intrusion Detection) using the open source tool OSSEC. We will explain the inner workings of OSSEC and how to extract, analyze and correlate logs from multiple sources, including web servers, authentication devices and proxy logs. Examples of how to write decoders and rules will be provided, as well as tips on how to expand it for your own needs.

Evolution of a Security Event Management System

Andrew Collins
- Stratsec

Mark Titley
- Stratsec

Sarah Tueno
- Stratsec

Over the past 4 years both Andrew Collins and Mark Titley have designed, developed and managed large scale Intrusion Detection (ID) and Intrusion Prevention (IP) Systems for a number of commercial and Government departments. Over this time a number of architectures, vendors, platforms and configurations have been developed and analysed within a high pressure, large event volume environment. Mark and Andrew will present a vendor neutral overview of the architectures they have developed, focusing on the real-life lessons learned in deploying these systems and sharing their knowledge of how to avoid some of the issues they have confronted. Areas to be covered include:
- Sensor deployment locations and the resultant effect on the human and system backend;
- Large scale IDS/IPS architectural design issues;
- Cross vendor implementation issues;
- Event database fragmentation issues and database threading;
- In-band versus out-of-band sensor feeds and what occurs during a high alert volume/traffic incident; and
- IPS versus IDS - some abnormal behavior to keep in mind.

The Nature, Behaviour and Impact of Recreational Traffic

Ron McLeod
- Telecom Applications Research Alliance (TARA)

This talk will focus on the application of the SiLK Tools to the discovery of a network compromised by an intrusion from an on-line gaming system. A brief case study of the event will be presented, including preliminary evidence that the intrusion was used in part to propagate a virulent buffer-overflow attack worm. Recent information from an analysis of the adoption and spread of peer-to-peer systems and their influence on the diversity of network traffic, and the resulting impact on profiling workstation behaviour, will also be presented.

White is the new black: How to implement sysadmin-friendly and user-friendly whitelisting of web sites, and why this is essential to mitigate compromise and data exfiltration.

Greg Castle
- Defence Signals Directorate

With today's array of browser exploits, malicious web content, and large scale data exfiltration over the Internet, it is essential that organisations implement adequate web content filtering. Unfortunately most current filtering techniques are proving inadequate, and a number of filtering evasion techniques are available. In particular, the widespread use of SSL now necessitates a whitelisting approach to prevent data exfiltration and filtering evasion. However, the difficulty in building the list of legitimate SSL websites is proving too much for many organisations trying to implement this defence. This presentation showcases a new technique for dynamically building whitelists that can be applied to both SSL and HTTP. An evolving whitelist is created that requires very little sysadmin work, prevents a large slice of malware communications, and has very little impact on end users. Overall this presentation aims to instill the use of whitelisting techniques over the traditional blacklist approach to security.

Lessons in Open Source Security: the tale of a 0-day incident, security threats in OSS projects and paranoid practices that can save your day.

Andrea Barisani
- Inverse Path Ltd

The presentation will feature all the modern security practices that are really effective in saving the day when security incidents happen, practices that are unfortunately rarely seen in production environments. We will focus on proactive security practices for mitigating possible attack vectors, as well as monitoring and forensic techniques. We'll stress the point that trusting an eventual security prevention layer is never enough, and there's no security without proper monitoring and awareness of what's happening on your network. Being able to know about a successful compromise is much more important than trying to prevent it blindly. The journey through these apparently paranoid practices will be supported by a real example of a 0-day incident against an rsync mirror which was successfully handled, resulting in an advisory being released less than 36 hours from the initial attack. We'll then cover the security of Open Source projects, talking about the intrinsic threats and exposure of this kind of environment, attack vectors and good security practices for mitigating them.

In more detail the presentation will cover:
- the compromise[1] of a Gentoo rsync server, including how the incident was detected using Snort, multiple filesystem integrity checkers and remote log servers; the collaboration process with the rsync team and other people in the security community for fixing the problem and releasing the advisory; and how the information flow was securely managed given that a 0-day exploit was being used.
- other compromises in Open Source projects in that period (Debian, Gnome) and the possible correlation between them. Recent trends in high profile security compromises (Mozilla, private companies, Universities).
- the compromises you don't hear about: industrial espionage.
- human security procedures when dealing with a compromise: how not to panic, things to do and things not to do.
- local security in OSS projects, discussing shell access, sensible account management and monitoring, social engineering on IRC channels and the most serious attack vectors.
- filesystem integrity checkers: we'll discuss samhain[2] and other integrity checkers and how to deploy them, preventing possible subversion by the attacker.
- Intrusion Detection practices: Snort deployment, centralized secure logging using stunnel and syslog-ng, log analysis using tenshi[3] and all the other available options.
- forensic analysis: the cost-effective approach using 'strings' and 'grep', the expensive one using the Coroner's Toolkit and other tools.
- modern effective and manageable solutions for OS security: the Hardened Gentoo[4] approach, OpenBSD, Grsecurity, SELinux et al.
- Open Source and Security: what works, what doesn't, myths and facts

The Secure Development Life-Cycle, where are today's development projects going wrong?

Daniel Cuthbert
- Corsaire Security

The adoption of a Secure Development Lifecycle by Microsoft has changed the way traditional development is undertaken. No longer is security a last stage consideration; it is now key to the whole structure of developing applications and ensuring they are robust and secure enough to withstand attacks. Microsoft is leading the way with this drastic move, yet others are yet to adopt the approach. Where are development projects and teams still going wrong?

Key areas:
- What is SDLC and why should you care?
- What are the key points of an SDLC implementation?
- What are the benefits to any organization adopting an SDLC?
- A look at Microsoft's approach and how they benefited
- How you can adopt the SDLC in your development structure

VoIP: Attacks & Countermeasures in the Corporate World

Jason Edelstein
- Sense of Security

Voice over IP (VoIP) is one of the most significant emerging trends in telecommunications. It is the transmission of voice over packet-switched IP networks, and is a driving force behind the convergence of voice and data networks. While VoIP can offer benefits, there are associated risks which many organisations fail to consider. The presentation will cover the major security risks associated with the deployment of VoIP technologies, highlight exploit possibilities (illustrated with a live demo), and discuss a set of controls which can be implemented to mitigate these exposures.

The Self-Defeating Network

Richard Bejtlich
- TaoSecurity

Many product vendors claim to have the answer to your security problems. It's been over fifteen years since commercial security tools first appeared on the market, but it's tough to understand where all our money went. In this presentation I argue that the focus on preventing intrusions has diverted valuable time and resources away from the most basic aspect of digital security: understanding your enterprise. By touring the Self-Defeating Network, you'll learn what not to do, and how network security monitoring with open source tools can help you make the most of your defensive resources.

Network Awareness and Network Security

John McHugh
- Dalhousie Uni

Network Awareness and Network Security (always a work in progress)
John McHugh
Canada Research Chair in Privacy and Security
Director, Privacy and Security Laboratory
Dalhousie University, Halifax, NS

Routine acquisition and aggregation of network data offers an opportunity to understand some of the forces that drive the internet. It also offers an opportunity to detect and understand a variety of phenomena that are related to overtly questionable or malicious activities on the part of network users and abusers. The initial observations analyzed by the US CERT were based on data observed at the borders of a very large network, and concentrated on characterizing network scale phenomena. Carried out on a smaller scale, it offers an opportunity to perform passive monitoring of the activities on your own network, including the detection of spyware and other forms of compromise. By monitoring the unoccupied portions of an organization's address space, scanning and other activities that are often precursors to attacks can be identified. Given cheap, fast analysis machines and inexpensive mass storage, it is possible to maintain relatively complete activity records for all the hosts in a modest network for long periods of time. This allows us to characterize "normal" activity on a per host basis. The richness of the source means that it is always a source of new insights and observations.

In this talk, I will summarize a variety of large and small scale observations that have resulted from such monitoring activities. Key to this work is the choice of suitable abstractions for the representation of both data and analysis results. The talk will also consider some of the issues associated with the management of the quantities of data involved, as well as techniques for analyzing the data and presenting the analysis results. These techniques aid system managers in better understanding the activities that routinely occur on their networks and provide a baseline against which changes in behavior, whether benign or malicious, can be evaluated.

The Top 10 ways to Protect your Critical Systems

Haf Saba
- Attachmate

Achieving comprehensive security protection has become more difficult over the past decade with new forms of attack and ever increasing levels of sophistication. Networks are becoming increasingly complex, with multiple servers handling different tasks, some even existing together within the same system through virtualization. At the same time, regulatory and general business requirements are broadening the territory that must be secured. A comprehensive and integrated Security Incident and Event Management (SIEM) solution is a key component for security protection and to meet compliance requirements for ensuring the confidentiality, integrity and availability of critical data. This session will examine the top ten issues in infrastructure security today. It will also provide you with a practical means to improve the security of your operating systems, databases, Web/application servers and applications. It is a must attend session for both IT security and IT operations professionals, including security analysts, systems administrators and internal auditors. Just a few of the security 'best practices' this will cover are:
- Maintaining a robust security infrastructure
- Centralizing the management of security alerts
- Ensuring that adequate information is available for configuration and vulnerability management
- Constant testing and reviewing of your security infrastructure
| |
|
| Eclipse Project Higgins and Identity 2.0 |
| |
|
Anthony Nadalin
- IBM
|
| |
|
Almost all on-line activities - sending emails, filing tax declarations, managing bank accounts, buying goods, playing games, connecting to a company intranet, meeting people in a virtual world, etc., - require identity information to be given from one party to another. The abundance of different situations and types of identity information suggests the need for a flexible and user-centric identity management infrastructure. It must be flexible to support the multitude of identity mechanisms and protocols that exist and are still emerging, and the different types of platforms, applications and service-oriented architecture patterns in use. It must be user-centric since the end users are at the core of identity management: The infrastructure must empower the end users to execute effective controls over their identity information. These requirements have far reaching consequences, not only on the user-interfaces of the identity management system but also on the infrastructure itself and how it must be built. Major technology suppliers such as IBM, Novell®, Microsoft, Verisign®, major financial institutions, and governments are placing large bets in this area to gain advantage. This presentation provides an analysis of the business requirements and technical options for a flexible and user-centric identity management infrastructure, and outlines an open architecture for meeting these requirements. There is the strong need for all parties, including industry and end users, to agree on such a common layer, bridging the existing islands of identity management systems, and encouraging the development and easy deployment of new systems with improved security and privacy properties. IBM is already engaged in a number of open source and open standards projects in this space, in particular Project Higgins, and intends to continue working with all interested parties on making this vision a reality.
|
| |
|
| Gaining an advantage on modern "Hackers" |
| |
|
Peter Woollacott
- Tier-3
|
| |
|
IT security has come a long way in a relatively short space of time, but the perpetrators of cyber-crime have evolved their criminal techniques even further and faster than much of the security technology that is pitted against them. The new breed of "hacker" knows the security systems you use and their latest rules and signatures. This sort of information is in the public domain, so a targeted attack purposely crafted to slip below your security radar can easily result in stolen funds, credit card details or other commercially valuable information. Some of these losses have been significant. The first sign will be that something is different in your network. Then the search begins. Where is it? What is it doing, and how long has it been there? A security professional needs a system to identify and manage a response to this changing risk environment. How can you protect against it? Join Tier-3 in this session and learn how Behavioural Anomaly Management technology will provide you with a permanent advantage over the modern hacker.
|
| |
|
| Stop Managing Security. Start Managing Risk |
| |
|
Michael Sentonas
- McAfee
|
| |
|
As an IT security professional, what is your role in ensuring your organisation is in compliance? SOX, HIPAA, GLBA and FISMA are just some of the regulations, and CIS, NSA and NIST just some of the benchmark and guidance sources, with which corporate IT departments may have to comply globally. Even if companies are not subject to U.S. regulations, compliance makes good business sense. What tools can you use to report and manage compliance? Where does SRM (Security Risk Management) fit into your day-to-day job? How can remediation make your organisation more secure? Are you implementing Network Access Control? What new technologies can track and block the leaking of confidential data? Learn the answers to these questions and more at this McAfee security update. |
| |
|
| Ask Microsoft |
| |
|
George Stathakopoulos
- Microsoft
|
|
Peter Watson
- Microsoft
|
| |
|
Got a question on Microsoft security? This session is your chance to ask the Microsoft team, including:
- Peter Watson, Chief Security Advisor, Microsoft Australia
- George Stathakopoulos, General Manager of Product Security, Microsoft Corporation
|
| |
|
| CSI:SIM - Enhance Your Security Information Management with Forensic Analysis |
| |
|
Jason Mical
- CA
|
| |
|
As network and system complexity increases, cyber attacks, in parallel, are becoming more sophisticated and harder to detect. But protecting the network from external threats is just one piece of the puzzle. At the same time, IT is faced with a growing challenge to safeguard the dissemination of important, yet vulnerable, information between customers, business partners, suppliers and internal departments. CA Network Forensics is a security management solution comprised of distinct modules which perform real-time functions, including building a knowledge base while collecting network data for forensic investigations. CA Network Forensics addresses today's IT security concerns by examining network relationships regardless of physical topology. It visualises traffic patterns as behavioural clusters, which quickly provide a graphical depiction of nodal communications and dependencies. Furthermore, CA's solution employs a methodology known as network security analysis, which provides the framework for security and incident response teams to assess, investigate and inform. This session will demonstrate an investigation to identify policy violations or unauthorised activities. The exercise will show CA Network Forensics not only as an investigative tool but also as a security solution that extends the capabilities of security administrators, auditors and others who need to monitor network and user activities. |
| |
|
| Is UTM a UFO? Identifying UTM in enterprise |
| |
|
Stephen MacDonald
- Check Point Software Technologies
|
| |
|
Although its popularity is growing, there's still no consensus about what UTM should encompass. For larger organisations a 'one size fits all' box that houses separate point solutions to address threats isn't sufficient. Steve MacDonald will explain how a true UTM solution must incorporate unified management and protect from the desktop to the core network and back again. |
| |
|
| IPS-Secured Networks: 360° Network Security & Control |
| |
|
James Collinge
- TippingPoint
|
| |
|
TippingPoint, a leader in in-line network intrusion prevention systems, is introducing its new Network Access Control (NAC) solution at AusCERT2007. However, instead of focusing on NAC in and of itself, because alone it does not address the real network security need that customers are trying to address, this presentation will demonstrate why a new approach to NAC is required to solve the real security issues customers face today. Topics include:
- Top-of-mind security issues customers are facing today, such as the continuously evolving threat landscape, increased employee and device mobility and regulatory compliance pressures.
- The need for 360° policy-based control that provides continuous traffic flow inspection, flexible enforcement and affordability, and that is non-disruptive to an existing network.
- How IPS-Secured Networks convert uncontrolled, unclean devices, users and flows into those that are controlled and clean.
- Why providing integrated access and attack control policies is only possible with a proven in-line IPS that delivers multi-gigabit throughput and switch-like latency while operating with thousands of active vulnerability filters at high accuracy.
- The Digital Vaccine® service from TippingPoint's DVLabs, which delivers thousands of filters to the IPS for preemptive protection against zero-day threats, worms, viruses, Trojans, denial of service attacks, spyware, phishing and voice over IP security threats. |
| |
|
| The Rise of the Selfish Bot: How Spam and Targeted Attacks are Becoming the New Attack Vehicle |
| |
|
Mark Sunner
- MessageLabs
|
| |
|
The 'selfish bot' is the next stage in the evolution of spam. Towards the end of 2006, spam, virus and botnet activity seemed to reach a plateau. Botnet sizes had been shrinking over the past year and gradually becoming more agile as the criminals worked on staying below the radar. Similarly, attacks had become more targeted, profiling the victims into well organised cross-sections of society based on their online habits, banking facilities and other demographics. During this time the attack profile seemed to be fairly well understood, and countermeasures were continually being deployed and upgraded to counter it. However, from August through to October 2006 everything changed. August saw the introduction of the dropper trojan called "Warezov", which only increased in intensity by October. The latest strain of the "SpamThru" trojan also started to take hold. Because of the way both of these work, large botnets were suddenly back on the scene with increased levels of sophistication that make them a serious challenge to the viability of email in the future. SpamThru is the Cuckoo's Egg of the botnet world. MessageLabs has dissected these new trojans and has examined how they resulted in a 70% rise in spam volumes in one month alone. MessageLabs understands the underlying factors behind these next generation botnets and asks, "is this only the thin end of the wedge?" |
| |
|
| The Past, Future & Evolution of IPS |
| |
|
Steve Manzuik
- Juniper Networks
|
| |
|
This talk will cover the history of Intrusion Detection at both the host and network levels, why they failed, why they haven't failed, and what the future holds for these defence technologies, especially as networks grow and move beyond the typical borders of an organisation. |
| |
|
| Wireless - The Weakest Link in Enterprise Security |
| |
|
Kiran Deshpande
- Air Tight Networks
|
| |
|
Organisations are installing WLAN (Wireless Local Area Network) infrastructure for employee convenience and flexibility. However, wireless communication exposes Layer 2 of an enterprise network, hitherto considered secure against outside access because of the physical barrier. Security products such as firewalls and wired intrusion detection and prevention systems have been designed to protect Layer 3 onwards, assuming that Layer 2 is secure. Enterprise LANs (Local Area Networks) have also been implemented assuming the security of Layer 2. IEEE 802.11 based wireless communication takes place at Layer 2. It breaks the physical barrier and gives outsiders access to the enterprise network at Layer 2 over wireless transmission. Current security products such as firewalls and wired intrusion detection and prevention systems cannot protect an enterprise network from such attacks. This presentation will highlight the exposure of Layer 2 of an enterprise network, describing various wireless vulnerabilities and the protection against these attacks provided by AirTight® Networks' SpectraGuard Enterprise Wireless Intrusion Prevention System (www.airtightnetworks.net). |
| |
|
| Certificate Validation Solutions- Past, Present, Future / Content Management for Email and Web |
| |
|
Jim Wyre
- Tumbleweed Communications
|
| |
|
Certificate Validation Solutions - Past, Present, Future
This presentation will be an introductory to intermediate level discussion of X.509 Certificate Validation, a critical component of every Public Key Infrastructure (PKI). It will cover the benefits, methodologies and technology used to provide certificate validation. The discussion will centre on Certificate Trust, Path Validation, Certificate Revocation Checking, Extending Validation Services, and lessons learned from one of the largest production-level PKIs on the globe.
Content Management for Email and Web
This presentation will be a best practices guide to the management of email and Web content for both inbound and outbound Internet traffic. It will centre on the need to meet compliance requirements as well as protecting the welfare of users and company intellectual property.
|
| |
|
| Virtualisation's Impact on Enterprise Security |
| |
|
Steve Reddock
- Internet Security Systems
|
| |
|
Virtualisation alone does not equal security. As virtualisation is rapidly deployed worldwide, it is critical to understand the business risks at the network, application, and behavioural levels. Internet Security Systems, an IBM company (ISS) will explore issues related to securing virtual assets from exploits and malware and how to provide defense-in-depth for your environment. Throughout this session, we will reveal how the evolving virtualisation market space can be leveraged to innovate your security processes to both protect your infrastructure as well as meet the rising standard of due care with corporate compliance. |
| |
|
| Patch & Vulnerability Management Solution - Core of a Comprehensive Security Strategy |
| |
|
Andrew Clarke
- Patchlink
|
| |
|
Organisations worldwide are increasingly taking a more formal, rigorous and defensible approach to business management and operations. Corporate Governance and Risk Management principles are being embraced at least in part to respond to a growing number of global regulations and standards that codify the need to diligently manage financial and operational risk. Of course, we are also in an era where technology is critical to the business. This in turn establishes the need for IT governance and subsequently, a comprehensive security strategy to ensure the integrity and availability of critical business systems, financial records, and other essential data. At this level organisations must deal with a wide range of challenges, including the need to prioritise their security initiatives to mitigate risk as efficiently and effectively as possible. To this end, this presentation shows that organisations must first establish a robust patch and vulnerability management solution as the core of their information security strategy. The reason for this is it directly remediates known weaknesses, affording it a significant advantage over other countermeasures in terms of efficiency and efficacy. However, adding further layers of defence will still be appropriate to help ensure that a truly comprehensive level of protection is achieved. The presentation will outline the advantages of a centrally managed, vulnerability management solution (VMS) that effectively manages and measures the entire vulnerability management lifecycle with powerful integrated vulnerability assessment and automated patch management. More information available: www.patchlink.com/products/VMS |
| |
|
| 10 Security Questions You Need to Ask |
| |
|
Jeff Paine
- Network Box
|
| |
|
No-one disputes that security risks are growing in volume and complexity. With a continuing fall in internal expertise and an increasingly fragmented security product and service industry, organisations are finding it tougher to get a REAL perspective on where they stand. One way forward is to ask better questions of the internal techs or the outsourced provider. Determining what those questions should be is a joint exercise for management and IT, whose objectives are frequently different when performing these evaluations. This presentation aims to explore a number of issues that face executive management, who need to understand what their information security coverage is but find it difficult to ask the right questions. Management can begin to evaluate what their security risk exposure is without drowning in the technical jargon that frequently fills a conversation with IT personnel. This presentation is also useful for system administrators, who are required to provide information to management about the state of information security. The issues facing organisations (and the IT department) are complex and difficult to explain; this presentation will provide some tips on making this information exchange a little easier. Attendees will leave the presentation with a practical insight into the types of questions that need to be asked by both management and technical personnel (and the answers that can be expected) when discussing information security, to ensure the security of the organisation is comprehensive and is well managed and maintained.
|
| |
|
| Making Source Code Analysis Part of the Security Review Process |
| |
|
Roger Thornton
- Fortify Software
|
| |
|
How do you know if your software applications are secure? Manual audits cover only a small percentage of the source code base, and periodic checks provide only a snapshot in time. Source code analysis allows development organisations to manage software security by leveraging well-documented best practices that can be automated. This presentation will provide an overview of how source code analysis can be a powerful tool for software security architects, developers and QA professionals by pinpointing security vulnerabilities throughout an entire code base as an integral part of the development cycle, or as part of software security audits in order to significantly improve application security. Real-life examples from actual engagements will be used to show you how source code analysis can benefit you and your organisation.
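What a source code analyser automates is, at its core, tracking untrusted data from the places it enters a program (sources) to the calls where it becomes dangerous (sinks), and recognising the calls that neutralise it on the way (sanitisers). The following is an added example for this page, not Fortify's engine or any code from the talk: a deliberately small intraprocedural taint tracker over Python's own `ast` module, run over a constructed sample that contains both vulnerable and correctly written lines. The source, sink and sanitiser lists are assumptions chosen for the sample.

```python
"""Minimal taint analysis over Python source: reports sink calls whose
dangerous argument derives from an untrusted source without passing through
a sanitiser. Added example; sample program and rule tables are constructed."""
import ast

# Rule tables (assumptions for this example). Sinks map to (kind, index of
# the dangerous positional argument): for cursor.execute only the query text
# is a sink, so a tainted value passed as a bound parameter is not flagged.
SOURCES = {"input", "request.args.get", "request.form.get", "sys.stdin.readline"}
SINKS = {
    "os.system": ("command injection", 0),
    "subprocess.call": ("command injection", 0),
    "eval": ("code injection", 0),
    "cursor.execute": ("SQL injection", 0),
}
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """'a.b.c' for Name/Attribute chains, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Flow-insensitive within a function: assignments taint or clear a name
    in program order; branches, aliasing and calls between functions are
    not modelled (a real analyser does all three)."""

    def __init__(self):
        self.tainted = {}    # variable name -> line of the source that tainted it
        self.findings = []   # (sink line, sink name, kind, source line)

    def expr_taint(self, node):
        """Line of the originating source if the expression carries untrusted
        data, else None. Concatenation, % formatting, f-strings and .format()
        all propagate taint from any tainted part."""
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SOURCES:
                return node.lineno
            if name in SANITIZERS:
                return None
            for arg in node.args:
                t = self.expr_taint(arg)
                if t:
                    return t
            return None
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        for child in ast.iter_child_nodes(node):
            t = self.expr_taint(child)
            if t:
                return t
        return None

    def visit_Assign(self, node):
        t = self.expr_taint(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t:
                    self.tainted[target.id] = t
                else:
                    self.tainted.pop(target.id, None)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in SINKS:
            kind, idx = SINKS[name]
            if idx < len(node.args):
                t = self.expr_taint(node.args[idx])
                if t:
                    self.findings.append((node.lineno, name, kind, t))
        self.generic_visit(node)


def analyze(source):
    """Return findings as (sink line, sink name, kind, source line)."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed program under analysis (line 1 is the blank line after ''').
SAMPLE = '''
import os, shlex, subprocess

def lookup(cursor):
    user = input("user: ")
    cursor.execute("SELECT * FROM t WHERE name = '%s'" % user)
    cursor.execute("SELECT * FROM t WHERE name = ?", (user,))
    os.system("ping " + user)
    safe = shlex.quote(user)
    os.system("ping " + safe)
    count = int(user)
    subprocess.call(["sleep", str(count)])
'''

if __name__ == "__main__":
    for line, sink, kind, origin in analyze(SAMPLE):
        print(f"line {line}: {kind} via {sink} (source on line {origin})")
```

Run over the sample it reports exactly two findings: the string-formatted query on line 6 and the shell command on line 8, both traced back to the `input()` on line 5. The parameterised query on line 7, the `shlex.quote` path on line 10 and the integer-converted value on line 12 are correctly left alone, which is the distinction a grep for `os.system` cannot make. The listed limitations (no branches, no aliasing, no inter-procedural tracking) are where the engineering effort of a production analyser goes.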
|
| |
|
| Homeland Security Partnerships with the Private Sector |
| |
|
John Lindquist
- EWA / IIT
|
| |
|
This presentation will cover the current structure for partnership between the US Department of Homeland Security and the private sector members/owners/operators of the IT infrastructure. The presentation will include:
- The structure set up by the US National Infrastructure Protection Plan
- Major ongoing coordination activities, including the IT Sector Specific Plan, IT Sector input to the US National Response Plan and to the US Incident Management Plan, as well as input to and participation in various exercises including Cyber Storm
- The role of Information Sharing and Analysis Centers (ISACs) in this partnership, and the role of the IT ISAC as the operational arm of the IT Sector Coordinating Council (the entity specified in the National Infrastructure Protection Plan as the planning and coordinating interface between DHS and the IT Sector)
John will be joined by Cheri McGuire, the Chairman of the IT Government Coordinating Council and Deputy Director of the National Cyber Security Division at the Department of Homeland Security.
|
| |
|
| The Keys to Building an Investigative Infrastructure |
| |
|
Darren O'Loughlin
- Dimension Data
|
| |
|
Many organisations face ever-increasing issues associated with insider threats, targeted attacks, protection of intellectual property, regulatory compliance, and eDiscovery (such as FOI requests), and have realised the importance of information security and assurance (computer forensic) audits in providing this service back to the business. The requirement for organisations to be successful in their efforts to secure information assets and to respond to investigative needs has created a gap in capabilities that can be filled by the creation of investigative infrastructure and the use of forensics technologies. This session will demonstrate a high level investigative infrastructure that involves people, process and technology that scales to all variety of organisations. The session will use real world scenarios and technology displays to highlight the benefits of the proposed model. |
| |
|
| Protecting customer information on the web with PCI-DSS |
| |
|
Phil Montgomery
- Citrix
|
| |
|
One in two merchants in Australia is not aware of their obligations to protect their customers' personal financial information. The Payment Card Industry Data Security Standard (PCI-DSS) is a global standard governed by the major credit card companies. PCI-DSS requirements apply to any organisation accepting credit card payments, but also provide a valuable framework for any organisation to protect data and reduce fraud. This session will detail the protective measures specified by PCI-DSS and illustrate how these measures can be implemented using application firewall technologies. |
| |
|
| An Architectural Approach to Security |
| |
|
Colin Bradley
- Cisco Systems
|
| |
|
With dissolving perimeters, a relentless drive towards converged infrastructures and employees demanding more services with greater flexibility and mobility, the need for an architectural approach to security has never been greater. With the industry facing more complex threats and the growing spectre of organised crime, is it time to change security models and to expect the systems we deploy to be adaptive and self-defending? |
| |
|
| Unifying Networking and Security |
| |
|
Freddy Mangum
- Fortinet
|
| |
|
In the past couple of years, we have seen the rise of Unified Threat Management products, which aggregate all the essential security functions, such as firewall, antivirus, anti-spyware, etc., into a single hardware platform. UTM is only the most recent stage in the rapid evolution of network security technologies, which has already gone through the stages of miniaturisation, commoditisation and now integration. The next step in this evolution is the integration of security functions into networking equipment, such as switches, to provide even better levels of security to computers inside and outside the network. |
| |
|
| Exploits, rootkits, bootkits, fruitkits! |
| |
|
Paul Ducklin
- Sophos
|
| |
|
If you listen to some security companies, you'll hear that we've never had it so good in terms of computer security: proactive detection, pre-execution prevention, trustworthy computing, etc. If they were giving you a three-quarter-time score, it would be something like Good Guys 17.5 (107), Bad Guys 4.7 (31). If you listen to some independent researchers, grey hats and others, you'll hear that we used to be doing OK, but we're on the edge of an unassailable defeat thanks to 0days, exploits, rootkits, etc. They'd be sending us into the last quarter with Good Guys 6.9 (45), Bad Guys 9.11 (65), with at least two of the Good Guys unable to return to the field due to injury. This paper looks at some of the latest trends used in malware attacks, in the form of a live demo with commentary, so you can make up your own mind (and so you can plan for victory in your own next quarter). |
| |
|
| Developing Tactical Intelligence |
| |
|
Vincent Weafer
- Symantec
|
| |
|
Traditionally, online malicious activity is associated with viruses, worms, trojans, zombies, hacking and denial of service attacks. Today's threats are becoming increasingly sophisticated; they have shorter lifecycles, are specialised to regions and targets, and are more commercialised. Just as new technology comes and goes, so follow threats. Newly emerging technologies such as smartphones, P2P networks and VoIP provide potential new arenas for security threats. This presentation evaluates how the art of intelligence gathering, including research automation, has changed throughout the years to match the shift in the threat landscape. It will also explore what this means for the type and variety of security threat data we need to monitor in the future, and what that data is likely to tell us about how we estimate risk and how we best protect our assets. |
| |
|
| Evolving Threat Landscape, Building a Layered E-mail Security Defence |
| |
|
Richard Cullen
- SurfControl
|
| |
|
Dr Richard Cullen is a well respected expert and trusted advisor in the security industry. In his presentation, Dr Cullen will give an informative overview of the current threat landscape then delve into the key and emerging threats targeting businesses of all sizes today and what we can expect in the near future. Based on those emerging complex threats, Dr Cullen will then introduce the concept of building a layered approach to e-mail security and help you answer: - How do I protect my organisation against these emerging complex threats?
- What are the options, where to deploy and key strengths of each option?
- What are the factors that determine the best deployment solution?
Dr Cullen will then give real-world scenarios illustrating how companies today are using the layered approach to meet their security and regulatory requirements for secure messaging. |
| |
|
| Advanced Browser Attacks |
| |
|
Wade Alcorn
- NGSSoftware
|
| |
|
Wade Alcorn will explore the rapidly emerging arena of Web browser based attacks. The presentation will focus on cutting edge vulnerabilities surrounding Web 2.0, including Interprotocol Exploitation, 'JavaScript Hacking' and advanced cross-site scripting viruses.
Over the past decade, Web browsers have gained a privileged position both in network location and in the attitude of users. They are a 'must have' on any workstation. This has made them ripe for hackers, as attacks using them can be launched against internal networks or against authenticated sessions across the Internet. Browser based attacks are rapidly increasing in scope and damage. During the presentation, Wade will demonstrate how future hackers will launch Metasploit-style attacks from browsers situated inside boundary firewalls. This type of vulnerability shows how present security paradigms will rapidly become ineffectual when faced with this new species of exploit. Security professionals will urgently need to consider these attacks on the internal networks they aim to protect.
Web 2.0 vulnerabilities and 'JavaScript Hacking' will also be explored. The term JavaScript Hacking relates to a new type of eavesdropping attack against Ajax-style Web applications. The vulnerability exists in many popular Ajax programming frameworks, and in some cases developers are required to create a vulnerable server just to use the framework. Wade will also discuss the impact of advanced cross-site scripting viruses when combined with the latest JavaScript vulnerability scanners (Jikto). This combination creates the real potential of an autonomous advanced cross-site scripting virus infecting the Web, using previously unknown vulnerabilities for propagation. Such a virus can employ new techniques for constructing lists of potential target requests, finding previously unknown vulnerabilities for propagation, and delivering more sophisticated payloads.
To date, cross-site scripting viruses seen in the wild have been of limited sophistication and have (fortunately) delivered relatively benign payloads. Browser based attack vectors are a rapidly emerging threat. A working knowledge and understanding of the issues surrounding attacks of this nature is imperative for any professional committed to keeping ahead of the game. |
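The 'JavaScript Hacking' eavesdropping attack in the abstract works because a page on an attacker's origin can include an authenticated JSON endpoint with a `<script src=...>` tag: the victim's browser sends its session cookie, and if the response is valid JavaScript (a bare array literal, say) the attacker's page can observe its contents. The defences follow from what a script tag cannot do: it cannot set request headers, cannot send a per-session token it does not know, and cannot execute a response that is a syntax error. The block below is an added example for this page, not code from the talk; the request model, session store and token values are constructed, and the `)]}',` prefix is one of several unparseable prefixes in common use.

```python
"""Server-side defences against cross-domain <script> inclusion of
authenticated JSON (JavaScript hijacking), plus the matching client-side
unwrap. Added example with a constructed request model."""
import hmac
import json

# A prefix that is a syntax error at the start of a script. A <script> tag
# loading this response on another origin gets nothing; the site's own
# XMLHttpRequest client strips it before parsing.
PREFIX = ")]}',\n"

# Constructed session store: cookie value -> session data (assumption).
SESSIONS = {"sid-alice": {"user": "alice", "csrf": "7c1f3e0a9b2d"}}


class Request:
    """Minimal request model, constructed for the example."""

    def __init__(self, method, cookies=None, headers=None):
        self.method = method
        self.cookies = cookies or {}
        self.headers = headers or {}


def render_json(data):
    """Wrap the payload in an object (never a bare array, which is a valid
    JavaScript expression on its own) and prepend the prefix."""
    return PREFIX + json.dumps({"d": data})


def parse_json(body):
    """Client-side counterpart: refuse a response that lacks the prefix,
    so a missing defence is noticed rather than silently accepted."""
    if not body.startswith(PREFIX):
        raise ValueError("response lacks anti-hijacking prefix")
    return json.loads(body[len(PREFIX):])["d"]


def api_handler(req):
    """Return (status, body) for a request to the authenticated JSON API."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "unauthenticated"
    # A <script> tag or a cross-site form can only send a plain request with
    # the browser's ambient cookies; it cannot add custom headers.
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, "custom header required"
    # The token is per session and only readable by same-origin script.
    token = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "bad csrf token"
    return 200, render_json([{"account": "12-345", "balance": 1000}])


# Attacker's page: the victim is logged in, so the cookie rides along, but
# no headers can be set from a <script src=...> inclusion.
HIJACK_ATTEMPT = Request("GET", cookies={"sid": "sid-alice"})

# The site's own Ajax client sends the header and the session's token.
LEGIT = Request(
    "GET",
    cookies={"sid": "sid-alice"},
    headers={"X-Requested-With": "XMLHttpRequest", "X-CSRF-Token": "7c1f3e0a9b2d"},
)

if __name__ == "__main__":
    print("hijack attempt:", api_handler(HIJACK_ATTEMPT))
    status, body = api_handler(LEGIT)
    print("legitimate:", status, parse_json(body))
```

Each of the three checks stands on its own: even if the header check were forgotten, the prefixed body still cannot be read through a script tag, and even if the prefix were dropped, the request would be refused for lacking the header and token. Frameworks that emit bare JSON arrays on GET endpoints protected only by cookies are the "vulnerable server" the abstract refers to.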
| |
|
| Security in the "Any Era" |
| |
|
Daniel Zatz
- VeriSign
|
| |
|
Welcome to the Any Era, where millions of users interact via laptops, PDAs and cell phones anywhere, anytime, across any network. They expect to choose how, when and where they communicate and conduct commerce. But along with digital freedom comes new security threats. As enterprises rebuild architectures to share information, criminals find opportunities to attack networks, steal identities, and damage corporate reputations. This session will examine the need for an interdependent approach to identity protection. |
| |
|
| Making Security a business enabler- not a cost centre |
| |
|
Michael Livingstone
- Tier-3
|
| |
|
Securing your organisation and its assets is no longer about building a higher or wider perimeter. The almost daily reports of losses resulting from compromised asset security and information protection systems are causing a fall in customer confidence and shareholder value. Regulators are becoming increasingly concerned. The role of the IT security department in protecting your organisation is no longer limited to protecting against the threats you know. Multi-vector risks, both malicious and unintentional, have demonstrated an ever-increasing ability to defeat current security solutions that require every potential risk to be pre-defined and specifically protected against. These existing single-dimension, rules-based solutions are readily defeated, leaving your enterprise and its assets open to loss. Clearly an innovative approach to security is required: one that will protect the enterprise yet not limit how it does business now or in the future. |
| |
|
| Secure and Optimized Multi-Protocol Application Delivery |
| |
|
Andy Purdy
|
| |
|
As enterprises evolve their IT infrastructure, there is a trend towards consolidating applications and services into centralised data centres, motivated primarily by flexibility and operational ease. There is also an associated trend of outsourcing applications under the SaaS (Software as a Service) model, motivated by economic benefits. At the same time, the users of these applications, namely employees, business partners and customers, are becoming more and more decentralised. They access applications from remote offices, business partners' offices, roaming laptops, Internet kiosks, mobile devices, etc. Each of these access locations has different security and network performance characteristics. Notwithstanding these trends, there is an expectation that IT provides access to all applications and services in a high-performance, consistent and secure manner, no matter where the applications are hosted and no matter from where the users access them. To provide a complete solution, IT needs to blend both the security and performance needs of these applications and be able to work with the wide set of application protocols in use today. This presentation goes into the issues and challenges faced in creating a secure and optimised multi-protocol application delivery infrastructure. |
| |
|
| A Proactive Roadmap To Fight Today And Tomorrow's Threats |
| |
|
Maros Mozola
- Eset
|
| |
|
Nowadays there are more than 10 000 new pieces of malware created every day. Traditional reactive anti-malware solutions are not capable of coping with the ever growing influx of malware. History and future of the proactive protection against the emerging threats will be presented. |
| |
|
| Threat Management: A New Frontier |
| |
|
David Rand
- Trend Micro
|
| |
|
There are two main channels cyber criminals are targeting today: the Web and email. Of these threat vectors, the greatest growth has been seen around Web based threats. Motivated by the lure of profits from the sale of stolen confidential information, cyber criminals today are using the Web as the medium for their malicious activities. Characterised by blended techniques, an explosion of variants and targeted regional attacks, Web threats pose a broad range of potential costs, including identity theft, loss of confidential business information, damaged brand reputation and erosion of consumer confidence in Web commerce. Meanwhile, organisations remain dependent on email as their primary communications channel, and threats delivered by email continue to grow at an alarming rate. Not only are there more of these threats than ever before; attacks and techniques utilising both Web and email mechanisms are being combined to enhance their impact. Mr Dave Rand will present how savvy organisations are minimising threats to their critical communications infrastructure by using interwoven layers of protection that spread throughout the network. Layered protection strategies guard against combinations of internal and external threats, including spam, phishing, viruses and other malware, as well as bulk mail attacks and threats to data security. Against Web threats, traditional means do not provide adequate protection, and no single method or technology will improve this situation. Dave will discuss these new paradigms in Web threat technology, how they function and their impact, explain why traditional methods fail to protect against these threats, and describe the characteristics of the new approach that is needed. |
| |
|
| Information Security Governance - the Nuts and Bolts |
| |
|
Jo Stewart-Rattray
- Vectra Corporation
|
| |
|
This presentation looks at what constitutes information security governance and how it fits into the overall corporate governance and compliance landscape including its relationship to risk and audit. The main activities of information security governance will be examined in an organisational context. |
| |
|
| Novell's Vision for Identity and Security Management |
| |
|
Mason Hooper
- Novell
|
| |
|
Improving authorisation management has been the focus of many identity management deployments. Driven by regulatory requirements plus the need to provide developers with a consistent, simplified means of managing access, enterprises are looking to centralised authorisation services to externalise finer-grained controls. But such an approach has its limits. Organisations can address a much broader set of enterprise authorisation requirements by allowing for specialisation and distribution of fine-grained controls while aggregating the intent of authorisation policy. This session shows how organisations can effectively address fine-grained authorisation requirements with Novell's Identity and Security Management solutions. |
| |
|
|