18th Annual Computer Security Applications Conference
December 9-13, 2002
Las Vegas, Nevada

Tutorials


Monday
M1 Information System Security Basics
M2 Understanding Biometric Technology and Its Implementation
M3 Denial of Service Attacks: Background, Diagnosis and Mitigation
M4 XML Security
 
Tuesday
T5 Cryptography and PKI Basics
T6 Mobile and Wireless Security Issues, Threats and Countermeasures
  T7   How to Successfully Assess Business
and Automation Risks
  T8   Survivable Systems Analysis


[ TOP ]

Tutorial M1 (Full Day)

Information System Security Basics

Dr. Steven J. Greenwald
Independent Consultant

Abstract

Designed for the person who is new to the field of Information Systems Security, this is an intensive one-day survey of the most important fundamentals of our field. It is designed to bring the students up to speed on important basic issues, and otherwise fill fundamental gaps in their knowledge. Therefore, its emphasis will be mostly historical in nature, and not necessarily topical. However, it will contain material that every effective practitioner in our field needs to know.

The ideal student is someone who is either entering the field for the first time, needs a refresher regarding the basics, or is starting to prepare for the CISSP exam. This will be a high-speed low-drag course covering a very broad range of material. Since it is unrealistic to assume that the students can absorb all of this material in a one-day tutorial, each will be given, in addition to a textbook, an annotated bibliography of seminal papers and reports (most available on the web) that will be covered during the tutorial and which they may use for future study and reference. A major goal of this tutorial is that the student should be able to effectively understand, research, and apply such material when it is later encountered.

Prerequisites:

None

Outline:

  1. Introduction. Overview/refresher of the necessary CS background, common definitions, and historical overview and perspectives.
  2. Fundamentals. Covers Identification & Authentication, Access Control, Security Kernels, and Security Models.
  3. Practice. Provides a brief overview of Unix and Windows NT Security, as well as common errors (e.g., buffer overflows) and security software.
  4. Cryptography. A brief overview of cryptography, PKI and standards.
  5. Distributed Systems. Covers Web security and other aspects of network and distributed system security.
  6. Database Systems. Explores DBMS models and problems.
  7. Conclusions and Questions. Seeing the forest for the trees, professional development options, and if time permits any topical or other areas that may be of particular interest.

About the Instructor:

Dr. Steven J. Greenwald is an Independent Consultant in the field of Information Systems Security specializing in distributed security, formal methods, security policy modeling, resource based security and related areas. He also works with organizational security policy consulting, evaluation, training, and auditing. He is a Research Fellow at Virginia's Commonwealth Information Security Center (CISC) and on the adjunct faculty at James Madison University's Computer Science department teaching in their graduate INFOSEC program (a National Security Agency designated Center Of Academic Excellence in Information Security Assurance). Dr. Greenwald was formerly employed as a computer scientist in the Formal Methods Section of the U.S. Naval Research Laboratory, and is also past general chair and past program chair of the New Security Paradigms Workshop (NSPW). Dr. Greenwald earned his Ph.D. degree in Computer and Information Science from the University of Florida (with a dissertation in the field of information systems security).


[ TOP ]

Tutorial M2 (Full Day)

Understanding Biometric Technology and Its Implementation

Ms. Catherine J. Tilton
SAFLINK Corp.

Abstract

This tutorial provides a technical overview of biometric technologies - what they are, how they work, what kinds there are and the characteristics of each, how accuracy is measured - as well as an overview of the considerations for selection and deployment. It also covers the current technical and market trends in terms of applications for the technology, privacy and ethics, biometric standards, and testing/certification.

The role of biometrics in IT security is addressed as is the integration of biometrics with smart cards and PKI. References and sources of further information are provided.

Prerequisites:

None. Technical background suggested, but not required.

Outline:

  1. Biometrics Overview. The What and How of Biometrics. Accuracy issues. Technology types. Markets and applications. Standards. Privacy and ethics issues.
  2. Planning and Engineering a Biometric System. Requirements, alternatives, and design.
  3. Summary and References.

About the Instructor:

Ms. Catherine J. Tilton is the Director of Special Projects at SAFLINK Corp., a multi-biometric computer security software company. She also chairs the steering committee of the BioAPI Consortium, and is active in the US Biometric Consortium, the International Biometric Industry Association (IBIA), ANSI X9F4, the Intel/Open Group CDSA Human Recognition Services (HRS) working group, the INCITS M1 committee. She formerly served as technical editor of the Human Authentication API. She has a BS in nuclear engineering from Mississippi State and an MS in systems engineering from Virginia Tech.


[ TOP ]

Tutorial M3 (Full Day)

Denial of Service Attacks: Background, Diagnosis and Mitigation

Dr. Sven Dietrich and Dr. John McHugh
CERT/CC

Abstract

In the beginning, security was equated to confidentiality and it was considered better for a system to fail (or be forced into failure) than to leak protected information. As the field matured, the emphasis changed and concepts such as "Security-*" giving equal weight to integrity and assured service became acceptable. Concurrently, adversaries realized that attacks that reduced the utility of computing systems to authorized users could be as effective as attacks that compromised sensitive information. In the past year, brute force denial of service attacks based on the exhaustion of the victim's processing or communication resources have become commonplace.

The tutorial will trace the development of denial of service attacks from early, machine crashing exploits to attacks that based on the exploitation of server vulnerabilities or protocol pathologies to consume excessive computing resources to the present day distributed denial of service (DDoS) attacks. Self imposed denial of service attacks in which a system administrator suspends a necessary service in the face of a real or threatened attack will also be considered. A substantial portion of the tutorial will be devoted to understanding DDoS attacks and developing appropriate responses. Among the issues to be addressed are preparing for a DDoS attack, recognizing the attack type and probable attack pattern, designing appropriate filter rules to mitigate the attack, and working with upstream providers. We will also survey current research that may lead to ways of thwarting such attacks in the future.

Prerequisites:

A basic understanding of IP networking, network protocols, and routing as well as an understanding of computer security fundamentals is required. The tutorial is intended to be useful to system administrators, network administrators and computer security practitioners.

Outline:

  1. Fundamentals. Basic networking and routing protocols.
  2. Denial of Service. Basic concepts. Vulnerabilities and pathologies. OS support. The jump from DoS to DDoS. Evolution of attack tools.
  3. Classes of DDoS tools. What they do. Choices in the attack space. How they work. Currently available tools.
  4. Diagnosis of the problem. How do you know you are under attack. Symptoms in your own operational and system monitoring data. Differentiating between flash crowds and attacks. Advances in research. Inspecting a compromised system. Building a monitoring/traffic capture facility.
  5. Mitigation. Recognition of the attack. Attack signatures and attack tool identification. DoS vs. DDoS. Indications of single and multiple sources. Creating countermeasures. Techniques for limiting the damage. Characterizing the attacked resources. Infrastructure changes. Traceback. Filtering. Active response. Strikeback.
  6. Political hurdles. Dealing with your ISP. Dealing with management.
  7. The bright road ahead. DDoS and beyond. Prospects for future advances in attacker tools, Technical, legal, and political mitigation strategies.

About the Instructors:

Dr. Sven Dietrich is a member of the technical staff at the CERTŪ Coordination Center, where he does research in survivability and network security. His work has included intrusion detection, distributed denial-of-service analysis, and the security of Internet Protocol (IP) communications in space. He was a senior security architect at the NASA Goddard Space Flight Center and has taught mathematics and computer science at Adelphi University. His research interests include, but are not limited to, computer security, cryptographic protocols, and quantum cryptography, and he randomly gives presentations and talks on the subject. Dr. Dietrich has a Doctor of Arts degree in Mathematics, a MS degree in Mathematics, and a BS degree in Computer Science and Mathematics from Adelphi University in Garden City, New York.

Dr. John McHugh is a senior member of the technical staff at the CERTŪ Coordination Center, where he does research in survivability, network security, and intrusion detection. He was a professor and former chairman of the Computer Science Department at Portland State University in Portland, Oregon. His research interests include computer security, software engineering, and programming languages. He has previously taught at The University of North Carolina and at Duke University. He was the architect of the Gypsy code optimizer and the Gypsy Covert Channel Analysis tool. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has a MS degree in computer science from the University of Maryland, and a BS degree in physics from Duke University.


[ TOP ]

Tutorial M4 (Full Day)

XML Security

Mr. Christian Geuer-Pollmann
University of Siegen

Abstract

The tutorial will give a short introduction into XML and will explain the W3C standards, "XML Signature" and "XML Encryption," in great detail. It will cover introductions into the "XML Key Management Specification" (XKMS), the "Security Assertion Markup Language" (SAML) and describe how these security mechanisms can be integrated into SOAP to create secure web services.

The "eXtensible Markup Language" (XML) is a standard that describes a syntax for structuring data and documents. In early 1999, W3C and IETF officially launched the XML Signature Working Group to develop an XML compliant syntax used for representing the signature of Web resources and portions of protocol messages. All major vendors of cryptographic software have integrated support for the new XML digital signature format into their products. XML Signatures can sign parts of a document, allowing parties to sign only the relevant portions of a contract. XML Signatures help bringing confidence into web transactions. IBM, HP, Microsoft, SUN and the Apache Foundation integrated XML Signature into their respective SOAP based web service architectures.

In 2001, the W3C started the "XML Encryption" task. The mission of this working group is to develop a process for encrypting/decrypting digital content and an XML syntax used to represent the encrypted content and the information that enables an intended recipient to decrypt it. Encryption enables selective-field-confidentiality for XML data. Together with its twin XML Signature, they enable system architects to design applications that provide real end-to-end-security on the application layer.

The "XML Key Management Specification" (XKMS) serves as an XML'ized application protocol to access PKIs and related structures. XKMS enables constrained clients like mobile devices and embedded hardware to outsource security related tasks like certificate validation to trusted hosts, and much more. The "Security Assertion Markup Language" (SAML) is an XML-based tool for exchanging authentication and authorization information in distributed systems, e.g. used by the Liberty Alliance.

Prerequisites:

Basic knowledge on cryptography. This tutorial is intended for security people who want to come in touch with XML and the related security specifications.

Outline:

  1. Introduction to XML. XML 1.0. DTDs and Schema. Namespaces and Infoset. XSL Transforms. Structured data.
  2. Related Security. Network layer vs. application layer security. Why SSL is no help. WYSIWYS problems - "What you see is what you sign"
  3. XML Security Standards. Canonical XML, XML Signature: Forms, Generation, Verification, Multiple Signatures, Syntax, Algorithms, and Security Considerations. XML Signature and SOAP Security. XML Encryption. XML Advanced Electronic Signatures (XAdES). Security Assertion Markup Language - SAML.
  4. Application Scenarios for XML Security. Document Workflow with XML Signature and XML Encryption. Contract Signing with XML Signature. Single-Sign-On with SAML and XML Signature. Credential transfers with SAML.
  5. Products for XML Security. An overview to implementations and available products.
  6. Future directions in standardization.

About the Instructor:

Mr. Christian Geuer-Pollmann has a degree in electrical engineering from the University of Wuppertal/Germany, and is currently working on his Ph.D. thesis at the University of Siegen. He created the XML Signature implementation which is now available as part of the Apache XML Project. His main research interest is in encrypting XML. He's maintainer of the "XML Security page", and has presented a similar tutorial at BSI/GISA. Currently, he's writing a book on XML Security for Morgan Kaufmann Publishers. He actively participated in standardization since 1999, especially in the area of W3C for the standards "XML-Signature Syntax and Processing", "Exclusive XML Canonicalization", "XML-Signature XPath Filter 2.0" and "XML Encryption Syntax and Processing". He's in the program committee for the "2002 ACM Workshop on XML Security", held in conjunction with the Ninth ACM Conference on Computer and Communications Security (CCS-9).


[ TOP ]

Tutorial T5 (Full Day)

Cryptography and PKI Basics

Dr. Steven J. Greenwald
Independent consultant

Abstract

This tutorial is designed for the person who is new to the area of cryptography and Public Key Infrastructure (PKI). It is an intensive one-day survey of the most important areas of cryptography and PKI, designed to bring the students up to speed on important basic issues, and otherwise fill fundamental gaps in their knowledge. It will contain material that every effective practitioner in our field who deals with cryptographic applications needs to know.

The ideal student is someone who knows nothing (or next to nothing) about cryptography and PKI, or needs a refresher regarding the basics. This will be a high-speed low-drag course covering a very broad range of complex material. Since it is unrealistic to assume that the students can absorb all of this material in a one-day tutorial, each will be given, in addition to a textbook, an annotated bibliography of seminal papers and reports (most available on the web) that will be covered during the tutorial and which they may use for future study and reference. A major goal of this tutorial is that the student should be able to effectively understand, research, and apply such material when it is later encountered.

Prerequisites:

None.

Outline:

  1. Introduction and Basic Concepts.
  2. Conventional Cryptography. Explores classic and modern techniques, common algorithms, and approaches to confidentiality.
  3. Public Key Cryptography and Hash Functions. Explores public key cryptography, message authentication and hash functions, algorithms, digital signatures, and authentication protocols.
  4. Public Key Infrastructure (PKI) and Network Cryptography Practice. Explores applications of cryptography such as authentication and email, as well as Internet protocols and web security.
  5. Conclusions and Questions.

About the Instructor:

Dr. Steven J. Greenwald is an Independent Consultant in the field of Information Systems Security specializing in distributed security, formal methods, security policy modeling, resource based security and related areas. He also works with organizational security policy consulting, evaluation, training, and auditing. He is a Research Fellow at Virginia's Commonwealth Information Security Center (CISC) and on the adjunct faculty at James Madison University's Computer Science department teaching in their graduate INFOSEC program (a National Security Agency designated Center Of Academic Excellence in Information Security Assurance). Dr. Greenwald was formerly employed as a computer scientist in the Formal Methods Section of the U.S. Naval Research Laboratory, and is also past general chair and past program chair of the New Security Paradigms Workshop (NSPW). Dr. Greenwald earned his Ph.D. degree in Computer and Information Science from the University of Florida (with a dissertation in the field of information systems security).


[ TOP ]

Tutorial T6 (Full Day)

Mobile and Wireless Security Issues, Threats and Countermeasures

Dr. Tasneem G. Brutch
Hewlett-Packard

Abstract

The broadcast nature of the communication medium, and the absence of a fixed topology make communication in mobile/wireless networks vulnerable to illegal access, eavesdropping, and both passive and active intrusions. This includes disclosure of information to unauthorized individuals, modification of previously communicated messages, and falsely claiming the identity of a legitimate user. In order to provide adequate protection against these threats, a good understanding of security issues with various mobile and wireless technologies is needed for the provision of a secure environment. However, with the diversity of mobile and wireless standards and technologies available today, it is difficult to gain a complete understanding of the various mobile/wireless technologies, their limitations.

This tutorial is intended to provide an overview of some of the mobile and wireless technologies available today, the security provisions provided by each of these technologies, their limitations and vulnerabilities, and the available mechanisms, which can be used to protect against attacks and intrusions. Main topics discussed will include the Bluetooth standard, 802.11b (or Wi-Fi), and the Wireless Application Protocol (WAP).

Prerequisites:

A general understanding of wireless computer security concepts.

Outline:

  1. Bluetooth. Overview of the Standard. Security Architecture. Connection Setup. Access Profiles. Device Security. Service Security. Link Level Security. Key management. Encryption. Authentication. Security Limitations. Security Issues.
  2. Wireless LANs. The 802.11b (Wi-Fi) Standard. Wireless LAN architecture. Wi-Fi Security Provisions. Open System Authentication. Shared Key Authentication. Access Lists. Service Set Identifier (SSID). Security Limitations and Issues. Security Solutions.
  3. Wireless Application Protocol. Specification. Architecture. Wireless Transport Layer Security (WTLS). Security Features. Link Level Security. Connection Management. Cryptographic Attributes and Protocols. WAP Identity Module. WAP Security Issues.

About the Instructor:

Dr. Tasneem G. Brutch received her B.S. in Computer Science and Engineering, and an M.S. in Computer Science, from Texas A&M University. She has a Ph.D. from Texas A&M University in Computer Engineering in the area of wireless communication security. She is currently working for Hewlett-Packard as Security Software Design Engineer on the IDS/9000 intrusion detection product.


[ TOP ]

Tutorial T7 (Half Day - Morning)

How to Successfully Assess Business and Automation Risks

Ms. Marianne Emerson
Federal Reserve Board

Abstract

Although risk assessments are essential to information security, there is little guidance on how to do them. This course uses case studies and the methodology in place in the Federal Reserve System1 for more than ten years and to explain in detail how to analyze and measure risks to information and automation resources. The course starts with a study of the loss of two pieces of automation equipment and asks students to identify what was lost and the size of the loss. The study illustrates the difficulty of identifying which safeguards should be implemented when risks have not been assessed. The results of the case study are used as a frame of reference for introducing the elements of the risk assessment model, which are opportunities, threats, potential losses and offsetting safeguards. After walking through the elements hierarchically from less detail to more, the course returns to the case study to apply the model. Practical application of the model lets the students evaluate their level of understanding of it. Through this exercise and the questions it raises, they strengthen their knowledge of the concepts. This knowledge is reinforced through a final case study, whether or not the senior management of a major hotel chain should allow employees to telecommute from regional telework centers.

Prerequisites:

A general familiarity with automation such as one would gain by using a PC for word processing and email.

Outline:

  1. Overview. What good information security requires. Why risk assessments. How to do a risk assessment.
  2. Stolen PC and lost PDA case study. Lessons from the case study. Scarcity of risk assessment methodologies.
  3. Federal Reserve System Risk Assessment Model. Overview and details. Application of model.
  4. Doing a risk assessment. Challenges. Threat checklists.
  5. Application of Model to large hotel chain telecommuting decision.
  6. Wrap-up.

About the Instructor:

Ms. Marianne Emerson is the deputy director in the Federal Reserve Board's Division of Information Technology. The division provides automation, statistical, and telecommunications services to the Board and to the Federal Financial Institutions Examination Council. Ms. Emerson spent two years on loan to the Board's Division of Banking Supervision and Regulation as an advisor to the supervisory information technology function and ten years as the Board's information security officer. She has e-banking review experience, having led the first information services review of the firm responsible for automating Security First Network Bank, now the e-banking part of the Royal Bank of Canada. She has also participated in a number of operations reviews of information technology at Reserve Banks. She teaches graduate courses in information security at the R. H. Smith Business School of the University of Maryland. Ms. Emerson holds a Bachelor of Arts from Bryn Mawr College and a Master of Business Administration in finance and a Master of Science in Computer Science from the University of Maryland.


[ TOP ]

Tutorial T8 (Half Day - Afternoon)

Survivable Systems Analysis

Dr. Nancy Mead and Dr. Tom Longstaff
CERT/CC

Abstract

Increasing societal dependence on large-scale, distributed information systems amplifies the consequences of intrusions and compromises. It is vital that these critical systems survive to provide essential functions even when operating under adverse circumstances. The tutorial objective is to describe practical techniques for survivability analysis and design that attendees can apply in their own environments. In particular, the tutorial introduces the Survivable Systems Analysis (SSA) method developed by the SEI's CERT/CC, as a means to assess and improve survivability and security characteristics of planned or existing information systems. The tutorial will present a case study and more detailed examples of survivability analysis.

Prerequisites:

No special prerequisites, general understanding of information security desirable. The tutorial is aimed at analysis of abstract system architectures prior to implementation.

Outline:

  1. Trends in information security and system survivability concepts. Trends in information security. Formal definition of survivability. Survivability concepts of resistance, recognition, and recovery.
  2. The Survivable Systems Analysis Method. The 4-step SSA method, including system definition, essential capability definition, compromisable capability definition, and survivability analysis.
  3. SSA Case Study and Examples. How to apply the SSA method. Examination of a prior SSA case study. Detailed examples.

About the Instructors:

Dr. Nancy Mead is the team leader for the Survivable Systems Analysis (SSA) team as well as a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). She is also a faculty member in the Master of Software Engineering and Master of Information Systems Management programs at Carnegie Mellon University. She is currently involved in the study of survivable systems architectures and the development of professional infrastructure for software engineers. Her research interests are in the areas of software requirements engineering, software architectures, software metrics, and real-time systems. Dr. Mead received her PhD in mathematics from the Polytechnic Institute of New York, and received a BA and an MS in mathematics from New York University.

Dr. Tom Longstaff is a senior member of the technical staff in the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI), where he manages research and development in network security. Publication areas include information survivability, insider threat, intruder modeling, and intrusion detection. Since 1997, Tom has been investigating topics related to information survivability and critical national infrastructure protection. Prior to coming to the Software Engineering Institute, he was the technical director at the Computer Incident Advisory Capability (CIAC) at Lawrence Livermore National Laboratory in Livermore, California. He completed a PhD in 1991 at the University of California, Davis in software environments.