Tutorials


Monday
M1 Information System Security Basics
M2 Security Risk Assessment Techniques
M3 Wireless Security: Exploring IEEE 802.11i and Providing Secure Mobility
 
Tuesday
T4 Security Policy Modeling
T5 The Worm & Virus Threat
T6 Acquisition and Analysis of Large Scale Network Data



Tutorial M1 (Full Day)

Information System Security Basics

Dr. Steven J. Greenwald
Independent Consultant

Abstract

Designed for the person who is new to the field of Information Systems Security, this is an intensive one-day survey of the most important fundamentals of our field. It is designed to bring the students up to speed on important basic issues, and otherwise fill fundamental gaps in their knowledge. Therefore, its emphasis will be mostly historical in nature, and not necessarily topical. However, it will contain material that every effective practitioner in our field needs to know.

The ideal student is someone who is either entering the field for the first time, needs a refresher regarding the basics, or is starting to prepare for the CISSP exam. This will be a high-speed low-drag course covering a very broad range of material. Since it is unrealistic to assume that the students can absorb all of this material in a one-day tutorial, each will be given, in addition to a textbook, an annotated bibliography of seminal papers and reports (most available on the web) that will be covered during the tutorial and which they may use for future study and reference. A major goal of this tutorial is that the student should be able to effectively understand, research, and apply such material when it is later encountered.

Prerequisites:

None

Outline:

  1. Introduction. Overview/refresher of the necessary CS background, common definitions, and historical overview and perspectives.
  2. Fundamentals. Covers Identification & Authentication, Access Control, Security Kernels, and Security Models.
  3. Practice. Provides a brief overview of Unix and Windows NT Security, as well as common errors (e.g., buffer overflows) and security software.
  4. Cryptography. A brief overview of cryptography, PKI and standards.
  5. Distributed Systems. Covers Web security and other aspects of network and distributed system security.
  6. Database Systems. Explores DBMS models and problems.
  7. Conclusions and Questions. Seeing the forest for the trees, professional development options, and if time permits any topical or other areas that may be of particular interest.

About the Instructor:

Dr. Steven J. Greenwald is an Independent Consultant in the field of Information Systems Security specializing in distributed security, formal methods, security policy modeling, covert channels, resource based security and related areas. He also works with enterprise/organizational security policy consulting, evaluation, training, and auditing. He is a Research Fellow at Virginia's Commonwealth Information Security Center (CISC), is an Adjunct Graduate Faculty member at James Madison University's Computer Science department teaching in their graduate INFOSEC program (a National Security Agency designated Center Of Academic Excellence in Information Assurance Education), and is an Applied Computer Security Associates (ACSA) Fellow. Dr. Greenwald was a visiting assistant professor at the University of Florida, and was employed as a computer scientist in the Formal Methods Section of the U.S. Naval Research Laboratory. He is also past general chair and past program chair of the New Security Paradigms Workshop (NSPW) and does other volunteer work in the field. Dr. Greenwald earned his Ph.D. degree in Computer and Information Science from the University of Florida (with a dissertation in the field of Information Systems Security). He has an M.S. degree in Computer Science and Information Systems from Barry University, and a bachelor's degree in Chemistry from Emory University.



Tutorial M2 (Full Day)

Security Risk Assessment Techniques

Mr. David Chizmadia
Promia Inc.

Abstract

This tutorial introduces the basic principles of IT Security Risk Assessment (SRA), with a focus on the processes, techniques, and tools for conducting such assessments. The tutorial will concentrate on two asset-oriented methodologies: the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology from the CMU SEI and the FISMA implementation guidance from the US NIST. Attendees can expect to leave the tutorial with a solid understanding of the elements of an SRA and effective reference materials for applying the two methodologies covered.

Prerequisites:

None

High Level Outline:

  1. Overview of Information System (IS) security risk concepts
  2. Security Risk Management success factors
  3. Components of a Security Risk Assessment (SRA) methodology
  4. The OCTAVE process for IS SRA
  5. Comparison of the FISMA implementation guidance with OCTAVE

About the Instructor:

Mr. David Chizmadia is the Senior Security Assurance Analyst for Promia, Inc., where he is currently applying his 10 years of experience with computer security evaluations and criteria and 7 years of experience with distributed object computing security to shepherding Promia's attack sensing, warning, and response management product through a NIAP evaluation. He is also a part-time lecturer for the Johns Hopkins University Information Security Institute (JHU ISI), where he is the instructor for graduate courses in IS Security Risk Assessment and Principles and Patterns for Secure Distributed Applications.



Tutorial M3 (Full Day)

Wireless Security: Exploring IEEE 802.11i and Providing Secure Mobility

Mr. Cornell Robinson III and Mr. Anthony Scott
Booz Allen Hamilton

Abstract

The field of wireless communications is burgeoning. Although the growth of wireless local area communications has been tremendous, fear rooted in misunderstood security, together with incorrect implementations of security, remains a huge obstacle standing in the way of enterprise deployments.

Four objectives will be met in this workshop detailing mobile wireless security. First, we will identify vulnerabilities that affect Wireless Local Area Network (WLAN) security. Next, we will identify how these vulnerabilities have been addressed with the new IEEE 802.11i standard. Then we will address wide-area wireless security issues incurred as users connect to public WLANs. Lastly, we will demonstrate how wide-area security can be addressed by utilizing a defense-in-depth secure mobility architecture.

Prerequisites:

It is expected that all attendees will be comfortable analyzing protocols such as TCP/IP and 802.11. Additionally, all attendees should understand basic local area network terminology and fundamental networking concepts such as the OSI model and network components (routers, switches, firewalls and gateways). Lastly, it would be useful for all attendees to understand basic cryptography terms such as symmetric/asymmetric keys, hashes, and plaintext/ciphertext.

Outline:

  1. Common Wi-Fi Vulnerabilities
  2. IEEE 802.11i
  3. Advanced attack methodologies
  4. End-To-End Mobile Security

About the Instructors:

Mr. Cornell W. Robinson III is a Senior Consultant with Booz Allen Hamilton. He has more than seven years of information technology (IT) experience, with extensive knowledge of wireless communications (IEEE 802.11/Wi-Fi), network security, local area network (LAN)/wide area network (WAN) design, system administration, network device implementation/configuration, and network management. Prior to joining Booz Allen Hamilton, Mr. Robinson was an adjunct professor at Syracuse University and served as a reviewer for Network Computing Magazine in the area of emerging wireless technologies. Mr. Robinson has an M.S. in Telecommunications and Network Management from Syracuse University and a B.S. in Computer Science from Point Park University. He holds nine industry certifications covering wireless technologies, security, operating systems and IP networking, among them the CISSP, CWSP, CWNA, CCDA and CCNA.

Mr. Anthony D. Scott is an Associate with Booz Allen Hamilton. Mr. Scott is a licensed professional engineer (PE) in electrical engineering specializing in communications and control systems, and a Certified Information Systems Security Professional (CISSP). He has over five years of technical experience in secure commercial communications, ad hoc networking research, secure infrastructure networking, commercial device research, and military missile/radar systems analysis, with a comprehensive background in secure wireless communications, cryptography, secure Type-1 mobile handset 2.5G and 3G communications, hand-held two-way radio communications, and information security. Mr. Scott is currently the co-author of a NIST special publication detailing the IEEE 802.11i wireless medium access layer security enhancements. Mr. Scott graduated from the dual degree program at Georgia Institute of Technology (GT) and Morehouse College. He received a B.S. degree in Electrical and Computer Engineering from GT and a B.S. degree in Mathematics from Morehouse College. Mr. Scott also holds an M.S. degree from GT in Electrical and Computer Engineering.



Tutorial T4 (Full Day)

Security Policy Modeling

Dr. Steven J. Greenwald
Independent Consultant

Abstract

Security Policies are the basis for the design and implementation of security mechanisms, among other things. This tutorial starts with a definition of "policy" and the important top-level policy properties for the INFOSEC field. Notions of security policies are examined, as well as some sample policy objectives in the context of enterprise/organizational and automated security policies. The differences between formal and informal security policy models will be examined, and some of the most influential policy models in the field will be presented (in the areas of access control, confidentiality, integrity, and organization). An example of the security policy modeling process will be given with an actual example model. Security policy modeling guidelines will then be presented.

The ideal student is someone who knows nothing about Security Policy Modeling, or needs a refresher regarding the basics. Since it is unrealistic to assume that the students can absorb all of this material in a one-day tutorial, each will be given an annotated bibliography of seminal papers and reports (most available on the web) that will be covered during the tutorial and which they may use for future study and reference. A major goal of this tutorial is that the student should be able to effectively understand, research, and apply such material when it is later encountered.

Prerequisites:

None. Novice level.

High-Level Outline:

  1. Security Policy. Policy vs. Consensus. Definition of Security Policy. Objectives and Enforcement. Contrast with Organizational Policies. Automated Policies.
  2. Security Policy Models. Formal vs. Informal Models. Access Control Models. Well-known Models: Lampson, HRU, Bell-LaPadula, Biba, Clark-Wilson, Chinese Wall, RBAC, Secure Information Flow Models, DCM.
  3. Security Policy Modeling Guidelines. How to develop models. How to prove correctness and validity. Determining validity and completeness.
  4. Conclusions and General Q&A.

About the Instructor:

Dr. Steven J. Greenwald is an Independent Consultant in the field of Information Systems Security specializing in distributed security, formal methods, security policy modeling, covert channels, resource based security and related areas. He also works with enterprise/organizational security policy consulting, evaluation, training, and auditing. He is a Research Fellow at Virginia's Commonwealth Information Security Center (CISC), is an Adjunct Graduate Faculty member at James Madison University's Computer Science department teaching in their graduate INFOSEC program (a National Security Agency designated Center Of Academic Excellence in Information Assurance Education), and is an Applied Computer Security Associates (ACSA) Fellow. Dr. Greenwald was a visiting assistant professor at the University of Florida, and was employed as a computer scientist in the Formal Methods Section of the U.S. Naval Research Laboratory. He is also past general chair and past program chair of the New Security Paradigms Workshop (NSPW) and does other volunteer work in the field. Dr. Greenwald earned his Ph.D. degree in Computer and Information Science from the University of Florida (with a dissertation in the field of Information Systems Security). He has an M.S. degree in Computer Science and Information Systems from Barry University, and a bachelor's degree in Chemistry from Emory University.



Tutorial T5 (Full Day)

The Worm & Virus Threat

Dr. Nicholas Weaver
ICSI

Mr. Daniel Ellis
MITRE

Abstract

Mobile malicious code (mobile malcode) has resulted in the loss of tens of billions of dollars to the international economy. Far more devastating worms are feasible. Four observations lead us to believe that mobile malcode is a significant and increasing threat. First, many instances of mobile malcode could have caused much greater damage than they did. Second, advancements in malcode technology are making for far more potent attacks. Third, the vulnerabilities that pervade our infrastructure and the fabric of modern life are not being adequately removed and instead are becoming more tightly coupled. And, fourth, users and economies are becoming more dependent on this fragile infrastructure.

And this field is rapidly changing. In the past year, we have observed worms written by malicious, motivated, and capable attackers, worms released less than 48 hours after a vulnerability disclosure, and widespread worms infecting over 8 million hosts. We have also seen the development of first-generation anti-worm products, designed to stop scanning worms. In this tutorial we present different types of mobile malcode, including viruses and network worms. We focus more on the latter, as the antivirus industry offers reasonably robust defenses against viruses but much poorer defenses against worms. We explain the history of worms and viruses, the anatomy of malcode, what postures and countermeasures help mitigate the threat, and an overview of current efforts to combat the threat. We provide detailed analysis of several examples of contemporary mobile malcode.

A student will come away from this tutorial with a technical understanding of mobile malcode technology: what the threat is and why the threat exists. A student will also understand what defenses are available and what research approaches are being applied to address the problem.

Prerequisites:

A student should have a general understanding of networking, including TCP/IP. An understanding of software and the anatomy of a process will also be helpful.

High-Level Outline:

  1. Mobile Malcode Overview. Virus Overview. Email-Borne Viruses and Worms Overview. Worms Overview. Auto-updaters Overview. Hybrid Malcode Overview. The OODA Loop. Exploit Primer. Mobile Malcode Anatomy. Worm Defense Overview.
  2. A History of Viruses. First wild viruses. Fred Cohen's Work. Ken Thompson's Self-Replicating Code. First PC Virus. Early Destructive Virus. Email Viruses. Hybrid Malcode. Mail Viruses for Profit.
  3. A History of Worms. Shoch & Hupp. Morris Worm. Ramen, 1i0n, adore. Klez32. Code Red. Nimda. Slammer. Blaster/Welchia/Sasser. Witty.
  4. Current Defensive Postures. A general model of perimeters and perimeter failure. Firewalls. Antivirus. Intrusion detection and response.
  5. Advances in Malcode Technology. Hitlisting. Enhanced Scanning & Bandwidth-Limited Scanning. Firewall Penetration. Distributed, Authenticated Control. Polymorphic/Metamorphic Code. Toolkits.
  6. Areas of Future Research. Worm Containment. Honeyfarms. Distributed Analysis. Hardware Systems. Embedded Firewalls. Paranoid's Windows Network.
  7. Conclusion

About the Instructors:

Dr. Nicholas Weaver is a recent Ph.D. from the University of California at Berkeley, and is now a postdoctoral researcher at the International Computer Science Institute in Berkeley. His research interests involve FPGA (Field Programmable Gate Arrays) and computer security. His security work has focused on the threat of high-speed worms and other Internet-scale attacks, and automatic, network level defenses to counter these threats.

Mr. Dan Ellis is a senior infosec scientist at MITRE and a Ph.D. student at George Mason University. His interests are in information security, intrusion detection and malicious code in particular. His research is focused on developing defensive postures and countermeasures that are adequate to combat the worm threat in an enterprise setting.



Tutorial T6 (Full Day)

Acquisition and Analysis of Large Scale Network Data

Dr. John McHugh
SEI/CERT

Abstract

Detecting malicious activity in network traffic is greatly complicated by the large amounts of noise, junk, and other questionable traffic that can serve as cover for these activities. With the advent of low cost mass storage devices and inexpensive computer memory, it has become possible to collect and analyze large amounts of network data covering periods of weeks, months, or even years. This tutorial will present techniques for collecting and analyzing such data, particularly network flow data that can be obtained from many routers or derived from packet header data.

Because of the quantity of the data involved, we develop techniques, based on filtering of the recorded data stream, for identifying groups of source or destination addresses of interest and extracting the raw data associated with them. The address groups can be represented as sets or multisets (bags) and used to refine the analysis. For example, the set of addresses within a local network that appear as source addresses for outgoing traffic in a given time interval approximates the currently active population of the local network. These can be used to partition incoming traffic into that which might be legitimate and that which is probably not since it is not addressed to active systems. Further analysis of the questionable traffic develops smaller partitions that can be identified as scanners, DDoS backscatter, etc. based on flag combinations and packet statistics. Traffic to and from hosts whose sources appear in both partitions can be examined for evidence that its destinations in the active set have been compromised. The analysis can also be used to characterize normal traffic for a customer network and to serve as a basis for identifying anomalous traffic that may warrant further examination.
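The partitioning described above, as an added worked example that is not part of the tutorial's own materials or of the SiLK tools: a small Python script over constructed flow records that builds the active set from outgoing traffic, splits incoming flows by whether their destination is in that set, labels the questionable partition by flag combinations and per-source destination counts, and lists active hosts that were contacted by a source also seen in the questionable partition. The local prefix 10.0.0.0/24, the scan threshold, the flag strings and every address are assumptions chosen for the example.

```python
"""Active-set partitioning of flow records (constructed example, not SiLK code)."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumption: the monitored customer network (hypothetical prefix for this example).
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
# Assumption: distinct inactive destinations a source must SYN before it is called a scanner.
SCAN_THRESHOLD = 3


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    flags: str    # TCP flags seen over the flow, e.g. "S", "SA", "RA", "A"
    packets: int


def is_local(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LOCAL_NET


def active_set(flows):
    """Local addresses seen as sources of outgoing traffic: the active population."""
    return {f.src for f in flows if is_local(f.src) and not is_local(f.dst)}


def partition_incoming(flows, active):
    """Incoming flows to active hosts may be legitimate; the rest are questionable."""
    legit, questionable = [], []
    for f in flows:
        if is_local(f.src) or not is_local(f.dst):
            continue  # outgoing or transit traffic, not an incoming flow
        (legit if f.dst in active else questionable).append(f)
    return legit, questionable


def classify_questionable(questionable):
    """Label questionable flows from flag combinations and per-source statistics."""
    syn_targets = defaultdict(set)  # external source -> inactive destinations it SYNed
    for f in questionable:
        if f.flags == "S":
            syn_targets[f.src].add(f.dst)
    labels = {}
    for f in questionable:
        if f.flags == "S" and len(syn_targets[f.src]) >= SCAN_THRESHOLD:
            labels[f] = "scanner"
        elif f.flags in ("SA", "RA", "R"):
            # Replies to connections nobody here opened: typical DDoS backscatter
            # from a victim that received SYNs spoofed with our addresses.
            labels[f] = "backscatter"
        else:
            labels[f] = "other"
    return labels


def suspect_active_hosts(legit, questionable):
    """Active hosts reached by a source that also appears in the questionable partition."""
    dual_sources = {f.src for f in questionable}
    return {f.dst for f in legit if f.src in dual_sources}


# Constructed sample interval: two active local hosts, one SYN sweep, some backscatter.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", "S", 6),    # outgoing: 10.0.0.5 is active
    Flow("10.0.0.9", "198.51.100.21", "S", 4),    # outgoing: 10.0.0.9 is active
    Flow("198.51.100.20", "10.0.0.5", "SA", 5),   # reply to an active host
    Flow("203.0.113.7", "10.0.0.9", "S", 3),      # inbound connection to an active host
    Flow("203.0.113.7", "10.0.0.11", "S", 1),     # same source sweeping inactive space
    Flow("203.0.113.7", "10.0.0.12", "S", 1),
    Flow("203.0.113.7", "10.0.0.13", "S", 1),
    Flow("192.0.2.44", "10.0.0.200", "SA", 1),    # unsolicited SYN/ACK to inactive host
    Flow("192.0.2.44", "10.0.0.201", "RA", 1),    # unsolicited RST/ACK to inactive host
    Flow("198.51.100.99", "10.0.0.77", "A", 2),   # stray ACK, left as "other"
]


def analyze(flows=SAMPLE_FLOWS):
    active = active_set(flows)
    legit, questionable = partition_incoming(flows, active)
    labels = classify_questionable(questionable)
    return {
        "active": active,
        "legit": len(legit),
        "questionable": len(questionable),
        "labels": dict(Counter(labels.values())),
        "suspect_hosts": suspect_active_hosts(legit, questionable),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

On the sample interval the script reports 10.0.0.5 and 10.0.0.9 as active, two possibly legitimate and six questionable incoming flows, labels the questionable ones as three scanner, two backscatter and one other, and singles out 10.0.0.9 for closer examination because 203.0.113.7 both connected to it and swept inactive addresses.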

Prerequisites:

General familiarity with IP network protocols. Elementary familiarity with simple statistical measures.

High-Level Outline:

  1. Introduction. Review of IP packet structures. Network data collection tools. A quick tour of "interesting data".
  2. The SiLKtools collection suite. Transport and Packaging. The packing system. Inserting data from other sources.
  3. The SiLKtools Analysis Suite. Data fields and features. Selecting data for analysis, including selecting raw records, building sets of IP addresses, manipulating sets and bags, and partitioning raw data. Elementary analysis, including network structure, feature extraction, ordering data, and flow counting.
  4. Advanced Analysis. Finding Connections, including Bloom filters and other sparse relationships, eliminating non-connections, consolidating unidirectional flows, and matching bidirectional components. Looking for scanners, including high density scanners, worm residue and related noise, and low rate and distributed scans. Clustering extracted features. Address entropy measures and their use.
  5. Case studies. Worms and worm outbreaks. Estimating DDoS attack severity. A collection of strange individual host behaviors. Analysis of emergent internet behaviors.
  6. General Questions and Discussion

About the Instructor:

Dr. John McHugh is a senior member of the technical staff with the CERT Situational Awareness Team, where he does research in survivability, network security, and intrusion detection. Recently, he has been involved in the analysis of large scale network flow data. He was a professor and former chairman of the Computer Science Department at Portland State University in Portland, Oregon. His research interests include computer security, software engineering, and programming languages. He has previously taught at The University of North Carolina and at Duke University. He was the architect of the Gypsy code optimizer and the Gypsy Covert Channel Analysis tool. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has an MS degree in computer science from the University of Maryland, and a BS degree in physics from Duke University.