[ACSAC-Dec 8-12, 1997-SAN DIEGO]

Tutorial Program

Firewalls: High Performance, High Availability, High Security
A Full Day Tutorial, 8:30 am, Monday, December 8, 1997, Registration Code: M1

Course Director:
Norm Laudermilch
Uunet Technologies, Inc.

Course Objective:
This tutorial will briefly cover the philosophies of firewalls, and then move into a discussion of building firewalls for mission critical operations. More and more organizations are relying on Internet and external connectivity for their mission critical applications, and the firewalls that protect those connections are needed to provide a higher level of performance and reliability. There are difficult problems associated with building reliable firewalls that support speeds of 45 Mbit/sec and up, and this tutorial addresses many of them. Also presented will be discussions of which operating systems to use (UNIX, NT, etc.), which hardware to use (PC hardware, UNIX workstations, etc.), and which services to allow and deny. This tutorial requires a basic knowledge of firewall technologies and architectures, UNIX, TCP/IP networking, and a general understanding of the vulnerabilities of common Internet protocols. While brief discussions of these topics will be presented to support the tutorial material, there will not be in-depth training on any of these subjects.

Course Outline:
1. Introduction
2. Philosophies/Background
3. High Performance Firewalls
4. Wrap Up


Security and Reliability for Electronic Commerce Applications

A Full Day Tutorial, 8:30 am, Monday, December 8, 1997, Registration Code: M2

Course Directors:
Brian Tetrick and David Klur
Deloitte & Touche

Course Objective:
This tutorial describes the role of security and reliability in successful applications of electronic commerce, and explains some of the key challenges faced in establishing and maintaining secure and reliable electronic business processes.

Course Outline:
1. Introduction
2. Security and Reliability Play Critical Roles
3. The Secure and Reliable Electronic Commerce Infrastructure
4. Security and Reliability in Electronic Commerce Applications
5. Case Studies and Their Overall Security Approaches


Alternate Assurance vs. Evaluation Assurance within the Common Criteria

A Full Day Tutorial, 8:30 am Monday, December 8, 1997, Registration Code: M3

Course Director:
Aaron Cohen
JOTA System Security Consultants

Course Objective:
In the beginning, assurance was simple. The Orange Book (TCSEC) specified what assurance was in terms of pre-defined packages (C1, C2, B1, B2, B3, and A1), and the Yellow Book instructed users on how much assurance was needed. With the rise of alternate assurance methodologies and the release of the Common Criteria (CC), this is no longer the case. The CC does not contain absolute assurance packages as the TCSEC does, and claims to encompass developmental assurance. This tutorial will examine the CC assurance structure and the ability to roll your own assurance, as well as the fundamental differences between alternate assurance and evaluation assurance. Alternate assurance methodologies (SSE-CMM, TCMM, ISO 9000, and X/OPEN) will be compared to the CC to investigate how alternate assurance may be used to shorten the evaluation schedule and possibly replace evaluations. In addition, the CC will be examined to see where and how alternate assurance fits in and how the CC can become an assurance framework. The tutorial will end with a review of some of the ongoing assurance activities, such as the assurance framework work by WITAT, AAWG, and ISO.

Course Outline:
1. What is assurance?
2. Assurance types
3. An assurance framework
4. Introduction to some alternate assurance methodologies
5. Comparison of alternate assurance and evaluation assurance
6. Can alternate assurance methodologies replace evaluations?
7. Ongoing assurance activities


Internet and Intranet Security

A Full Day Tutorial, 8:30 AM, Tuesday, December 9, 1997, Registration Code: T4

Course Director:
Dr. Rolf Oppliger
Swiss Federal Office of Information Technology and Systems (BFI)

Course Objective:
There are several security technologies available today that can be used to provide Internet and intranet security. In particular, there are firewalls to provide access control services and cryptographic protocols to provide communication security services, such as authentication, data confidentiality, data integrity, and non-repudiation. In fact, many cryptographic protocols have been developed, proposed, and partly implemented to provide security services at the Internet, transport, and application layers. The aim of this tutorial is to give an overview of the various security technologies that are available today to secure TCP/IP-based networks, and to discuss their advantages and disadvantages with regard to deployment within the Internet or corporate intranets. The tutorial is organized as follows:

Course Outline:
1. Fundamentals
2. Access Control
3. Communications Security
4. Discussion


Role and Task Based Access Control

A Full Day Tutorial, 8:30 AM, Tuesday, December 9, 1997, Registration Code: T5

Course Director:
Dr. Ravi Sandhu
George Mason University

Course Objective:
Role and task based access control are rapidly emerging as viable mechanisms that are much better suited to the needs of the commercial and non-classified government sectors than the classic discretionary and mandatory access controls, which grew out of the military sector. A critical mass of consensus has been reached on what constitutes role and task based access control (although debate continues on some of the details). This tutorial will provide a comprehensive, self-contained and up-to-date review and analysis of the principles and practice of role and task-based access control. The target audience is assumed to have basic familiarity with INFOSEC principles and practice.

Course Outline:
1. Limitations of Discretionary and Mandatory Access Controls
2. Role-Based Access Control (RBAC)
3. RBAC in Commercial Systems and Standards
4. Administrative Role-Based Access Control (ARBAC)
5. Relationship of RBAC to Other Access Control Models
6. Application of RBAC to Control of Executable Content
7. Task-Based Access Control (TBAC)
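The following is an added illustration of the RBAC and ARBAC material in this outline, not code from the tutorial. It implements the core pieces in a few dozen lines: a role hierarchy (a senior role inherits its juniors' permissions), least-privilege sessions that activate only a subset of a user's roles, a static separation-of-duty constraint between mutually exclusive roles, and an administrative range that limits which roles an administrative role may assign. The roles, users, objects and the "secadmin" administrative role are constructed sample data.

```python
"""Minimal RBAC engine with role hierarchy, sessions, static separation of
duty and an ARBAC-style administrative range. Added example; all policy data
below (roles, users, objects) is constructed for illustration."""

from dataclasses import dataclass, field


@dataclass
class RBAC:
    # role -> set of (object, operation) permissions assigned directly to it
    permissions: dict = field(default_factory=dict)
    # role -> set of junior roles it inherits from (role hierarchy)
    juniors: dict = field(default_factory=dict)
    # user -> set of roles the user is authorised to activate
    assignments: dict = field(default_factory=dict)
    # pairs of roles no single user may hold (static separation of duty)
    exclusive: set = field(default_factory=set)
    # administrative role -> set of roles it is allowed to assign
    admin_range: dict = field(default_factory=dict)

    def add_role(self, role, perms=(), inherits=()):
        self.permissions[role] = set(perms)
        self.juniors[role] = set(inherits)

    def effective_roles(self, role):
        """Transitive closure over the hierarchy: a role plus every junior."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, admin, user, role):
        """Assign `role` to `user` on behalf of `admin`. Refuses if the admin's
        roles do not cover `role` or if it conflicts with a role already held."""
        allowed = set()
        for r in self.assignments.get(admin, ()):
            for er in self.effective_roles(r):
                allowed |= self.admin_range.get(er, set())
        if role not in allowed:
            return False
        for held in self.assignments.get(user, set()):
            if (held, role) in self.exclusive or (role, held) in self.exclusive:
                return False
        self.assignments.setdefault(user, set()).add(role)
        return True

    def open_session(self, user, roles):
        """Activate a subset of the user's assigned roles (least privilege)."""
        roles = set(roles)
        if not roles <= self.assignments.get(user, set()):
            raise PermissionError(f"{user} may not activate {sorted(roles)}")
        return roles

    def check(self, session_roles, obj, op):
        """Access decision: permitted if any active role, or a junior of it,
        directly holds (obj, op)."""
        for r in session_roles:
            for er in self.effective_roles(r):
                if (obj, op) in self.permissions.get(er, set()):
                    return True
        return False


def build_sample():
    """Constructed sample policy with a small hierarchy rooted at 'employee'."""
    p = RBAC()
    p.add_role("employee", perms={("bulletin", "read")})
    p.add_role("clerk", perms={("billing", "write")}, inherits={"employee"})
    p.add_role("auditor", perms={("billing", "read")}, inherits={"employee"})
    p.add_role("physician", perms={("chart", "write")}, inherits={"employee"})
    p.add_role("secadmin")
    p.exclusive.add(("clerk", "auditor"))   # nobody both writes and audits billing
    p.admin_range["secadmin"] = {"employee", "clerk", "auditor", "physician"}
    p.assignments["root"] = {"secadmin"}    # only root may administer roles
    return p


def demo():
    """Run the policy through the cases the tutorial outline names."""
    p = build_sample()
    out = {}
    out["assign_clerk"] = p.assign("root", "alice", "clerk")            # True
    out["assign_auditor_conflict"] = p.assign("root", "alice", "auditor")  # SoD: False
    out["assign_by_non_admin"] = p.assign("alice", "bob", "physician")  # no range: False
    p.assign("root", "bob", "physician")
    s = p.open_session("alice", {"clerk"})
    out["clerk_writes_billing"] = p.check(s, "billing", "write")        # True
    out["clerk_reads_bulletin"] = p.check(s, "bulletin", "read")        # inherited: True
    out["clerk_writes_chart"] = p.check(s, "chart", "write")            # False
    try:
        p.open_session("bob", {"secadmin"})
        out["bob_escalates"] = True
    except PermissionError:
        out["bob_escalates"] = False                                     # False
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is that the administrative check is itself expressed with roles: "root" can assign roles only because the "secadmin" role's range says so, and an ordinary user holding "clerk" gets no administrative power from the hierarchy. Separation of duty is enforced at assignment time, so the conflict cannot be bypassed by a later session.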


Java and COM/DCOM/ActiveX Security

A Half Day Tutorial, 8:30 am, Tuesday, December 9, 1997, Registration Code: T6

Course Directors:
Kate Arndt and Susan Chapin
The MITRE Corp.

Course Objective:
Much has been written about the relative security of Java and COM/DCOM/ActiveX, not all of which is factual. This tutorial attempts to clarify the facts. The tutorial describes Java and COM/DCOM/ActiveX, compares their security models, examines the security services that they provide, and discusses the extent to which they can interoperate securely.

Course Outline:
1. Introduction
2. Installed Client/Server Application Security
3. N-Tier Application Security
4. Mobile Code Security
5. Interoperation
6. Summary


Penetration Testing

A Half Day Tutorial, 1:30 pm, Tuesday, December 9, 1997, Registration Code: T7

Course Director:
Debra Banning
Booz, Allen, and Hamilton, Inc.

Course Objective:
The aim of this tutorial is to give the student an accurate depiction of the role penetration testing plays in analyzing a system's overall security posture. This penetration testing tutorial is designed to provide the student with a thorough understanding of penetration testing concepts, terminology, approaches and techniques that can be applied to all system and network configurations. This course is NOT intended to teach a student specific system vulnerabilities and how to exploit them, but it will provide information on publicly available sources and tools that are commonly used by hackers. During this course the student will learn how penetration testing fits into life-cycle system/network security and how it can complement other commonly performed security activities such as risk analysis and security test and evaluation. The student will also learn the limitations of penetration testing, and that it is not a comprehensive analysis of a system's security. At the completion of this course, the student should have a better understanding of what penetration testing is and is not, how it can be beneficial to organizations, and the restrictions imposed when it is performed by professional consultants within legal boundaries. The student will have obtained the basic foundation necessary for building a penetration testing capability and performing penetration tests.

Course Outline:
1. Introduction to Penetration Testing
2. Approaches to Penetration Testing
3. Building a Penetration Testing Capability
4. Penetration Testing Scenarios
5. Performing Penetration Testing