Conference: August 5 - 7, 2003
The Peter Kiewit Institute
Scott Conference Center
Omaha, NE USA

CONFERENCE

Keynote Sessions

TK-1:
Ray Semko

WK-2:
Jim Christy

HK-3:
Georgia Killcrece

Sessions

TT-1:
Introduction to Forensics 101
Joseph A. Juchniewicz, Americredit

Abstract The ability to have a valid, reliable medium for information transfer has grown from a select group of universities into the juggernaut of today’s information highway. As with any kind of technology, some individuals may corrupt the system and use it for malicious or illegal activities. These threats need to be examined to discover if they are internal “employees” or external “hackers”. To create a defense against these threats, today’s security professionals require the ability not only to gather information, but to present the data to management, lawyers, or even a judge and jury at a level that they can understand and draw valid conclusions from if called upon to do so. In the current environment computer forensics is in its infancy, but is starting to be a widely used tool. Its importance is starting to take shape and be recognized, and within the next five years it will be an integral part of any computer investigation.

TT-2:
Methodology for Incident Prevention & Response (MIPR)
Robert Bagnall, IDefense

Abstract The MIPR is a process for standardizing how contractors deliver CERT services at customer locations. The analogy is that McDonald's became a global American icon by making sure that the burger you order in California tastes the same as the one you order in Nebraska - or Washington, DC. You expect the same level of service delivery everywhere you see their sign, and it should be no different with CERT operations delivered by the same company. Through a series of steps with consistent processes and supportive technologies [such as asymmetrical agent defenses], Bagnall demonstrates how to standardize CERT delivery, regardless of customer, as well as how to provide a consistent level of skilled personnel to each operation.

TT-3:
Process Capability for Information Assurance: Security Engineering Practices for Better Bottom-Line Results
Matthew O’Brien, SAIC

Abstract Assessments of an enterprise’s security posture have historically taken a balance sheet approach: listing discrete technical strengths and weaknesses at a specified point in time. This emphasis often obscures the issue of an enterprise’s ability to consistently execute security-engineering practices that prevent, identify and remedy security vulnerabilities. Capability maturity models provide a framework to build process capability. For Information Assurance, process capability maturity is the heart of the matter--the robustness of an enterprise’s security posture is ultimately dependent upon consistent execution of security engineering practices.

TT-4 & TT-5:
Best Practices for Secure Development, Free Security
Ron Woerner, Solutionary

Abstract The National Strategy to Secure Cyberspace says, "An important goal of cybersecurity will be the development of highly secure, trustworthy, and resilient computer systems." But how do we do that?! This session will discuss general security guidelines for developers and will explain methods of security and software engineering. The presenter will give specific tips on secure programming that will benefit developers, program managers and project leaders alike. You will leave this session understanding how to develop your own methodology for creating secure code to help meet this critical goal of the Cybersecurity Strategy.

WT-1:
Using Cryptographic Methods to Verify the Authenticity of Mobile Agents
Dr. Volker Roth, CRCG Omaha and Fraunhofer, Germany

WT-2:
Wireless LANs, Lessons Learned
David Borden, ACS Defense

Abstract After hearing the session, the student should be able to describe a wireless network and enumerate how it differs from a wired network. They should understand the various relevant IEEE Protocols dealing with wireless networking. The student should be able to describe good wireless network security practices and know why they are important. They should be able to list adversaries’ attacks on the wireless network and describe the defense against each attack. The student should be able to describe wireless intrusion detection system techniques and know how they differ from wired systems. They should leave the session with a feeling that they could employ wireless networking without fear of hacker attack using the techniques enumerated.

WT-3:
Web Application Security: Risks and Concepts of Security
Kris Drent, Partner, Information Security Consultant, Security PS, Inc.

Abstract Drawing from years of field experience and research, this eye-opening session puts web application security in perspective and presents an overview of the kinds of vulnerabilities and risks that are prevalent in web applications today. The topics of this event include: application of information security principles, web application risks and vulnerability examples, network/host security versus web application security, and first steps toward mitigating web application security risk. This seminar is designed for anyone actively involved with designing, developing, auditing, or deploying web applications within their organization.

WT-4:
Kerberos and Active Directory Interop
Bob McCoy, Microsoft Corporation

Abstract Everyone is looking for a single sign-on solution. This session will look at using Kerberos for authenticating to Active Directory. We will also explore the mechanics and available tools for managing UNIX/Linux users in an AD environment.

WT-5:
Effective Use of SNORT IDS System
Aaron Grothe, President/CEO of Heimdall Linux Incorporated

Abstract This talk will go into some of the lessons learned and experiences gathered during the process of running Snort in a large enterprise company. A rough comparison of Snort to other IDS systems will be included. During its initial six month run quite a bit of data was gathered and several changes to policy and network infrastructure were implemented. This talk will also cover some of the ideas considered for the next six months.

HT-1, HT-2:
Open Source and Incident Response
Joe Loftshult, InteliData Technologies

Abstract When you know, or suspect, that one or more of your systems has been compromised and you want to investigate the incident, how do you do it? You can buy a commercial product (hardware and/or software) that will assist you in the incident response and/or forensic analysis process, but why spend thousands of dollars on such products when you can achieve the same results using open source tools? The open source community has provided many terrific tools ranging from the standard Unix/GNU tools to toolkits such as TASK to bootable, all-inclusive toolkits such as F.I.R.E. This presentation will describe some of the tools available in the open source world, with an emphasis on the F.I.R.E. (Forensic and Incident Response Environment) toolkit. This presentation is targeted at those who are in positions in which they may need to respond to security incidents and don’t want to spend a fortune putting together a good jump kit.

HT-3:
A Methodology to Implement, Operate, and Maintain an Information Security Process
Leonardo Garcia, Intelematica

Abstract The main objective of this session is to share with the audience the experience gained on Mexico Federal Government projects. This session will cover implementation, operation, and maintenance of information security processes and will explain the methodology and how it is founded on a strategic, tactical and operational program.

HT-4, HT-5:
System and Network Hacking
David Askey, TechNow, Inc.

Abstract This two-hour tutorial exposes the strategies and attacks of the hacker. A question and answer session follows the tutorial. Attendees do not just get lectured on vulnerabilities and exploits, but see hands-on demos of network attacks utilizing systems, routers, and switches. This inspires the attendee to really think about their enterprise implementations. The specific attacks demonstrated are ARP spoofing, switch attacks, router attacks, session hijacking, and the effects of network visibility (including wireless) in viewing files, web traffic displayed in a browser, and email. Also a step-by-step demo is given on how Trojans and backdoors that circumvent firewalls and router access control lists are deployed. The presenter then discusses how the backdoors and Trojans are used to deploy agents that perform the network attacks presented earlier in the tutorial. The technical process of the attacks is discussed prior to each demo and live packet traces are displayed during the demo. This tutorial tells the story of attacks, from beginning to end, demonstrated with working exploits from a highly qualified presenter.
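The ARP spoofing the tutorial demonstrates works by pushing ARP replies nobody asked for, so that victims cache the attacker’s MAC for the gateway’s IP and traffic flows through the attacker (which is what makes the later sniffing and session hijacking possible). As an added example, not part of the tutorial, here is a small detector in shell and awk that reads `tcpdump -e -n arp` style output and flags the two tell-tale signs: a reply that no request on the wire solicited, and an IP whose MAC changes. The capture lines in SAMPLE are constructed for the example; the addresses and MACs are made up.

```shell
#!/bin/sh
# Added example: spot ARP cache poisoning in a packet trace.
# Input is tcpdump output of the form produced by `tcpdump -e -n arp`;
# the sample below is constructed, addresses and MACs are invented.
SAMPLE=$(cat <<'EOF'
12:00:01.000000 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.50, length 28
12:00:01.000400 00:50:56:11:22:33 > 00:0c:29:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:50:56:11:22:33, length 28
12:00:02.000000 00:50:56:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.50 tell 192.168.1.1, length 28
12:00:02.000300 00:0c:29:aa:bb:cc > 00:50:56:11:22:33, ethertype ARP (0x0806), length 42: Reply 192.168.1.50 is-at 00:0c:29:aa:bb:cc, length 28
12:00:05.000000 00:0c:29:de:ad:00 > 00:0c:29:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:0c:29:de:ad:00, length 28
EOF
)

# Read ARP lines on stdin and print one alert line per finding:
#  UNSOLICITED: a Reply for an IP that no Request on the wire asked about
#               (poisoning tools push replies; normal stacks answer requests)
#  CONFLICT:    an IP that was is-at one MAC is now claimed by another
arp_watch() {
  awk '
    /ethertype ARP/ && /Request who-has/ {
      for (i = 1; i <= NF; i++) if ($i == "who-has") asked[$(i+1)] = 1
      next
    }
    /ethertype ARP/ && /Reply/ {
      ip = ""; mac = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "Reply") ip = $(i+1)
        if ($i == "is-at") { mac = $(i+1); sub(/,$/, "", mac) }
      }
      if (ip == "" || mac == "") next
      if (!(ip in asked))
        printf "UNSOLICITED %s reply %s is-at %s\n", $1, ip, mac
      delete asked[ip]
      if ((ip in seen) && seen[ip] != mac)
        printf "CONFLICT %s %s was %s now %s\n", $1, ip, seen[ip], mac
      seen[ip] = mac
    }'
}

# Run the detector over the constructed sample; returns the alert lines.
demo_alerts() { printf '%s\n' "$SAMPLE" | arp_watch; }

# Live use (not run here):  tcpdump -l -e -n -i eth0 arp | arp_watch
# The host-side defence for the mapping that matters most is a static
# entry that a forged reply cannot overwrite, e.g. on the victim:
#   arp -s 192.168.1.1 00:50:56:11:22:33
demo_alerts
```

The last sample line is the attack: the third MAC claims the gateway address without a preceding request, so both alerts fire on it. A static ARP entry on the critical hosts, or port security / dynamic ARP inspection on the switch, is what actually stops the poisoning; the detector only tells you it happened.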

TM-1 TM-2:
Solaris 8
Tom Roehr, Physicians Mutual

TM-3:
Organizational Issues of Implementing IDS
Shayne Pitcock, First Data Corporation

Abstract Companies are aware of the need for a firewall to deny unauthorized access, computer hacking, or intrusions to their computing systems. Companies may also be aware of the need for Intrusion Detection Systems (IDS) to monitor possible computing intrusions. Most companies don’t understand the total commitment and extensive requirements to implement IDS tools. The key factor is that someone must monitor the IDS tools for effective, proactive monitoring of possible computing intrusions. IDS tools are useful for monitoring the network traffic allowed to pass a company firewall. IDS tools are also useful for monitoring the critical system files of a company's business. The company that wishes to implement IDS tools must understand that installing the IDS tools is only 20% of the effort. The remaining 80% of the effort to implement IDS tools requires that a company work through the issues identified in this session. An adequate systems and programmatic approach will address the problems around the installation of IDS tools.

TM-4:
Day in the Life of a Hacker
Michael Endrizzi, InterSec

Abstract "Day in the Life of a Hacker" is an interactive introduction to the techniques of Internet hackers and the serious dangers they pose to organizations. This interactive presentation, designed to be understood by the CEO, technical workers, or your everyday employee, challenges the audience to play the roles of hacker versus security analyst in a game of measures, attacks and countermeasures. The audience attempts to identify defenses as the hackers work to find these major weaknesses. Highlights include a detailed analysis of buffer overflow and Malicious Mobile Code (Java/ActiveX) attacks that have crippled the Pentagon and Microsoft. Most of the demonstrated attacks are not stopped by firewalls or intrusion detection systems. As a result, anyone from a CEO to your Network Administrator will understand that technical countermeasures alone are self-defeating and that the people, processes, procedures and technology aspects of security must be addressed in an effective security program.

TM-5:
Security Policies: Your First Line of Defense
Bruce Hartley, Privisec

Abstract The foundation of a successful information security program is a strong security policy. Without one, your company’s systems are more vulnerable to attack, both internally and externally. The initial policy must also be continually reviewed, updated, and communicated to ensure it addresses your changing business needs and/or regulatory requirements, such as the Gramm-Leach-Bliley Act and HIPAA. An equally important part of an effective security policy is the development of implementation standards, which are designed to translate the policy into operating system-specific configuration guidelines. These guidelines ensure that IT professionals can easily implement the policy for each operating system on the network. This session will address the basic steps of developing an enterprise-wide security policy, including the following: Reviewing existing security relevant policies and procedures; defining protection requirements; developing the security policy document; and developing the implementation standards.

WM-1:
Justify the Return on Investment
Chris Shepherd, ICCT Corp

Abstract Security investment is hard to quantify. The need is known, the impact is real, justifying it ahead of time is difficult. This session shows how to use business defined return on investment as a core and how to use realistic extrapolations to determine impact and loss deference of investing in appropriate security.

WM-2:
Wireless Network Security: Technologies, Guidelines & Management
Steve A. Rodgers, Security PS, Inc.

Abstract This informative session will discuss current wireless network technologies focusing on the security features and benefits of each. Implementation guidelines as well as management issues will also be covered. The topics of this session include: Wireless Network Technology Overview, Wireless Security Technologies, Guidelines for Secure Wireless Implementation, Management Issues, and Wireless Security Resources.

WM-3:
The Insider Threat – Are You Safe From Internal Attack?
Bruce Hartley, Privisec

Abstract Most companies recognize the need for network security and continually focus on maintaining adequate protection. Many have taken the steps necessary to safeguard their systems from external attacks. Often, however, these same companies overlook internal security despite the fact that a significant percentage of computer abuse stems from internal problems. These problems range from intentional insider abuses to accidental discoveries and mistakes. Because an insider already has physical and logical access to the system, an understanding of what data is sensitive, and possibly an understanding of the security controls, the potential for misuse is very high. This oversight can unnecessarily expose a company to not only internal threats, but also successful penetration when internal attacks occur. Successful internal attacks are often a result of improper configuration. Additionally, many available security mechanisms, such as minimum password lengths, password histories, and security auditing, are not used. These vulnerabilities are easily preventable when strong internal security is maintained. This session will address the importance of protecting your organization from internal attacks, as well as provide information on how to improve your internal security.

WM-4:
Ethical Hacking: The Value of Penetration Testing
Bruce Hartley, Privisec

Abstract For competitive businesses, the goal of technology is to create competitive advantages. Today's powerful computing and networking environments create unlimited opportunities for innovative new customer services, increased employee productivity, and higher profitability. However, all the benefits of advanced technology can disappear in an instant if the system is not secure. As a company's dependence on enterprise computing and network systems increases, so does its dependence on security, data integrity, and reliability mechanisms. Unfortunately, computer crime and abuse is serious and on the rise. One of the biggest reasons firms are vulnerable is because they have NOT established and implemented a formal security policy. As a result, their systems are NOT consistently configured and weaknesses are common. The session will cover the concepts and the process of both internal and external penetration tests. The main focus will be on the process, tools and techniques used to identify computing devices, scan for vulnerabilities, and to exploit any identified vulnerabilities. Case studies, from multiple industries, will be used to further illustrate both the process and the results that ethical hacking can provide.

WM-5:
Risk Considerations in Developing Security Ops Center
Ed Covert, ICS Corp

HM-1, HM-2:
Back to the Future
John Casciano, SAIC

Abstract Mr. Casciano's presentation will draw historical parallels between the role played by Omaha and Nebraska during the Cold War and its new role in helping America cope with Twenty-first Century threats and vulnerabilities. Nebraska's position as both a major financial and security center as well as STRATCOM's new missions place Omaha and Nebraska at the forefront in a newly evolving concept of National Security. Nebraska, Omaha, STRATCOM, and its predecessor Strategic Air Command have a long history of thinking and acting globally, and that is exactly what is required in the first part of this century. Non-kinetic operations in cyberspace, both defensive and offensive, are a central part of Nebraska's future. The presentation will include a view of lessons from the past and their implications for the future as the regional players go forward.

HM-3:
Information Security Career Guide
William Sieglein, Fortrex Technologies Inc.

Abstract This tutorial provides: the history of the field, naming some successful professionals; an outlook; a description of the current job titles/positions in this field; the minimum skills, knowledge and experience required to be successful in an information security career; a description of the minimal education and training, as well as experience, required; information on how to decide on goals and how to establish a strategy and tactics to achieve those goals; insight on improving your overall chances of succeeding in the field of information security; and case studies of various security professionals who have succeeded using diverse approaches.

HM-4, HM-5:
Privacy & Security Laws
Kate Wakefield, Costco

Abstract The legal landscape for Privacy legislation within the United States is a rapidly changing environment. Recently enacted legislation such as the Gramm-Leach-Bliley Act, and the finalization of HIPAA Privacy and Security rules, combine with existing sector-specific privacy rules to provide a highly regulated environment with serious civil and criminal penalties, as well as increased legal liability. Information security professionals need to be informed about legislation that applies to their organization so that they can implement appropriate policies, procedures, and security architectures. This tutorial will provide an overview of the relevant legislation, the types of information that must be protected in each state, and pointers to best practices for securing information. The prospective audience is information security professionals and managers. No prior legal experience or knowledge of the subject area is required. The tutorial will include a webliography with extensive online resources.

TE-1:
AI Techniques
Steve Nugen, NuGenSoft

Abstract Models and methods associated with machine intelligence can be leveraged to create more powerful InfoSec attacks that discover and exploit vulnerabilities, adapting to evade detection. These same methods can also be leveraged for stronger assessments, smarter detection, and adaptive countermeasures. The presenter will review published research in this area and some of his own thoughts on the subject.

TE-2:
MVS (z/OS) Security Issues
Steve Wiggin, Mutual of Omaha

Abstract An overview of the MVS (z/OS) operating system and what all those acronyms mean, like APF, SVC, SMF, and TSO. This session will give a basic description of the MVS environment and present some issues that, as a security professional, you will probably want to look into when you get back to your company.

TE-3:
Creating an Effective Audit Policy for Oracle Databases
Aaron Grothe, President/CEO of Heimdall Linux Incorporated

Abstract Oracle databases provide rich auditing functionality. Very few companies have implemented this capability because it is thought to be too resource intensive. For full auditing this may be true, but a limited audit policy can yield valuable information without imposing too large a performance impact on a system. This talk goes into the groundwork of laying out an effective policy and some of the benefits and costs of pursuing a more complete audit policy.

TE-4 and TE-5:
Tutorial & Case Study in Implementing Linux Network Security
Oskar Andreasson, Direct2Internet

Abstract In the first session Oskar will bring into focus a brief overview of iptables and IP system controls (ipsysctl) structures later used in the case study. Iptables is a set of programs and applications used to control the firewalling capabilities of the Linux kernel, or netfilter as it is also called, while ipsysctl is a set of structures inside the kernel that can be set at runtime of the Linux OS. Both of these give tremendous power and possibilities when setting up Linux security properly. Additionally, he will look at different ipsysctl settings, such as IP forwarding, reverse path filters and garbage collection thresholds available through ipsysctl at runtime, as well as how the iptables applications work, among other things. During the second part of the tutorial he will take a look at a case study, where students set up a webserver with connections to databases and an application server both on the local host and on other hosts on a separate network. Oskar will also discuss decisions and different possible paths to take.
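As an added example, not code from the tutorial, here is the shape of what the case study describes: the ipsysctl keys the abstract names set for a host that is not a router (forwarding off, reverse-path filtering on), and a default-deny iptables policy for a web server that accepts HTTP/HTTPS from anywhere and may only open the database and application-server ports it needs on a separate network. The interface name, the 10.20.0.0/24 network, the host addresses and the service ports are assumptions chosen for illustration. The rules are emitted as text so they can be reviewed or diffed before being applied.

```shell
#!/bin/sh
# Added example: host firewall and ipsysctl settings for a web server that
# talks to a database and an application server on a separate network.
# The interface, addresses and ports below are assumptions for illustration.
WEB_IF=${WEB_IF:-eth0}
APP_NET=${APP_NET:-10.20.0.0/24}   # assumed network holding the app/db hosts
DB_HOST=${DB_HOST:-10.20.0.10}     # assumed database server
DB_PORT=${DB_PORT:-5432}
APP_HOST=${APP_HOST:-10.20.0.20}   # assumed application server
APP_PORT=${APP_PORT:-8009}
IPT=${IPT:-iptables}

# ipsysctl keys for a single-homed server: no forwarding (it is not a router),
# reverse-path filtering so packets with a source address that does not route
# back out the arriving interface are dropped, ICMP redirects and source
# routing ignored, SYN cookies on. One key=value per line.
sysctl_settings() {
  cat <<EOF
net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
EOF
}

# The ruleset, one iptables command per line. Policies are set to DROP before
# the flush so there is never a window with an open table; then only the NEW
# connections this host may accept (web from anywhere, ssh from the app
# network) or initiate (its own database and app server) are allowed.
firewall_rules() {
  cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -F
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $WEB_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $WEB_IF -p tcp --dport 443 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $WEB_IF -s $APP_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -d $DB_HOST -p tcp --dport $DB_PORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -d $APP_HOST -p tcp --dport $APP_PORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
EOF
}

# Apply for real: each sysctl key is written at runtime (no reboot), then the
# rule commands are executed in order. Must run as root on the target host.
apply_settings() {
  sysctl_settings | while IFS= read -r kv; do sysctl -w "$kv"; done
  firewall_rules | sh -e
}

# Number of rules that accept something; a quick sanity check on the policy.
accept_rule_count() { firewall_rules | grep -c -- '-j ACCEPT'; }

case "${1:-show}" in
  apply) apply_settings ;;
  *)     sysctl_settings; firewall_rules ;;   # dry run: print what would be applied
esac
```

Run it with no argument to see the settings and rules it would apply; `sh thisscript apply` as root applies them. Note that the OUTPUT chain is default-deny too, which is what stops a compromised web process from reaching anything other than its own database and application server; that is the tradeoff the second session is about, since every new outbound dependency (DNS, NTP, package updates) then needs an explicit rule.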

WE-1:
Computer Forensics – How to Conduct a Cyberspace Autopsy
Doug Conorich, IBM Managed Services

Abstract In today's network-centric world, where technology and business are converging, any disruption to the flow of information can be devastating. More and more companies are becoming e-businesses. If someone were to breach the security of your system, would you be ready? Are you prepared to track this perpetrator to find out what he accomplished during this breach? What will you do now that you have the evidence? Computing environments need to address many protection issues where keys, locks and fences just are not enough. Mr. Conorich will show step-by-step how a break in can be discovered and how the hacker can be tracked through the system. He will discuss tricks hackers use to prevent discovery and what you can do to thwart them. Additionally, he will discuss how a company can handle incident management and some of the legal considerations a company must consider when investigating an incident.

WE-2:
Checkpoint NG VPN/Securemote
FishNet Security

Abstract In this session, the presenters will demonstrate Check Point remote access solutions. These solutions enable teleworkers to securely connect to corporate resources. Check Point provides client options to meet the needs of any organization. The panel will also discuss such things as encryption, data authentication, personal firewalls, secure configuration verification, and advanced management.

WE-3:
DEFCON Roundtable Discussion

WE-4:
How to Write a Security Policy
Doug Conorich, IBM Managed Services

Abstract In the past business managers have regarded computer security as something that doesn't have to concern them. However, recent events such as the continuous attack by viruses, network worm invasions and high school pranksters have increased their awareness and concern. If someone were to breach the security of your system today, would you be ready? Are you prepared to track this perpetrator to find out what he accomplished during this breach? What will you do now that you have the evidence? These and many other questions need to be answered, and they need to be answered before something happens to you. Today's computing environments need to address many protection issues where keys, locks and fences just are not enough.

WE-5:
How to Deploy an IDS Solution for Internet Hosts
Doug Conorich, IBM Managed Services

Abstract Understanding how to deploy an Intrusion Detection System to protect your Internet facing hosts can be a real challenge. IDS can collect huge amounts of data from their daily operations. Mr. Conorich will discuss how to choose an IDS for your organization and how to deploy it to the best advantage. He will explain both network-based and host-based IDS solutions, explaining the pros and cons of each and how they can be best deployed to work together. Mr. Conorich will address alarm filtering and response escalation procedures. New correlation methods will be discussed.

HE-1, HE-2, HE-3:
Network Perimeter Security
Marty Gillespie, Haverstick Government Solutions

Abstract The learning objective of this tutorial is to teach the basic fundamentals of Network Perimeter Security including perimeter fundamentals, components and design. This includes: Fundamentals, Firewalls, Security Policies, Routers, Intrusion Detection Systems, Virtual Private Networks, Host Security, Design Fundamentals, Architecture, VPN Integration, Performance Issues, and Sample Designs.

HE-4, HE-5:
Cancelled

TG-1:
ISC2 Certification
Dow Williamson, Director of Communications, ISC2

Abstract This session explores the professional certification process. Professional certification for information security careerists is a matter of individual choice. However there are several factors that now appear to be tipping the scale in favor of CISSP certification. First and foremost is the fact that the profession of information security is now recognized as a separate and distinct career field. Within the federal government, this fact is reflected in the President’s Executive Order of October 2001 and the identification of information security as a defined specialty within the 2200 IT Job series announced by OPM in 2001. Secondly, Information Security is now seen as vital to the nation’s well-being and to the effective functioning of the federal government. The establishment of the Office of Cybersecurity as part of the National Security Council staff structure is witness to this Twenty-First century reality. Finally, the strategic nature of the government’s information security problem is now coming into focus. The OMB report on GISRA implementation correctly identified information security as a management issue, not a technical problem. The CISSP certification reflects an individual’s ability to address security issues in a larger organizational context, as the certification emphasizes theory and concepts, rather than product specific knowledge. CISSP certification is an important investment in an increasingly important career field.

TG-2:
Fiber Optic Vulnerability
Mark Gross, NeSTronix, Inc

Abstract A major new threat to our national security and our national information infrastructure has been uncovered. Fiber optic networks form the backbone of our nation’s economic well being. In fact, fiber optic networks form the communications infrastructure backbone for both government and industry. Recent technology advances have resulted in the ability to easily and inexpensively tap a fiber optic cable without detection. Our government’s most secret and valued information is now exposed to those wishing harm to our nation. Our nation’s military, intelligence, law enforcement, banking, and financial services information are now vulnerable. During this session you will learn how to counter this threat.

TG-3:
HIPAA Final Security Rule
James O'Connor, Baird Holm Law Firm

Abstract As a security professional you may be asked to conduct an "Evaluation" of a security program as required by the final HIPAA Security regulations. What should this "Evaluation" look like? What liability do you undertake if you perform one in-house? What if you do it for a client? This presentation will address this issue and the changes between the preliminary regulations and the final rule. It will explore what those changes really mean and what pitfalls are lurking in the final regulations.

TG-4:
Enhancing your Security Architecture with Multi-Level IDS
Mike Hrabik, Solutionary, Inc.

Abstract One of the largest challenges security professionals face today is deploying an enterprise security solution across a large, complex, interconnected, multi-layered network environment. During this presentation we will discuss how to look beyond single-system security solutions to a multi-level intrusion detection system through event correlation and analysis. We will also discuss how to make Intrusion Detection Systems scalable, reliable and customized for your environment.

TG-5:
The War Against Spam
Christopher Baker, MCSE

Abstract The war against unsolicited commercial e-mail is one of the Internet’s hottest issues. Millions of hours are wasted by the task of deleting unwanted e-mail from inboxes. Spam also places unwanted loads on e-mail systems and bandwidth. And the most dangerous spam includes spyware that transmits information from the unknowing recipient’s machine back to the sender. Unless you have no Internet connectivity at all, you are in the war against spam. In this one-hour presentation, Chris Baker will show the methods spammers use to harvest e-mail addresses and how to block the “harvest bots.” He will feature techniques end-users can use to fight back against spam and will explain why simply ignoring them is not enough. He will discuss effective and ineffective methods that system administrators are employing in the war against spam. He will also demonstrate that sometimes the cure is worse than the disease.

WG-1:
Evolution of the Firewall
Mark Kraynak

Abstract Firewalls have established themselves as the staple of network security infrastructures based on their ability to block attacks at the network level. As a result of firewall success, hackers have developed more sophisticated attack methodologies. The new breed of attacks directly target applications, often attempting to exploit vulnerabilities inherent in the applications themselves or in the underlying communication protocols. Multi-layer security gateways are required to safeguard corporate networks from these threats. Additionally, multi-layer security solutions must protect against both network and application-layer attacks, while providing access control to IT resources. This section of the workshop will cover the application-layer vulnerabilities and the options to mitigate the risks.

WG-2:
Challenges of Enterprise Security
Conrad Herrmann, Zone Labs

Abstract This session addresses the challenges of enterprise security, focusing on how to use comprehensive policy enforcement to impose strict security guidelines for every point on the network, without hampering employee productivity and efficiency.

WG-3:
Online Education in Security
Tom Myers, Bellevue University

Abstract The need for security especially in the IT field is rapidly increasing. Much of the need is internal, but some of the need is external as the government adds new regulations such as HIPAA and Sarbanes-Oxley. The costs of hiring a consultant to bring an organization into compliance and set it up to meet its security needs can be prohibitively expensive. It is no secret that there are not enough properly trained security people out there to meet corporate need. Many organizations have put their heads in the sand and have decided to wait it out in hopes that the deadline will be extended--if it is not, the fines will be extensive. Some organizations have put manpower against the problem, but that manpower is not trained to accomplish this task without help. When can they get this kind of help without bleeding away the bottom line? Education.

WG-4, WG-5:
Building a Viable Information Assurance Program
Harry Bouris, Sumaria

Abstract This session will provide the student with the requisite knowledge and tools to develop a viable Information Assurance Program. First will be a brief discussion of US statute. Next the workshop will cover corporate policy, including usage, passwords, screen savers, what not to put in a policy, and the importance of a signed acknowledgement statement. Next the workshop will discuss personnel security, including background checks, adverse conditions, etc. Additionally, physical security will be explored, including the importance of low/no-cost elements like locked doors, controlled entry, and visitor sign-in. This session will also cover having an awareness program, network policy, continuity of operations plan, and system accreditation.

HG-1, HG-2:
Secured n-Tier Web Services - Case Study
Matthew G. Marsh, Paktronix Systems LLC

Abstract In these sessions we expose in gory detail the design, planning, and implementation of a secure n-tier web services environment. The environment discussed went into production in March of 2003. It consists of a traditional multi-server distributed system designed and built with confidentiality, integrity, and authentication fully incorporated from the beginning. We expose and illustrate actual security practices running within the context of the system and discuss the real-world tradeoffs needed to implement usability. The first session covers the design and planning of the connectivity and security matrix, including software selection and design-goal tradeoffs. The second session covers the actual implementation, with discussion of operating system realities versus ideal security and interoperability. Where applicable, we illustrate the parametric fitness of the system for consideration under ISN certification structures.

HG-3:
Application Security
S. Ramesh, Razorwire Security

Abstract This session is intended for a business audience, and technology will be discussed in terms of its impact on business and the bottom line. Application Security protects server-side applications from attacks that target application weaknesses. Application-based attacks use specialized attack data packets sent within legitimate communications such as web requests. Because the request itself is legitimate, firewalls, server hardening, and other network defenses are inadequate against this type of attack. This session covers strategies to protect you from application weaknesses. We will discuss different strategies that you can use to protect yourself from attacks that target your server applications. These include strategies that are applicable for generalized protection behind your network perimeter, and strategies to limit vulnerabilities of specific types of applications, such as databases and application servers. Additionally, we will discuss some real life situations in the financial, enterprise software, and communications industries, where application security greatly enhanced the security posture of customers who discovered weaknesses in their systems.

HG-4, HG-5:
Taxonomy of Cryptographic APIs in JAVA
Brian Smith, Solutionary, Inc.

NEbraskaCERT Conference 2003 is brought to you by NEbraskaCERT
*CERT is a servicemark of Carnegie Mellon University. Used with permission.