[infowar.de] (UK) WebSec 2002 Europe: The e-Security Conference, 6./7.3.2002
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
Looks like an interesting conference for the technical crowd.
What caught my eye was the following workshop: "Firewalls and Demilitarised Zones".
Is "DMZ" a new technical term in the IT security scene, or just an attempt to get attention?
RB
http://www.misti.com/europe.asp?page=0&subpage=0&region=2&disp=showconf&type=&id=WSEU-E
WebSec 2002 Europe: The e-Security Conference
6 - 7 March 2002 London
4 , 5 , 8 March 2002 Optional Workshops
This highly technical conference features industry experts and delivers real-world solutions to the most pressing e-security challenges, including securing Web browsers, Internet connections, wireless devices, and more; and how to protect your systems from war dialling, malicious codes, and hacker attacks.
Who Should Attend
· Information Security Professionals
· Systems and Network Administrators
· Web Professionals
· IT Auditors
· IT Management
Optional Workshops
Monday, 4 March 2002
09.00 - 17.00
W1: Preparing for the Certified Information Systems Security Professional (CISSP) Examination
Hal Tipton, Lead Instructor, (ISC)²
Professional certification is becoming more and more important in today's competitive world. Granted by (ISC)², the CISSP is the internationally recognised standard for security practitioners. If you have three years of industry experience, you can take the exam following the conference to qualify for CISSP certification. This intensive workshop will help you review for the examination.
The workshop agenda:
· The 10 topical areas covered by the CISSP examination
· Subjects most likely to appear in the test questions
· Sample questions: what you are expected to know
· Selecting the best answers: how to eliminate detractors
· Which sections are historically most difficult: zeroing in on areas that require intensive review
W2: Understanding TCP/IP
Peter Davis, CISSP, CISA, Principal, Peter Davis & Associates
TCP/IP is the foundation of most networks, including the Internet. To understand telecommunications risks, security solutions, and network auditing, you must have a solid foundation in TCP/IP. In this intensive workshop you will develop a comprehensive understanding of TCP/IP, its structure, and its weaknesses. You will leave this workshop with a firm grasp on TCP/IP and with the knowledge you need to get the most out of the conference's Web and E-Commerce Security track.
The workshop agenda:
· TCP/IP basics: protocol stacks, addressing, application services, packet structures, and network interconnection devices
· Vulnerabilities that open the door for denial-of-service, probing, packet sniffing, unauthorised entry, Web page manipulation, and other forms of malicious attacks
· Guidelines for selecting tools and securing TCP/IP networks: server/host security, router security, enhanced authentication, firewalls, intrusion detection, virtual private networks
· Deploying freeware and commercial products to improve network security
This workshop assumes a working knowledge of network and client/server technology.
W3: Network Security Assessment
David Rhoades, President Maven Security Consulting
How do you test a network for security vulnerabilities? Just plug some IP addresses into a network-scanning tool and click SCAN, right? Not quite. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are fraught with dangers: accidental denial-of-service, false positives, false negatives, and long-winded reporting, to name a few. In this detailed workshop you will cover the preparation, tools, methodology, and knowledge you need to perform a security assessment against a network environment.
The workshop agenda:
· Preparation: what is needed before getting started
· Safety measures: ensuring that adverse effects from the scan on critical networks and systems are minimised, if not eliminated
· Architecture considerations
· Inventory: taking an accurate inventory of active systems and protocols on the target network
· Tools of the trade: how to effectively use a variety of security tools
· Automated scanning: best-of-class scanning tools and how to use them effectively
· Research and development: what to do when you encounter unknown services or when existing tools are insufficient for proper testing
· Documentation and audit trail: recording your actions
· Reporting: how to compile results into a format useful for corrective action
Tuesday, 5 March 2002
09.00 - 17.00
W4: Risk Assessment for the Virtual Office
Charles Pask, Director, MIS Training; Director, Information Security Institute European and Middle East e-Security Services
With more and more staff working from the virtual office, organisations face additional security issues and the need for increased support. In this timely workshop you will learn how to determine if the policies and practices you currently have in place are enough to secure the virtual office. You will examine a risk assessment methodology and focus on the security challenges mobile workers introduce.
The workshop agenda:
· Getting buy-in from your organisation
· Defining the objectives of risk analysis for a virtual office environment
· Assessment methodology
· Identifying and classifying assets
· Building risk analysis into an overall information security programme
· Developing the risk analysis model for the virtual worker
· Key players in the risk analysis process
· Quantitative vs. qualitative assessments
· How to produce a dynamic, successful action report from the risk analysis process
· Case study: implementing effective countermeasures
W5: Hacking Web Applications
David Rhoades, President, Maven Security Consulting
From sign-on to sign-off, and everything in between, this practical workshop goes beyond typical Web server configuration tips and removing default CGIs. You will learn how to test your Web-based application for security flaws that range from the subtle to the severe. You will discover how to identify security weaknesses for Web-enabled services that could be exploited by remote users.
The workshop agenda:
· Information gathering attacks: how hackers read between the lines to get a jump on your Web site
· User sign-on/sign-off process
· OS and Web server weaknesses
· Encryption: finding the weakest link
· Session tracking: URL rewriting, basic authentication, and cookies: their strengths and weaknesses; session cloning, IP hopping, and other subtle dangers; and a recipe for strong session IDs
· Authentication: server, session, transactional
· Transaction-level issues: hidden form elements, unexpected user input, GET vs. POST, JavaScript filters
· Improper server logic
W6: Securing Your Place on the Web
Peter Davis, CISSP, CISA, Principal, Peter Davis & Associates
In this intensive workshop you will be introduced to a variety of ways to connect to the Internet. You will explore strategies for strengthening the security of your Internet interface, and learn how to take advantage of the Internet's resources while avoiding the hazards of doing business in cyberspace.
The workshop agenda:
· Assessing the security and audit implications of important components of TCP/IP, Internet, and Web technology
· Locating the key security control points and related threats to your external and internal Internet/Web environment
· Improving Web site security by properly configuring, patching, and auditing your Web server
· Reducing the risk from e-commerce applications based on Server Side Includes (SSI), Common Gateway Interface (CGI), and/or Active Server Page (ASP) software components
· Making sense of SSL, TLS, SET and other Web cryptographic security protocols
· Serious security issues and countermeasures associated with Web application development software tools, including Java, ActiveX, JavaScript, VBScript, adbots, cookies, and robots
This workshop assumes a working knowledge of TCP/IP network technology and security such as that presented in the Understanding TCP/IP workshop.
Friday, 8 March 2002
09.00 - 17.00
W7: Implementing a Public Key Infrastructure
Steve Purser, Founder Member, Club de Sécurité des Systèmes d'Information au Luxembourg (CLUSSIL)
In this comprehensive workshop you will examine the common problems and pitfalls typically encountered when implementing PKI and gain proven tactics for overcoming them. You will explore the use of PKI from both technical and business perspectives. Throughout the workshop, real-world examples will illustrate what you learn.
The workshop agenda:
· Essential cryptography: a review of currently used algorithms, network security services and implementation problems
· Commonly used registration and revocation models
· Certificates, trust hierarchies, certification models, key management and liability concerns
· Technical architecture: J2EE and COM+ case study
· Procedural framework: standards and required documentation; CPS and CP; contractual issues
· Interoperability: analysis of B2B and B2C considerations, trust centres, liability limitation, Identrus and GTA
This workshop assumes a basic knowledge of modern cryptographic algorithms and how they are used. Extensive reference is made to RFC documents and the PKIX framework.
W8: One Step Ahead: Vulnerability Testing
Phil Cracknell, CISSP, Security Specialist
The ability to test your system's vulnerabilities is critical to staying one step ahead of hackers, crackers and phreakers. Without this system self-assessment, you run a greater chance of missing a security hole and increase the chance of attack. Planning, organising and executing a vulnerability test are essential to the overall success of your system.
The workshop agenda:
· Assessing your target
· Updating and grading vulnerabilities
· What tools to use
· Methodology and approach
· What the report should contain
· Going forward: systems hardening
Agenda
Wednesday, 6 March 2002
09.15 - 10.15
Keynote: The Internet--Future or Failure?
Richard Barrington, Director, Industry, Office of the E-Envoy, UK Government
Reporting directly to the E-Envoy, Mr Barrington is responsible for encouraging UK business to grasp the opportunities e-commerce brings. He works with individual companies and trade associations to capture the concerns of business and influences policy in this area.
In his riveting keynote address, Mr Barrington will take a fresh look at the Internet and pose an intriguing question: As a new technology, is the Internet in the 'chasm', never to emerge? Don't miss this unique opportunity to find out from a 28-year IT veteran the future direction of the business of IT and the role of IT in business.
10.45 - 12.15
1: Secure Web Hosting and E-Commerce Application Architectures
Simon J Pascoe, Lead Internet Security Architect, British Telecom
· Current hacker techniques and their impact on Web hosting, ASP and
e-commerce delivery systems
· Detailed analysis of countermeasure best practices
· How to design and implement Internet threat modelling
· Defence-in-depth security architectures: firewalls are not enough
· Technical solutions to complex attacks: firewall tunnelling, application denial of service, distributed denial of service, and attacks against firewall-protected Web servers; case studies
Knowledge of TCP/IP networking is assumed.
Track: WebSec Business Essentials
10.45 - 12.15
2: Hacking for the Masses
David Rhoades, President, Maven Security Consulting
· Port scanning: how to anonymously scan any IP address for active services
· Mail bombing: flooding an address with spoofed emails
· Search engines: finding Web site flaws
· SNMP: viewing detailed router information
· NetBIOS: scanning for open network shares
· Anonymous proxies: surfing and hacking in privacy
· OS fingerprinting: determining exactly which OS a remote site is using
· DoS: how online tools allow you to take other systems offline or find other networks that can be leveraged in denial-of-service flooding attacks
Track: Web and E-Commerce Security
10.45 - 12.15
3: Strategies for Designing and Implementing a VPN
Stan Kiyoto, Chief Information Systems Security Officer and Acting Director of Architecture and Standards, Booz Allen & Hamilton
· Integrating virtual private networking services into the e-business and IT strategies of your company
· Defining VPNs in the context of e-business, IT, and the Web
· Benefits of VPN over conventional remote access strategies
· Sorting through the available technologies: RADIUS, TACACS, tokens and others
· Design and implementation considerations for your VPN strategy
· Future direction of virtual private networking and how it affects your VPN strategy
Track: Secure Mobility
13.30 - 15.00
4: Outsourcing Security: A Panel Discussion
Moderator: Charles Pask, Director, MIS Training; Director, Information Security Institute European and Middle East e-Security Services
· The issues surrounding outsourced security
· When should you outsource the security function?
· Can managed outsourcing companies protect against financial loss, intrusion, or brand damage?
· What to look for when outsourcing security
Track: WebSec Business Essentials
13.30 - 15.00
5: IDS: Your Cyber Burglar Alarm
Peter Davis, CISSP, CISA, Principal, Peter Davis & Associates
· IDS defined: types of IDS; network vs. host-based IDS
· Point-in-time vs. continuous
· Deploying IDS
· Reacting to alerts
· The who, what, where, how and why of IDS
Track: Web and E-Commerce Security
13.30 - 15.00
6: Designing and Implementing a Multi-Application Smart Card in Banking Services: A Case Study
Timo Rinne, Senior Consultant, Modirum Oy
· Smart cards: cryptographic services and PKI infrastructure; multi-application operating systems, general features and their pros/cons
· Smart card applications: digital signatures and authentication; debit/credit applications; electronic purses and loyalty applications
· Designing a multi-application smart card: selecting the platform and set of applications; optimising performance and memory
· Smart cards in banking services: current status and future deployment; implementing smart cards into payment infrastructures; electronic banking service channels
Track: Secure Mobility
15.30 - 17.00
7: Wireless Security: From Top to Bottom
Tim Wright, Security Standards and Research, Vodafone R&D
· GSM security
· 3GPP security
· WAP and wireless internet security
· Application download
Track: WebSec Business Essentials
15.30 - 17.00
8: Incident Response Management: A Case Study
Ray Stanton, Director, UNISYS EMEIA Security COE, UNISYS
· The need for integration into business processes
· Key components
· What's worked and what hasn't: real-world examples
· Implementing new technologies and their effect on incident management
· Intrusion detection systems
· Should you bother or not?
Track: Web and E-Commerce Security
15.30 - 17.00
9: 802.11 Wireless LAN Auditing
David Rhoades, President, Maven Security Consulting
· Defining the threats: what attackers can do
· Locating your wireless access points before an attacker does
· How to test and audit the security of an access point
· Recommendations for making the 802.11 wireless LAN more secure
· Demonstrations of the latest attacks
Track: Secure Mobility
Thursday, 7 March 2002
09.00 - 10.30
10: Web Security Privacy Standards, Policies, and Laws
John Aldred, IT Technical Security Officer, NATO
· Current and future legislative requirements in USA, Europe, and the UK
· Additional requirements imposed by professional bodies and regulators
· Legislative and additional requirements as minimum standards of security
· Incorporating minimum standards in the Information Security Management System (ISMS) and associated policies
· Developing a robust but reactive ISMS to meet changes in risk and requirements of legislators, professional bodies, and regulators
· Role of accreditation and audit
· Accreditation and auditing standards
Track: WebSec Business Essentials
09.00 - 10.30
11: Investigating Crime: A Guide to Computer Forensics
Bo Norgren, Chief Security Officer, DEFCOM
· IT crime and organised crime, recent cases
· Fraud on the Internet
· Investigating Web criminality
· IT-crime incident handling methods
· Wireless LAN hacking
· Threats/crimes against our critical infrastructure
Track: Web and E-Commerce Security
09.00 - 10.30
12: XML Security in the Mobile World
Steve Scagell, Mobile Solutions Consultant, Nokia
· Security Standards in WAP 2.0 WTLS/SSL
· SecurID authentication and mobility
· WAP Forum/W3C secure mobility standards
· Nokia active server: managing your secure application
Track: Secure Mobility
11.00 - 12.30
13: Protecting Your Privacy on the Internet
Peter T. Davis, Principal, Peter Davis & Associates
· Identifying key threats to your privacy on the Internet
· Defending against packet sniffers
· Evaluating the security and privacy issues associated with the use of cookies in Web applications
Track: WebSec Business Essentials
11.00 - 12.30
14: Firewalls and Demilitarised Zones
Phil Cracknell, CISSP, Security Specialist
· Firewall market: types of firewalls and leading products
· The best line of defence
· Firewall design principles
· Using multiple firewalls together
· Pros and cons of a DMZ
Track: Web and E-Commerce Security
11.00 - 12.30
15: The Role of Application Security and Access Management in Building Business Infrastructures
John Hughes, Senior Vice President and Chief Technology Officer, Entegrity
· Access management technology and how it provides application security in complex architectures
· Authentication, authorisation, auditing, and administration in managing the security of n-tier application architectures
· The role of Web, CORBA, and EJB technologies
· Using dynamic policy rules to implement business logic
· Scalability challenges
· Access management standards and products
Track: Secure Mobility
13.45 - 15.15
16: Security Awareness: The E-Business Challenge
Charles Pask, Director, MIS Training; Director, Information Security Institute European and Middle East e-Security Services
· Awareness planning: success factors
· Tips for getting management buy-in
· Key messages and the new challenge for e-business risks
· Case study examples from a large UK bank
· CBT: a look at the marketplace
· Useful sites for information
Track: WebSec Business Essentials
13.45 - 15.15
17: Malicious Codes
Steve Purser, Senior Manager IT Security, Clearstream Services
· Looking at the problem
· Evolution and projected trends
· Classes of malicious code
· How malicious code works: a dissection of recent examples
· Designing and implementing a malicious code control framework
· The importance of procedures
Track: Web and E-Commerce Security
13.45 - 15.15
18: Windows Security from NT to XP
John Hayday, Security Manager, Colt Telecom
· How Windows security architecture has changed
· SAM to Active Directory: scaleable security
· Using templates and Group Policy to enforce security
· Internet Information Server: Can it be secured?
· Managing Windows 2000 security in a large-scale environment
Track: Secure Mobility
15.45 - 17.15
19: Pragmatic Privacy in the Workplace: A Case Study
Eric Schansman, Retired Senior Security Advisor, Rabobank
· Employers' right to protect, monitor, and check resources
· Employees' right to require protection of their privacy
· Privacy do's and don'ts
· The model used by companies to develop or evaluate their RUP or CoC
· The model's proposed rules for the maximum retention period of log files containing personalised data from Web sites accessed for private and business purposes
Track: WebSec Business Essentials
15.45 - 17.15
20: The Evolution of PKI as a Trust Capability: A Case Study
Alistair Wardell, Head of IT Security Policy and Architecture, Reuters
· Reasons to use PKI and reasons not to
· Getting started
· Building a policy and governance framework
· Working with multiple levels of trust
· Business process design
· Technical challenges, then and now
· Why PKI is not Trust
· Communicating with management, users and customers
· The evolving landscape of trust services
Track: Web and E-Commerce Security
15.45 - 17.15
21: System Environment Control Technology (SECT): A Case Study
Mike Longhurst, Principal Security Consultant, SecureWave
· Where Executable Content Verification System (ECVS) and External Interface Management System (EIMS) technologies fit within the protective solutions infrastructure
· Methods of conducting internal attacks against systems
· Technically how ECVS and EIMS technologies work
· The types of attack that can be prevented
Track: Secure Mobility
Special Features
Timely Keynote Address
In his keynote address, Richard Barrington, Director of Industry at the Office of the E-Envoy, will share his views on the Internet, technology and security, and what the future holds for these critical areas.
Three Targeted Tracks
The conference covers all aspects of Web security in three focused tracks:
· WebSec Business Essentials
· Web and E-commerce Security
· Secure Mobility
Government and Association Discounts
Government employees and ISACA and IIA members may deduct 10% from their conference fees. This savings cannot be combined with other discounts.
Team Discount
Register three people from your organisation and the third attends at half price. Registrations must be made and paid for at the same time, and this savings cannot be combined with other discounts.
Conference Reception
You'll forge professional and social networks as you trade ideas and tips with colleagues and instructors during the Conference Reception on Wednesday, 6 March.
Conference Materials
You will receive complete conference materials (excluding workshops). Where provided by the speakers, you will also receive notes and slides.
Vendor Expo
You'll have the opportunity for valuable one-on-one time with the leading providers of Web and e-security products and services at the WebSec 2002 expo.
CISSP & SSCP Examinations
We have conveniently scheduled the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP) exams following the conference.
Optional, One-Day Workshops
Optional, one-day workshops before and after the conference let you learn in depth about specific topics, including TCP/IP, network security assessment, risk assessment for the virtual office, hacking Web applications, Web security, implementing PKI, vulnerability testing, and CISSP preparation.
Continuing Education Credits
All conference attendees are eligible for 15 hours of Continuing Education Credits that can be applied toward professional recertification requirements. Workshop participants receive 7 CPE credits for each workshop they attend.
20 High-Impact Reasons to Attend WebSec 2002 Europe
You will:
1. Learn how to design and implement Internet threat modelling that will help you to determine appropriate countermeasures
2. Discover the tactics hackers use to get into your systems and learn proven techniques for thwarting them
3. Get tips on designing and implementing a secure VPN
4. Investigate the who, what, where, how, and why of IDS
5. Benefit from the lessons learned in a real-world smart card implementation
6. Explore wireless security from bearer to application layer
7. Find out the key components of an effective incident response management programme
8. Walk away with proven strategies for testing the security of access points on wireless LANs
9. Review current and future Web legislative requirements in the US, Europe, and UK and determine the minimum security standards you should include in your information security management system
10. Gain insights into investigating computer crime and learn how to handle IT fraud incidents
11. Get the latest on XML security in the mobile world
12. Pinpoint key threats to privacy on the Internet and master countermeasures for protecting against them
13. Learn what a DMZ is and when it makes sense to use one
14. Examine the roles of authentication, authorisation, auditing, and administration in managing the security of n-tier application architectures
15. Uncover the success factors you should build into your security awareness plans and get tips on obtaining management buy-in
16. Demystify how malicious code works and learn how to implement a control framework that will counter it
17. Find out how to manage Windows 2000 security in a large-scale environment
18. Clarify employer and employee privacy rights
19. Go through the steps you must take to set up a PKI
20. Determine how ECVS and EIMS technologies work
---------------------------------------------------------------
To leave the list:
send mail to infowar-de-request -!- infopeace-de with "unsubscribe" in the message body.