
[] (UK) WebSec 2002 Europe: The e-Security Conference, 6./7.3.2002,

Looks like an interesting conference for the technical crowd.
The following workshop caught my eye: "Firewalls and Demilitarised
Zones". Is "DMZ" a new technical term of the IT security scene, or just an
attempt to get attention?

WebSec 2002 Europe: The e-Security Conference
6 - 7 March 2002 London
4 , 5 , 8 March 2002 Optional Workshops

This highly technical conference features industry experts and delivers
real-world solutions to the most pressing e-security challenges,
securing Web browsers, Internet connections, wireless devices, and more;
how to protect your systems from war dialling, malicious codes, and

Who Should Attend
·	Information Security Professionals
·	Systems and Network Administrators
·	Web Professionals
·	IT Auditors
·	IT Management

Optional Workshops
Monday, 4 March 2002
09.00 - 17.00

W1: Preparing for the Certified Information Systems Security Professional
(CISSP) Examination
Hal Tipton, Lead Instructor, (ISC)²
Professional certification is becoming more and more important in
competitive world. Granted by (ISC)², the CISSP is the internationally
recognised standard for security practitioners. If you have three years'
industry experience, you can take the exam following the conference to
qualify for CISSP certification. This intensive workshop will help you
review for the examination.
The workshop agenda:
·	The 10 topical areas covered by the CISSP examination
·	Subjects most likely to appear in the test questions
·	Sample questions: what you are expected to know
·	Selecting the best answers: how to eliminate detractors
·	Which sections are historically most difficult: zeroing in on areas
that require intensive review

W2: Understanding TCP/IP
Peter Davis, CISSP, CISA, Principal, Peter Davis & Associates
TCP/IP is the foundation of most networks, including the Internet. To
understand telecommunications risks, security solutions, and network
auditing, you must have a solid foundation in TCP/IP. In this intensive
workshop you will develop a comprehensive understanding of TCP/IP, its
structure, and its weaknesses. You will leave this workshop with a firm
grasp on TCP/IP and with the knowledge you need to get the most out of the
conference's Web and E-Commerce Security track.
The workshop agenda:
·	TCP/IP basics: protocol stacks, addressing, application services,
structures, and network interconnection devices
·	Vulnerabilities that open the door for denial-of-service, probing,
sniffing, unauthorised entry, Web page manipulation, and other forms of
malicious attacks
·	Guidelines for selecting tools and securing TCP/IP networks:
security, router security, enhanced authentication, firewalls, intrusion
detection, virtual private networks
·	Deploying freeware and commercial products to improve network security
This workshop assumes a working knowledge of network and client/server

W3: Network Security Assessment
David Rhoades, President Maven Security Consulting
How do you test a network for security vulnerabilities? Just plug some
addresses into a network-scanning tool and click SCAN, right? Not quite.
Numerous commercial and freeware tools assist in locating network-level
security vulnerabilities. However, these tools are fraught with dangers:
accidental denial-of-service, false-positives, false-negatives, and
long-winded reporting, to name a few. In this detailed workshop you will gain
the preparation, tools, methodology, and knowledge you need to perform a
security assessment against a network environment.
The workshop agenda:
·	Preparation: what is needed before getting started
·	Safety measures: ensuring that adverse effects from the scan on
networks and systems are minimised, if not eliminated
·	Architecture considerations
·	Inventory: taking an accurate inventory of active systems and
protocols on the target network
·	Tools of the trade: how to effectively use a variety of security tools
·	Automated scanning: best-of-class scanning tools and how to use them
·	Research and development: what to do when you encounter unknown
or when existing tools are insufficient for proper testing
·	Documentation and audit trail: recording your actions
·	Reporting: how to compile results into a format useful for corrective
action
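The inventory and safety-measure items above describe a scan without showing one. The following is an added example, written for this page and not part of the workshop or conference material: a plain TCP connect() inventory scan with the safeguards an assessment needs (no crafted packets, per-port timeout, inter-probe delay, immediate close), run against a constructed loopback service so it works offline. The banner, ports and the `start_constructed_service` helper are assumptions for the demonstration, not real targets.

```python
# Added example (not from the workshop or conference): a conservative TCP
# connect() inventory scan with the safety measures an assessment needs.
import socket
import threading
import time
from typing import Iterable, List, Tuple


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5,
                     delay: float = 0.0) -> List[Tuple[int, str]]:
    """Return [(port, banner)] for each port that completes a TCP handshake.

    Safety measures built in:
    - connect() only: no hand-crafted packets, so a fragile TCP/IP stack is
      never fed malformed segments (the accidental-DoS risk named above);
    - a per-port timeout, so a silently dropping firewall cannot stall the run;
    - an optional inter-probe delay to keep the rate below what an IDS or a
      small embedded device would treat as a flood;
    - every connection is closed as soon as the banner has been read.
    """
    found: List[Tuple[int, str]] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:            # refused, timed out or unreachable
                continue               # -> closed or filtered, not recorded
            banner = ""
            try:                       # many daemons announce themselves first
                banner = s.recv(256).decode("ascii", "replace").strip()
            except OSError:            # open but silent: still an open port
                pass
            found.append((port, banner))
        if delay:
            time.sleep(delay)
    return found


def start_constructed_service(banner: bytes) -> Tuple[int, threading.Event]:
    """Constructed stand-in for a real daemon: listens on an ephemeral loopback
    port and greets every client with *banner*. Returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)                # so the loop can notice stop_event
    stop = threading.Event()

    def serve() -> None:
        with srv:
            while not stop.is_set():
                try:
                    conn, _ = srv.accept()
                except socket.timeout:
                    continue
                with conn:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def probably_closed_port() -> int:
    """Pick a loopback port that is free right now (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def inventory_demo() -> dict:
    """Run the scan against one constructed open port and one closed port."""
    open_port, stop = start_constructed_service(b"SSH-2.0-ConstructedBanner\r\n")
    closed_port = probably_closed_port()
    try:
        found = tcp_connect_scan("127.0.0.1", [closed_port, open_port],
                                 timeout=0.5, delay=0.05)
    finally:
        stop.set()
    return {"open": open_port, "closed": closed_port, "found": found}


if __name__ == "__main__":
    for port, banner in inventory_demo()["found"]:
        print(f"{port}/tcp open  {banner or '(no banner)'}")
```

A connect() scan is the noisiest option (every probe is a full handshake and lands in the target's logs), which is exactly why it is also the one with the clearest audit trail: the record of what you touched, and when, falls out of the target's own logs as well as your own.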

Tuesday, 5 March 2002
09.00 - 17.00

W4: Risk Assessment for the Virtual Office
Charles Pask, Director, MIS Training; Director, Information Security
Institute European and Middle East e-Security Services
With more and more staff working from the virtual office, organisations face
additional security issues and the need for increased support. In this
timely workshop you will learn how to determine if the policies and
practices you currently have in place are enough to secure the virtual
office. You will examine a risk assessment methodology and focus on the
security challenges mobile workers introduce.
The workshop agenda:
·	Getting buy-in from your organisation
·	Defining the objectives of risk analysis for a virtual office
·	Assessment methodology
·	Identifying and classifying assets
·	Building risk analysis into an overall information security programme
·	Developing the risk analysis model for the virtual worker
·	Key players in the risk analysis process
·	Quantitative vs. qualitative assessments
·	How to produce a dynamic, successful action report from the risk analysis
·	Case study: implementing effective countermeasures

W5: Hacking Web Applications
David Rhoades, President, Maven Security Consulting
From sign-on to sign-off, and everything in between, this practical workshop
goes beyond typical Web server configuration tips and removing default
You will learn how to test your Web-based application for security flaws
that range from the subtle to the severe. You will discover how to identify
security weaknesses for Web-enabled services that could be exploited by
remote users.
The workshop agenda:
·	Information gathering attacks: how hackers read between the lines to
get a jump on your Web site
·	User sign-on/sign-off process
·	OS and Web server weaknesses
·	Encryption: finding the weakest link
·	Session tracking: URL rewriting, basic authentication, and cookies:
strengths and weaknesses; session cloning, IP hopping, and other subtle
dangers; and a recipe for strong session IDs
·	Authentication: server, session, transactional
·	Transaction-level issues: hidden form elements, unexpected user input,
GET vs. POST, JavaScript filters
·	Improper server logic
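The session-tracking item above names session cloning and "a recipe for strong session IDs" without spelling either out. The following is an added example, written for this page and not taken from the workshop or conference: a structured session ID of the kind early web applications issued, the enumeration an attacker can run from a single ID of their own, and beside it a server-side store that follows the recipe (CSPRNG token that carries no information, expiry, rotation on login). The ID layout, user IDs and timestamps are constructed assumptions for the demonstration.

```python
# Added example (not from the workshop or conference): why structured session
# IDs are guessable, next to a server-side store built on the usual recipe.
import secrets
from typing import Dict, List, Optional


# --- the weak pattern: every field is public or monotonic ------------------
def weak_session_id(user_id: int, counter: int, login_ts: int) -> str:
    """Hex of (login time, user id, per-server counter). It looks random on
    the wire, but an attacker who holds one ID can read all three fields."""
    return f"{login_ts:08x}{user_id:04x}{counter:04x}"


def attacker_candidates(own_id: str, seconds_window: int = 3,
                        user_ids: range = range(1, 5)) -> List[str]:
    """From the attacker's own ID, enumerate the IDs anyone logging in during
    the next few seconds will receive (session cloning without sniffing)."""
    login_ts = int(own_id[0:8], 16)
    counter = int(own_id[12:16], 16)
    return [weak_session_id(uid, counter + dc, login_ts + dt)
            for dt in range(seconds_window + 1)
            for uid in user_ids
            for dc in (1, 2)]          # the next one or two counter values


# --- the recipe: random, meaningless, server-bound, rotated, expiring -------
class SessionStore:
    """Sessions live on the server; the client only holds a 128-bit token
    drawn from the OS CSPRNG, so there is nothing in it to predict or decode."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, dict] = {}

    def login(self, user_id: int, now: float) -> str:
        token = secrets.token_urlsafe(16)       # 16 random bytes, 22 chars
        self._sessions[token] = {"user": user_id, "expires": now + self.ttl}
        return token

    def lookup(self, token: str, now: float) -> Optional[dict]:
        """Expiry stops a captured token from living forever."""
        rec = self._sessions.get(token)
        if rec is None or rec["expires"] <= now:
            self._sessions.pop(token, None)
            return None
        return rec

    def rotate(self, token: str, now: float) -> Optional[str]:
        """Issue a fresh token after login or any privilege change, so an ID an
        attacker planted or copied beforehand no longer maps to anything."""
        rec = self.lookup(token, now)
        if rec is None:
            return None
        del self._sessions[token]
        return self.login(rec["user"], now)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    mine = weak_session_id(7, 0x0100, 1015000000)     # constructed values
    victim = weak_session_id(3, 0x0101, 1015000002)
    guesses = attacker_candidates(mine)
    print(f"weak: victim ID among {len(guesses)} guesses: {victim in guesses}")
    store = SessionStore(ttl_seconds=60)
    t = store.login(42, now=1000.0)
    print(f"strong: {t!r} -> {store.lookup(t, 1001.0)}, "
          f"after TTL: {store.lookup(t, 1061.0)}")
```

The point of the weak half is that the attacker never touches the network: 32 guesses cover a victim who logs in within three seconds, and a URL-rewritten or cookie-borne ID can be tried as fast as the server answers. The strong half is deliberately boring; the security comes from where the entropy is drawn, from keeping all meaning on the server, and from throwing the token away at login and at expiry.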

W6: Securing Your Place on the Web
Peter Davis, CISSP, CISA, Principal, Peter Davis & Associates
In this intensive workshop you will be introduced to a variety of ways to
connect to the Internet. You will explore strategies for strengthening the
security of your Internet interface, and learn how to take advantage of the
Internet's resources while avoiding the hazards of doing business in
The workshop agenda:
·	Assessing the security and audit implications of important components of
TCP/IP, Internet, and Web technology
·	Locating the key security control point and related threats to your
external and internal internet/web environment
·	Improving Web site security by properly configuring, patching, and
auditing your Web server
·	Reducing the risk from e-commerce applications based on Server Side
Includes (SSI), Common Gateway Interface (CGI), and/or Active Server Pages
(ASP) software components
·	Making sense of SSL, TLS, SET and other Web cryptographic security
·	Serious security issues and countermeasures associated with Web
applications development software tools, including Java, ActiveX,
JavaScript, VBScript, adbots, cookies, and robots.
This workshop assumes a working knowledge of TCP/IP network technology and
security such as that presented in the Understanding TCP/IP workshop.

Friday, 8 March 2002
09.00 - 17.00

W7: Implementing a Public Key Infrastructure
Steve Purser, Founder Member, Club de Sécurité des Systèmes d'Information au
Luxembourg (CLUSSIL)
In this comprehensive workshop you will examine the common problems and
pitfalls typically encountered when implementing PKI and gain proven
strategies for overcoming them. You will explore the use of PKI from both
technical and business perspectives. Throughout the workshop, real-world
examples will illustrate what you learn.
The workshop agenda:
·	Essential cryptography: a review of currently used algorithms, network
security services and implementation problems
·	Commonly used registration and revocation models
·	Certificates, trust hierarchies, certification models, key management
and liability concerns
·	Technical architecture: J2EE and COM+ case study
·	Procedural framework: standards and required documentation; CPS and
contractual issues
·	Interoperability: analysis of B2B and B2C considerations, trust
liability limitation, Identrus and GTA
This workshop assumes a basic knowledge of modern cryptographic
and how they are used. Extensive reference is made to RFC documents and the
PKIX framework.

W8: One Step Ahead: Vulnerability Testing
Phil Cracknell, CISSP, Security Specialist
The ability to test your system's vulnerabilities is critical to staying one
step ahead of hackers, crackers and phreakers. Without this system
self-assessment, you run a greater chance of missing a security hole and
increase the chance of attack. Planning, organising and executing a
vulnerability test are essential to the overall success of your system.
The workshop agenda:
·	Assessing your target
·	Updating and grading vulnerabilities
·	What tools to use
·	Methodology and approach
·	What the report should contain
·	Going forward: systems hardening

Wednesday, 6 March 2002

09.15 - 10.15
Keynote: The Internet--Future or Failure?
Richard Barrington, Director, Industry, Office of the E-Envoy, UK
Reporting directly to the E-Envoy, Mr Barrington is responsible for
encouraging UK business to grasp the opportunities e-commerce brings. He
works with individual companies and trade associations to capture the
concerns of business and influences policy in this area.
In his riveting keynote address, Mr Barrington will take a fresh look at the
Internet and pose an intriguing question: As a new technology, is the
Internet in the 'chasm' never to emerge? Don't miss this unique opportunity
to find out from a 28-year IT veteran the future direction of the
of IT and the role of IT in business.

10.45 - 12.15
1: Secure Web Hosting and E-Commerce Application Architectures
Simon J Pascoe, Lead Internet Security Architect, British Telecom
·	Current hacker techniques and their impact on Web hosting, ASP and
e-commerce delivery systems
·	Detailed analysis of countermeasure best practices
·	How to design and implement Internet threat modelling
·	Defence-in-depth security architectures: firewalls are not enough
·	Technical solutions to complex attacks: firewall tunnelling,
denial of service, distributed denial of service, and attacks against
firewall-protected Web servers; case studies
Knowledge of TCP/IP networking is assumed.
Track: WebSec Business Essentials

10.45 - 12.15
2: Hacking for the Masses
David Rhoades, President, Maven Security Consulting
·	Port scanning: how to anonymously scan any IP address for active
·	Mail bombing: flooding an address with spoofed emails
·	Search engines: finding Web site flaws
·	SNMP: viewing detailed router information
·	NetBIOS: scanning for open network shares
·	Anonymous proxies: surfing and hacking in privacy
·	OS fingerprinting: determining exactly which OS a remote site is using
·	DoS: how online tools allow you to take other systems offline or find
other networks that can be leveraged in denial-of-service flooding
Track: Web and E-Commerce Security

10.45 - 12.15
3: Strategies for Designing and Implementing a VPN
Stan Kiyoto, Chief Information Systems Security Officer and Acting
of Architecture and Standards, Booz Allen & Hamilton
·	Integrating virtual private networking services into the e-business and IT
strategies of your company
·	Defining VPNs in the context of e-business, IT, and the Web
·	Benefits of VPN over conventional remote access strategies
·	Sorting through the available technologies: RADIUS, TACACS, Tokens and
·	Design and implementation considerations for your VPN strategy
·	Future direction of virtual private networking and how it affects your
Track: Secure Mobility

13.30 - 15.00
4: Outsourcing Security: A Panel Discussion
Moderator: Charles Pask, Director, MIS Training; Director, Information
Security Institute European and Middle East e-Security Services
·	The issues surrounding outsourced security
·	When should you outsource the security function?
·	Can managed outsourcing companies protect against financial loss,
intrusion, or brand damage?
·	What to look for when outsourcing security
Track: WebSec Business Essentials

13.30 - 15.00
5: IDS: Your Cyber Burglar Alarm
Peter Davis, CISSP, CISA, Principal, Peter Davis & Associates
·	IDS defined: types of IDS; network vs. host-based IDS
·	Point-in-time vs. continuous
·	Deploying IDS
·	Reacting to alerts
·	The who, what, where, how and why of IDS
Track: Web and E-Commerce Security

13.30 - 15.00
6: Designing and Implementing a Multi-Application Smart Card in Banking
Services: A Case Study
Timo Rinne, Senior Consultant, Modirum Oy
·	Smart cards: cryptographical services and PKI infrastructure;
multi-application operating systems, general features and their
·	Smart card applications: digital signatures and authentication;
debit/credit applications; electronic purses and loyalty applications
·	Designing a multi-application smart card: selecting the platform and
of applications; optimising performance and memory
·	Smart cards in banking services: current status and future deployment;
implementing smart cards into payment infrastructures; electronic
service channels
Track: Secure Mobility

15.30 - 17.00
7: Wireless Security: From Top to Bottom
Tim Wright, Security Standards and Research, Vodafone R&D
·	GSM security
·	3GPP security
·	WAP and wireless internet security
·	Application download
Track: WebSec Business Essentials

15.30 - 17.00
8: Incident Response Management: A Case Study
Ray Stanton, Director, UNISYS EMEIA Security COE, UNISYS
·	The need for integration into business processes
·	Key components
·	What's worked and what hasn't: real-world examples
·	Implementing new technologies and their effect on incident management
·	Intrusion detection systems
·	Should you bother or not?
Track: Web and E-Commerce Security

15.30 - 17.00
9: 802.11 Wireless LAN Auditing
David Rhoades, President, Maven Security Consulting
·	Defining the threats: what attackers can do
·	Locating your wireless access points before an attacker does
·	How to test and audit the security of an access point
·	Recommendations for making the 802.11 wireless LAN more secure
·	Demonstrations of the latest attacks
Track: Secure Mobility

Thursday, 7 March 2002

09.00 - 10.30
10: Web Security Privacy Standards, Policies, and Laws
John Aldred, IT Technical Security Officer, NATO
·	Current and future legislative requirements in USA, Europe, and the UK
·	Additional requirements imposed by professional bodies and regulators
·	Legislative and additional requirements as minimum standards of
·	Incorporating minimum standards in the Information Security Management
System (ISMS) and associated policies
·	Developing a robust but reactive ISMS to meet changes in risk and
requirements of legislators, professional bodies, and regulators
·	Role of accreditation and audit
·	Accreditation and auditing standards
Track: WebSec Business Essentials

09.00 - 10.30
11: Investigating Crime: A Guide to Computer Forensics
Bo Norgren, Chief Security Officer, DEFCOM
·	IT crime and organised crime, recent cases
·	Fraud on the Internet
·	Investigating Web criminality
·	IT-crime incident handling methods
·	Wireless LAN hacking
·	Threats/crimes against our critical infrastructure
Track: Web and E-Commerce Security

09.00 - 10.30
12: XML Security in the Mobile World
Steve Scagell, Mobile Solutions Consultant, Nokia
·	Security Standards in WAP 2.0 WTLS/SSL
·	SecurID authentication and mobility
·	WAP Forum/W3C secure mobility standards
·	Nokia active server: managing your secure application
Track: Secure Mobility

11.00 - 12.30
13: Protecting Your Privacy on the Internet
Peter T. Davis, Principal, Peter Davis & Associates
·	Identifying key threats to your privacy on the Internet
·	Defending against packet sniffers
·	Evaluating the security and privacy issues associated with the use of
cookies in Web applications
Track: WebSec Business Essentials

11.00 - 12.30
14: Firewalls and Demilitarised Zones
Phil Cracknell, CISSP, Security Specialist
·	Firewall market: types of firewalls and leading products
·	The best line of defence
·	Firewall design principles
·	Using multiple firewalls together
·	Pros and cons of a DMZ
Track: Web and E-Commerce Security

11.00 - 12.30
15: The Role of Application Security and Access Management in Building
Business Infrastructures
John Hughes, Senior Vice President and Chief Technology Officer,
·	Access management technology and how it provides application security in
complex architectures
·	Authentication, authorisation, auditing, and administration in managing
the security of n-tier application architectures
·	The role of Web, CORBA, and EJB technologies
·	Using dynamic policy rules to implement business logic
·	Scalability challenges
·	Access management standards and products
Track: Secure Mobility

13.45 - 15.15
16: Security Awareness: The E-Business Challenge
Charles Pask, Director, MIS Training; Director, Information Security
Institute European and Middle East e-Security Services
·	Awareness planning: success factors
·	Tips for getting management buy-in
·	Key messages and the new challenge for e-business risks
·	Case study examples from a large UK bank
·	CBT: a look at the marketplace
·	Useful sites for information
Track: WebSec Business Essentials

13.45 - 15.15
17: Malicious Codes
Steve Purser, Senior Manager IT Security, Clearstream Services
·	Looking at the problem
·	Evolution and projected trends
·	Classes of malicious code
·	How malicious code works: a dissection of recent examples
·	Designing and implementing a malicious code control framework
·	The importance of procedures
Track: Web and E-Commerce Security

13.45 - 15.15
18: Windows Security from NT to XP
John Hayday, Security Manager, Colt Telecom
·	How Windows security architecture has changed
·	SAM to Active Directory: scaleable security
·	Using templates and Group Policy to enforce security
·	Internet Information Server: Can it be secured?
·	Managing Windows 2000 security in a large-scale environment
Track: Secure Mobility

15.45 - 17.15
19: Pragmatic Privacy in the Workplace: A Case Study
Eric Schansman, Retired Senior Security Advisor, Rabobank
·	Employers' right to protect, monitor, and check resources
·	Employees' right to require protection of their privacy
·	Privacy do's and don'ts
·	The model used by companies to develop or evaluate their RUP or CoC
·	The model's proposed rules for maximum retention period of log-files
containing personalised data from Web sites accessed for private and
business purposes
Track: WebSec Business Essentials

15.45 - 17.15
20: The Evolution of PKI as a Trust Capability: A Case Study
Alistair Wardell, Head of IT Security Policy and Architecture, Reuters
·	Reasons to use PKI and reasons not to
·	Getting started
·	Building a policy and governance framework
·	Working with multiple levels of trust
·	Business process design
·	Technical challenges, then and now
·	Why PKI is not Trust
·	Communicating with management, users and customers
·	The evolving landscape of trust services
Track: Web and E-Commerce Security

15.45 - 17.15
21: System Environment Control Technology (SECT): A Case Study
Mike Longhurst, Principal Security Consultant, SecureWave
·	Where Executable Content Verification System (ECVS) and External
Management System (EIMS) technologies fit within the protective
·	Methods of conducting internal attacks against systems
·	Technically how ECVS and EIMS technologies work
·	The types of attack that can be prevented
Track: Secure Mobility

Special Features
Timely Keynote Address
In his keynote address, Richard Barrington, Director of Industry at the
Office of the E-Envoy, will share his views on the Internet, technology
security, and what the future holds for these critical areas.
Three Targeted Tracks
The conference covers all aspects of Web security in three focused tracks:
·	WebSec Business Essentials
·	Web and E-commerce Security
·	Secure Mobility
Government and Association Discounts
Government employees and ISACA and IIA members may deduct 10% from their
conference fees. This saving cannot be combined with other discounts.
Team Discount
Register three people from your organisation and the third attends at
price. Registrations must be made and paid for at the same time and this
saving cannot be combined with other discounts.
Conference Reception
You'll forge professional and social networks as you trade ideas and
tips with colleagues and instructors during the Conference Reception on
Wednesday, 6 March.
Conference Materials
You will receive complete conference materials (excluding workshops). Where
provided by the speakers, you will also receive notes and slides.
Vendor Expo
You'll have the opportunity for valuable one-on-one time with the
providers of Web and e-security products and services at the WebSec 2002
Vendor Expo.
CISSP & SSCP Examinations
We have conveniently scheduled the Certified Information Systems Security
Professional (CISSP) and the Systems Security Certified Practitioner (SSCP)
exams following the conference.
Optional, One-Day Workshops
Optional, one-day workshops before and after the conference let you learn
in-depth about specific topics, including TCP/IP, network security
assessment, risk assessment for the virtual office, hacking Web
applications, Web security, implementing PKI, vulnerability testing, and
CISSP preparation.
Continuing Education Credits
All conference attendees are eligible for 15 hours of Continuing Education
Credits that can be applied toward professional recertification
requirements. Workshop participants receive 7 CPE credits for each workshop
they attend.

20 High-Impact Reasons to Attend WebSec 2002 Europe
You will:
1. Learn how to design and implement Internet threat modelling that will
help you to determine appropriate countermeasures
2. Discover the tactics hackers use to get into your systems and learn
proven techniques for thwarting them
3. Get tips on designing and implementing a secure VPN
4. Investigate the who, what, where, how, and why of IDS
5. Benefit from the lessons learned in a real-world smart card case study
6. Explore wireless security from bearer to applications layer
7. Find out the key components of an effective incident response
8. Walk away with proven strategies for testing the security of access
points on wireless LANs
9. Review current and future Web legislative requirements in the US, Europe,
and the UK and determine the minimum security standards you should include in
your information security management system
10. Gain insights into investigating computer crime and learn how to handle
IT fraud incidents
11. Get the latest on XML security in the mobile world
12. Pinpoint key threats to privacy on the Internet and master
countermeasures for protecting against them
13. Learn what a DMZ is and when it makes sense to use one
14. Examine the roles of authentication, authorisation, auditing, and
administration in managing the security of n-tier application architectures
15. Uncover the success factors you should build into your security
awareness plans and get tips on obtaining management buy-in
16. Demystify how malicious code works and learn how to implement a
framework that will counter it
17. Find out how to manage Windows 2000 security in a large-scale environment
18. Clarify employer and employee privacy rights
19. Go through the steps you must take to set up a PKI
20. Determine how ECVS and EIMS technologies work
