44

Securing Information, Computers and Networks

A 2 Day Seminar

Speakers:

Charles Pfleeger & Ionut Ionescu

This seminar is intended for the professional who has either technical or managerial responsibility for IT security. Typical attendees include:

Manager, IT security
Administrator, IT security
Network administrator or system administrator
Project or division manager, with security responsibilities
Analyst, engineer, or administrator who wants to learn more about IT security

The people for whom this workshop is appropriate are professionals in computing and software who have a responsibility for—but not necessarily a strong knowledge of—security. No particular security background will be expected, nor will any advanced concepts in mathematics be needed. Participants should have a knowledge of computing, with some understand of programming, software development, or software project management.

Hackers. Viruses. Intrusion. Denial of service. Firewalls. Public key certificates. Password guessing. Trojan horses. Masquerading. Checksums. Worried about IT security? Even the terminology can sound frightening. But more worrisome than the terminology is the high likelihood that

your site or system will be attacked
your organisation will suffer substantial financial losses to recover lost or damaged data
your customers, partners, and employees will lose confidence in the security of the data they entrust to your IT operation.

What you don’t know about IT security can hurt you. Fortunately, security need not be a mystery: you can learn what are the key aspects of information security, how to develop a security strategy, which controls to select and how to apply them, and when to seek additional guidance. This two-day workshop will introduce the key concepts of IT security, as it applies to computer systems, networks, and system users. It will remove the mystery and mystique from the concepts and terms of the field, and show that much of computer security involves just thought and common sense, coupled with the careful application of technological protections. Progressing naturally from threats and vulnerabilities to controls in individual systems and then networks, the presenters of this workshop will explain the key concepts of the field. Course enrollment will be limited so that there will be class interaction with the presenters.

After completing this workshop participants will know

what are the basic security concepts of threat, vulnerability, risk, and countermeasure, as they apply to applications, systems, and networks
how to identify threats against their own environments and select appropriate, cost-effective controls
how to use of their computer’s hardware and software controls to protect against inside and outside threats
why a "defense in depth" strategy is the sensible approach to achieving a secure posture
when security measures are enough and not too much to be adequate and cost effective
when and how to involve security professionals in order to ensure the security of an application, site, or network

This workshop will address seven topics that cover the most important technical and management aspects of computer, network, and information security.

Basic concepts: what are security requirements and how can they be met?

confidentiality, integrity, availability
threat, vulnerability, control; method, opportunity, motive; risk
attackers, attack types; insiders, outsiders, accidental acts

Authorisation and access control: who is doing what and how can you set appropriate limits on allowed actions?

security policy, authorisations derived from the security policy, identity-based and role-based authorisation
identification and authentication: unique and non-unique identifiers, the need for authentication, methods of authentication (including PINs and passwords, biometric devices, one-time passwords, challenge-response systems), vulnerabilities of authentication
access control: access control lists, object-based access control
audit logs, reviewing the logs

Security management: how you can measure risk and develop a security plan that mitigates risk at an acceptable cost?

the tradeoff between risk and cost, quantified risk management, qualitative risk management, balancing risk
security plans and security policies; reviewing the plan, updating the plan
employee training and security awareness

Network security: what are the threats from connected systems or users and how can you control those threats?

the faceless network attacker; script kiddies
sniffing, snooping, scanning, penetrating, hacking
perimeter protection, internal protection
network-borne malicious code: viruses, Trojan horses, worms
firewalls: types of firewalls, network architectures and positioning firewalls, redundancy, defence in depth, configuring firewalls
intrusion detection systems (IDSs): types, capabilities, limitations, configurations
virtual private networks (VPNs): purpose, installation, limits
denial of service (DoS) attacks

Cryptography: how can you use a complex protection tool without needing to learn the underlying mathematics?

cryptography, cryptanalysis, code-breaking
secret key cryptography, public key cryptography, hash codes and checksums
key management: generating, distributing, storing keys
digital signatures, certificates, a public key infrastructure (PKI)

Incident handling: how should you develop and institute a plan for when—not if—your site or system is attacked?

preparation: developing a plan, identifying people and resources, communicating the approach
during the attack: following the plan, priorities, maintaining control, legal action
after the event: forensics, legal action, returning to normal state, learning from the incident

Physical security: how do traditional gates and guards complement other technical protections?

physical threats: water, air, fire, power, communications
perimeter protection, physical access controls
internal security

	Dr Charles P. Pfleeger is a Master Security Architect for Exodus Communications, Inc., the premier provider of complex Internet web hosting solutions. He advises on secure network designs, security policies and procedures, and appropriate choices of security tools. He was Director of Research for Arca Systems, Inc., prior to the acquisition of Arca by Exodus. As Director of European Operations for Trusted Information Systems (UK) Ltd., he managed the European office of a major security consulting operation, and he was technical lead of the UK Ministry of Defense Security in Open System Technology Demonstrator Programme. He was a professor with the Computer Science Department of The University of Tennessee where he taught undergraduate and graduate courses in operating systems, software engineering, and computer security. His book, Security in Computing, is the standard college textbook in computer security. He holds a PhD from The Pennsylvania State University and is a Certified Information Systems Security Professional (CISSP).

	Ionut Ionescu joined Exodus first as a Security Architect, later becoming Security Director in Professional Services. Ionut started his career in IT in Romania as an Analyst Programmer. He subsequently worked in IT (System Administration and Management roles) in Romania and in the UK, before moving into Consultancy, specialising in Network and Service Level Management and later in Internet Security. Ionut has a Degree in Computer Science from the "Politehnica" University of Bucharest, Romania, holds various industry qualifications and certifications (e.g. CISSP, CCSE) and he is also pursuing a distance-learning MBA with the Open University. Ionut provides comment on Internet Security issues to industry publications and UK newspapers (e.g. Evening Standard, e-Business International, The Banker, Network Computing, etc) and acts as a design authority for security in major international deals for Exodus Internet Ltd. He can be contacted at Ionut.Ionescu@exodus.net