COSAC 2002: International Computer Security Audit and Control Symposium

Below is a synopsis of each session. This page is not intended to be read in isolation. Instead, it is easier if you link to it from the timetable page (clicking a session code in the timetable page will bring up the relevant session details that are found on this page).


M1 The COSAC International Round Table Forum John O'Leary

One of the defining characteristics of COSAC is the degree of interaction in sessions. You might have been to other conferences where knowledgeable speakers cast new light on existing problems or alerted you to new ones and gave strategies for coping. But you probably didn’t experience a level of audience interaction wherein the announced speaker, though clearly an expert in the area, is often one of the least experienced people in the room regarding the topic being discussed, and the audience, anything but shy, takes nothing said at face value. This leads to one of the most significant benefits of attending any conference - the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis.

Experienced practitioners know that solutions which appear technically elegant and look really good on paper can be hamstrung by political considerations or “minor” operational flaws. They know what works in the real world, what doesn’t and more importantly, how to make things work in the real world. They know how to develop and work realistic strategies for creating and implementing information security solutions.

The COSAC Forum should give you a feel for the rest of COSAC. The essence of this one-day session is give and take, therefore, participants must be prepared to discuss topics freely and be willing to both critique others and have their solutions subject to scrutiny. Participants will be asked prior to COSAC to submit lists of items they’re willing to discuss and want discussion on. Some may be asked to prepare short presentations on specific topics to lead into roundtable discussions. The better prepared you are, and the more you put into this session, the more you’ll get out of it.

To protect the participants and encourage information sharing, this forum takes place under non-disclosure agreement.

M2 Intrusion Detection Dr Eugene Schultz

Intrusion detection has grown from something that at one time was considered a "black art" to a mainstream activity in organizations throughout the world. There is a lot more to intrusion detection than meets the eye, however. Intrusion detection involves considerably more than deploying intrusion detection systems (IDSs), for example. The particular manner in which IDSs are deployed greatly affects their effectiveness, but few people genuinely understand the "ins and outs" of intrusion detection sufficiently to deploy IDSs in an optimal manner. Additionally, successful use of intrusion detection requires establishing an infrastructure that includes appropriate policy provisions, management oversight, incident response procedures, and many other considerations.

This one day course "puts it all together" by providing attendees with in-depth information about the most critical aspects of intrusion detection. This course teaches attendees what they need to know to set up an intrusion detection program and make sound technical decisions concerning deployment of the various elements of these programs.

Topics covered include:

  • Introduction
  • Approaches to Intrusion Detection
  • How Intrusion Detection Systems Work
  • Case Studies: Real-Life IDSs
  • The Administrative/Procedural Side of Intrusion Detection
  • Wrap-Up

This course is designed for a wide range of attendees, including system and network administrators, IT staff, information security staff, and auditors. It contains a mixture of technical and non-technical information. Some knowledge of networking, Unix, Linux and Windows operating systems will be helpful in understanding some of the technical content of this course, but is not required.

M3 How To Design Enterprise Security
David Lynas

"An orchestrated approach for providing a structure to enterprise security.
All information security professionals should embrace this disciplined approach."
Steven Scholochenko, CISSP, CISA, Program Manager U.S. Dept. of the Treasury

"David Lynas is a genius. In just a short time he takes some of the basic concepts that we follow like sheep,
questions their on-going relevance, and ends up redefining 'best practice' and rewriting the 'standards' to provide real benefit."
Richard Nealon, Chief Security Architect, Bank of Ireland

"On its own, this Architecture session fully justified my attendance at the entire COSAC 2000 event."
Milo Doyle, Head of Information Security, Education Building Society

If you need to deliver the right security in the right place at the right time, this highly participative course is for you. It takes attendees through a detailed and proven security architecture design process used successfully by a number of high profile multi-national organizations.

On completion of this class you will have developed an outline for a comprehensive strategy to create a winning enterprise security architecture, or improve an existing program. The strategy developed will be specific to your own business requirements and these objectives will be achieved through an innovative combination of presentations, peer group discussions, team workshops, interviews, and role-playing activities.

Security is a business, people, and technical issue requiring a comprehensive program of countermeasures and solutions. This Security Architecture Master Class can help solve these problems by addressing:

  • What is security architecture, why do we need it, and how does it work?
  • A business driven framework for architecture design;
  • The role of risk in architecture design
  • Defining the business context for security architecture
  • Conceptual Architecture and key security concepts:
  • Security attributes
  • Business entities and their logical representation
  • Trust and relationships between business entities
  • Security associations between logical entities
  • The defense in depth strategy
  • Logical and Physical Security Architecture
  • Security Policy architecture
  • Security Domain modelling
  • Security Management and the Operational Architecture

M4 "Pushing Security to the Limits..." Stan Dormer

This one-day master class looks at the state of security within your organisation and yields dozens of innovative ways to assess and improve your security strategies…

  1. Social state analysis – what’s your security really like - six interesting social engineering experiments that tell you more about your security than you ever wanted to believe!

    1. A weather man, a tyrant, an engineer and a consultant – the role players in security breaches
    2. Playing the stealth stroke – delayed action breaches of security
    3. Text me too, I’m outside – changing the security rules using new technologies
    4. Henry the VIII really was here; you can see the evidence – the value of evidence and trails
    5. It’s a thirteen horse race – is there anything new in security?
    6. I have an angel on the line for you – using power to take control

  2. An honesty baseline analysis – how do you assess what security risks your users know and care about – the six part acid test!

    1. Who’s telling porky pies? – How honest are your staff?
    2. It’s only the devil’s money! – The nature of employment and an employee’s regard for assets – how this impacts security
    3. Everyone does this once in a while! – Are there any excuses for poor security?
    4. It could go either way! – The facts that an employee uses when deciding to comply or breach security
    5. I’m only taking my rightful share! – How organisations can architect their own security nightmare
    6. After Dark – What makes security inconsistent and incoherent

  3. Building better security by re-engineering social mores

    1. Let’s take a trip back to basics – engineering social cultures that contribute to security
    2. No school, no result, no access – education as a tool in security plans
    3. Equity the 4th E – building out a level security playing field
    4. Soft and hard reactions – dealing with human beings involved in security incidents and breaches
    5. Tell them, show them, let them experience – three different ways for improving risk and security calls by staff
    6. Reward and performance structures – does security have a place in these structures?

  4. An integrated social security architecture that brings together man and machine – how to do better

    1. Deciding what’s at risk – which are the golden assets?
    2. Automate and Prevent or Repent – it’s about the nature of control that’s best for your organisation
    3. That Infosec Policy – how structured and useful is it?
    4. Strategy – Driver – Policy – Rule: the Feng Shui of security in the workplace
    5. Negotiated security structures – do security architectures always have to be rigid?
    6. Operational effectiveness – where does security fit in – how to perform a value probe of your security operations?
    7. Preparedness how do you rate – what are the critical people structures that you should have in place now?
    8. Rational decision making whilst under attack – could you control a major incident if you had to?
    9. Security Blueprint analysis for working environments – checking and testing fit; trying proof of concept security models; measuring results
    10. Root cause analysis and security outcomes – how do you learn from failure?
    11. Building out your security learning system

M5 The Insider Threat:
Standing On Your Own Foot
Peter Wood

About this Seminar

Commercial organisations in the UK appear to remain blind (or ostrich-like) to the threat of attacks from within. Despite numerous reports showing the prevalence of insider incidents, few, if any, firms take measures to secure their IT infrastructure internally. After years of conducting internal network security reviews for some of the largest UK firms, Peter Wood has developed a workshop to demonstrate the common exploits, the impact on the target organisation and how simple processes and best practice can negate most threats.

Seminar Outline

  • A typical UK corporate network

    • How can I see every device on your network without a password?
    • Why can I read your CV on your workstation hard disk?
    • How can I be a domain administrator with no authorisation?
    • Why is it I control every router on your network?
    • How do I bypass your firewall entirely?
    • How do I record every keystroke in your IT department?
    • If I'm a network admin, why can I study everyone's payroll?

  • Case studies - some real-world examples of insider incidents

    • Publish the payroll in the staff restroom
    • Rebuild the mail server three times a week
    • I'm the indispensable firewall admin - you can't do without me...ever

  • Pro-active defence - how to protect yourself from the majority of insider threats

    • Really understanding how your network works
    • Configuring servers, workstations and routers without gigantic loopholes
    • Monitoring where it matters

What You Will Learn

  • What your corporate network really looks like
  • What the real risks are to your organisation
  • How to implement a realistic strategy to defend your organisation

M6 Investigating I.T. Fraud Richard Cascarino

Seminar Objectives

This Master Class is designed to equip experienced auditors with the tools and techniques to investigate security incidents and produce forensically acceptable evidence.

Seminar Content

  • Learning the Fundamentals

    • Goals and Methodologies
    • Incident Response
    • Being Prepared
    • Hosts
    • Networks
    • Policies and Procedures
    • Response Toolkits
    • Response Personnel

  • Technicalities

    • Investigating
    • Computer Forensics
    • Understanding Protocols
    • Trap and Trace
    • Network Surveillance

  • Investigating Operating Environments

    • Windows NT/2000
    • Unix

  • Other Technology

    • Routers
    • Application servers

  • Hacker Tools
  • Cyberspace

    • Establishing Identity
    • Tracing E-mail

Who Should Attend

The module is aimed primarily at computer auditors and forensic auditors who have to investigate crimes and produce computer evidence acceptable to the courts.


  • "Assurance & Risk" - stream codes: A1 - A4
  • "Internet Security Strategy" - stream codes: B1 - B4
  • "Cryptography & Its Real-life Applications" - stream codes: C1 - C2
  • "Steganography" - stream codes: C3 - C4
  • "Plenary Sessions" - stream codes: PS1 - PS3

A1 "What You Need to Know About Risk (but They Won't Tell You)" Jay Heiser

In Against the Gods, author Peter Bernstein makes the strong assertion that the ‘revolutionary idea’ that supports ‘modern times’ is the ability of man to recognize and deal with risk. If best-selling books are being written on the subject, then making decisions about information risk must be routine for us. But society today is not only post-modern, it is already post-industrial, so why are infosec witch doctors still bleeding their patients in an attempt to restore the balance of their essential humors? After thirty years of discussion, we ought to be able to at least agree on a method for analyzing risk and providing answers that support decisions, but we aren’t even close to consensus on the most basic assumptions about infosec risk.

The truth is that we still approach risk like amateurs, blown about by the winds of emotion, weighed down by cultural baggage that doesn’t fit into the overhead bin. This presentation provides a quick overview of what those other risk managers are up to in other disciplines, and what we can learn from them. Giving a conceptual understanding of the four basic methods of risk approaches, it provides seven criteria to determine the efficacy of a risk analysis method. Although we will not be able to agree on the qualitative versus quantitative debate, there will be lively debates about the subject during and after the presentation. Students will not be graded—until they return to their employers—but homework will be assigned. For extra credit, attendees should be prepared to discuss the relative merits of the Parkerian Hexad over traditional CIA.

A2 Assuring New Business Systems:
Managing the Risks of Launching New Applications
John Sherwood

As digital business becomes all-pervasive, more and more business processes are being automated and integrated using information technology, creating an increasing number of new business applications to be specified, developed, released and supported. The assurance of these systems thus becomes a major issue for the digitally-oriented business enterprise. Some of the key questions that need to be answered include:

  • Does the functional specification of the application reflect the true business requirements?
  • Is the application code correctly written to implement exactly the desired functionality?
  • Has the code been written so that it prevents malicious manipulation?
  • Does the underlying operating system / database management system / other system software prevent malicious exploitation? (Issues include memory management, buffer and stack overflows, etc).
  • If mobile code is in use (Java applets etc), is this protected against malicious substitution or subversion?
  • Can an application be subverted by a hostile employee, either during development or after release into production?
  • How much application testing (including ‘penetration testing’) is needed before release?
  • Can we rely upon the integrity of the software tools used for development, or are there potentially inherent faults that will undermine the integrity of our business applications? (Consider the recent concerns over the integrity of ASN.1 and its compilers).
  • Is there a complete audit trail that provides demonstrable assurance that the released application does indeed provide the desired functionality – no more and no less? How can this be achieved?
  • What overall programme of control is needed to provide the level of application assurance commensurate with the business risk management stance of the enterprise?

In this presentation we shall examine these issues in more detail from a risk management perspective, looking at the nature of the potential threats, examining the potential vulnerabilities in development and operational processes, and synthesising mitigation strategies to provide the enterprise with the desired output – risk-assured business applications.

A3 Process Analysis:
What's that got to do with Security?
Stan Dormer

This session will show how knowledge of process analysis methods and tools can yield superior security schemes that are more consistent, more effective, more elastic and which yield greater organisational value. Stan will demonstrate process methods that take account of volumes of activity and the value set of the organisation and show how you can improve security by integrating it into the right places in core business operations.

A4 Getting it Right First Time
Governance in the Development Process
Gerry O'Neill

Would you like to ensure that every system developed or implemented by your business incorporates fit-for-purpose security and control? In other words, every system is delivered already compliant with all of your corporate security policies and standards, with the appropriate involvement and signoff of the right stakeholders, and according to the risk appetite set by the business owners. How can this be achieved without creating a secondary industry?

We all know the problem. Security and control requirements are still seen as a nice-to-have optional extra which, in spite of our endeavours, tend to get squeezed under time and budgetary pressures, or sometimes just forgotten about. At best, when it is considered, the resulting implementation may not quite meet standards or business needs.

The result is that security and control has to be retrofitted, at much greater cost than if it had been built appropriately in the first place.

In this largely interactive session, Gerry will outline the key issues around how businesses develop or procure IT systems and solutions, and highlight the areas where things have traditionally "fallen between the cracks". He will propose a framework, based on work he has been involved in at Barclays, and explain the key success factors and initial benefits derived, where the intention has been to develop a framework which achieves maximum impact for optimal effort. He will then invite delegates to share their experiences in this field with a view to challenging or improving the model.

B1 Denial is the Corporate Standard:
An Emergency Response Case Study
Krag Brotby

"Denial" is the standard corporate first line of defense against potential disaster. In many organizations, if not most, “denial” occurs because no one with the necessary authority is charged with officially declaring a crisis, no one has defined what constitutes a disaster or what a crisis might look like, no one wants a disaster on their watch, and maybe, just maybe, if they ignore it, it will go away. In addition, the determination of corporate crisis generally becomes a committee project involving numerous individuals in an endless series of meetings. Of course, no one wants to appear other than cool and professional and alarmist tendencies don’t play well on mahogany row. Often, this results in precious time wasted while weeks of detached deliberation carry on.

One such event was the subject of a recent, intense engagement by the author and four associates. Confidentiality requires that the names are changed and location of events masked but the story is true and there is much that can be learned from this example. Potential losses for the organization could have reached a hundred million dollars or more, caused loss of reputation, loss of share value and customers and a host of other problems. Fortunately, that didn’t occur, partly due to the efforts of the author’s team and partly due to blind dumb luck. This presentation tracks the events and the staggering array of things awry from a security perspective that the team uncovered during the engagement, and the eventual outcome.

B2 Windows XP Security Gene Schultz

With Windows XP comes a large number of substantial changes related to security. Many of these changes represent security enhancements; many others represent still additional challenges for security professionals and others charged with tightening the security of systems and networks.

What vulnerabilities have been identified so far and how serious are they? What system and network security controls are available in Windows XP and how do they work? This presentation delves into these issues with an emphasis on the costs versus benefits of implementing the various countermeasures that can be used.

B3 Secure Content Hosting & eCommerce Application Architectures Simon Pascoe

Increasing numbers of corporations and small businesses are looking to web site hosting providers to locate their web site servers. The security of their infrastructures is often poorly specified – leaving the customer to ask the questions. Secondly, off-the-shelf applications are used with impunity today, with little regard to the inherent security and interaction with other applications on the same platform.

The session will start with a review of security issues associated with Web and application hosting. It will then outline BT’s approach to web hosting security, explaining real operational examples and implementations.

Application hosting is similarly outsourced by many companies – as complex and costly applications are ‘rented’ via the ASPe platforms. BT’s solutions to the security risks associated with this hosting model will also be debated.

Both these topics sit nicely with another area the presenter has been working on – application security. The section will be aimed at problems of integration and operation of off the shelf applications and how the security of these complex architectures can be improved.

The session will contain verbal anecdotes, personal experience and un-biased views on the security provided by the various Web and ASPe hosting technologies.

B4 Benefits Realisation Management:
Making a Business Return from IS Security
Denis Kelly

As IS Security Professionals we all find it difficult to sell the cost of security to the business. The broader IS community may see security as an undue hindrance to flexibility while the sales manager wants all his customers to have on-line access to their order processing systems without all this complex security stuff. This places the IS Security professional on the back foot trying to justify the expenditure and controls. Scare stories, legal requirements, auditors reports, etc can be used to coerce compliance. Will this result in the real value of security being demonstrated to the business? Does the business get the optimum solution?

This presentation will demonstrate how a simple to apply benefits realisation methodology can help the formation of a business driven definition of requirements and define metrics in business terms to measure how IS Security will deliver.

The format of the presentation will be a walk through the methodology followed by an interactive case study demonstrating its application. So be prepared to participate.

C1 Good Ciphers Are Not Enough Tony Sale

Tony Sale will explore with despair the similarities between what is happening now with so-called secure systems and what happened to good German ciphers in World War II. Doesn't anyone learn from history?

C2 Whose Hole-In-The-Wall Is It Anyway? Richard Nealon
Andy Clark

The first Automatic Teller Machine (ATM) was introduced in the USA in 1969. Originally just an off-line cash dispenser, it rapidly evolved into the multi-function machine we use today. The early architectures were based on SNA communications in a star format and proprietary operating systems. Cryptographic processing was tamper protected and undetected access to the communications data was challenging. Today ATMs are IP based and use other networks; some are dial-up. Their operating systems have changed too, looking more like a PC than an industrial controller. In most cases, their cryptography has not progressed beyond single DES, mostly implemented in software, with keys stored in files on a local hard disk.

In our talk, we discuss how this pervasive technology is at risk of attack not considered in the original threat models. We propose approaches to make the systems sufficiently robust to meet current needs.

C3 Steganography:
Drawing a Picture of a White Cat in a Snowstorm
Vince Gallo

So, you have several forms of boundary control for data, at the external limits to your organisation and at need-to-know domains within the enterprise, all successfully discovering and preventing attempted breaches of corporate policy. That was until the data being moved was put in places you can't see, or don't look. In this session we shall explore the various mechanisms that can be used to hide data. In particular we shall explore some commonly available steganographic tools and products. This is not a survey of published products, rather an investigation as to how they work, so providing insight into the generic nature of steganography. Understanding how to do so is beneficial not only to those who wish to hide data, but also to those with the task of uncovering such covert messages.

C4 Steganalysis:
Finding a Black Cat in a Coal Cellar
Vince Gallo

The earlier session showed how data can be hidden from sight. Is despair the only viable reaction, or are there means by which the veil can be withdrawn? In this session we shall review the steganographic mechanisms, exploring the tell-tale signs that are left behind. It would seem a reasonable argument that if a steganographic product is able to recover data, then so should you. The purpose of this session is to provide an understanding of how to detect hidden data, thus allowing you to reinforce those need-to-know barriers and boundary filters. There is more to be done in order to feel confident in your next conversation with auditors, compliance officers, the corporate lawyer, or your CEO.

PS1 Breaking the DES Michael Wiener

In 1993, a paper was published that included detailed chip and board designs for efficiently breaking the US Data Encryption Standard (DES). In the period prior to this publication, there was a lot of misinformation around concerning what it would take to break DES. Consultants and government officials could be heard talking about quadrillions of keys and thousands of years. Certainly there were many people who knew how strong (or weak) DES was, but they were often drowned out by the misinformation. DES was deemed "strong encryption" by the US export control regulations. In the period following 1993, common knowledge about DES evolved from believing it to be adequate for commercial purposes to believing DES to be hopelessly weak. Ultimately, this led to the development of the new Advanced Encryption Standard (AES). It is not clear how important the 1993 paper was in this transformation of public opinion, but it seems to have played a non-trivial role.

PS2 "Not-so-secret Ins and Outs" Ray Kaplan

Creativity is the life blood of the Internet and everyone in infosec sees the continuous flow of new and creative things that challenge us, especially in a networked environment - most especially in the Internet. For instance, protocols that run over other protocols are a network software engineering institution that we all count on. However, new and creative ways to use this paradigm have given rise to a variety of not-so-secret ways in and out of your network that are tough to deal with.

The inadequacies of our security architectures, designs, implementations, configuration, management and operations, and bugs all provide fertile ground for these not-so-secret ins and outs. For instance, a number of protocols can run over HTTP, remain undetected by your firewall and be easily used to facilitate the compromise of internal hosts on your intranet. Worse, most any port can be used to tunnel traffic in and out of your network undetected.

The damage that Vince Gallo's famous Bunratty attack which debuted at COSAC a few years ago can quietly do using Microsoft's Messaging API is significant. However, these not-so-secret ins and outs raise the bar to include real-time attack activities that are every bit as undetectable and subtle as Bunratty.

This session will explore some of these not-so-secret ins and outs, how they work, their use as attack tools, and some ideas for dealing with them.

PS3 Issues Of The Day: Open Forum Facilitated by
David Lynas

An extremely important and highly valuable aspect of COSAC is the Open Forum that follows the main stream of symposium sessions daily. All COSAC participants have the opportunity to submit questions, challenges or ideas throughout the day and real-time during the forum. Issues will be addressed openly by all of the day’s presenters and participants.

Facilitated by the COSAC Chairman, David Lynas, today’s forum aims to solve your problems and develop your ideas in the areas of:

  • Assurance & Risk,
  • Internet Security Strategy,
  • Cryptography & Its Applications,
  • Steganography,
  • Any other Hot Issue placed on the agenda by COSAC participants.


  • "Forensics & Digital Investigations" - stream codes: D1
  • "Cyber Crime, Information Warfare & Law" - stream codes: D2 - D4
  • "Network Technologies Security" - stream codes: E1 - E4
  • "The Changing Face of Security Management" - stream codes: F1 - F4
  • "Plenary Sessions" - stream codes: PS4 - PS6

D1 Evidence Eliminators:
The Next Hurdle for Forensic Investigators
Andy Clark

Forensic investigation of computer systems is always playing catch-up with the latest tools for hiding compromising activity. Forensic capture and analysis products become the subject of countermeasures in the same way as anti-virus software products. The most recent hurdle to emerge has been so called "evidence eliminators" that claim to cover the tracks of a computer user. In this talk we discuss the operation of these products, their effectiveness, and the threat that they pose to investigators - both within an organisation and externally.

D2 Cyber Crime & Internet Security:
Protecting Your Business & Your Customer
David Spinks

In the light of the recent spate of online fraud and security breaches, no one can afford to ignore the issues surrounding internet security.

This session gives practical advice on the protection of business assets and recommends actions which will greatly reduce the risks of cyber crime.

  • How to protect your external connections – firewalls alone are not enough
  • Best Practice and how to sell this to your senior managers – the importance of getting Senior Management Buy-In
  • Creating a business continuity strategy to deal with potential security problems – the importance of Cyber Forensics – Biometrics & Smart Cards
  • How new legislation in European countries could affect the way we do business online – the role of Law Enforcement in Cyber Crime

David will illustrate the above with specific examples of recent Cyber Investigations and Information Assurance projects undertaken for clients including Ben Gurion Airport and the US DoD. The examples will illustrate the need to recognize that as organizations move towards the Digital Economy, more and more corporate assets will be in digital format.

Based on recent developments and trends in Digital Technology, the future will see a huge increase in Cyber Crime attacks – David will stress the need for urgent action to be taken and for businesses to adopt Information Assurance strategies to protect their Digital Knowledge and Information.

D3 Information Warfare:
A Commercial Perspective
David Love

Since the advent of nation states, standing armies have been used to protect organized society. Prior to an attack on the citizen population or as part of that attack, an aggressor had to engage and defeat the military defences. Information Warfare (IW) is regarded as a legitimate branch of warfare as the purpose is damage to the infrastructure of the target state.

However, throughout the Western world, professional defence forces have little or no role in IW other than to protect themselves. IW aggressors can make direct attack on the organs of the state and on the industrial and commercial components without any engagement with the traditional defence forces. However, protection of vital commercial and industrial organizations is now recognized as of fundamental importance not only to shareholders but also to society itself in the Critical National Infrastructure concept.

What responsibility within the Critical National Infrastructure do commercial organizations have over and above protection of shareholder investment? IW itself has a spectrum of possible perpetrators. Without an understanding of the nature and capabilities of the variety of risks, commercial organizations may either over-protect themselves or leave themselves and the state itself vulnerable to IW exploitation.

D4 Information Security & Privacy
in the Age of Terrorism
Mark Rasch

Just under one year ago, while attending COSAC, the world witnessed one of the most horrendous acts of international terrorism in history. The action was blamed in part on inadequate laws and procedures to permit interception of communications, and other intelligence collection and analysis lapses, although it is not clear that anything could have prevented the attacks.

In the wake of the attacks of September 11, 2001, governments in general, and the United States in particular, have enacted new legislation to permit the interception and analysis of electronic communications. They have developed new tools and techniques -- from Carnivore to Magic Lantern -- from "roving" wiretaps to global jurisdiction -- and new legal powers to supervise financial institutions and check money laundering. Hundreds of people around the globe have been arrested, and forensic analysis of computers has played a part in the hunt for Osama Bin Laden as well as the evidence against those who assassinated Wall Street Journal reporter Daniel Pearl.

At the same time we are sacrificing privacy in the name of the fight against terrorism, international critical infrastructures are more vulnerable to attack. Anecdotal reports indicate that the Al Kaida network had plans to disrupt banking and other critical electronic infrastructures. The anthrax attacks in the United States, and the suicide bombing in Israel and the West Bank and Gaza point out the need to "harden" our infrastructures.

This speech will touch on the conflicting goals of more openness for communications, and the need for governments, law enforcement agencies, intelligence agencies and regulators to have instant and meaningful access to the interception of real-time communications, and the role of security in preventing attacks on critical infrastructures. It will discuss new laws and new technologies, as well as policy changes both within and outside government that affect global information security.

E1 Wireless LAN Security Ken Lindup

Wireless LANs based upon 802.11 are growing in importance. Wireless LANs are finding favour for applications such as baggage handling in airports and providing Internet access in public places. The problem is that they remove the last vestige of the security perimeter. They make possible the scenario of drive-by hacking. The equipment needed is cheap and it is coming into use in home computer set-ups. This means that the organisation that implements strong controls over remote access for its home workers can find it is vulnerable to attacks from outside the home.

In this session Ken will describe the basics of 802.11, the vulnerabilities of wireless LANs and identify ways to make transactions once again secure.

E2 "Pass the Pringles" David Everett

Next time you see a car driving around with a Pringles can on the dashboard don't be fooled, this could be a tasty snack with a difference. War Driving is the new hacker's hobby of searching for wireless networks, much more fun than War Dialling, the modem access point terrestrial equivalent. The Pringles can has been used to construct a tuned directional Yagi array antenna homing in on the 2.4GHz of the Wireless 802.11 network standard.

The popularity of wireless networks is on the increase providing network access where cables are not easily available be it in the corporate domain or more recently public spaces including even the local coffee shop.

The security of Wi-Fi (Wireless Fidelity) is generally accepted to be a disaster: easy to eavesdrop on, and with an encryption system, WEP (Wired Equivalent Privacy), that even when turned on has been shown to be easy to hack.

In this paper we will look at some of the tools used by the hackers such as NetStumbler, WEPcrack, and Airsnort, moving on to show how simple well known concepts involving VPNs and security tokens can bring security and order to this chaos.

E3 Voice Communications Security in the
Midst of Network Convergence
Valene Skerpac

Cost savings and deregulation changes as well as the promise of new media applications and services are propelling the progressive shift to voice over some combination of IP, ATM and MPLS. Previous voice and data security models are no longer adequate as new and evolving voice security models and services based on a data-centric network emerge. The session reviews traditional circuit based landline and wireless voice communication architectures, protocols, features, Quality-of-Service (QoS) and related security issues. Delving into network convergence, the session examines new architectures, evolving standards based protocols such as SIP and H.323 and new QoS methods. Novel voice security issues and solutions such as voice firewalls and enterprise VoIP LAN designs are highlighted.

E4 "Tomorrow's Virus Writer: Villain or Cyberhero?" Pete Simpson

The first half of 2002 has witnessed a marked decline in virus-writing activity compared to the previous year. Amongst the reasons for 'retirement' cited by one prominent member of the scene was the introduction of increasingly aggressive cybercrime legislation. We first examine the relevant legislation - UK Regulation of Investigatory Powers Act 2000, Counter-Terrorism Act 2001, US Patriot Act 2001 and recent EU cybercrime proposals - and consider implications for the would-be virus writer.

We conclude that it is entirely inappropriate to apply such legislation to either the recreational, intellectual pursuits, typical of the more mature elements of the virus-writer community or the clueless vandalism of the script-kiddies. The legislation was drafted in a broader geopolitical context encompassing the attacks of September 2001. Considering the probable perpetrators of the attacks, we conclude that the cybercrime legislation is unlikely to bear any relevance to counter-terrorism efforts.

So what useful purpose could the cybercrime legislation possibly serve? The logical answer is 'interesting' and, if correct, may force the IT security community, and in particular those concerned with Internet content filtering technologies, to confront unprecedented professional and ethical dilemmas. Scenarios may arise necessitating serious reappraisals of both our own roles and those of our adversaries.

F1 A Large Scale 'Warts n All' Project Case
Study, in Three Words: "Oh My God"
Cheryl Jackson

In early March 2002, I received an email asking if I would be willing to take a short-term assignment in Europe. In the middle of a proposal for an up-coming conference call, I quickly and absentmindedly replied, “yes” to the email.

Note to self: In the future read email more carefully before replying.

Things happened very quickly after that, and a phone call on a Wednesday morning started a chain of events that found me at the airport the same afternoon. Thirteen hours, three airports, and seven time zones later, I was walking through customs and immigration wondering how I was going to recognize the person who was meeting me at the airport to take me to the hotel.

The following weeks and months (yes, months!) came to be some of the most challenging, frustrating, and exciting of my career. What began as a 30-day assignment to do a risk assessment turned into a commitment to a major project, the largest ever undertaken by our company. The identity of the client organisation will be withheld due to confidentiality agreements, and I know this audience will respect this requirement, but suffice it to say this is a very large well-known company involved in the telecommunications industry.

The reason for the rush was the risk assessment kick-off meeting scheduled for Friday of that week. I met a number of my fellow team members that evening (it was Thursday by the time I actually arrived), and was warned right away not to let the project manager get hold of my passport. I thought they were joking.

Friday morning we had a hasty preparation meeting followed immediately by the client meeting. All went well as they bought into the process and approach and promised their support in making sure the appropriate business people would participate in the up-coming training class followed by the actual facilitated workshop for the risk assessment. Early in the following week, I was asked to attend a business dinner with project leadership and a key client representative. Turns out that the client has a background in risk assessment and was very interested in discussing our approach.

During the course of the evening I mentioned at one point that we usually find around 80% of the recommended controls from the risk assessment workshop already exist in any given environment, although they are often incompletely or inappropriately implemented. He laughed and said he’d bet me dinner that we wouldn’t find that to be the case at his company. This is the usual response we get prior to the workshop, so I accepted that bet. He then proceeded to pull out pen and paper and started describing their environment and the types of problems they were encountering. By the end of the evening, he was picking out more and more expensive restaurants.

What we did not know until right before the workshop was that the business managers who should have participated delegated their participation. Their delegates in turn delegated it once again, so we ended up having to do damage control from the very beginning of the engagement.

In the weeks immediately following, we began to scope and resource the full project plan, which included the following sub-projects:

  • Current state assessment
  • Risk assessment
  • Network security vulnerability assessment
  • Policy & Organisational design
  • Standards, Guidelines & Procedures
  • Audit & compliance framework design
  • Awareness program design
  • Limited remediation of discovered vulnerabilities

Just to make things more interesting, we were faced with the loss of two key resources right away. This session will tell the tale of how we resolved these issues and numerous others that came up along the way. It has not always been a smooth process, and compromises have had to be made along the way, but our primary goal then and now is to ensure that the client feels they received good value for the time, effort and money that was spent on this engagement.

F2 Customer Service for the Information
Security Professional
John O'Leary

This session focuses on serving our internal and external customers well while providing appropriate security. We analyze the situation on both the security and the user sides from a customer service perspective, emphasizing the need to understand the viewpoints of those you must deal with. We also analyze complications and particular difficulties inherent in doing anything that provokes as many potential conflicts as information systems security. Customers want what they want, they want it now, and they don’t want to hear that what they want represents a significant risk to the organization.

We must remember the function of the business, and we want to serve our customers well, but we also understand that our responsibilities as security professionals are to safeguard organizational assets. This session provides specific recommendations for actions that will help IS Security fit customer service principles and resolve conflicts.

F3 Firewalls to Firearms: The Expanding
Role of Enterprise Security Management
John Ceraolo

This session covers a trend that began developing early last year and catapulted into the commonplace on September 11th - the encompassing of Information Systems Security with Physical Security. Topics will include how to prepare your management skills to tackle a unique perspective on security of which many IT professionals have no experience. Also covered will be the speaker's own personal experiences when presented with this challenge over a year ago. This trend is growing, and this session will attempt to expand your career horizons and prepare you to accept the challenge.

F4 The Information Security Hokey Kokey: Perils
& Pitfalls of Acquisition, Divestiture, Spin-offs, Partnerships & Outsourcing
Marcus Alldrick

Change is nothing new in our companies; teams and departments come and go as do their names and members, often reflecting the current flavour of organisational structure and terminology. Controls are (or should be!) implemented to cater for such changes that can and do pose risk to an organisation’s information assets. However, recent years have seen far more dramatic changes to organisational structures, initiated by downsizing, followed by rightsizing and, in some notable cases, sometimes resulting in capsizing. Organisational restructuring is now effected through numerous methods in support of increasing market share, protecting the bottom line and maximising shareholder value; from acquiring to divesting, from partnerships to joint ventures, from outsourcing to spin-offs.

While on the surface the business case for the organisation is attractive, each activity introduces new risks, especially to information assets, that existing measures and controls are not designed to or are inadequate to cope with. These risks not only alter the risk profile of the resulting organisation but can also impact the cost benefit of undertaking the change in a detrimental manner.

This presentation will examine the risks that significant organisational change poses to companies and in particular to their information assets and then look at the approaches adopted to manage the changes in information risk caused by these changes.

While based on experience gained primarily in the financial services industry, the issues faced are common and relevant to many market sectors and therefore should be of interest and benefit to risk and security practitioners in general.

PS4 "The Building of Deep Thought 1" Nick Spenceley

In mid 2002, Inforenz Limited positioned itself to assist with the recovery of encrypted data from a variety of sources. In most cases the passphrases originally used to protect the data were no longer available, and no suitable clues or hints existed to allow intelligent guessing of the necessary information. Coupled with this, the encrypted data came in a range of formats from different encryption packages.

The problem in recovering such data is multi-dimensional: firstly the package protecting the data must be analysed, and then sufficient resources deployed to recover the data in an acceptable time.

With a wide range of packages to be analysed, the development of a dedicated engine like EFF's Deep Crack was impractical since its usefulness could be compromised with normal encryption package changes and enhancements. Instead Inforenz concentrated on the construction of a General Purpose brute force engine called Deep Thought 1.

This paper describes some of the design requirements and implementation issues encountered during the design and construction of the first Deep Thought Machine that is now in service.

PS5 September 11th - One Year On Lessons Learned Carl Jackson

We have all lived through much since the attacks of 9/11 a year ago. Our horror turned to shock and then grief for those souls lost on that day, and continues given military and related activities the world continues to undertake in response to these atrocities. As continuity planning professionals, we have a very unique view of events such as these because our careers so closely relate to mitigation and recovery from disruptions and disasters.

Call to Arms - The September 11th attacks raised the awareness internationally for the need for appropriate recovery planning in the U.S. and indeed the rest of the world. The U.S. Attorney General’s call for companies to revisit their security programs in light of the terrorist attacks on U.S. properties should also serve to put executive management on notice, as if they needed any more incentives, that it may be time to rethink investments in their security and continuity planning programs.

There are no signs that the potential for disruptions caused by terrorist activities will be over anytime soon. In fact, it was recently made public that the U.S. Government has activated its own continuity plans by establishing offsite operations for all three branches of Government at secret locations outside of the Washington, D.C. area. These contingency plans were originally prepared during the Eisenhower Administration in anticipation of nuclear attack during the Cold War, but were thankfully never needed, until now. It is more than interesting to think that these long-prepared contingency plans had to be activated some fifty or so years later! I wonder if the folks who suggested that these plans be developed in the first place had to worry about cost justification or return on investment? This presentation will address lessons learned and suggest next step actions.

PS6 Issues Of The Day: Open Forum Facilitated by
John O'Leary

An extremely important and highly valuable aspect of COSAC is the Open Forum that follows the main stream of symposium sessions daily. All COSAC participants have the opportunity to submit questions, challenges or ideas throughout the day and real-time during the forum. Issues will be addressed openly by all of the day’s presenters and participants.

Facilitated by John O’Leary, Director of Education at Computer Security Institute, today’s forum aims to solve your problems and develop your ideas in the areas of:

  • Forensics & Digital Investigations,
  • Cyber Crime, Information Warfare and the Law,
  • Network Technologies Security,
  • The Changing Face of Security Management,
  • Any other Hot Issue placed on the agenda by COSAC participants.


  • "Return on Investment & Benefits Realisation" - stream codes: G1 - G2
  • "Intrusion & Defence" - stream codes: H1 - H2
  • "Security as a Business Enabler" - stream codes: I1 - I2
  • "Plenary Session" - stream codes: PS7

G1 Return on Investment Through Legal Duty of Care Ken Lindup

Those responsible for information security have long faced the problem of justifying their recommendations. Many techniques including risk analysis have been tried, but none have really succeeded. The Baseline Controls concept first described by Donn Parker at SRI in 1986 and later developed as the I-4 Baseline Manual, the ISF Code of Good Practice and BS7799 attempted to identify a minimum standard of security. These have met with some success but still there is a pressure to justify security on business grounds. Currently, calculating the return on investment is much in fashion, but seems to be limited to justifying firewalls and intrusion detection systems.

There is an older legal principle, “the neighbour principle” that has its roots in a UK case from 1932 that has nothing to do with IT. In this session Ken Lindup will explore the significance of “the neighbour principle” and show how it, and other civil cases could be used to bring an action for damages against any organisation that failed to implement good security. Ken believes that the legal duty of care provides a more solid business case that will help security managers justify security to their directors.

G2 Can You Justify Security Spend? Aled Miles

In this session we'll look at the truth behind justifying security spend upwards to senior management and/or the board. A somewhat provocative title and subject from a security vendor.

In the first section we will look at a tool that enables you to understand cost & spend, and how much that will reduce the risk curve, giving you a management tool you can use at board level.

Secondly, we will analyse "what if" scenario creation and if that adds any value in trying to justify spend.

Thirdly, we will look at the balance between the product and the human responsibility against an increased backdrop of outsourcing.

Thus, using a mix of interactive tools and visual models you'll be able to take away a tangible and useful mechanism as you continue to justify security spend for your organisation.

H1 Is the Internet Secure Enough for Financial Business? Norbert Bielefeld

"Internet has now reached a level of maturity that one can consider using it for sensitive businesses. Such sensitive businesses require information confidentiality, integrity and availability. Supporting network infrastructures are also required to be international and financially competitive to offer commercially attractive information communication mechanisms.

In the Seventies, the few information communication infrastructures had none of those characteristics. It led to the development of private networks controlled by business co-operatives, either at regional or international levels. The model was an answer to the demand of the industry, valid at that point in time. Nowadays, the utilisation of common information communication infrastructure will enable a drastic cost reduction and satisfy the same business requirements. The TCP-IP technology, supporting the Internet, provides an unparalleled level of redundancy as per its distributed model. The security technology provides information confidentiality, integrity, authentication and non-repudiation services. It is a proven, robust and cheap technology.

The missing piece is trust: trust comes with confidence, stability and reliability. The natural evolution of any new technology is to go from the enthusiasm of pioneers to consolidation, industrialisation and commoditisation. No doubt the Internet is now entering this commoditisation phase. No one today would consider it realistic to pull their own water pipes or phone lines: you just make sure you have several sources of commodities and an adequate disaster recovery plan. The same applies for information communication networks. The paradigm is shifting: commoditisation is moving up the value chain. After all, the Internet was conceived by the military organisations (Arpanet) to resist a nuclear war, so it can well support the financial industry."

H2 "Web Applications:
Revenue Generator or Hackers Delight?"
Michael Harris

We all know the web can allow companies to cut costs and increase revenue. Web applications sit at the heart of the web, providing the functionality to enable services such as online banking or credit card sales. How many companies are confident that these applications are secure? Where are companies in terms of their web security and what is the potential risk impact on potential revenue loss?

As awareness of information security issues increases, gaining unauthorised access becomes more difficult. Operating systems are properly patched, and firewalls and other devices are properly configured, forcing attackers to redirect their efforts. The new targets for much of the hacking community are the web applications that sit on your otherwise secure platforms.

No one can deny that almost all application software contains bugs and misconfigurations. Not surprisingly, software bugs cause applications to behave in unexpected ways. In web applications, these odd responses can be loopholes that may be exploited to bypass the logic and flow of the application and break into the system.

These bugs may be used to gain access to private customer information, reveal sensitive business data, deface the web site, and/or perform numerous other attacks. A response to this growing threat is web application security testing.

This web applications master class will outline Ernst & Young's web application security testing methodology. It will use "real life" case studies to demonstrate what can happen and highlight common security problems encountered. Finally, this master class hopes to leave attendees with guidelines which they can use in the future when developing web applications.

What will be covered:

  • Introduction: Why are web applications targeted?
  • Overview of web application testing: Black box. White box.
  • How to hack a web app: Common techniques: SQL injection, form manipulation etc.
  • The tools
  • Common programming mistakes
  • How to secure web applications: Should you trust the user?
  • Security testing

What you'll learn:

  • Why web applications are a potential security risk
  • A taste of some web application hacking techniques
  • Common web development mistakes and misconfigurations
  • Countermeasures your organisation should be using to protect web applications

I1 Protecting and Enabling Customer Propositions – a Business Reality Patricia Anderson

Traditionally, information security has focused on protection strategies that have enabled businesses to manage down their operational risks. Too often business managers perceive such strategies to be a “nuisance cost of doing business”, and something they have to do rather than want to do. However, security technologies now provide a genuine means of enabling businesses as well, such that traditional business propositions can be offered to customers in new forms that really do provide mutual benefit. RBSG has looked carefully at how to achieve this migration of customers’ traditional trust to new business capabilities based on electronic models of trust, and has launched a number of business solutions that use this security technology to provide strong business benefits to its customer base.

I2 "I.T. Security is Dead. Long Live Business Risk!" Gerry O'Neill

Awaiting Details

PS7 Vulnerability Analysis of Fingerprint Systems Professor Tsutomu Matsumoto T.B.A.

Artificial or fake fingers, objects made to imitate real fingers, pose potential threats that should be crucial for authentication based on fingerprint systems. Security evaluation against attacks using such artificial fingers has rarely been disclosed. Only in the patent literature have measures against fake fingers, such as "live and well" detection, been proposed. However, the providers of fingerprint systems usually do not mention whether or not these measures are actually implemented in emerging fingerprint systems for PCs or smart cards or portable terminals, which are expected to enhance the grade of personal authentication necessary for digital transactions.

As researchers who are pursuing secure systems, we would like to discuss attacks using artificial fingers and conduct experimental research to clarify the reality.

This talk will report that gummy fingers, namely artificial fingers that are easily made of cheap and readily available gelatine, were accepted at extremely high rates by 11 particular fingerprint devices with optical or capacitive sensors. We have used the moulds, which we made by pressing our live fingers against them or by processing fingerprint images from prints on glass surfaces, etc. We describe how to make the moulds, and then show that the gummy fingers, which are made with these moulds, can fool the fingerprint devices. We would like to discuss the effect of such a vulnerability analysis and how to disclose the information based on our experience and the responses we received.
