- "Forensics & Digital Investigations" - stream codes: D1
- "Cyber Crime, Information Warfare & Law" - stream codes: D2 - D4
- "Network Technologies Security" - stream codes: E1 - E4
- "The Changing Face of Security Management" - stream codes: F1 - F4
- "Plenary Sessions" - stream codes: PS4 - PS6
D1 | Evidence Eliminators: The Next Hurdle for Forensic Investigators | Andy Clark
Forensic investigation of computer systems is always playing catch-up with the latest tools for
hiding compromising activity. Forensic capture and analysis products become the subject of countermeasures in the
same way as anti-virus software products. The most recent hurdle to emerge has been the so-called "evidence
eliminators" that claim to cover the tracks of a computer user. In this talk we discuss the operation of these
products, their effectiveness, and the threat that they pose to investigators, both within an organisation and
externally.
D2 | Cyber Crime & Internet Security: Protecting Your Business & Your Customer | David Spinks
In the light of the recent spate of online fraud and security breaches, no one can afford to
ignore the issues surrounding internet security.
This session gives practical advice on the protection of business assets and recommends actions
which will greatly reduce the risks of cyber crime.
- How to protect your external connections – firewalls alone are not enough
- Best Practice and how to sell this to your senior managers – the importance of getting Senior Management Buy-In
- Creating a business continuity strategy to deal with potential security problems – the importance of Cyber Forensics – Biometrics & Smart Cards
- How new legislation in European countries could affect the way we do business online – the role of Law Enforcement in Cyber Crime
David will illustrate the above with specific examples of recent Cyber Investigations and
Information Assurance projects undertaken for clients including Ben Gurion Airport and the US DoD. The examples
will illustrate the need to recognise that as organisations move towards the Digital Economy, more and more
corporate assets will be in digital format.
Based on recent developments and trends in Digital Technology, the future will see huge increases
in Cyber Crime attacks. David will stress the need for urgent action to be taken and for businesses to adopt
Information Assurance strategies to protect their Digital Knowledge and Information.
Since the advent of nation states, standing armies have been used to protect organized society.
Prior to an attack on the citizen population or as part of that attack, an aggressor had to engage and defeat
the military defences. Information Warfare (IW) is regarded as a legitimate branch of warfare as the purpose
is damage to the infrastructure of the target state.
However, throughout the Western world, professional defence forces have little or no role in IW
other than to protect themselves. IW aggressors can make direct attack on the organs of the state and on the
industrial and commercial components without any engagement with the traditional defence forces. However,
protection of vital commercial and industrial organizations is now recognized as of fundamental importance not
only to shareholders but also to society itself in the Critical National Infrastructure concept.
What responsibility within the Critical National Infrastructure do commercial organisations have over and above
protection of shareholder investment? IW itself has a spectrum of possible perpetrators. Without an
understanding of the nature and capabilities of the variety of risks, commercial organisations may either over-
protect themselves or leave themselves and the state itself vulnerable to IW exploitation.
D4 | Information Security & Privacy in the Age of Terrorism | Mark Rasch
Just under one year ago, while attending COSAC, the world witnessed one of the most horrendous
acts of international terrorism in history. The action was blamed in part on inadequate laws and procedures to
permit interception of communications, and other intelligence collection and analysis lapses, although it is not
clear that anything could have prevented the attacks.
In the wake of the attacks of September 11, 2001, governments in general, and the United States
in particular, have enacted new legislation to permit the interception and analysis of electronic communications.
They have developed new tools and techniques -- from Carnivore to Magic Lantern -- from "roving"
wiretaps to global jurisdiction -- and new legal powers to supervise financial institutions and check money
laundering. Hundreds of people around the globe have been arrested, and forensic analysis of computers has
played a part in the hunt for Osama Bin Laden as well as in the evidence against those who assassinated Wall Street
Journal reporter Daniel Pearl.
At the same time as we are sacrificing privacy in the name of the fight against terrorism,
international critical infrastructures are more vulnerable to attack. Anecdotal reports indicate that the Al
Kaida network had plans to disrupt banking and other critical electronic infrastructures. The anthrax attacks
in the United States, and the suicide bombings in Israel and the West Bank and Gaza, point out the need to "harden"
our infrastructures.
This speech will touch on the conflicting goals of more openness for communications, the
need for governments, law enforcement agencies, intelligence agencies and regulators to have instant and
meaningful access to the interception of real-time communications, and the role of security in preventing
attacks on critical infrastructures. It will discuss new laws and new technologies, as well as policy changes
both within and outside government that affect global information security.
Wireless LANs based upon the 802.11 standard are growing in importance. Wireless LANs are finding favour
for applications such as baggage handling in airports and providing Internet access in public places. The problem
is that they remove the last vestige of the security perimeter. They make possible the scenario of drive-by
hacking. The equipment needed is cheap and it is coming into use in home computer set-ups. This means that an
organisation that implements strong controls over remote access for its home workers can still find itself vulnerable to
attacks from outside the home.
In this session Ken will describe the basics of 802.11, the vulnerabilities of wireless LANs and
identify ways to make transactions once again secure.
Next time you see a car driving around with a Pringles can on the dashboard don't be fooled:
this could be a tasty snack with a difference. War Driving is the new hacker's hobby of searching for wireless
networks, much more fun than War Dialling, its terrestrial modem-access equivalent. The Pringles can has
been used to construct a tuned directional Yagi array antenna, homing in on the 2.4 GHz band used by the 802.11
wireless network standard.
The popularity of wireless networks is on the increase, providing network access where cables
are not easily available, be it in the corporate domain or, more recently, in public spaces including even the
local coffee shop.
The security of Wi-Fi (Wireless Fidelity) is generally accepted to be a disaster: it is easy to
eavesdrop on, and its encryption system, WEP (Wired Equivalent Privacy), has been shown to be easy to break even
when it is turned on.
In this paper we will look at some of the tools used by the hackers such as NetStumbler,
WEPcrack, and Airsnort, moving on to show how simple well known concepts involving VPNs and security tokens
can bring security and order to this chaos.
E3 | Voice Communications Security in the Midst of Network Convergence | Valene Skerpac
Cost savings and deregulation changes as well as the promise of new media applications and
services are propelling the progressive shift to voice over some combination of IP, ATM and MPLS. Previous
voice and data security models are no longer adequate as new and evolving voice security models and services
based on a data-centric network emerge. The session reviews traditional circuit-based landline and wireless
voice communication architectures, protocols, features, Quality-of-Service (QoS) and related security issues.
Delving into network convergence, the session examines new architectures, evolving standards-based protocols
such as SIP and H.323, and new QoS methods. Novel voice security issues and solutions such as voice firewalls
and enterprise VoIP LAN designs are highlighted.
The first half of 2002 has witnessed a marked decline in virus-writing activity compared to the
previous year. Amongst the reasons for 'retirement' cited by one prominent member of the scene was the
introduction of increasingly aggressive cybercrime legislation. We first examine the relevant legislation - UK
Regulation of Investigatory Powers Act 2000, Counter-Terrorism Act 2001, US Patriot Act 2001 and recent EU
cybercrime proposals - and consider implications for the would-be virus writer.
We conclude that it is entirely inappropriate to apply such legislation to either the recreational,
intellectual pursuits typical of the more mature elements of the virus-writer community or the clueless vandalism
of the script-kiddies. The legislation was drafted in a broader geopolitical context encompassing the attacks of
September 2001. Considering the probable perpetrators of the attacks, we conclude that the cybercrime legislation
is unlikely to bear any relevance to counter-terrorism efforts.
So what useful purpose could the cybercrime legislation possibly serve? The logical answer is
'interesting' and, if correct, may force the IT security community, and in particular those concerned with Internet
content filtering technologies, to confront unprecedented professional and ethical dilemmas. Scenarios may arise
necessitating serious reappraisals of both our own roles and those of our adversaries.
F1 | A Large Scale 'Warts n All' Project Case Study, in Three Words: "Oh My God" | Cheryl Jackson
In early March 2002, I received an email asking if I would be willing to take a short-term
assignment in Europe. In the middle of a proposal for an up-coming conference call, I quickly and absentmindedly
replied, “yes” to the email.
Note to self: In the future read email more carefully before replying.
Things happened very quickly after that, and a phone call on a Wednesday morning started a
chain of events that found me at the airport the same afternoon. Thirteen hours, three airports, and seven
time zones later, I was walking through customs and immigration wondering how I was going to recognize the
person who was meeting me at the airport to take me to the hotel.
The following weeks and months (yes, months!) came to be some of the most challenging,
frustrating, and exciting of my career. What began as a 30-day assignment to do a risk assessment turned into a
commitment to a major project, the largest ever undertaken by our company. The identity of the client
organisation will be withheld due to confidentiality agreements, and I know this audience will respect
this requirement, but suffice it to say this is a very large well-known company involved in the telecommunications
industry.
The reason for the rush was the risk assessment kick-off meeting scheduled for Friday of
that week. I met a number of my fellow team members that evening (it was Thursday by the time I actually
arrived), and was warned right away not to let the project manager get hold of my passport. I thought they
were joking.
Friday morning we had a hasty preparation meeting followed immediately by the client meeting.
All went well as they bought into the process and approach and promised their support in making sure the
appropriate business people would participate in the up-coming training class followed by the actual
facilitated workshop for the risk assessment. Early in the following week, I was asked to attend a business
dinner with project leadership and a key client representative. Turns out that the client has a background
in risk assessment and was very interested in discussing our approach.
During the course of the evening I mentioned at one point that we usually find around 80% of the
recommended controls from the risk assessment workshop already exist in any given environment, although they are
often incompletely or inappropriately implemented. He laughed and said he’d bet me dinner that we wouldn’t find
that to be the case at his company. This is the usual response we get prior to the workshop, so I accepted that
bet. He then proceeded to pull out pen and paper and started describing their environment and the types of
problems they were encountering. By the end of the evening, he was picking out more and more expensive
restaurants.
What we did not know until right before the workshop was that the business managers who should
have participated delegated their participation. Their delegates in turn delegated it once again, so we
ended up having to do damage control from the very beginning of the engagement.
In the weeks immediately following, we began to scope and resource the full project plan, which
included the following sub-projects:
- Current state assessment
- Risk assessment
- Network security vulnerability assessment
- Policy & Organisational design
- Standards, Guidelines & Procedures
- Audit & compliance framework design
- Awareness program design
- Limited remediation of discovered vulnerabilities
Just to make things more interesting, we were faced with the loss of two key resources right
away. This session will tell the tale of how we resolved these issues and numerous others that came up along
the way. It has not always been a smooth process, and compromises have had to be made along the way, but our
primary goal then and now is to ensure that the client feels they received good value for the time, effort and
money that was spent on this engagement.
F2 | Customer Service for the Information Security Professional | John O'Leary
This session focuses on serving our internal and external customers well while providing
appropriate security. We analyze the situation on both the security and the user sides from a customer service
perspective, emphasizing the need to understand the viewpoints of those you must deal with. We also analyze
complications and particular difficulties inherent in doing anything that provokes as many potential conflicts as
information systems security. Customers want what they want, they want it now, and they don’t want to hear
that what they want represents a significant risk to the organization.
We must remember the function of the business, and we want to serve our customers well, but we
also understand that our responsibilities as security professionals are to safeguard organizational assets.
This session provides specific recommendations for actions that will help IS Security fit customer service principles and resolve conflicts.
F3 | Firewalls to Firearms: The Expanding Role of Enterprise Security Management | John Ceraolo
This session covers a trend that began developing early last year and became commonplace
after September 11th: the merging of Information Systems Security with Physical Security. Topics
will include how to prepare your management skills to tackle a perspective on security of which many IT
professionals have no experience. Also covered will be the speaker's own personal experiences when presented
with this challenge over a year ago. This trend is growing, and this session will help you expand your
career horizons and be ready to accept the challenge.
F4 | The Information Security Hokey Kokey: Perils & Pitfalls of Acquisition, Divestiture, Spin-offs, Partnerships & Outsourcing | Marcus Alldrick
Change is nothing new in our companies; teams and departments come and go as do their names and
members, often reflecting the current flavour of organisational structure and terminology. Controls are (or should
be!) implemented to cater for such changes that can and do pose risk to an organisation’s information assets.
However, recent years have seen far more dramatic changes to organisational structures, initiated by downsizing,
followed by rightsizing and, in some notable cases, sometimes resulting in capsizing. Organisational restructuring
is now effected through numerous methods in support of increasing market share, protecting the bottom line and
maximising shareholder value; from acquiring to divesting, from partnerships to joint ventures, from outsourcing
to spin-offs.
While on the surface the business case for the organisation is attractive, each activity introduces
new risks, especially to information assets, that existing measures and controls are not designed for or are
inadequate to cope with. These risks not only alter the risk profile of the resulting organisation but can also
have a detrimental impact on the cost-benefit case for undertaking the change.
This presentation will examine the risks that significant organisational change poses to companies
and in particular to their information assets and then look at the approaches adopted to manage the changes in
information risk caused by these changes.
While based on experience gained primarily in the financial services industry, the issues faced
are common and relevant to many market sectors and therefore should be of interest and benefit to risk and
security practitioners in general.
In mid 2002, Inforenz Limited positioned itself to assist with the recovery of encrypted data
from a variety of sources. In most cases the passphrases originally used to protect the data were no longer
available, and no suitable clues or hints existed to allow intelligent guessing of the necessary information.
Coupled with this, the encrypted data came in a range of formats from different encryption packages.
The problem in recovering such data is multi-dimensional: first the package protecting the data
must be analysed, and then sufficient resources must be deployed to recover the data in an acceptable time.
With a wide range of packages to be analysed, the development of a dedicated engine like EFF's Deep
Crack was impractical, since its usefulness could be compromised by normal encryption package changes
and enhancements. Instead Inforenz concentrated on the construction of a general-purpose brute-force engine called
Deep Thought 1.
This paper describes some of the design requirements and implementation issues encountered during the design
and construction of the first Deep Thought Machine, which is now in service.
We have all lived through much since the attacks of 9/11 a year ago. Our horror turned to shock
and then grief for those souls lost on that day, and the grief continues given the military and related activities the world
continues to undertake in response to these atrocities. As continuity planning professionals, we have a very
unique view of events such as these, because our careers so closely relate to mitigation of and recovery from
disruptions and disasters.
Call to Arms - The September 11th attacks raised the awareness internationally for the need for
appropriate recovery planning in the U.S. and indeed the rest of the world. The U.S. Attorney General’s call for
companies to revisit their security programs in light of the terrorist attacks on U.S. properties should also
serve to put executive management on notice, as if they needed any more incentives, that it may be time to rethink
investments in their security and continuity planning programs.
There are no signs that the potential for disruptions caused by terrorist activities will be over
anytime soon. In fact, it was recently made public that the U.S. Government has activated its own continuity
plans by establishing offsite operations for all three branches of Government at secret locations outside of the
Washington, D.C. area. These contingency plans were originally prepared during the Eisenhower Administration
in anticipation of nuclear attack during the Cold War, but were thankfully never needed, until now. It is more
than interesting to think that these long-prepared contingency plans had to be activated some fifty or so years
later! I wonder if the folks who suggested that these plans be developed in the first place had to worry
about cost justification or return on investment? This presentation will address lessons learned and suggest
next-step actions.
An extremely important and highly valuable aspect of COSAC is the Open Forum that follows the
main stream of symposium sessions daily. All COSAC participants have the opportunity to submit questions,
challenges or ideas throughout the day and real-time during the forum. Issues will be addressed openly by all
of the day’s presenters and participants.
Facilitated by John O’Leary, Director of Education at Computer Security Institute, today’s
forum aims to solve your problems and develop your ideas in the areas of:
- Forensics & Digital Investigations,
- Cyber Crime, Information Warfare and the Law,
- Network Technologies Security,
- The Changing Face of Security Management,
- Any other Hot Issue placed on the agenda by COSAC participants.