Las Vegas, NV - October 1 - 9, 2006
Global Information Assurance Certification

The fire hose strikes again! My brain hurts!
-Dean Farrington, Wells Fargo

Dear Colleague,

It has been such a joy to see the sense of community that has developed around SANS over the years. The truth is that we really are making a difference! So it is my pleasure to invite you to join us in the continued effort to improve the state of information security. Make plans to attend SANS' 12th annual Network Security event at Caesar's Palace in Las Vegas!

The focus of SANS events is education, so for NS2006 we have scheduled twenty hands-on immersion training courses as well as sixteen other shorter courses for you to choose from. SANS@Night, Keynote addresses and Birds of a Feather Sessions will offer additional learning and networking forums.

One of the most exciting opportunities at NS2006 is to earn one of the SANS Platinum Certifications! The GIAC Security Expert (GSE), GIAC Security Malware (GSM), and GIAC Security Compliance (GSC) two-day examinations will be administered in Las Vegas. So if you qualify, why not apply to be one of the fifteen candidates that will sit for these exams?

SANS training events have evolved over the years, but some things will always remain unchanged - you will be offered the best selection of hands-on, up-to-date training presented by the world's best instructors and will return home with immediately useful knowledge and skills. It is these core elements that make us the most trusted source for information security training in the world.

So put Network Security 2006 on your calendar today. I look forward to meeting you in Las Vegas!

Kind regards,
Stephen Northcutt
President
SANS Technology Institute

NS2006 Welcome Reception

- Monday, October 2nd: 5:00pm - 7:00pm

Please join us for refreshments, snacks and activities at the NS2006 Welcome Reception. There will be plenty of time to network with your peers as well as visit with vendors' technical staff to get an up-close look at emerging technology and live interactive demonstrations. This is a great opportunity to network and have fun in a relaxed environment. You'll be surprised at how many people you will recognize throughout the week after meeting them at the reception!

Vendor Reception

- Tuesday, October 3rd: 5:00pm - 7:00pm

Throughout NS2006 vendors will be hosting a number of events including presentations, a two-day vendor solutions expo, and various receptions. Experience the latest in network security tools, meet industry leaders, and share your thoughts on developments you would like to see in the pipeline. Details of the Vendor Special Events can be found at www.sans.org/ns2006/vendor.php

Vendor Expo

- Monday, October 2nd: 12:00pm - 1:30pm; 5:00pm - 7:30pm
- Tuesday, October 3rd: 12:00pm - 1:30pm; 5:00pm - 7:00pm

All attendees are invited to meet with leading providers of firewalls, intrusion detection/prevention systems and enterprise security management who will be demonstrating their latest solutions. The NS2006 Vendor Expo showcases product offerings from key technology providers in the commercial tools and services market. Vendors arrive prepared to interact with SANS' technically savvy audience, presenting technical demonstrations and explanations. It's about having your questions answered! For a list of exhibiting vendors see: www.sans.org/ns2006/vendorexpo.php.

NS2006 Keynotes

- What's New In Windows Vista Security?
- Jason Fossen, Enclave Consulting LLC
- Monday, October 2nd: 7:00pm - 9:00pm

If Microsoft stays on schedule, Windows Vista should be released to the public in January of 2007. But what's new in Windows Vista for security? Will it be worth it to upgrade our Windows XP-SP2 machines? And what happened to WinFS? In this presentation you'll get an executive-level overview of all the new (and not-so-new) security features in Windows Vista BETA. Some of the topics covered: full drive encryption with BitLocker and a motherboard TPM, smart card support for EFS, egress filtering with the new Windows Firewall, User Account Control for least-user access, the Internet Explorer 7.0 phishing filter, and blocking spyware with Windows Defender. The long-awaited successor to XP is finally here -- but was it worth the wait? Come see!

- ADVENTURES...in Anti-Spyware Testing
- Ed Skoudis, Intelguardians
- Tuesday, October 3rd: 7:00pm - 9:00pm

Many organizations are evaluating and deploying anti-spyware applications to protect themselves from the burgeoning plague of spyware on the Internet today. But comparing anti-spyware product features and protection is a difficult and time-intensive task. This presentation describes various measures to gauge the effectiveness of anti-spyware tools in the enterprise as well as tools to use in evaluating anti-spyware products. We'll look at various public test regimens as well as vendor-recommended tests. Topics will include building a test zoo, utilizing behavior-based testing with free tools like Spycar, and comparing enterprise management features. Finally, the presenter will discuss how various enterprise anti-spyware applications functioned during laboratory testing and provide tips for avoiding the gotchas of doing your own anti-spyware testing.

- Top 10 Oracle Security Risks
- Tanya Baccam
- Wednesday, October 4th: 7:00pm - 9:00pm

Database security is often overlooked in an organization's security plan and architecture. Organizations spend time and money securing the network infrastructure, operating systems, and even applications, but the databases are often missed and left wide open. The issue is, our databases often store one of our most important and critical business assets - data. Data provides information, information provides knowledge and knowledge is power! Data must be protected. Database security is critically important and organizations need to take a closer look at the key issues related to database security. This keynote is an introduction to some of the Oracle Database risks that exist, and highlights the "Top 10" critical areas that organizations should address first when securing their Oracle Databases.

PaulDotCom Security Weekly: Live!

- Paul Asadoorian & Larry Pesce, Defensive Intuition/PaulDotCom, "The Mason" & "Twitchy", PaulDotCom
- Tuesday, October 3rd: 5:30pm - 7:00pm

PaulDotCom Security Weekly is a weekly podcast that discusses the latest security news, vulnerabilities, and research in a lighthearted, fun, and entertaining environment. Come watch the show live as Larry and Paul record, participate in show topics, ask questions, and win free stuff! This is your chance to see us live and be a part of our show, contributing to the content and having fun along the way. Visit our web site http://pauldotcom.com for more information.

The SANS Technology Institute: Master's Presentations

- Reverse Shells Enable Attackers to Operate From Your Network
- Richard Hammer, Los Alamos National Lab
- Tuesday, October 3rd: 6:00pm - 7:00pm

Your network perimeter is hardened, but what if the bad guys are already inside? Will your egress filtering stop the outgoing connections? Come learn about reverse shells, how they work, the covert channels they use, and how to detect and stop them. Attendees will become familiar with the methods and protocols that reverse shell programs use. Use the examples that will be presented for testing your network egress filters. The bad guys want your information; understand their methods and keep your information inside your network.

  • Find out why reverse shells are valuable and what makes them different from normal shells
  • Learn the methods and protocols that enable reverse shells to work
  • Learn why application-aware firewalls can make it more difficult for attackers to use reverse shells
  • See real-world examples that you can re-apply to test your network
  • Learn how to detect and defend against reverse shells

- Phish Feeding: An Active Response to Phishing Campaigns
- John Brozycki, CISSP
- Tuesday, October 3rd: 7:00pm - 8:00pm

Most financial institutions can count themselves as victims of Internet phishing schemes. Many are hit again, and again, and again. Getting fraudulent sites taken down, especially overseas, can take hours, days, or longer. Is there anything that can be done to help thwart the phishers? Phish feeding, a process and framework of programmatically passing fake, yet realistic, data to phishing sites, may help. This presentation will answer the following questions:

  • How does a typical phish work?
  • How much damage does phishing cause to target institutions?
  • How do victim institutions respond today?
  • How can phish feeding reduce the damage?
  • What can go wrong in phish feeding?
  • How do you know if phish feeding is actually working?
  • What is involved in implementing a phish feeding program?
  • Where is phishing headed in the future?

A demonstration will be given of the phish feeding process in a virtualized environment with an advanced phish kit recovered from a real phishing incident.

- The Spam/Anti-Spam Battlefield
- Brian Granier
- Thursday, October 5th: 6:00pm - 7:00pm

At times, spam and anti-spam attract a lot of attention as a security issue, an operational concern or as a basic time drain. Unfortunately, it seems that the battle between spam and anti-spam will continue to be fought for quite some time. In an attempt to understand the issues revolving around spam, this presentation will cover the most important knowledge areas that are essential to comprehending and responding to spam in today's environments. We'll cover the motivations that keep spammers spamming, the techniques used to battle spam, and finally close with a discussion about how an organization can maintain a mass email infrastructure in a responsible manner.

- CyberLaw 101: A primer on US laws related to honeypot deployments.
- Jay Radcliffe
- Thursday, October 5th: 7:00pm - 8:00pm

Don't let legal issues scare you away from using honeypots!

This presentation will cover issues that both system administrators and lawyers face when dealing with honeypot deployments. This will include constitutional issues, wiretap concerns and PATRIOT/ECPA laws. We'll approach the topic from the system administration side focusing on guidelines on what you should get from your legal team, how to document things properly for potential legal safety and how to take some simple steps to comply with certain legal standards. We'll also summarize the laws and codes that should be reviewed when considering honeypot deployment and court cases that could apply.

Cyber Defense and Attack Training Simulator

- Tim Rosenberg
- October 4-6: 12:15pm - 1:30pm and after 5:00pm

Come and test your computer network skills in a live-fire, multi-network environment. White Wolf Security will be hosting a multi-day war game where participants can try their hand at network attack or defense. Two networks that replicate a mid-sized company's internet connection will need to be secured. Participants can join a team and defend their network while attacking the other. Or, if you are not in the mood to defend, you can sit between the two networks and attack either at will. A variety of server platforms and operating systems along with network infrastructure (routers, firewalls and IDS) will need to be secured, while keeping services available. Bring your own laptop if you want to play. Instructors will be available to provide mini-classes in network attack and defense. Full documentation, rules and even cheat sheets will be available to all players.

An information security specialist with a strong legal background, Tim is presently responsible for developing and delivering a wide variety of information security courses for his clients. Tim's diverse IT background includes software development and testing through network security and application design for major telecommunications and healthcare solutions providers. Tim has presented material at a variety of international conferences including RSA 2002 and 2003, InfowarCon, the American Bar Association's Annual Conference, NW3C Economic Crime Summit, the FBI Academy at Quantico, and the Air Force's Information Warfare Conference. Tim has also been a guest lecturer at the U.S. Military Academy at West Point, the Army War College Center for Strategic Leadership, and Villanova University School of Law. Tim has also served as Adjunct Faculty at the George Washington University as well as Georgetown University's Security Studies Program.

SANS Quiz Show

- Rob Kolstad, Quizmaster
- Thursday, October 5th: 7:00pm

Please join quizmaster Rob Kolstad for a challenging and fast-paced evening of quiz-show action on Thursday evening, October 5th. Conference attendees will compete on-stage for fabulous prizes by answering questions about technology, general knowledge, and popular culture. Host Rob is a pro at comforting contestants who forget their first name; a good time will be had by all.

Announcing the GSX World Games 2006 Exam Schedule

- GSE/GSM/GSC Exam Schedule 2006
- October 6-7, 2006

The SANS Institute is pleased to offer you an opportunity to earn the GIAC Security Expert (GSE) certification, the highest level of Information Security certification, and to meet IAT Level III of the Department of Defense's Baseline Certification for 8570. Additionally, we announce the inaugural offering of two brand new GIAC Platinum certifications: GIAC Security Malware (GSM) and GIAC Security Compliance (GSC).

We invite every qualified candidate to participate in the two-day GSE, GSM or GSC certification exam at SANS Network Security 2006 in Las Vegas, Nevada on October 6-7, 2006.

Details of the Vendor Special Events can be found at www.sans.org/ns2006/gsx.php

SANS@Night

- Windows Log Management that Works!
- David Hoelzer, Cyber-Defense.org
- Wednesday, October 4th: 6:00pm - 7:00pm

This presentation covers a brand new piece of open source software that will let you answer any of your Windows log questions by aggregating all of your Windows logs into one place where you can interactively query them or set up dynamic alerting to let you know when something's up.

- Oracle Security
- Paul Wright, NGS Software
- Thursday, October 5th: 6:00pm - 7:00pm

An accurate method is required to allow an auditor to ascertain vulnerability to an exploit without actually running the exploit code itself. Traditionally this has been done by ascertaining the DB version, or more precisely the patch level of the DB, and then correlating that to the vulnerabilities pertinent to that version. The problem with this is that the reported version/patch level may well be incorrect, causing false positives. Deducing vulnerability to a forensic level of accuracy is required in mission-critical environments. Furthermore, being able to deduce what historical time periods the server was vulnerable for, and what mitigating actions the DBA took to counter the vulnerabilities over this time period, would be of great use when calculating risk, compliance and legal liability. Achieving the above requires computer forensics skills applied to the Oracle database environment, as will be shown.

- Malware Analysis: The Basics
- Lorna Hutcheson, SANS Internet Storm Center
- Thursday, October 5th: 7:00pm - 9:00pm

Have you ever found a suspicious file on your system and wondered what it's doing but didn't know how to find out? Then this presentation is for you! We will be covering the basics of how to conduct malware analysis. Some of the areas that will be discussed are: setting up a test environment, safety while doing analysis, tools used and how to use them, and behavioral analysis. You will see different pieces of malware in action and how to use these basic skills to start to understand them. Prepare to enter the fascinating world of malware analysis.