SANS @Night
Complying with the NERC CIP Requirements to Protect the Power Grid
- Matthew E. Luallen, Managing Partner, Encari
- Sunday, September 28 * 7:00pm - 8:00pm
Critical infrastructure can be damaged, destroyed or disrupted by deliberate acts of terrorism, natural disasters, negligence, accidents or computer hacking. The power grids encompassing the globe provide the foundation for the rest of the critical infrastructure making it paramount to protect. Formally enacted on February 7, 2008, the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) Reliability Standards are having a considerable impact on the electric utilities industry. With auditing enforcement activities currently underway, and complete compliance with the remaining eight of nine total reliability standards for many entities due by July 1, 2009, electric utilities are faced with compliance enforcement mechanisms never before seen by other industries. On October 1, 2008, Encari, a consulting firm focusing on providing process control systems security and NERC CIP compliance consulting services, will provide an interactive session highlighting the core constituencies of the NERC CIP Reliability Standards.
Mr. Luallen will discuss the ongoing efforts, pain points and successes to secure control systems and other electronic grid devices. Included in his presentation will be the following topics:
- Protecting Energy Management System (EMS) control applications, protective relays, smart grid device communications
- Identified vulnerabilities and associated protective controls within control center, generation and transmission systems
- Defining and managing protective electronic perimeters for control center, generating and transmission facilities
- Situational awareness leveraging security event information management systems
SALSA: Scalable & Agile Lifecycle Security for Applications
- Jonathan Ham
- Tuesday, September 30 * 8:00pm - 9:00pm
"Help! Our development team is trapped in an endless cycle of death march application development. Our security team is trapped in an endless mode of crisis management. How can we break out of these traps, and start building secure applications in a sustainable way?"
SALSA is designed to be compatible with your existing development methodology, so that you don't have to fight the "methodology fight" to make a difference for your team. You don't need to be in charge, you don't need to change everything at once. If you're a developer on a team, you can begin to make a difference. Learn about the SALSA approach to building secure applications, and help spread the word. SALSA is free, and can be implemented with a variety of tools, including open source free tools as well as some very fine commercial tools. The SALSA approach isn't a crusade, it is a set of practical recommendations that will help your team.
Things That Go Bump In The Network: Embedded Device (In)Security
- Paul Asadoorian
- Tuesday, September 30 * 8:00pm - 9:00pm
Paul Asadoorian will discuss an area of rapidly growing risk: embedded devices. As these devices become ubiquitous, the risks continue to grow. Common devices from iPhones to Linksys routers are vulnerable to attacks which can compromise your data. Most people do not realize the unique opportunities these devices give attackers to do damage and gain access to your network, and most importantly your information. This talk will focus primarily on common embedded device vulnerabilities. Paul will stroll down memory lane and review some of the vulnerabilities that have been released for embedded devices, how they can be used to gain control of the device, the network, and more importantly the data traveling across it. Example devices will include printers, mobile devices, wireless routers, and network-based cameras, with live hacking demonstrations!
PaulDotCom Security Weekly: Live!
- Paul Asadoorian, Larry Pesce, PaulDotCom Enterprises
- Tuesday, September 30 * 9:00pm
PaulDotCom Security Weekly is a weekly podcast that discusses the latest security news, vulnerabilities, and research in a lighthearted, fun, and entertaining environment. Come watch the show live as Larry and Paul record, participate in show topics, ask questions, and win free stuff! This is your chance to see us live and be a part of our show, contributing to the content and having fun along the way. Visit our web site http://pauldotcom.com for more information.
Future Trends in Network Security
- Dr. Eric Cole, Ph.D.
- Wednesday, October 1 * 7:00pm - 8:00pm
Malicious code and other attacks are increasing in intensity and the damage that they cause. With little time to react, organizations have to become more proactive in their security stance. Reactive security will no longer work. Therefore, organizations need to better understand what the future trends, risks, and threats are so that they can be better prepared to make their organizations as secure as possible. Dr. Cole's in-depth, cross-industry experience allows him to give relevant examples in every instance. This presentation covers security issues that are relevant to IT managers and administrators alike.
Linux/Unix Command-Line Kung Fu
- Hal Pomeranz
- Wednesday, October 1 * 8:00pm - 9:00pm
Strong command-line skills can save you time, allow you to more effectively react to security threats, and just make you more comfortable in the Linux/Unix environment. Think you know everything there is to know about Unix shell pipelines, input/output redirection, and command history? Well, you're wrong, and we'll prove it to you by demonstrating some neat tricks and dirty hacks that will make life easier for any Unix Admin, Security Professional, or Auditor. Also, time permitting, we'll give you a chance to play "Stump the Expert".
State of the Hack
- Rob Lee
- Wednesday, October 1 * 8:00pm - 9:00pm
This "straight from the battlefield" presentation will provide case studies that describe in detail the most recent computer security incidents Mandiant has responded to on behalf of the affected organizations. Three or four anonymized, in-depth case studies of recent complex hacks against commercial, government, and financial organizations will be covered. The talk will go into how the intruders are gaining access, what they are doing once inside, and the malware used in the attacks.
The State of Remote Exploits
- Stephen Sims
- Thursday, October 2 * 7:00pm - 8:00pm
In this technical presentation we will take a look at the current state of remote exploits and the likelihood of successful exploitation when a vulnerability is discovered. We will walk through each of the controls added to modern day operating systems including Windows Vista, Windows Server 2008 and various Debian and Red Hat OS distributions. Can attackers beat Data Execution Prevention (DEP)? Can they defeat Address Space Layout Randomization (ASLR)? What controls are protecting the stack and heap segments? How concerned should you be if your code has vulnerabilities? This presentation will provide you with a better understanding of the vast improvements made by OS developers to mitigate many well known attack vectors.
The Law of E-mail Retention and E-Discovery
- Ben Wright
- Thursday, October 2 * 7:00pm - 8:00pm
A hot topic in litigation is the discovery of electronic records such as e-mail. The retention, searching and disclosure of e-mail in a lawsuit can be very expensive. But courts are serious about it and are punishing enterprises that don't play by the rules. Mr. Wright will offer some practical suggestions and predictions for the future.
Simple Principles to Protect Information and Control Today and Tomorrow
- Matt Luallen
- Thursday, October 2 * 8:00pm - 9:00pm
Our ongoing challenge is to understand technology, its impact, and how to safely protect the information it processes and the control it maintains. This challenge is overwhelming as one attempts to discern the expanding options in protection, the variances among integrated solutions, and the ongoing difficulty in understanding what is truly meant by "secure". In this talk we will discuss a limited number of principles to aid your solution selection and your ongoing endeavor to protect the seemingly unprotectable. Prepare to be intrigued as Matt discusses the principles using real-world examples and current enterprise challenges in today's typical IT and process control environments.
Advanced Methods to Remotely Determine Application Versions
- Craig Wright
- Thursday, October 2 * 8:00pm - 9:00pm
Statistical and machine learning techniques make the hiding of information difficult. Statistical methods such as neural network perceptrons and classification algorithms including Random Forest ensembles allow for the determination of software versions and patch levels.
These methods can be used to find server versions and patch levels using standard calls to the application server. This appears as standard traffic to the server and does not register as an attack. It bypasses controls (such as changing the reported version string in BIND DNS servers), allowing an attacker to remotely gather information regarding the patch levels of a system.
A Brief History of Hacking with Dave Shackleford
- Dave Shackleford
- Friday, October 3 * 7:00pm - 8:00pm
Quick quiz: What do Phreaking, Captain Crunch, Blue boxes, LoD and MoD have in common?
Answer: They were all milestones in the evolution of hacking and information security.
Please join Dave Shackleford, Director of Configuresoft's Center for Policy & Compliance and SANS certified instructor, for a look at the evolution of hacking and hackers. You'll hear Dave's take on lessons learned from hacking milestones, including:
- The early days of phone phreaks and bulletin boards
- The growth of hacker gangs and 2600: The Hacker Quarterly
- The 75-cent accounting error that led to an international crime investigation
- Bill Cheswick's evening with "Berferd"
- The first malware and Trojan horse programs
At the same time, Dave will give his predictions for the coming year of hacking — and discuss which hacker movies are most realistic (if any)!
Security Considerations in VMware Deployments
- Rob VandenBrink
- Friday, October 3 * 7:00pm - 8:00pm
This presentation brings together source information from VMware, SANS, CIS (Center for Internet Security) and real-world scenarios to help in making architectural and security decisions for VMware deployments. The security of VMware VI3 is discussed for internal, DMZ and combined deployments. Factors that influence security decisions, such as business risk assessment, regulatory requirements, and classification of hosts and hosted data, will be discussed. Considerations brought to bear by the new VMsafe architecture and EAL4 certification will also be included. VMware detection and manipulation techniques that malware or attackers might deploy will be demonstrated, and real-world risks around "VMware escape" will be discussed in depth. Finally, uses for VMware in security applications will also be discussed.
Rob VandenBrink is a Network, Security and Virtualization consultant with Metafore. He is currently pursuing a Master's Degree in Information Security with the SANS Institute (http://www.sti.edu).
Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen
- Bryce Galbraith
- Friday, October 3 * 8:00pm - 9:00pm
Internet Piracy: How to live large on $2500 a day
- Chad Tilbury
- Friday, October 3 * 8:00pm - 9:00pm
Chad Tilbury spent over two years as Hollywood's point man on the front lines of the global Internet piracy war. Let him show you the dark underbelly of Internet piracy that few have seen or experienced.
This talk aims to expose the shadowy sources of Internet piracy, describe how pirate infrastructure is configured and secured, show how content is propagated, and discuss where you can find pirate activity on a server near you. Chad will describe how Internet piracy fits within the big picture of international trafficking of pirate goods, discuss links to syndicates and organized crime and explain why pirates are willing to take big risks amidst increasingly vigilant law enforcement activity.