Computer Security SIG

Moderated by: Ken Fox

Computer Security covers a large number of topics. This SIG will start out with the basics of information security. Attendees will be asked what they are interested in learning and doing. Some suggested future topic areas could be:

  • Understanding Hackers - The progression from the wild, wild west to the organized crime mentality.
  • Living in the Surveillance world - What you don't know can and will be held against you.
  • Current events in the hacker sphere - what the bad guys are up to and how they are doing it.
  • Information Security and you - A whole bevy of topics covering the "Why?" and not just the how to.
  • The Evolution of Malware.
  • Virtualization and security for the Average Joe.

Here is the list of topics for the next few months:

MARCH: Introduction to TCP/IP networking with an emphasis on understanding the protocol and packet analysis. The purpose is to lay the groundwork for understanding network exploits, why you need a firewall, and how firewalls work. For anyone interested in protecting their computers from being hacked, this is kind of like kindergarten or first grade. An understanding of networking fundamentals will also greatly aid in understanding status and error messages. We're going to cover packets, ports, Ethernet, MAC addresses, basic routing, DNS, ARP and a few other topics. We will not be getting into the more enterprise-oriented stuff like BGP. I might be able to cover some SNMP, but I'm not sure. I may demonstrate a packet sniffer (Wireshark). This presentation is system agnostic because it applies to Windows, DOS, Mac, Linux, Solaris, or anything else (photo stop lights?) that uses TCP/IP as its network communication protocol (essentially anything attached to the internet).
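As an added worked example (not material from the SIG or its presenter): a small Python decoder for the layers listed above, Ethernet II, ARP, IPv4 and TCP/UDP, run over two constructed frames rather than captured traffic. The MAC and IP addresses are made up; the IPv4 header checksum in the sample is genuine and the decoder verifies it, which is the same check a sniffer like Wireshark performs when it flags a bad header.

```python
import struct

# Wire constants (IANA-assigned values, not assumptions)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6
PROTO_UDP = 17
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 .. bit 7


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words.
    Run over a header that still contains its checksum field, a correct header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_arp(p: bytes) -> dict:
    _htype, _ptype, hlen, plen, oper = struct.unpack("!HHBBH", p[:8])
    off = 8
    sha, spa = p[off:off + hlen], p[off + hlen:off + hlen + plen]
    off += hlen + plen
    tha, tpa = p[off:off + hlen], p[off + hlen:off + hlen + plen]
    return {
        "arp_op": {1: "request", 2: "reply"}.get(oper, oper),
        "arp_sender": (mac_str(sha), ip_str(spa)),
        "arp_target": (mac_str(tha), ip_str(tpa)),
    }


def parse_tcp(p: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", p[:16])
    data_offset = (off_flags >> 12) * 4      # header length in bytes, options included
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "payload": p[data_offset:]}


def parse_ipv4(p: bytes) -> dict:
    (vihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", p[:20])
    ihl = (vihl & 0x0F) * 4
    out = {
        "ip_src": ip_str(src), "ip_dst": ip_str(dst), "ttl": ttl, "proto": proto,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum_ok": ipv4_checksum(p[:ihl]) == 0,
    }
    body = p[ihl:total_len]                  # trailing Ethernet padding, if any, is dropped here
    if proto == PROTO_TCP:
        out.update(parse_tcp(body))
    elif proto == PROTO_UDP:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", body[:8])
        out.update({"src_port": sport, "dst_port": dport, "payload": body[8:ulen]})
    return out


def parse_frame(frame: bytes) -> dict:
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "ethertype": etype}
    if etype == ETHERTYPE_ARP:
        out.update(parse_arp(frame[14:]))
    elif etype == ETHERTYPE_IPV4:
        out.update(parse_ipv4(frame[14:]))
    return out


# Constructed sample frames (not captured traffic): a TCP SYN to port 80 and an ARP request.
SYN_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                       # Ethernet II header
    "4500 0028 1234 4000 4006 310f c0a8010a 5db8d822"          # IPv4: TTL 64, DF set, checksum 0x310f
    "cc79 0050 00000001 00000000 5002 ffff 0000 0000"          # TCP: 52345 -> 80, SYN, window 65535
)
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "66778899aabb" "0806"                       # broadcast Ethernet header
    "0001 0800 06 04 0001" "66778899aabb" "c0a8010a"           # who-has ... from 192.168.1.10
    "000000000000" "c0a80101"                                  # ... tell 192.168.1.1
)

if __name__ == "__main__":
    for f in (SYN_FRAME, ARP_FRAME):
        print(parse_frame(f))
```

The decoder is deliberately strict about offsets (IHL and TCP data offset are read from the header, not assumed to be 20), because packets with IP or TCP options are exactly the ones that trip up a parser that hard-codes header lengths.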

APRIL: Building on March's presentation, I expect to put together a nice packet filtering firewall, using BSD UNIX (maybe m0n0wall) or Linux on an old, more or less throwaway computer. Basically, the idea is to have a firewall system that lets you regulate exactly what gets into and out of your network. During the discussion I will go over the differences between an application gateway firewall and a packet filtering firewall. During the presentation we're going to fire up the firewall and look at what it sees; I may do this with a physical box, or I may run a virtual machine on a PC and connect to the internet over Wi-Fi. While we are connected, we'll log the traffic traveling to and from the PC through the firewall. Then we'll review the logs to see what was going on, based on the information presented in March's meeting. I'm going to give away the crown jewels here. The reason you want a separate firewall between you and the internet is this: regardless of what operating system you are running, if your system is compromised (hacked), one of the first things your friendly neighborhood hacker is going to do is cover their tracks by eliminating (if possible) any logging of their activity on the compromised computer. Logs kept on a physically separate box are out of reach of whatever is running on the compromised host, so that separation aids in detecting the anomalous behavior. This of course does not stop someone with adequate knowledge and ability from eventually detecting and potentially compromising your firewall too, but it does make the job that much harder. I will also bring in some real firewall logs that show why the COTS firewall/router/toaster oven/microwave/coffee machine/file server/print server devices leave MUCH to be desired in the arena of logging, both in the level of detail they record and in what your ISP/broadband provider (Verizon, Comcast, COX Communications, Adelphia, Clear, etc.) doesn't want you to see or will not let you see.
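Added worked example, not part of the SIG's material and not m0n0wall or Linux firewall code: the rule evaluation of a stateful packet filter of the kind described, in Python, with the log kept on the filter object rather than on the endpoint. The LAN range, the assumed ISP resolver (198.51.100.53) and the seven packet events are constructed. The rule set is a deliberately small home policy: web and DNS out without logging, any other outbound TCP allowed but logged, everything else blocked and logged, which is what "regulate exactly what gets into and out of your network" looks like in practice.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A packet as the filter sees it after header parsing (fields only; payload is not consulted)."""
    direction: str          # "in" = arriving from the internet side, "out" = leaving the LAN
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    direction: str          # "in", "out" or "any"
    proto: str              # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"  # CIDR
    dst: str = "0.0.0.0/0"
    dports: tuple = ()      # () = any destination port
    log: bool = False
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


class PacketFilter:
    """First-match, default-deny, stateful packet filter. The log lives on the firewall box."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()     # 5-tuples of flows that were allowed to start
        self.log = []

    def _record(self, t, action, p, why):
        self.log.append(f"{t} {action:5s} {p.direction:3s} {p.proto} "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport} ({why})")

    def filter(self, t: str, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply_key = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Traffic belonging to a flow that already passed is allowed without re-evaluating rules.
        if key in self.states or reply_key in self.states:
            return "pass"
        # Only a new flow (TCP SYN, or any UDP datagram) may create state; stray TCP is dropped.
        if p.proto == "tcp" and not p.syn:
            self._record(t, "block", p, "no state")
            return "block"
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self._record(t, r.action, p, r.note or "rule")
                if r.action == "pass":
                    self.states.add(key)
                return r.action
        self._record(t, "block", p, "default deny")   # implicit final rule, always logged
        return "block"


LAN = "192.168.1.0/24"
RESOLVER = "198.51.100.53"   # assumed ISP resolver (constructed, TEST-NET-2 address)
RULES = [
    Rule("pass", "out", "tcp", src=LAN, dports=(80, 443)),                        # web, not logged
    Rule("pass", "out", "udp", src=LAN, dst=RESOLVER + "/32", dports=(53,)),      # DNS, to our resolver only
    Rule("pass", "out", "tcp", src=LAN, log=True, note="non-web outbound"),       # allowed, but worth seeing
    Rule("block", "out", "any", src=LAN, log=True, note="unexpected egress"),     # e.g. DNS to someone else
]

EVENTS = [  # constructed, not a capture
    ("10:00:01", Packet("out", "tcp", "192.168.1.10", 52345, "93.184.216.34", 80, syn=True)),
    ("10:00:01", Packet("in",  "tcp", "93.184.216.34", 80, "192.168.1.10", 52345)),        # SYN/ACK back
    ("10:00:02", Packet("out", "udp", "192.168.1.10", 33000, RESOLVER, 53)),
    ("10:00:02", Packet("in",  "udp", RESOLVER, 53, "192.168.1.10", 33000)),               # DNS answer
    ("10:00:05", Packet("in",  "tcp", "203.0.113.5", 4444, "192.168.1.10", 445, syn=True)),  # SMB probe from outside
    ("10:00:09", Packet("out", "tcp", "192.168.1.10", 40000, "198.51.100.7", 6667, syn=True)),  # IRC-like egress
    ("10:00:12", Packet("out", "udp", "192.168.1.10", 33001, "203.0.113.53", 53)),        # DNS to a foreign server
]


def run(events=EVENTS, rules=RULES):
    fw = PacketFilter(rules)
    decisions = [fw.filter(t, p) for t, p in events]
    return decisions, fw.log


if __name__ == "__main__":
    decisions, log = run()
    print(decisions)
    print("\n".join(log))
```

Running it gives seven decisions and three log lines: the inbound probe to port 445 (default deny), the outbound connection to port 6667 (allowed, but logged because it is not web traffic), and the DNS query to a server other than the resolver (blocked). Those three lines are exactly what disappears when the only log is on the host that got compromised. pf's rule syntax has the same shape (action, direction, proto, from, to, port, log), so the policy translates almost line for line.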

MAY: We will cover Intrusion Detection Systems (IDS) and the close relative, the Intrusion Prevention System (IPS), with a focus on setting up and using the de facto standard, Snort, on a home network. First I will cover what an IDS is; then we'll fire up a copy of Snort and look at what it sees, with an eye to understanding how that information can be used. Second, we'll compare and contrast the firewall with the IDS. The prominent feature is that the IDS listens passively on the network rather than running on the endpoint, so for all intents and purposes it is undetectable to any malware anyone is likely to see, and that allows us to see what is going on regardless of whether your computer has been 0wned (pwned) or not. As with the firewall session, I plan on bringing in some real world Snort logs to go over.
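Added worked example (not the presenter's material, and not Snort itself): the two detection mechanisms a Snort deployment on a home network leans on most, content signatures and a port-scan heuristic, implemented in Python over constructed packets. The alert string mimics Snort's fast-alert layout; the signature IDs (sid 1000001 and up, the range Snort reserves for local rules), addresses and payloads are made up for the example. Note that inspect() only returns alerts and never changes or drops a packet, which is the passive property the paragraph above relies on.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Pkt:
    """A decoded packet handed to the sensor by a sniffer; the sensor never modifies or drops it."""
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Sig:
    """Snort-style content signature: protocol, optional destination port, byte pattern."""
    sid: int
    msg: str
    proto: str
    dport: Optional[int]
    content: bytes
    nocase: bool = False

    def matches(self, p: Pkt) -> bool:
        if p.proto != self.proto or (self.dport is not None and p.dport != self.dport):
            return False
        hay, needle = ((p.payload.lower(), self.content.lower()) if self.nocase
                       else (p.payload, self.content))
        return needle in hay


class Sensor:
    """Passive sensor: signature matching plus a port-scan heuristic, emitting Snort-like fast alerts."""

    SCAN_SID = 1000099   # local-rule sid chosen for the example

    def __init__(self, sigs: List[Sig], scan_ports: int = 10, scan_window: float = 5.0):
        self.sigs = list(sigs)
        self.scan_ports = scan_ports        # distinct destination ports that count as a scan
        self.scan_window = scan_window      # ... within this many seconds
        self.probes = defaultdict(list)     # (src, dst) -> [(ts, dport), ...]
        self.scan_reported = set()          # alert once per (src, dst) pair, not once per probe
        self.alerts: List[str] = []

    @staticmethod
    def _fmt(p: Pkt, sid: int, msg: str) -> str:
        return (f"{p.ts:08.3f} [**] [1:{sid}:1] {msg} [**] "
                f"{{{p.proto.upper()}}} {p.src}:{p.sport} -> {p.dst}:{p.dport}")

    def inspect(self, p: Pkt) -> List[str]:
        fired = [self._fmt(p, s.sid, s.msg) for s in self.sigs if s.matches(p)]
        # Port-scan heuristic: many distinct destination ports from one source to one host, quickly.
        key = (p.src, p.dst)
        self.probes[key].append((p.ts, p.dport))
        recent = {port for ts, port in self.probes[key] if p.ts - ts <= self.scan_window}
        if len(recent) >= self.scan_ports and key not in self.scan_reported:
            self.scan_reported.add(key)
            fired.append(self._fmt(p, self.SCAN_SID,
                                   f"possible port scan, {len(recent)} ports in {self.scan_window:g}s"))
        self.alerts.extend(fired)
        return fired


SIGS = [  # constructed local rules, not Snort's rule set
    Sig(1000001, "IRC NICK command on 6667, possible bot C2", "tcp", 6667, b"NICK ", nocase=True),
    Sig(1000002, "SHELLCODE x86 NOP sled", "tcp", None, b"\x90" * 16),
]

TRAFFIC = [  # constructed for the example, not a capture
    Pkt(0.0, "tcp", "192.168.1.10", 52345, "93.184.216.34", 80,
        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),                           # ordinary browsing
    *[Pkt(1.0 + i * 0.1, "tcp", "203.0.113.5", 40000 + i, "192.168.1.10", 21 + i)
      for i in range(12)],                                                          # ports 21..32 probed
    Pkt(5.0, "tcp", "192.168.1.10", 40001, "198.51.100.7", 6667,
        b"nick bot1234\r\nJOIN #c2\r\n"),                                           # egress from an owned host
    Pkt(6.0, "tcp", "203.0.113.9", 5555, "192.168.1.10", 8080, b"\x90" * 32 + b"\xcc"),
]


def run(traffic=TRAFFIC, sigs=SIGS) -> List[str]:
    sensor = Sensor(sigs)
    for p in traffic:
        sensor.inspect(p)
    return sensor.alerts


if __name__ == "__main__":
    print("\n".join(run()))
```

The scan fires on the tenth probe and only once for that source/destination pair, the IRC signature fires on the outbound traffic the compromised host itself would never log, and the NOP-sled signature fires on inbound content that a packet filter judging by ports alone would never see. Byte-substring matching is what Snort's content keyword does at heart; production rules add offsets, depth limits and PCRE on top of it.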

JUNE: Putting it all together. We'll wrap up for the summer by integrating the firewall, the IDS and your newfound networking knowledge into a complete user awareness experience, using some hacker tools to assault an endpoint computer that is being monitored by an IDS and protected by a firewall. You should end up seeing that the firewall is not the final solution and that no matter what defensive software you have on your system, there's still the potential to be hacked. People will be encouraged to experiment with their setups over the summer, so we can move on to additional topics in the fall.

Ken Fox is a Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP). He works as a Senior Applications, Security, and Forensics Analyst at The FCS Group, Inc.