[ISN] A review of SANS 2001

From: InfoSec News (isnat_private)
Date: Mon Jun 18 2001 - 10:26:43 PDT

    UNIX SECURITY --- June 14, 2001
    Published by ITworld.com -- changing the way you view IT
    Getting Back to Basics: SANS 2001
    By Carole Fennelly
    To be honest, I haven't attended a SANS conference
    (http://www.sans.org) since 1998 when I walked out of almost every
    talk with the impression that the presenters should update their
    material.  The last straw came when a presenter patronizingly
    suggested I attend the tutorials after I disagreed with his solution
    of securing a Web server by sticking a firewall in front of it. Yes, I
    know what a firewall is, but I also know that they are not the answer
    to every security requirement.
    Things change, and I was given an opportunity to re-evaluate SANS by
    way of a free pass to the conference held in Baltimore this past May,
    courtesy of Alan Paller (http://www.sans.org/SANS2001.htm). According
    to Alan:
        "SANS exists to enable technologists to learn from the top rated 
         teacher/practitioners in their fields -- people with front-line, 
         real world experience. There are a lot of great practitioners who 
         are not very good at teaching and there are hundreds of good 
         teachers who do not have the front-line experience to answer 
         questions well." 
    Does SANS meet this goal? I drove down to Baltimore to find out.
    I wanted to attend tutorials at will to get a better over-all feel for
    the conference but registering for Track 4, "Advanced Incident
    Handling and Hacker Exploits", restricted me to tutorials for that
    track alone.  The course materials were comprehensive and very
    detailed. In fact, the course materials seemed to be all that I would
    need to learn about the few tools I wasn't already familiar with.
    While it would have been worthwhile to sit through the tutorials for
    the side comments and extra insights from presenters Eric Cole and
    Edward Skoudis, I opted to check out the rest of the conference.
    I wanted to attend Marty Roesch's tutorial on Snort
    (http://www.sourcefire.com), an Open Source Intrusion Detection
    package. I found this to be a very useful tutorial for anyone
    interested in Intrusion Detection Systems, not just Snort. Especially
    effective was the screen showing real-time details of building and
    using the package. More detail than I really needed, but I've been
    building and using software packages for about 20 years. I wish
    tutorials like this were available when I started in Unix.
    I skipped the afternoon session of Snort to check out a presentation
    hosted by Network Computing magazine at the Sheraton, "Network
    Computing Challenge: Securing Your eBusiness".
    This presentation was open to anyone, though targeted at IT managers.
    I expected a 50,000-foot view of security and only went to finally
    meet the guys from Neohapsis (http://www.neohapsis.com) who were
    presenting.  Jeff Forristal did a great job explaining the hazards of
    wireless networks to an audience that really needed to hear it.
    Although I interviewed Jeff for an article I wrote on wireless
    (http://www-106.ibm.com/developerworks/wireless/library/wi-sec.html),
    I learned something from his presentation and picked up another good
    resource for wireless networking, the "Wildpackets" site
    Wednesday's Technical Conference kicked off with a keynote address by
    Gopal Kapur of the Center for Project Management titled "Management's
    Seven Deadly Sins". Keynote addresses are usually good and this was no
    exception. Management mistakes are often a source of humor, such as
    Scott Adams' popular Dilbert comic strip, and Gopal kept the audience
    entertained as well as informed with examples that everyone could
    relate to. While Gopal offered many useful suggestions to fix
    management mistakes, the average techie usually is not positioned to
    affect management changes. I couldn't help feeling that Gopal was
    preaching to the choir.
    For me, the most important aspect of a conference is the social
    interaction with other people in the field. I've learned more talking
    to people in hallways or at the bar than in any tutorial. Based on my
    previous experiences, I didn't expect too much social interaction at
    SANS. I was pleasantly surprised.
    The vendor floor had a great turnout and included the IDNet
    Demonstration Network for attendees to test their hacking skills and
    observe intrusion detection systems responses. This became the
    gathering spot for some of the top people in the information security
    field attending the conference. As many discussions initiated there
    continued over lunch or into the evening outings, it occurred to me
    that getting these talented people together and adding alcohol could
    be very dangerous!
    I only caught the last 15 minutes of Simple Nomad's "Stealth
    Communications Across Networks" presentation, and was told by the door
    monitor that I missed a "great talk". Based on the conversation I had
    with Simple Nomad (http://www.nmrc.org/) over lunch, I can believe it.
    The last official event I attended was one I always look forward to,
    Rob Kolstad and Dan Klein's "Quiz Show" -- Jeopardy for Geeks. It's
    always lots of fun and I give credit to anyone brave enough to get
    onstage and be on the receiving end of Rob's good-natured abuse.
    Overall, the conference was well worth attending, even though I did
    not stick to the program. On the negative side, I felt "herded" and I
    wasn't happy with the rigid restrictions to Tracks. With over 2000
    attendees attending 100 classes in one week, this is understandable
    but I still found it annoying.
    Still, SANS is a great resource for the average person in the IT
    field.  You won't see many new theories presented and that's fine;
    plenty of other conferences exist for the more advanced audience and
    we definitely need to educate the beginner to intermediate audience.
    For more advanced security people, it's still worth attending for the
    vendor floor and social interaction at the very least. As a colleague
    who shall remain nameless put it, "SANS is good for people who are
    confused at USENIX."
    About the author(s)
    Carole Fennelly is a partner in Wizard's Keys Corporation, a company
    specializing in computer security consulting. She has been a Unix
    system administrator for almost 20 years on various platforms, and
    provides security consultation to several financial institutions in
    the New York City area. She is also a regular columnist for Unix
    Insider (http://www.unixinsider.com). Visit her site
    (http://www.wkeys.com/) or reach her at carole.fennellyat_private
    ISN is hosted by SecurityFocus.com

    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 02:00:49 PDT