Security Gatherings for the Little Guys

NeedaFirewall writes: "With all of the recent vulnerability announcements and increased concern about terrorism, a lot of folks are starting to take security and privacy more seriously, both at the network and node levels. Large companies can afford to send their IT people to detailed technical security conferences offered by the likes of SANS, Blackhat, and others. Some of these cost thousands of dollars for a single seminar, class, or other event. Small companies and individual programmers, network admins, etc (like me!) often can't afford these. Where can they go to learn more about security? Are there quality security conferences, seminars, trade shows, and the like out there that the little guys can afford? Particularly broad-scope gatherings that can teach these 'security newbies' the basics and alert them to the most pertinent threats?"

rubi-con

[buridan]

i did rub-con last year, it was quite interesting in a wide variety of ways http://www.rubi-con.org . check it out

Just sneak into the conference

And if you're cought, pretend that you were testing their security procedures.

h2k2 might help

[e-gold]

http://www.h2k2.net/ is about to happen in NYC. I wish I could afford to go (time and money probably don't permit). Listening at places like that can help in strange ways in the future...
JMR

Speaking ONLY for myself, as always.

DefCon

[pexatus]

DefCon is run every year at the same time as Black Hat, by the same people, with half of the same speakers. It costs about $40 (or did in 1998). Most of the cmopanies that send people to Black Hat tell them to stay for DefCon as well.

If you're that concerned about getting info from Black Hat, talk to one of the people at DefCon who went and ask if you can photocopy his or her notes. They're the best thing you get for your $1000 Black Hat registration anyway.

Re:DefCon

[megabeck42]

$75 this year, but they're paying the speakers, so it should have a better set of talks.

There's always RTFL (read the friggin' literature)

[Skyshadow]

When I did sysadmin work, I kept up on security threats by reading the literature available. CERT notices, security reports from vendor sites and posted to newsgroups, read the cracker pubs to keep up on attack methods, etc.

Computer (esp. network) security isn't really something that can be learned in a class. It's more of an ongoing awareness of what the threat of the week is. If history has shown us anything, it's that any useful networked system has flaws and can be broken into. As such, it's important to always keep on the forefront of what the enemy is up to.

Irritatingly time-consuming? You bet. A pain in the ass to keep up with? Oh yeah. The only effective way to keep systems and networks secure? Unfortunately.

Small budget security training

[totallygeek]

This is interesting. Where I work they gave me a $7,500 security training budget for myself. I was faced with just the opposite problem -- where to go for decent training, and not just a "hang out" conference. I feel that I stay up to date via newsgroups, websites and tech journals.

To answer your question, how about asking a nearby college or computer company? I hit up SCO once about security (many, many years ago), and was invited to one of their "internal" security classes for under $500.

Re:Small budget security training

[Telastyn]

I'd also recommend spending some of the cash on a programming course if you've not taken one. Generally something in C would be best as it's one of the most common (and low-level and broken) languages. Understanding the bugs that can lead to exploits can help alot in understanding exploits themselves.

Intro Cisco courses are also a great help in the same vein as the first bit of the course goes over networking details if you're mainly a systems admin, and aren't up to snuff on the details of networking.

defcon - not just for the l33t

[maestro^]

defcon is becoming more 'mainstream' every year and is a good conference on the cheap. for $75 you get many tracks from newbie to uberhax0r. its also a good excuse to get out of the office and spend a weekend in vegas.

Try community colleges?

[interstellar_donkey]

In my neck of the woods (Phoenix metro area), I often hear ads on the local NPR station for networking and security seminars at the local community college.

These are typically touted as free or very inexpensive. Not being a security guy I can't really comment on how good they are, but it probably could'nt hurt to check one out.

My guess would be many small community colleges offer something like this.

Find your local Infosec groups!

[Garin]

The key to learning more about security and making connections is to get involved with your local scene (or generate one, if necessary).

Find your local ISSA chapter (issa.org),and in Canada there is the CIPS Security Interest Group (through cips.ca). Also, talk to your local VARs and express an interest in security products. Usually they'll invite you to free morning seminars pushing security products.

The point of going to these meetings is to find peers. Once you know a few people, swap email addresses and war stories, that kind of thing, you'll get a base.

I've used these groups to meet colleagues, put together CISSP study groups, discuss issues, and share job opportunities and the like. Once you get a critical mass of people, it becomes very useful and interesting. It's not the same as a conference, but it is far better than working in a vacuum.

About SANS

[lamj]

I work with SANS so I know more about SANS than other organizations.

SANS offers courses online so you would save on travelling fees. And yes, I would agree on the fact that travelling is expensive. I am going to a SANS conference next month and the hotels + travel + food is going to cost $2000+ and it's coming out of my own pocket.

Aside from that, SANS also have volunteer program that you can go for a conference for free (will be $500 in October) but they require you to do all the setup and monitoring for them (hard work, trust me). But you will still have to pay for your lodging and food.

In the end, just like anything else, there's really no free lunch. But if you are determined enough to learn, you will pay out of your own pocket to go. (like me)

Re:About SANS

[_Sprocket_]

I would like to add a few supportive words for SANS.

The courses tend to be top notch. But that is just part of SANS' value. SANS conferences also feature a series of night courses and informal Birds of a Feather (BOF) meetings (complete with snacks and refreshments). The BOFs cover a whole slew of subjects and if you wish to add to a subject (whether you are an expert or simply curious), you are welcome to sign up and form one and room / snacks are provided for you. These add incredible value to attending a SANS conference.

SANS also does a lot of other interesting things. They have a top-notch certification program (which has generated some interesting documents available to the public). And they are offering more and more of their certification tracks via online training programs as well as starting a localized mentor program to work with the online component.

Re:Easy way...

[Junta]

Step 2: post systems IP address to slashdot and say 'hack this'...... you should at least quickly see all the scripts that are all the fad right now.....

Re:There's always RTFL (read the friggin' literatu

[Demerara]

I'm in Guyana, South America so the cost of the conferences with airfares etc is way outside the budget.

I agree that the literature is a good starting point - the reading room at SANS is a mighty fine
resource.
When I'm ready (read "can do no more without expert help") I'll look into courses/conferences.

Defcon MIGHT be a good bet

[sterno]

I've gone the last two years and though the price is quite good, from year to year the quality can vary a lot. Two years ago it was really quite good. A decent number of interesting speakers, got to hang out a bit with Bennett Haselton, the guy who runs peacefire.org. Overall had a good time.

The last year though the topics really didn't seem to be quite as good and there were endless mindless pranks going on. I'm all for clever interesting pranks, but this was dumb stuff like smashing hotel lights, etc. I mean, the prank hilight was dry ice in the pool. Neat effect, but hardly breaking new ground :)

That's the only problem with Defcon is that it tends to attract a certain anti-establishment sophmoric crowd (because unlike most similar cons, they can afford to get in :). While certainly there's something inherently anti-establishment about a hacker convention in the first place, that energy can be channeled into mindless destruction or it can be channeled into creative/constructive efforts. Seems that this varies from year to year :)

It's sorta well suited to vegas. You put down your money and take somewhat of a gamble on what you are going to get. I'd suggest checking the website for the speaker list and see if they have things that interest you. If it looks good, then go for it, give or take airfare and hotel it's a bargain.

Low budget, but a lot of personal commitment

[2Bits]

I personally don't have the budget to attend any of these expensive conferences either. And my company, although with an annual revenue of $5B, would not pay for that, as I'm in the consulting division, and the manager does not believe that the cost would justify any benefits to the company (weird logic, I know, but I can't fire the manager, can I?).

So, my low budget solution is the following:

- Lurk around in the newsgroups like alt.computer.security, alt.hacker, alt.security.pgp, alt.sources.crypto, comp.lang.java.security, comp.os.linux.security, etc, just a bunch of security newsgroups.
- Subscribe to security related mailing lists, like Bruce Schneier's Cryptogram.
- Buy and read a lot of security related books
- Download and play around with free and/or commercial (if available) softwares
- visit frequently security related web sites, e.g. linuxsecurity.com,rootprompt.org (they do have some security related articles), ... and a bunch of security related commercial company to see what they are doing, sometimes they have white papers that are quite good.

Sure, sometimes I wish I could attend some of the training sessions at the conference, that'd have saved me a lot of time.

And this requires a lot of personal commitment, and a lot of time. But I've learned a lot, thanks to a lot of people who are willing to share their tricks of trade and their knowledge.

Note that this also takes up a lot of my time at work, but the manager is not clued enough to know that, just like she does not know that a lot of people would spend time doing what she tries to disapprove at work (like spending time learning a new tools/prog.lang/etc). Cost-effective-wise and employee-satisfaction-wise, it is better to spend $5K to send an employee to a conference/seminar/training. Unfortunately, most managers and executives can't figure that out, although they would throw at you all these buzzwords like ROI, CBA (cost benefit analysis), and other craps.

Security is an illusion ...

[Proudrooster]

When it comes to security, I have found that training classes and seminars are "cool" and "fun" to watch, but have very little applicability to the configuration at my local site.

I share the same opinion of others. The best way to stay on top of security is to subscribe to Bugtraq. Other subscription lists like CERT and vendor specific lists, are always lagging behind (sometimes as much as WEEKS) since they tend NOT to announce a security issue until the vendor has a fix/patch available. Bugtraq is pretty close to zero day disclosure and is not vendor specific, thus you have to wade through the subjects to see if anything applies to your site. Additionally, BUGTRAQ is moderated which cuts down on the quantity and noise, unlike other sources which can become excessive.

To subscribe to the list, send a message to:
bugtraq-subscribe@securityfocus.com

This is my securty mantra, "security is an illusion".

If you are connected to the Internet, you can be hacked. All humans make mistakes and all code is written by humans. The best you can do is manage your risk and increase your odds of not being a hackable target by staying informed and being proficient in application configuration.

My advice is to spend your training money on the specific applications that are Internet facing e.g. (RedHat, Apache, Sendmail, DNS, POP3S, IMAPS, Oracle, MySQL, CISCO IOS), make sure you understand the security configuration and hit it hard in the class. Application Security Mis-configuration and weak passwords are probably the number one source of Internet compromises. Often times if you have your applications locked down and secure, the security exploit of the day may be a non issue.

Good Luck!

Re:Basics

[PotatoMan]

My self-education went like this:

1) "Computer Networks" by Andrew S. Tannenbaum

This will teach you what's really going on

2) "Firewalls and Internet Security" by Cheswick and Bellovin.

The BEST book on firewalls. Online version at
http://www.wilyhacker.com

3) "Hacking Exposed" by McClure, Scambray and Kurtz.

Not as systematic as the others, but this one has the specifics that let you see what the other books were talking about.

4) Run a GNU/Linux system and start watching logs, etc. I'm on a dial-up and get hit several times per week. Follow up and see if you can figure out what they're doing; hopefully they don't get in!

5) Keep abreast with CERT, SANS, BUGTRAQ, etc.

6) There is no Royal Road to NetSec; you'll just have to dig in and learn it the hard way.

read some books?

[wobblie]

Well, first you must know tcp/ip very well. ORA's "Internet Core Protocols" is an excellent start and a very good book.

The "hacking unix exposed" series of books are also very good.

Forget windows. Get yourself a free unix and learn tcpdump and netfilter or ipfilter inside and out.

Talking about learning security by going to conferences is kinda ridiculous, like expecting to learn archeology by going to archeology conferences.

How About Books?

[Squeamish+Ossifrage]

You asked about conferences, but it seems like what you're really looking for is education in general. Especially as a "newbie," conferences aren't going to be your best bet anyway: They tend to cover what's new and particular topics of interest, but can't and don't provide general background knowlege.

You can get a lot of good books for the price of a conference admission, and that's probably a better way to get started, anyhow. Here are a few recommendations from my bookshelf:

• Building Secure Software, Viega & McGraw, $55 at Amazon
• Network Intrusion Detection, Northcutt, McLachlan & Novak, $32
• UNIX System Administration Handbook, Nemeth et. al. $68
• Secrets and Lies, Schneider $21
• Hacking Exposed, McClure, Scambray & Kurtz $35

USENIX!!!

[Crispin+Cowan]

USENIX Security Symposium: not just more affordable than SANS, it's also better. SANS is baby-food for people with more time than money: nice, competent people RTFM to you out loud.

In contrast, USENIX is actual security technology. Take the tutorials for in-depth learning on important issues, and the technical sessions for cutting-edge practical security research. We have a paper this year on the LSM (Linux Security Modules) project.

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase

Software Developers, See HOWTO!

[dwheeler]

If you're writing software for Linux/Unix systems, go see my book, the Secure Programming for Linux and Unix HOWTO available at http://www.dwheeler.com/secure-programs. It's freely available and redistributable (GFDL license), and it's got lots of information on how to write secure programs. There's lots of information on the Internet on how to write secure programs, but this book gives a lot of information in one place. Enjoy!