Network Security Workshop
BUSAN 2003
Saravanan Kulanthaivelu
[email protected] (nrg.cs.usm.my)

Security Audit

"The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeros, little bits of data... There’s a war out there... and it’s not about who’s got the most bullets. It’s about who controls the information."
Federation of American Scientists - Intelligence Resource Program

Workshop Outline (2)
• Security Audit
• Intrusion Detection
• Incident Response

FAQ
• We already have firewalls in place. Isn't that enough?
• We did not realize we could get security audits. Can you really get security audits, just like financial audits?
• We have already had a security audit. Why do we need another one?

Answers
• Firewalls and other devices are simply tools to help provide security. They do not, by themselves, provide security. Using a castle as an analogy, think of firewalls and other such tools as simply the walls and watch towers. Without guards, reports, and policies and procedures in place, they provide little protection.
• Security audits, like financial audits, should be performed on a regular basis.

Security Audit-Definitions
• A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by these actions.
• An assessment process, which will develop systems and procedures within an organization, create awareness amongst the employees and users and ensure compliance with legislation through periodic checking of processes, constituents and documentation.

Why Audit?
• Determine Vulnerable Areas
• Obtain Specific Security Information
• Allow for Remediation
• Check for Compliance
• Ensure Ongoing Security
To ensure that the site’s networks and systems are efficient and foolproof

Who needs security auditing?
• A security audit is necessary for every organization using the Internet.
• An ongoing process that must be tried and improved to cope with the ever-changing and challenging threats.
• Being audited should not be feared. Audit is good practice.

Audit Phases
• External Audit
  • Public information collection
  • External Penetration
    • Non-destructive test
    • Destructive test
• Internal Audit
  • Confidential information collection
  • Security policy reviewing
  • Interviews
  • Environment and Physical Security
  • Internal Penetration
  • Change Management
• Reporting

Audit Phases-External
• Hacker's view of the network
• Simulate attacks from outside
• Point-in-time snapshots
• Can NEVER be 100%

External Audit-Public Information Gathering
• Search for information about the target and its critical services provided on the Internet.
• Network Identification
  • Identify IP address ranges owned/used
• Network Fingerprinting
  • Try to map the network topology
  • Perimeter model identification
• OS & Application fingerprinting
  • OS fingerprinting
  • Port scanning to define services and applications
  • Banner grabbing

External Audit - Some Commandments
• Do not make ANY changes to the systems or networks
• Do not impact processing capabilities by running scanning/testing tools during business hours or during peak or critical periods
• Always get permission before testing
• Be confidential and trustworthy
• Do not perform unnecessary attacks

External Audit-Penetration Test
• Plan the penetration process
  • Search for vulnerabilities based on the information gathered and obtain the exploits
  • Conduct vulnerability assessments (ISO 17799)
• Non-destructive test
  • Scans / tests to confirm vulnerabilities
  • Make SURE they are not harmful
• Destructive test
  • Only for short term effect (DDOS….)
  • Done from various locations
  • Done only in off-peak hours to confirm effect
• Record everything
  • Save snapshots and record everything for every test done, even if it returned a false result
• Watch out for HONEYPOTS

Internal Audit
• Conducted at the premises
• A process of hacking with full knowledge of the network topology and other crucial information.
• Also to identify threats within the organization
• Should be 100% accurate.
• Must be cross checked with the external penetration report.

Internal Audit-Policy review
• Everything starts with the security policy
• If there is no policy, there is no need for a security audit.
• Policy
• Standards
• Procedures, Guidelines & Practices
• Policies are studied properly and classified
• Identify any security risk that exists within the policy
• Interview IT staff to gain a proper understanding of the policies
• Also to identify the level of implementation of the policies.

Internal Audit-Information gathering
• Discussion of the network topology
• Placement of perimeter devices (routers and firewalls)
• Placement of mission critical servers
• Existence of IDS
• Logging
Cross check with security policy

Internal Audit-Environment & Physical Security
• Locked / combination / card swipe doors
• Temperature / humidity controls
• Neat and orderly computing rooms
• Sensitive data or papers lying around?
• Fire suppression equipment
• UPS (Uninterruptible power supply)
Section 8.1 of the ISO 17799 document defines the concepts of secure area, secure perimeter and controlled access to such areas.
Cross check with security policy

Internal Audit-Penetration
• The internal penetration test can be divided into a few categories
  • Network
  • Perimeter devices
  • Servers and OS
  • Application and services
  • Monitor and response
• Find vulnerabilities and malpractice in each category
Cross check with security policy

Internal Audit-Network
• Location of devices on the network
• Redundancy and backup devices
• Staging network
• Management network
• Monitoring network
• Other network segmentation
• Cabling practices
• Remote access to the network
Cross check with security policy

Internal Audit-Perimeter Devices
• Check configuration of perimeter devices like
  • Routers
  • Firewalls
  • Wireless AP/Bridge
  • RAS servers
  • VPN servers
• Test the ACL and filters like egress and ingress
  • Firewall rules
  • Configuration access method
  • Logging methods
Cross check with security policy

Internal Audit-Server & OS
• Identify mission critical servers like DNS, Email and others..
• Examine OS and the patch levels
• Examine the ACL on each server
• Examine the management control - account & password
• Placement of the servers
• Backup and redundancy
Cross check with security policy

Internal Audit-Application & Services
• Identify services and applications running on the mission critical servers. Check vulnerabilities for the versions running. Remove unnecessary services/applications.
  • DNS
    • Name services (BIND)
  • Email
    • Pop3, SMTP
  • Web/Http
  • SQL
  • Others
Cross check with security policy

Internal Audit-Monitor & Response
Check for procedures on
• Event Logging and Audit
  • What is logged?
  • How frequently are logs viewed?
  • How long are logs kept?
• Network monitoring
  • What is monitored?
  • Response Alert?
• Intrusion Detection
  • IDS in place?
  • What rules and detection are used?
• Incident Response
  • How is the response to the attack?
  • What is the recovery plan?
  • Follow up?
Cross check with security policy

Internal Audit-Analysis and Report
• Analysis result
  • Check compliance with security policy
  • Identify weaknesses and vulnerabilities
  • Cross check with external audit report
• Report - key to realizing value
  • Must be 2 parts
    • Not technical (for management use)
    • Technical (for IT staff)
  • Methodology of the entire audit process
  • Separate Internal and External
  • State weaknesses/vulnerabilities
  • Suggest solutions to harden security

Tools

More Tools….
• Inetmon
• Firewalk
• Dsniff
• RafaleX
• NetStumbler
• RAT (Router Audit Tool)-CIS
• Retina scan tools
• MBSA

Nmap - De facto Standard
Even in The Matrix, nmap was used

Intrusion Detection
• Intrusion Detection is the process of monitoring computer networks and systems for violations of security.
• An Intrusion – any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
• All intrusions are defined relative to a security policy
  • Security policy defines what is permitted and what is denied on a network/system
  • Unless you know what is and is not permitted, it's pointless to attempt to catch intrusions

Intrusion Detection
• Manual Detection
  • Check the log files for unusual behavior
  • Check the setuid and setgid of files
  • Check important binaries
  • Check for usage of sniffing programs
• Automatic (partially??)
  • Intrusion Detection Systems

Intrusion Detection Systems
• Goal
  • To detect intrusion in real time and respond to it
• False positive
  • No intrusion but alarm
  • Too many make your life miserable
• False negative
  • Intruder not detected
  • System is compromised

Intrusion Detection - Detection Schemes
• Misuse Detection
  • The most common technique, where incoming/outgoing traffic is compared against well-known 'signatures'. For example, a large number of failed TCP connections to a wide variety of ports indicates somebody is doing a TCP port scan.
• Anomaly Detection
  • Uses statistical analysis to find changes from baseline behavior (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition, but has the benefit that it can catch attacks for which no signature exists. Anomaly detection is mostly theoretical at this point and is the topic of extensive research.

Intrusion Detection - Detection
• Misuse Detection
  • Detect Known Attack Signatures
  • Advantage:
    • Low False Positive Rate
  • Drawbacks:
    • Only Known Attacks
    • Costs for Signature Management
• Anomaly Detection
  • Learn Normal Profiles from User and System Behavior
  • Detect Anomaly
  • Advantage
    • Detect Unknown Attacks
  • Drawbacks
    • Difficulty of Profiling
    • Profile can be controlled by intruders
    • High false positive rate

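The two detection schemes compared above, as an added example that is not part of the original slides. The log records, addresses (documentation ranges), thresholds and logon counts are all constructed assumptions; the signature is the port-scan rule the slides describe, and the anomaly check is a simple standard-deviation test against a baseline.

```python
from collections import defaultdict
from statistics import mean, stdev

def build_sample_log():
    """Constructed connection records: (seconds, source IP, destination port, outcome)."""
    log = []
    # Ordinary client: a handful of successful connections.
    for t, port in [(0, 80), (5, 443), (9, 25), (30, 80)]:
        log.append((float(t), "198.51.100.7", port, "ok"))
    # Scanner: failed connections to 40 different ports within 20 seconds.
    for i in range(40):
        log.append((10 + i * 0.5, "192.0.2.66", 1000 + i, "failed"))
    # Misconfigured client: 40 failures, all to the same port (not a scan).
    for i in range(40):
        log.append((12 + i * 0.5, "198.51.100.9", 8080, "failed"))
    return sorted(log)

def misuse_detect(log, window=60.0, min_ports=20):
    """Signature: one source fails against >= min_ports distinct ports within `window` seconds."""
    failures = defaultdict(list)
    for ts, src, port, outcome in log:
        if outcome == "failed":
            failures[src].append((ts, port))
    alerts = []
    for src, events in sorted(failures.items()):
        events.sort()
        start, in_window = 0, defaultdict(int)
        for ts, port in events:
            in_window[port] += 1
            # Slide the window: drop failures older than `window` seconds.
            while ts - events[start][0] > window:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= min_ports:
                alerts.append(src)
                break
    return alerts

def anomaly_detect(baseline, observed, threshold=3.0):
    """Flag observations more than `threshold` standard deviations from the baseline mean."""
    mu, sigma = mean(baseline), stdev(baseline)
    if sigma == 0:
        raise ValueError("baseline has no variance; cannot score deviations")
    return [(label, round((value - mu) / sigma, 1))
            for label, value in observed
            if abs(value - mu) / sigma > threshold]

# Constructed hourly logon counts: a learned baseline and three new observations.
BASELINE_LOGONS = [12, 15, 11, 14, 13, 12, 16, 13]
OBSERVED_LOGONS = [("09:00", 14), ("10:00", 19), ("11:00", 60)]

if __name__ == "__main__":
    print("misuse alerts:", misuse_detect(build_sample_log()))
    print("anomaly alerts:", anomaly_detect(BASELINE_LOGONS, OBSERVED_LOGONS))
```

The signature flags only the source that touched many ports and ignores the client that failed repeatedly against one port. The anomaly check needs no signature, but it also flags the 10:00 count of 19 logons, which may be nothing more than a busy hour: the false-positive drawback listed above.
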
Network IDS
• Uses network packets as the data source
• Searches for patterns in packets
• Searches for patterns of packets
• Searches for packets that shouldn't be there
• May ‘understand’ a protocol for effective pattern searching and anomaly detection
• May passively log, alert with SMTP/SNMP or have real-time GUI

Network IDS Strength
• Lower cost of ownership
  • Fewer detection points required
  • Greater view
  • More manageable
• Detects attacks that host-based systems miss
  • IP based Denial of Service
  • Packet or Payload Content
• More difficult for an attacker to remove evidence
  • Uses live network traffic
  • Captured network traffic

Network IDS Strength
• Real time detection and response
  • Faster notification and responses
  • Can stop before damage is done (TCP reset)
• Detects unsuccessful attacks and malicious intent
  • Outside a DMZ, see attempts blocked by firewall
  • Critical information obtained can be used for policy refinement
• Operating system independence
  • Does not require information from the target OS
  • Does not have to wait until the event is logged
  • No impact on the target

Network IDS Limitations
• Obtaining packets - topology & encryption
• Number of signatures
• Quality of signatures
• Performance
• Network session integrity
• Understanding the observed protocol
• Disk storage

Host Based IDS
• Signature log analysis
  • application and system
• File integrity checking
  • MD5 checksums
• Enhanced Kernel Security
  • API access control
  • Stack security
• Some products listen to port activity and alert administrator when specific ports are accessed

Host IDS Strength
• Verifies success or failure of an attack
  • Log verification
• Monitors specific system activities
  • File access
  • Logon / Logoff activity
  • Account changes
  • Policy changes
• Detects attacks that network-based IDS may miss
  • Keyboard attacks
  • Brute-Force logins

Host Based IDS Limitations
• Places load on system
• Disabling system logging
• Kernel modifications to avoid file integrity checking (and other stuff)
• Management overhead
• Network IDS Limitations

Characteristic of a Good IDS
• Impose minimal overhead
  • Does not slow down the system
• Observe deviations from normal behavior
• Easily tailored to any system
• Cope with changing system behavior over time as applications are being added
  • High adaptation

Network Honeypots
• Sacrificial system(s) or sophisticated simulations
• Any traffic to the honeypot is considered suspicious
• If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a Honeypot has been deployed

Network Honeypots
[Diagram labels: Honeypot, HTTP, DNS, Firewall]

Some IDS
• Commercial
  • Real Secure by ISS
  • VCC/Tripwire TM
  • CMDS by SAIC
  • NetRanger by Wheelgroup
• Freeware/Opensource
  • Snort (www.snort.org)

Incident Response
• Incident: An action likely to lead to grave consequences
  • Data loss may lead to commercial loss.
  • Confidentiality breached.
  • Political issues…
  • Network breakdown leads to service and information flow disruption.
  • Many more..

Incident Response
• Response: An act of responding.
  • Something constituting a reply or a reaction.
  • The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation
  • The output of a transducer or detecting device resulting from a given input.
• Ideally Incident Response would be a set of policies that allow an individual or individuals to react to an incident in an efficient and professional manner, thereby decreasing the likelihood of grave consequences.
• ISO 17799
  • Outlines Comprehensive Incident Response and Internal Investigation Procedures
  • Detailed Provisions on Computer Evidence Preservation and Handling

Incident Response - Purpose
• Minimize overall impact.
  • Hide from public scrutiny.
  • Stop further progression.
  • Involve Key personnel.
  • Control situation.
• Recover Quickly & Efficiently.
  • Respond as if going to prosecute.
  • If possible replace system with new one.
  • Priority one, business back to normal.
  • Ensure all participants are notified.
  • Record everything.
• Secure System.
  • Lock down all known avenues of attack.
  • Assess system for unseen vulnerabilities.
  • Implement proper auditing.
  • Implement new security measures.
• Follow-up (A continuous process)
  • Ensure that all systems are secure.
  • Continue prosecution.
  • Securely store all evidence and notes.
  • Distribute lessons learned.

Incident Verification
• How are we certain that an incident occurred?
• Verify the Incident!
• Where to find information?
  • Intrusion Logs
  • Firewall Logs
  • Interviews
    • Emails, Network Admin, Users, ISP, etc…

Verification: What do we know?
Three situations
1. Verification without touching the system
2. Verification by touching the system minimally. You have a clue or two where to look.
3. Verification by full analysis of live system to find any evidence that an incident has occurred.

Secure Incident Scene
• What exactly does this mean?
  • Limit the amount of activity on the system to as little as possible
    • Limit damage by isolating
    • ONE person performs actions
    • Limit affecting the crime environment
    • Record your actions

Preserve Everything!
• Anything and everything you do will change the state of the system
  • POWER OFF? Changes it.
  • Leave it plugged in? Changes it.
  • Obtaining a backup will change the system
  • Unplug the network? Changes it.
  • Even Doing Nothing will ALSO change the state of the system.

Incident Scene Snapshot
• Record state of computer
  • Photos, State of computer, What is on the screen?
  • What is obviously running on the screen?
    • Xterm?
    • X-windows?
• Should you port scan the affected computer?
  • Pros: You can see all active and listening ports
  • Cons: It affects the computer and some backdoors log how many connections come into them and could tip off the bad guy

Unplug power from system?
• This method may be the most damaging to effective analysis though there are some benefits as well
  • Benefits include that you can now move the system to a more secure location and that you can physically remove the hard drive from the system
  • Cons… you lose evidence of all running processes and memory

Unplug from Network?
• Unplug from the network?
  • Unplug it from the network and plug the distant end into a small hub that is not connected to anything else.
  • Most systems will write error messages into log files if not on a network.
  • If you make the computer think it is still on a network, you will succeed in limiting the amount of changes to that system.

Backup or Analyze?
• Should you backup the system first?
• Should you find the extent of the damage?
• Set up in policy for your incident response:
  • It depends on the system and what you need it for.
  • To get BEST evidence BACKUP first at the cost of time to get answers
  • To get FAST answers ANALYZE first at the cost of getting best evidence
  • Label systems with priority. Some will need answers quicker than your ability to get best evidence.

Finding Clues
• Once backup is done start looking for clues
• Be careful to avoid tampering with the system when it is in the middle of a backup.
• Even though the emphasis might be to quickly assess the WHAT of a situation, if you try to answer that question without preserving the scene of the crime you will inadvertently erase the evidence you seek
• Be patient. It’s meticulous

Finding Clues
• What are we really looking for?
  • DATES and TIMES
  • TROJAN BINARIES
  • HIDDEN DIRECTORIES
  • OUT OF PLACE FILES OR SOCKETS
  • ABNORMAL PROCESSES
• We need to find one clue, and once we do, everything else almost always falls into place

What Next?
• Prosecute??
• Apply short-term solutions to contain an intrusion
• Eliminate all means of intruder access
• Return systems to normal operation
• Identify and implement security lessons learned

Useful Links
• http://www.securityfocus.com
• http://packetstormsecurity.org
• http://icat.nist.gov/icat.cfm
• http://wiretrip.net
• http://www.guninski.com/
• http://nsfocus.com

Incident Response Resources
• Incident Response, Electronic Discovery, and Computer Forensics, www.incident-response.org
• Security Focus, www.securityfocus.com
• The Federal Computer Incident Response Center (FedCIRC), www.fedcirc.gov
• The Canadian Office of Critical Infrastructure Protection and Emergency Preparedness, www.ocipep.gc.ca
• Incident Handling Links & Documents (75 links), http://www.honeypots.net/incidents/links
• SEI: Handbook for Computer Security Incident Response Teams, http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf
• CERT/CC: Computer Security Incident Response, http://www.cert.org/csirts/
• CERT/CC: Responding to Intrusions, http://www.cert.org/security-improvement/modules/m06.html
• AusCERT: Forming an Incident Response Team, http://www.auscert.org.au/render.html?it=2252&cid=1920
• SANS: S.C.O.R.E, http://www.sans.org/score/

White Papers
• http://www.ins.com/knowledge/whitepapers.asp
  • Information Security Management: Understanding ISO 17799
  • Microsoft IIS Unicode Exploit
  • Worrisome New Windows Attacks
  • PKI: How it Works
  • IPSec: What Makes it Work

Funny things happen! Beware

Thank You