Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security

Security Gatherings for the Little Guys 187

Posted by timothy from the do-lug-meeting-presentations-count dept.
NeedaFirewall writes: "With all of the recent vulnerability announcements and increased concern about terrorism, a lot of folks are starting to take security and privacy more seriously, both at the network and node levels. Large companies can afford to send their IT people to detailed technical security conferences offered by the likes of SANS, Blackhat, and others. Some of these cost thousands of dollars for a single seminar, class, or other event. Small companies and individual programmers, network admins, etc (like me!) often can't afford these. Where can they go to learn more about security? Are there quality security conferences, seminars, trade shows, and the like out there that the little guys can afford? Particularly broad-scope gatherings that can teach these 'security newbies' the basics and alert them to the most pertinent threats?"
This discussion has been archived. No new comments can be posted.

Security Gatherings for the Little Guys More

Security Gatherings for the Little Guys

Comments Filter:

  • rubi-con (Score:3, Informative)

    by buridan ( 122382 ) on Monday July 08, 2002 @04:16PM (#3844450)
    i did rub-con last year, it was quite interesting in a wide variety of ways http://www.rubi-con.org . check it out

    • Re:rubi-con (Score:2, Informative)

      by Eol1 ( 208982 )
      wh00t ... Did Rubi-Con also last year and planning to go again this year. Damn good (and even informative <grin>) convention. Reasonably priced also (read: cheap).

    • Re:rubi-con (Score:2, Informative)

      by noweb4u ( 52880 )
      I know two of the organizers personally. They're planning to make it even better this year, with better speakers, more organization, and less random vandalism. I understand they are also going to have a commons area this time, other than the heavily smoke filled network room.
      The price is up $10 this year, but it's going to be well worth it. That and forno already said he'd be a speaker again next year (just not a keynote ;-) ).
      I'd suggest if you live in the midwest, especially Michigan, this is the place to go. :-)
    • If you're anywhere in the midwest, rubi-con is highly recommended. I went this year for the first time, and enjoyed it tremendously. Sure, you run into a lot of the kiddie types, but there were some very useful sessions to me as a developer, and even more for me as a general security wonk.

  • Just sneak into the conference (Score:5, Funny)

    by Anonymous Coward on Monday July 08, 2002 @04:16PM (#3844454)
    And if you're cought, pretend that you were testing their security procedures.

  • h2k2 might help (Score:5, Informative)

    by e-gold ( 36755 ) <jray&martincam,com> on Monday July 08, 2002 @04:18PM (#3844465) Homepage Journal
    http://www.h2k2.net/ [h2k2.net] is about to happen in NYC. I wish I could afford to go (time and money probably don't permit). Listening at places like that can help in strange ways in the future...
    JMR

    Speaking ONLY for myself, as always.

  • DefCon (Score:5, Informative)

    by pexatus ( 216363 ) on Monday July 08, 2002 @04:18PM (#3844469)
    DefCon is run every year at the same time as Black Hat, by the same people, with half of the same speakers. It costs about $40 (or did in 1998). Most of the cmopanies that send people to Black Hat tell them to stay for DefCon as well.

    If you're that concerned about getting info from Black Hat, talk to one of the people at DefCon who went and ask if you can photocopy his or her notes. They're the best thing you get for your $1000 Black Hat registration anyway.

    • Re:DefCon (Score:3, Informative)

      by megabeck42 ( 45659 )
      $75 this year, but they're paying the speakers, so it should have a better set of talks.
      • $75 this year, but they're paying the speakers, so it should have a better set of talks.

        How much can they afford to pay the speakers if the conference is $75?

        I arrived at the WWW2002 conference this year to find that they charge speakers the conference fee! Fortunately I was giving a tutorial and got a free admission but some of the speakers I invited for my panels were somewhat put out.

        I suspect that at that price the speakers are not getting much more than a cheap air fare.

        I do charge for appearing at some conferences but DefCon is not the sort of place I would expect an large honorarium from.

        Last year there was a fringe meeting held just before the RSA conference called CodeCon. The hook there was you had to have written code to speak. It was a reasonably good setup, only the venue was Jammie Z's nightclub which meant an ID check at the door (which kept out some of the cipherpunks) and there was no good place to network duing talks.

        Next year I plan to skip the RSA talks, and do CodeCon and the RSA floor show.

    • As someone who went to the 'Con last year (it was my first year) I can highly recommend it. It's nothing like you've ever seen before, and you'll learn more about the inner-workings of security in 3 days than you could in a year at an 'institution of higher learning'. See the Defcon site [defcon.org] for more information.

    • Re:DefCon (Score:2, Informative)

      by FuegoFuerte ( 247200 )
      DefCon is run every year at the same time as Black Hat, by the same people, with half of the same speakers. It costs about $40 (or did in 1998).

      A few things about Defcon... it's not at the same time as BlackHat, it's just following (which may be what you meant... just hard to tell). This year it's August 2-4. As someone else already mentioned, it's $75. It was going to be $100 but too many people complained or something (conjecture). The price increase was for two reasons: One, so speakers could be paid *iff* they have a good speach. Therefore, speakers who suck won't get paid. So, if they know they suck and won't get paid, they're not as likely to try speaking. Second, the price increase is an attempt to discourage script kiddies and other imbeciles (such as many on /. who are probably reading this now, though not all) from coming to the con and pissing people off.

      More Information: The Defcon Page [defcon.org]

      Also, check out this year's speakers [defcon.org] and this year's slogans [securitytribe.com].

      Oh.... one other thing... DC, if you didn't already know, is held at the Alexis Park in Vegas.
  • Spend some time every morning (drinking your coffee, slowly waking up) looking over bug track and several other security related news groups that I can not think of currently, see if you can break and/or patch the holes/bugs/issues discussed.

    Post if you have questions, post if you have solutions.

  • Easy way... (Score:1, Insightful)

    by Anonymous Coward
    [humor]
    Just get yourself on an older copy of redhat, install, turn on as much as possible, then site back and enjoy! Within 15/20 minutes you should be able to learn many interesting things from your new box!
    [/humor]
  • go there. Get learned, llama'd, and laid

    • The male:female ration at defcon is probably something like 100:1. If you're going to defcon to get laid, chose one of the following options:

      • I am female
      • I am Gay
      • I am bringing my own...
      • HAHA dude..yeah. What you do is setup a booth and a huge poster saying "DDoS" HERE for FREE!!!

        people come running, and so do the womens. (they're the ones with beef with all the other people)...

        ok so maybe that won't work. Maybe you'll get laughed at. Maybe none of the women would talk to you. Regardless, people will know you. (isn't all publicity good?)

        --------
        Experiencing the Slashdot effect now for 4+ years
  • go to [insert your favorite bookstore here]... Some places will have an excellent selection of security related books -- It's a great place to start, and you can pick most of the stuff up from books. $50 for a nice'n thick book is much better than $2k for a 1 day seminar. :-)

    Mike.

  • There's always RTFL (read the friggin' literature) (Score:5, Informative)

    by Skyshadow ( 508 ) on Monday July 08, 2002 @04:20PM (#3844490) Homepage
    When I did sysadmin work, I kept up on security threats by reading the literature available. CERT notices, security reports from vendor sites and posted to newsgroups, read the cracker pubs to keep up on attack methods, etc.

    Computer (esp. network) security isn't really something that can be learned in a class. It's more of an ongoing awareness of what the threat of the week is. If history has shown us anything, it's that any useful networked system has flaws and can be broken into. As such, it's important to always keep on the forefront of what the enemy is up to.

    Irritatingly time-consuming? You bet. A pain in the ass to keep up with? Oh yeah. The only effective way to keep systems and networks secure? Unfortunately.

    • One important link is NSA Infrastructure security page [slashdot.org] Sure they focus here mostly on Windows, but the litterature is good and many of the ideas are pertainent to other environments.
    • I'm in Guyana, South America so the cost of the conferences with airfares etc is way outside the budget.

      I agree that the literature is a good starting point - the reading room [sans.org] at SANS is a mighty fine
      resource.
      When I'm ready (read "can do no more without expert help") I'll look into courses/conferences.
    • Yea except the lit is giving info w/ a presumption of a base of knowledge, and is covering only a specific part of a subsection of security. W/O a broad-based understanding of the underlying priciples reading lit, while helpful, is not in-and-of-itself enough. It's good, mind you, but if you can find everything you need from books/man pgs/whatever then you have a bigger (or differently wired) brain than mine. That first 10% of knowledge is always the bitch.
      I'm SO HAPPY /. posted this question and will be eagerly reading posts from start-to-finish tonight.
    • >
      >"Computer (esp. network) security isn't really something that can be
      >learned in a class. It's more of an ongoing awareness of what the
      >threat of the week is. If history has shown us anything, it's that any
      >useful networked system has flaws and can be broken into. As such,
      >it's important to always keep on the forefront of what the enemy is up
      >to.
      >
      >"Irritatingly time-consuming? You bet. A pain in the ass to keep up
      >with? Oh yeah. The only effective way to keep systems and networks
      >secure? Unfortunately."
      >

      Are you out of your mind?! Keeping up with stuff is the
      best excuse I ever found to lurk on (counts mail filters) Bugtraq,
      Incidents-l, ISN, vuln-watch, nanog, SANS newsbytes, CERT, NTBugtraq,
      sec-focus, (and even... Slashdot, 'cos you'll hear about the new IE/
      IIS hole-du-jour faster here than anywhere ;)

      Seriously, I really enjoy following the changing scene, the constant
      arms war between the kiddies and the defenders. I just wish *I* could
      find someone to pay me to do it. As it is I'm off work this week and
      spending most of my time catching up with list backlog. And loving it.

  • Small budget security training (Score:3, Interesting)

    by totallygeek ( 263191 ) <sellis@totallygeek.com> on Monday July 08, 2002 @04:20PM (#3844492) Homepage
    This is interesting. Where I work they gave me a $7,500 security training budget for myself. I was faced with just the opposite problem -- where to go for decent training, and not just a "hang out" conference. I feel that I stay up to date via newsgroups, websites and tech journals.

    To answer your question, how about asking a nearby college or computer company? I hit up SCO once about security (many, many years ago), and was invited to one of their "internal" security classes for under $500.

    • Re:Small budget security training (Score:5, Interesting)

      by Telastyn ( 206146 ) on Monday July 08, 2002 @04:40PM (#3844661)
      I'd also recommend spending some of the cash on a programming course if you've not taken one. Generally something in C would be best as it's one of the most common (and low-level and broken) languages. Understanding the bugs that can lead to exploits can help alot in understanding exploits themselves.

      Intro Cisco courses are also a great help in the same vein as the first bit of the course goes over networking details if you're mainly a systems admin, and aren't up to snuff on the details of networking.
      • I'm not certain that understanding the programming behind exploits is all that useful. I mean yes, knowing how a buffer overflow works is interesting, but if apache has a buffer overflow and I'm a sysadmin for a webserver running it, do I really care how a buffer overflow works? No, I just need to get the patch.

        Unless you have the freetime to actively go scrounging through somebody's code that sort of knowledge probably isn't that useful to you. I have never, in my life, met a sysadmin who had freetime. Instead, I think the useful knowledge you need is closely related to the potential vectors of attack.

        For example, one common vector is a network based attack. Thus you should have a strong knowledge of how the network works in detail. Knowing how to construct a solid firewall, and knowing how to limit your attack profile are all important. Knowing cisco stuff, yes, is probably useful here.

        Another common vector is the inside job which, though less frequent is usually far more destructive. There you need to have a strong knowledge of what system you have, who uses them, etc. You need to actively manage what limits are put on the access of individual users, etc.

        None of this really needs a knowledge of C programming. You need to know best practices like keeping your patches up to date, setting up intrusion detection systems, and teaching people the habits of good security (don't EVER tell somebody your password, etc).
        • Well what I was more going at was understanding what *could* be bad and what couldn't. Alot of unknowing admins let alot of things go that are potentially very very bad (plaintext passwords, user installed software, etc) and imo knowing coding can help the admin know what can be done.

          As for inside jobs, it's actually 60% (give or take) of actual FBI cases...
    • If you have that kind of money you should look into some of the week long classes like Ernst and Young's eXtreme Hacking [ey.com]. Its a week long hands on class. Its a mix of lecture and lab excercises.
      I know people that have gone and they say its pretty good. The thing with DefCon/Blackhat and such people only talk about 0-day exploit of the day. The Ernst and Young class is more for corporate america and the complex IT enviornment that admins face.
    • I'm sorry but local universities are almost always a joke (at least from what I have seen in Phoenix). The faculty and staff are usually more behind than up to date. To get to the few that are security savvy is pretty much impossible. The average IT guy that sets up or maintains the lab focuses on security that basically hinders functionality on apps and doesn't secure what is important.

      I've actually dropped out of a local university (supposedly trying to be more up to date and technical) to attend a community college that offers more appropriate classes.

      I would suggest books (which can get very expensive for the good ones), online sites have tons of info for a couple good ones check these out.
      http://www.infosyssec.com/
      http://www.whitehats .com/

      If all else fails check out the community colleges, they seem to be more closely tied to the IT corporations. My CC is the SouthWest hub for Cisco, Novell, and MS. Coolest thing is that they dont stop there, they offer classes on such things as perl, *bsd, solaris, security, etc....

      Plenty of options.
    • Where I work they gave me a $7,500 security training budget for myself. I was faced with just the opposite problem -- where to go for decent training, and not just a "hang out" conference.

      Hey, go on a geek cruise! [geekcruises.com]. For $2000 you get a cabin for 2 and 7 days training!

      I thought this was an incredible boondoggle until I looked at how much you would pay for a hotel for a 5 day course.

  • Check out your local 2600 chapter (Score:2, Insightful)

    by Anonymous Coward
    I know, I know... these aren't the most professional organizations. However, you can often get a feel for what the current kiddies are up to. :)

    Or try your local Windows/NT and Unix/Linux user groups. Security is a frequent theme of these groups' meetings.

  • defcon - not just for the l33t (Score:3, Interesting)

    by maestro^ ( 13683 ) on Monday July 08, 2002 @04:21PM (#3844497) Homepage
    defcon [defcon.org] is becoming more 'mainstream' every year and is a good conference on the cheap. for $75 you get many tracks from newbie to uberhax0r. its also a good excuse to get out of the office and spend a weekend in vegas.

  • 2600 (Score:1, Informative)

    by nixchick ( 590774 )
    Why not attend a 2600 meeting? They take place all over ther world and are free for anyone to attend. Despite what you may think some intellegent life is often present at the meetings.

    They take place on the first Friday of every month and there is a list of them all here [2600.com].
  • Just subscribe to mailing lists like bugtraq [google.com] and the lists at securityfocus [securityfocus.com], that will give you everything you need.

    Or if you're really desperate, you could try #hack, #2600 and #trolls on IRC.
  • http://www.ecst.csuchico.edu/~dranch/LINUX/index-l inux.html#trinityos

    Will help you secure your network.
  • I'm in the same boat. I've taken responsibility for computer security at my little company, but there is no training budget at all. I was pleasantly surprised to find that DallasCon [dallascon.com] had a student price of 40 dollars for their security conference. I got a ton of good information there. Otherwise I rely on web sites like SecurityFocus.com [securityfocus.com] for information.
  • Using the free Nessus [nessus.org] tool can be very, very valuable towards securing your external IP-addressable presence if you don't have thousands of dollars to blow on security.

    Note this will only identify some potential holes in your firewall, and won't secure you against other vectors like email worms, malicious employees, nuclear weapons, hair gel, etc.
  • In my neck of the woods (Phoenix metro area), I often hear ads on the local NPR station for networking and security seminars at the local community college.

    These are typically touted as free or very inexpensive. Not being a security guy I can't really comment on how good they are, but it probably could'nt hurt to check one out.

    My guess would be many small community colleges offer something like this.

  • But try Google, search for 'White Hat tutorial', or 'Network Security'.

    Also, keep up to date on CERT [cert.org] warnings.

    Same as everything else though, the best tool is the machine you want to secure.. go play.

    -Gih
    The number you have dialed 9..1..1.. has been changed to an unlisted number, thank you ........

  • Find your local Infosec groups! (Score:4, Insightful)

    by Garin ( 26873 ) on Monday July 08, 2002 @04:23PM (#3844512)
    The key to learning more about security and making connections is to get involved with your local scene (or generate one, if necessary).

    Find your local ISSA chapter (issa.org),and in Canada there is the CIPS Security Interest Group (through cips.ca). Also, talk to your local VARs and express an interest in security products. Usually they'll invite you to free morning seminars pushing security products.

    The point of going to these meetings is to find peers. Once you know a few people, swap email addresses and war stories, that kind of thing, you'll get a base.

    I've used these groups to meet colleagues, put together CISSP study groups, discuss issues, and share job opportunities and the like. Once you get a critical mass of people, it becomes very useful and interesting. It's not the same as a conference, but it is far better than working in a vacuum.
  • who live and administer networks in the periphery, are there any net resources ?
  • http://www.securityfocus.com/
    • Securityfocus.com is excellent. I subscribe to all the mailing lists to keep up to date on what's happening. If you just want to learn about security, get some books. Follow the CISSP recommended reading. Honestly, security is a full time job. If you want to do the best you can without investing a lot of time, learn how to set up a firewall, keep up to date on vendor patches, and lock down any services exposed to the internet. Most vendors have guides on locking down services. Mix those things with common sense like good passwords, and you should be fine. IMO, most of these seminars are a waste of money. Most are just repeats of information that's already out there. It's not like there's super secret hacker information that only those that pay $ can learn how to protect against.

  • ISSA (Score:2, Insightful)

    by splume ( 560873 )
    Join your local ISSA [issa.org] group. Yes, they local chapters may vary, but on the whole I have found that is is worthwhile. In the Denver chapter we had some great speakers this past year. Plus, you get a couple of hours away from the office every lunch to network with others in your same position.

  • About SANS (Score:3, Informative)

    by lamj ( 153635 ) <jasonlam&flashmail,com> on Monday July 08, 2002 @04:25PM (#3844543)
    I work with SANS so I know more about SANS than other organizations.

    SANS offers courses online so you would save on travelling fees. And yes, I would agree on the fact that travelling is expensive. I am going to a SANS conference next month and the hotels + travel + food is going to cost $2000+ and it's coming out of my own pocket.

    Aside from that, SANS also have volunteer program that you can go for a conference for free (will be $500 in October) but they require you to do all the setup and monitoring for them (hard work, trust me). But you will still have to pay for your lodging and food.

    In the end, just like anything else, there's really no free lunch. But if you are determined enough to learn, you will pay out of your own pocket to go. (like me)

    • Also........

      For those of you that are considering the value of security conference, I can tell you from my first hand experience that it is worth every single pennies.

      I was at one point of time like many of the readers thinking that I could learn a lot on my own and become an expert on a specific area. But after I went to couple of the security conference and sit in the class taught by some world foremost info security persons, I notice that it's an immediate boost of knowledge for me. Things that would take me a year to learn and try, I learned and experienced it within the few days of the conference.

      For those who are going to SANS conference, don't skip the certification part. It really makes you learn a lot. (Highly biased) You would be required to write a paper on a specific area, it's not easy and it would mean practical experience for you (cause you have to do it first hand in order to write the paper).
    • I did a SANS conference, and if you're serious and don't know where to start it really is worth every damn cent you pay for it. It seems like a big dollar amount, but if you're not sure about InfoSec and you need to learn fast and well - this is the best way to do it. The boot camps they offer also let you deal with specific issues to your systems with direct feedback from the instructors.
    • I attended the SANS Network Security 2001 conference last fall in San Diego. I didn't initially even want to go, but was pressed into it by management.

      I was surprised at the quality of the presentations. I attended Track 5 taught by Jason Fossen, and learned quite a bit that I had not seen before, especially with regards to configuring IIS and PKI.

      I went on to complete the GCWN certification, which was also an interesting learning experience. It's one thing to talk about these various ideas, but it's quite another to try to formulate them into a cohesive paper and communicate it to others. I've used a lot of the knowledge from the class and the research I did for my practical to help secure our new desktop images for Windows XP, something that probably wouldn't have happened if I hadn't taken that initiative.

      Very worthwhile, and worth every penny. Although I can see where an individual would have a hard time coming up with the cash, as I believe the conference, travel, lodging and so forth resulted in about a $5k reimbursement check. I think if you were in consulting this would be a valuable skill to sell yourself with and make back that $5k pretty quickly.

    • Re:About SANS (Score:3, Informative)

      by _Sprocket_ ( 42527 )
      I would like to add a few supportive words for SANS.

      The courses tend to be top notch. But that is just part of SANS' value. SANS conferences also feature a series of night courses and informal Birds of a Feather (BOF) meetings (complete with snacks and refreshments). The BOFs cover a whole slew of subjects and if you wish to add to a subject (whether you are an expert or simply curious), you are welcome to sign up and form one and room / snacks are provided for you. These add incredible value to attending a SANS conference.

      SANS also does a lot of other interesting things. They have a top-notch certification program (which has generated some interesting documents available to the public). And they are offering more and more of their certification tracks via online training programs as well as starting a localized mentor program to work with the online component.
  • Well I work for a small company TIM Computer Systems Inc. [timcomputer.com] and we do offer security training for Unix/Linux systems every once in a while. Other then going to those big guys that Cost huge amount of dollars try smaller companies in your areas. Just open the Yellow Pages and call a bunch of computer companies up and ask them if they do computer security training. You may be suprised on the skills you can learn from these small companies.
  • why go to expensive seminars when you have such a great resource [slashdot.org] right here at your fingertips

  • Look into IPCop [ipcop.org] or come out to a local user group (LUG). Both have people with skills to and they want help out. At the same time, they and you will give back, by helping bring others up to speed with both knowledge and questions. So do a presentation, or start a security SIG.

    Yes, joining CERT notices or Bug Track will be your first information feed, but it is putting into action by talking to friends, testing firewalls, and helping others gets the information in use.

  • I've found some of the monthly 2600 meetings [2600.com] helpful. They're a good place to go to to meet new people (beats sitting in front of the computer all day), and who knows, you just might learn something useful (or useless).

  • Basics (Score:2)

    by Lando ( 9348 )
    I'm assuming you are using UNIX... I consider Windows insecure and don't use it myself...

    Start out by getting and reading a copy of "Practical UNIX & Internet Security" Oreilly Simson Garfinkel and Gene Spafford.

    After that read the documentation on your tools, apache, bind, sendmail, etc and watch www.securityfocus.com

    • Re:Basics (Score:4, Informative)

      by PotatoMan ( 130809 ) on Monday July 08, 2002 @04:59PM (#3844795)
      My self-education went like this:

      1) "Computer Networks" by Andrew S. Tannenbaum

      This will teach you what's really going on

      2) "Firewalls and Internet Security" by Cheswick and Bellovin.

      The BEST book on firewalls. Online version at
      http://www.wilyhacker.com

      3) "Hacking Exposed" by McClure, Scambray and Kurtz.

      Not as systematic as the others, but this one has the specifics that let you see what the other books were talking about.

      4) Run a GNU/Linux system and start watching logs, etc. I'm on a dial-up and get hit several times per week. Follow up and see if you can figure out what they're doing; hopefully they don't get in!

      5) Keep abreast with CERT, SANS, BUGTRAQ, etc.

      6) There is no Royal Road to NetSec; you'll just have to dig in and learn it the hard way.
      • I recommend Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses by Ed Skoudis as well. I think that besides subscribing to the mailing lists and attending conferences, someone interested in InfoSex should get a few good books on the subjects and start reading. Then, go on e-bay or dumpster dive or do whatever it takes to get your hands on a few old computers. Set up a honeynet on a dsl or cable connection in your basement and log everything. Try things out. Pore over the logs. Watch people attack you, see what they do. Maybe get some friends to try to break in to your honeynet. Learning about InfoSec is like learning about anything: read lots, talk to others interested in the same thing, and get your hands dirty.

        If you really want to get into how software can be compromised, start looking to learn about secure coding practices and learn how to audit code. If you want a job but have no formal training, being a recognized code auditor whose patches have been incorporated into open-source programs is a good way to get a positive reputation.

      • Wow. That www.wilyhacker.com link is *brilliant*. Clear, concise, fittingly illustrated PDFs. Thanks!
  • The cheapest method I've found is-

    Read your log files! You do have log files don't you? They contain the best and latest information on the most common attacks in use today. If you see something there, and you don't know what it is Google [google.com] it!

  • I'm surprised USENIX Security was not mentioned. After all, it's very affordable for the "little guys" if you are a student. And where else can you meet security researchers like Whitfield Diffie, one of the inventors of public key cryptography? Several of the papers from the symposium have already been mentioned on slashdot: The deadline for discounted registration is this Wednesday. See http://www.usenix.org/sec02/ [usenix.org] to register.

  • Low budget, but a lot of personal commitment (Score:5, Informative)

    by 2Bits ( 167227 ) on Monday July 08, 2002 @04:48PM (#3844727)
    I personally don't have the budget to attend any of these expensive conferences either. And my company, although with an annual revenue of $5B, would not pay for that, as I'm in the consulting division, and the manager does not believe that the cost would justify any benefits to the company (weird logic, I know, but I can't fire the manager, can I?).

    So, my low budget solution is the following:

    - Lurk around in the newsgroups like alt.computer.security, alt.hacker, alt.security.pgp, alt.sources.crypto, comp.lang.java.security, comp.os.linux.security, etc, just a bunch of security newsgroups.
    - Subscribe to security related mailing lists, like Bruce Schneier's Cryptogram.
    - Buy and read a lot of security related books
    - Download and play around with free and/or commercial (if available) softwares
    - visit frequently security related web sites, e.g. linuxsecurity.com,rootprompt.org (they do have some security related articles), ... and a bunch of security related commercial company to see what they are doing, sometimes they have white papers that are quite good.

    Sure, sometimes I wish I could attend some of the training sessions at the conference, that'd have saved me a lot of time.

    And this requires a lot of personal commitment, and a lot of time. But I've learned a lot, thanks to a lot of people who are willing to share their tricks of trade and their knowledge.

    Note that this also takes up a lot of my time at work, but the manager is not clued enough to know that, just like she does not know that a lot of people would spend time doing what she tries to disapprove at work (like spending time learning a new tools/prog.lang/etc). Cost-effective-wise and employee-satisfaction-wise, it is better to spend $5K to send an employee to a conference/seminar/training. Unfortunately, most managers and executives can't figure that out, although they would throw at you all these buzzwords like ROI, CBA (cost benefit analysis), and other craps.

  • DNSCon (Score:1)

    by XorA ( 147020 )
    http://www.dnscon.org runs in Blackpool England every year and is slowly expanding, entrance is very cheap about 20UKP. This is a great place to go to talk techy about security because most of the people attending and speaking actually work on the frontline.

  • Security is an illusion ... (Score:3, Interesting)

    by Proudrooster ( 580120 ) on Monday July 08, 2002 @04:53PM (#3844759) Homepage
    When it comes to security, I have found that training classes and seminars are "cool" and "fun" to watch, but have very little applicability to the configuration at my local site.

    I share the same opinion of others. The best way to stay on top of security is to subscribe to Bugtraq. Other subscription lists like CERT and vendor specific lists, are always lagging behind (sometimes as much as WEEKS) since they tend NOT to announce a security issue until the vendor has a fix/patch available. Bugtraq is pretty close to zero day disclosure and is not vendor specific, thus you have to wade through the subjects to see if anything applies to your site. Additionally, BUGTRAQ is moderated which cuts down on the quantity and noise, unlike other sources which can become excessive.

    To subscribe to the list, send a message to:
    bugtraq-subscribe@securityfocus.com

    This is my securty mantra, "security is an illusion".

    If you are connected to the Internet, you can be hacked. All humans make mistakes and all code is written by humans. The best you can do is manage your risk and increase your odds of not being a hackable target by staying informed and being proficient in application configuration.

    My advice is to spend your training money on the specific applications that are Internet facing e.g. (RedHat, Apache, Sendmail, DNS, POP3S, IMAPS, Oracle, MySQL, CISCO IOS), make sure you understand the security configuration and hit it hard in the class. Application Security Mis-configuration and weak passwords are probably the number one source of Internet compromises. Often times if you have your applications locked down and secure, the security exploit of the day may be a non issue.

    Good Luck!
  • The most up to date security list in the world and it's free.

    BugTraq [securityfocus.com]
  • For a mere $5 a head I will personally hold a seminar in a local auditorium explaining how to NOT open email attachments. Company sponsoring the event must pay all of my travel expenses (food, hotel, escorts, etc...)
  • There's always the smaller, less formal things put together by folks like securitygeeks [securitygeeks.com]. They often have big names speaking at them, and they usually discuss some pretty cool topics. I really need to get out to the DC area securitygeeks meetings myself one of these days. You may also want to look up your local 2600 meetings.
  • DNSCON (website is http://www.dnscon.org) is quite a good and affordable computer security conference held every august in Blackpool, UK.

    Entrance costs about £15 (around $30 dollars)

    It's run by a very knowlegeable guy called Jonathon Wignall.

    Its open to all (both security professionals and members of the public.)

    Sorry if this doesn't help you.

  • read some books? (Score:5, Interesting)

    by wobblie ( 191824 ) on Monday July 08, 2002 @05:04PM (#3844834)
    Well, first you must know tcp/ip very well. ORA's "Internet Core Protocols" is an excellent start and a very good book.

    The "hacking unix exposed" series of books are also very good.

    Forget windows. Get yourself a free unix and learn tcpdump and netfilter or ipfilter inside and out.

    Talking about learning security by going to conferences is kinda ridiculous, like expecting to learn archeology by going to archeology conferences.
  • Some security consulting firms host free 1-day seminars which combine some useful security information with blatant sales pitches for their security products. Just be cautioned that the speaker giving the talk may mix useful information with a few thinly-veiled attempts to scare you into buying their services. But pick their brains clean if you get a chance to ask questions, it's free.

  • Cheapest.. (Score:2, Informative)

    by nolife ( 233813 )
    This may have been mentioned already...

    Subscribe to mailing lists like Bugtraq [securityfocus.com] and NT Bugtraq [ntbugtraq.com] and any other OS or application specific products you are supporting. Not bleeding edge but not worth ignoring either.
  • At work we use a vulnerability notification service to keep up-to-date with the software we are using. It works really good and we don't have to spend our days searching and browsing bugtraq and securityfocus.

    We looked at several providers such as Securityfocus ARIS and Vigilinx, but we soon found out those cost very big bucks. :(

    But then we found a cheep alternative at www.securitywarnings.com [securitywarnings.com] and it was exactly what we was looking for.

    Cheers
    /Hubble

  • How About Books? (Score:4, Informative)

    by Squeamish Ossifrage ( 3451 ) on Monday July 08, 2002 @05:22PM (#3844959) Homepage Journal

    You asked about conferences, but it seems like what you're really looking for is education in general. Especially as a "newbie," conferences aren't going to be your best bet anyway: They tend to cover what's new and particular topics of interest, but can't and don't provide general background knowlege.

    You can get a lot of good books for the price of a conference admission, and that's probably a better way to get started, anyhow. Here are a few recommendations from my bookshelf:

    • Building Secure Software, Viega & McGraw, $55 at Amazon
    • Network Intrusion Detection, Northcutt, McLachlan & Novak, $32
    • UNIX System Administration Handbook, Nemeth et. al. $68
    • Secrets and Lies, Schneider $21
    • Hacking Exposed, McClure, Scambray & Kurtz $35
    1. setup a box with default installation of an older distro
    2. turn on extensive logging [snort.org]
    3. connect to the internet
    4. wait...
    5. when cracked, do forensic analysis [washington.edu]
    nothing can beat real life practice. it just needs time.
  • If you'll visit IBM's Security Solutions [ibm.com] webpage you'll find tons of information in the form of white papers, webcasts, links to other security websites, etc., etc. They also offer computer based training and other resources you may be able to take advantage of at little or no cost.
  • Registration for that was only $50. I hope to go to blackhat later too.
  • Why is it assumed that if you don't work for a big company, you must be a "newbie" or not know as much?

    That's bullshit, as I'm sure many people who consult or work for smaller companies can attest.

  • USENIX!!! (Score:3, Interesting)

    by Crispin Cowan ( 20238 ) <crispin@NospAm.crispincowan.com> on Monday July 08, 2002 @06:20PM (#3845259) Homepage
    USENIX Security Symposium [usenix.org]: not just more affordable than SANS, it's also better. SANS is baby-food for people with more time than money: nice, competent people RTFM to you out loud.

    In contrast, USENIX is actual security technology. Take the tutorials [usenix.org] for in-depth learning on important issues, and the technical sessions [usenix.org] for cutting-edge practical security research. We have a paper this year on the LSM (Linux Security Modules) [immunix.org] project.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. [wirex.com]
    Immunix: [immunix.org] Security Hardened Linux Distribution
    Available for purchase [wirex.com]

  • There is really only 1 way to achieve any decent security skills. You need 2 people, say 2 sysadmins, and you play white and black hats.

    One of you emulates the attacker, investigating the tools and mindset the intruder may take, and the other, investigate security tools to investigate better lock down policy's.

    You then swap notes, and then hats and start again.

    Computer and network security is a long and involved process, but perhaps one of the most interesting.

    It's also the most misunderstood field and sometimes, profession.
  • The best and free (as in beer with InfraGard) resources is to hookup with your local InfraGard chapter. It's sponsored by the FBI so you get good info, and being a member is free (as in beer) and you get really great security updates and e-mails delivered daily.

    For HTCIA (HighTech Crime Investigation Association), the atmosphere is similar as there is a lot of info-sharing between HTCIA and InfraGard. HTCIA does require annual dues and per-meeting dues (self-sponsored organization).

    You can visit InfraGard [infragard.net]'s main site to see where you and your local chapter are. Then find the next meeting time and follow any applicable directions to get there and show up! I'm a member of our local chapter, and we welcome anyone and everyone dealing with InfoSec, Technology, and general Security. InfraGard is a bit more popular due to the local law enforcement participation (at least in our chapter). Our local chapter is here [ncinfragard.org] for anyone in the North Carolina RTP area.
  • If you are in San Francisco there is the San Francisco OpenBSD Users Group. Security minded and so-on.

    If none exists, start one.
  • You can learn most of what you need to about computer security by just installing RedHat, leaving it default, and putting it up on your DSL account.

    Now, count the hours/days until you're compromised. Watch how they did it so easily, learn how to stop it next time. I couldn't think of a better way to start...
  • Linuxsecurity.com [linuxsecurity.com] has a mailing list you can subscribe to in order to get frequent updates on things. Another poster stated a few obvious things (which are always good advices) including: CERT, SANS, BUGTRAQ, linux networking, etc.

    A few bible-books in my library include:
    • "TCP/IP Illustrated Vol.1" by Richard Stevens published by Addison-Wesley
    • "Intrustion Detection: An Analysts Handbook" by Stephen Northcutt published by New Riders
    • "Unix System Administration" aka The Red Book by Nemeth, et. al. I believe the Purple Book is the 3rd edition (I am open to corrections)
    • 2600 The Hacker Quartlery. A quarerly zine that most slashdotters have read, subscribe to, (or in this new-age, have either never heard of it and/or will flame or mod this into oblivion)
    • the "Hacking Exposed" series by Stuart McClure, et. al.
    Grab any or all of these (ESPECIALLY the Stevens book above!!) and start reading.
    Install more than 1 linux box (and RedHat, SuSE, Debian [and anything else that's popular] DOES NOT count. Use Slackware so you can have some semblance of control and learn how things work).
    Don't install X; tough it out with the shell. <elitism>We all did.</elitism>
    Grab your hands on a Solaris machine, x86 will suffice but try to get a Sparc. That way you'll understand how to do things across multiple platforms.
    Setup a network and a routing firewall inside (ie: no masquerading). Then learn that and setup a masquerading firewall for all that to get to the Internet through your gateway.
    Oh, Get nmap! [insecure.org] And learn how to use it SAFELY and WISELY on your own stuff.
    Read Read Read Read Read! Drop your girlfriend. Sex is good but if you wanna learn it hard, she'll have to go. If she's a geeky girl, have her help you out. She can learn too.

    After that, let us know how you did. Take a security test somewhere. Online or Real World, it don't matter. It's fun shit! We love it. But it's hard work to learn it. Once you do, you'll never be the same again and you'll be very very l33t.
  • In a shameless plug, I'm hosting a BOF at O'Reilly's OSCon 2002 in San Deigo that's geared towards the systems administrator and one of the main topics I hope to cover is security. The conference is pricey, but not as much as others I've been to. If you're coming to O'Reilly, swing by on Tuesday night.

  • Software Developers, See HOWTO! (Score:3, Insightful)

    by dwheeler ( 321049 ) on Monday July 08, 2002 @09:59PM (#3846521) Homepage Journal
    If you're writing software for Linux/Unix systems, go see my book, the Secure Programming for Linux and Unix HOWTO available at http://www.dwheeler.com/secure-programs [dwheeler.com]. It's freely available and redistributable (GFDL license), and it's got lots of information on how to write secure programs. There's lots of information on the Internet on how to write secure programs, but this book gives a lot of information in one place. Enjoy!
  • I actually emailed SANS and asked if there were "scholarship" programs. Here is the text of my email and their response.

    Delivered-To: dcooley@panicdump.org
    Date: Wed, 5 Jun 2002 18:34:16 -0400
    From: Beth Corcoran
    To: dcooley@panicdump.org
    Subject: Re: Payment Options
    In-Reply-To:
    User-Agent: Internet Messaging Program (IMP) 3.0

    Quoting Don Cooley :

    > SANS folks,
    >
    > I don't know how exactly to ask this so I will just explain my situation.
    >
    > I currently work at a startup dot com.
    >
    > They have cancelled all training and let go of everyone in IT except me.
    >
    > I am the lone Windows/Solaris/BSD/Linux admin. (I am learning wireless/Cisco
    > also)
    >
    > I live in Denver. I would really LOVE to go to SANS this year.
    >
    > Do you have any scholarships for systems/security admins?
    >
    > I would also be willing to do data entry, technical reviews, (I have done one
    > for O'Reilly)
    > etc... "insert odd job" for the chance to go the SANS conference this year.
    >
    > Please let me know if there is any way I could *work off* the price of the
    > tuition.
    >
    > Thanks for your time.
    >
    > Don Cooley
    > Systems/Security Administrator
    > http://www.panicdump.org

    Hello! We do have a Volunteer program where you help the SANS staff "run" the
    conference. You are required certain things, time, labor, etc., that other
    attendees are not obligated to do. For more information, please visit
    http://www.sans.org/conference/volunteer.ph p . The dealine to apply for SANS
    Rocky Mountain is July 1. Please let me know if I can be of further
    assistance.

    Sincerely,
    Beth Corcoran
    Tuition Office Manager
    The SANS Institute
    tel: (540)548-0977
    fax: (540)548-0957
    beth@sans.org
    www.sans.org

    Just look for a SANS coming to a city near you and be a slave for a week.

    Hope that helps

  • I have been involved in running Science Fiction conferences (we call them "cons" for short) for about 20 years now. We have attendancess between a few dozen, and a few thousand, with some going over the 5 thousand membership mark. We get some of the best people in our community to be guests of honour( GoH), and then stock panels with people both attending and from the local area. How much do we charge? Well, the going rate is around $40 for a weekend pass. That usually includes a program book, access to the hospitality suite (with either free or cheap food/drink). You can usually find crash space one someone's floor for $10 a night. And there are usually lots of open parties.

    SF Fans don't have any "sugar daddies" to pay for their memberships, as is expected by the various Computer Conferences, and thus cannot charge large fees. And we are about community, not making money.

    About the only event that has crossed the SF con with the Computer con is Andrew Hutton and his Ottawa Linux Symposium. But then again, he has attended a number of SF cons, including a few I helped run (Can-CON). More people need to learn how to run SF style cons, and run Open Source gatherings on the same format. SF fandom has a model that works, and all it takes is a few people in some of the larger population bases to put together SF style cons to get this going. And seek out your local SF con, and volenteer...it's the best way to learn how to run these things!

    ttyl
    Farrell J. McGovern
    Staff for:
    Maplecon, Pinekone, I-Con, Ad Astra, Concept, and Can-CON.

Slashdot Top Deals

Without life, Biology itself would be impossible.

Close