Monday, March 9, 2009

SANS Orlando 2009

I just got back from the SANS event in Orlando, and it was another great conference they put on. My brain still hurts from the firehose of information I received, which I will spend the next few weeks reading and re-reading in order to drive the concepts home. Where I am currently employed, we already have an established Project Management Office and a Change Control/Request process in place. That being said, there are still many areas that can be improved, and my hope is to take what I learned in class and use it to improve some of the processes we currently have in place.

Aside from the project management course, for which Jeff Frisk did a stellar job of providing examples in class and making the material enjoyable to read (it very easily could have been uber dry and tough to get through), the evening sessions were great! Two of the sessions, "The Enemy Within - Detecting Suspicious Network Traffic via Security Visualization Techniques" and "Wireless Intrusion Detection Tactics - Hands-On Workshop", were a lot of fun. This was more up my alley, since it was hands-on technical material instead of sitting through a lecture.

The "Enemy Within - Detecting Suspicious Network Traffic via Security Visualization Techniques" evening session consisted of performing labs with DAVIX. Andy Patrick was the presenter, and he provided an overview of various tools used for visualization (Afterglow, Graphviz, GnuPlot, Inetvis, Ntop, Parvis, RadialNet, Rumint, etc.) before we dug into the labs. I found this session very interesting, since these tools allow a security administrator to 'see' port scans and other malicious network activity in a different light. Although this will not eliminate the need to analyze packet captures, it can greatly assist an admin in identifying what in the network needs a closer look.

Applied Security Visualization by Raffael Marty
Security Data Visualization by Greg Conti
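As an added illustration of the link-graph idea behind tools like Afterglow (this is not code from DAVIX, Afterglow or the workshop; the flow record format, the sample flows and the scan threshold are assumptions chosen for the example), here is a short Python script that turns flow records into a source -> destination -> port graph in Graphviz DOT and colors the host whose fan-out looks like a port scan:

```python
"""Build an Afterglow-style link graph (source -> destination -> port) from
flow records and flag hosts whose fan-out looks like a port scan.

Added example for this post; it is not code from DAVIX or Afterglow. The
record format, the sample data and the scan threshold are assumptions.
"""
from collections import defaultdict

# Constructed flow records: (source IP, destination IP, destination port).
# Not captured from a real network.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.168.1.10", 80),
    ("10.0.0.5", "192.168.1.10", 443),
    ("10.0.0.7", "192.168.1.10", 22),
    # one host touching 25 consecutive ports on a single target
    *[("172.16.9.9", "192.168.1.10", p) for p in range(20, 45)],
    ("172.16.9.9", "192.168.1.11", 22),
]


def port_fanout(flows):
    """For each source, the largest number of distinct ports it touched
    on any single destination host."""
    per_target = defaultdict(lambda: defaultdict(set))
    for src, dst, port in flows:
        per_target[src][dst].add(port)
    return {
        src: max(len(ports) for ports in targets.values())
        for src, targets in per_target.items()
    }


def find_scanners(flows, threshold=10):
    """Sources whose per-host port fan-out reaches `threshold`.
    The threshold is an assumed heuristic, not a default of any tool."""
    return sorted(
        src for src, fanout in port_fanout(flows).items() if fanout >= threshold
    )


def to_dot(flows, scanners=()):
    """Render the three-column link graph as Graphviz DOT.
    Scanner nodes are filled red so they stand out when the graph is drawn."""
    lines = ["digraph flows {", "  rankdir=LR;"]
    for src in scanners:
        lines.append(f'  "{src}" [color=red, style=filled, fillcolor=pink];')
    edges = set()
    for src, dst, port in flows:
        edges.add(f'  "{src}" -> "{dst}";')
        # one port node per destination, so a scanned host fans out visibly
        edges.add(f'  "{dst}" -> "{dst}:{port}";')
    lines.extend(sorted(edges))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the output into `dot -Tpng -o flows.png` to draw it.
    print(to_dot(SAMPLE_FLOWS, find_scanners(SAMPLE_FLOWS)))
```

The point of the graph is that the scanner is obvious before any packet is read: one source node fans out to a wall of port nodes while normal hosts hang off one or two. The count-based check in `find_scanners` is the same observation turned into a rule, and tuning its threshold is exactly the kind of decision the visual makes easier.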

The "Wireless Intrusion Detection Tactics - Hands-On Workshop" was pretty cool, and attendees left with a new Linksys WRT54GL AP flashed with OpenWRT, ready for use at home or work as a Wireless Intrusion Detection System (WIDS). In brief, we flashed the WRT54GL with OpenWRT in class and configured it to act as a WIDS running Kismet. The purpose of a WIDS is to detect attacks against the wireless network (NetStumbler-style active scanning or WEP cracking in progress) as well as attacks against wireless clients (KARMA or client driver attacks). Paul mentioned that he also uses his at work to help identify client connectivity problems.
Much of what was covered in the class is also covered in the book listed below. For anyone interested in this topic, check out the resources below, or drop a note on our blog and we'll get back to you!

Linksys WRT54G Ultimate Hacking by Paul Asadoorian and Larry Pesce
Their Site:
OpenWRT Website:
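To make concrete what a WIDS is actually looking for, here is an added Python example (not Kismet code, and not a reproduction of Kismet's alert logic; the frame record format, the sample frames and the thresholds are assumptions) that runs two of the heuristics mentioned above over constructed 802.11 management-frame records: a KARMA-style rogue AP, which answers probe requests for any SSID a client asks about, and a client blasting broadcast probe requests the way active scanners do:

```python
"""Two wireless-IDS heuristics over constructed 802.11 management frames:
  * KARMA-style rogue AP: one BSSID sending probe responses for many
    unrelated SSIDs (a real AP only answers for the networks it serves).
  * Active scanner: one client sending a burst of broadcast probe requests.

Added example for this post; it is not Kismet code and does not reproduce
Kismet's alert logic. Record format and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed frame records: (frame subtype, transmitter MAC, SSID).
# Not captured from the air. For probe requests the SSID is what the client
# asked for ("" = broadcast/any); for probe responses it is what the AP claims.
SAMPLE_FRAMES = [
    ("probe_req", "aa:aa:aa:00:00:01", "CorpWiFi"),
    ("probe_resp", "02:00:00:c0:ff:ee", "CorpWiFi"),
    ("probe_req", "aa:aa:aa:00:00:02", "HomeNet"),
    ("probe_resp", "02:00:00:c0:ff:ee", "HomeNet"),
    ("probe_req", "aa:aa:aa:00:00:03", "attwifi"),
    ("probe_resp", "02:00:00:c0:ff:ee", "attwifi"),
    ("probe_req", "aa:aa:aa:00:00:04", "linksys"),
    ("probe_resp", "02:00:00:c0:ff:ee", "linksys"),
    ("probe_resp", "00:11:22:33:44:55", "CorpWiFi"),  # legitimate AP, one SSID
    # one client firing 40 broadcast probe requests in a row
    *[("probe_req", "de:ad:be:ef:00:01", "") for _ in range(40)],
]


def ssids_claimed_per_bssid(frames):
    """Map each responding BSSID to the set of SSIDs it has answered for."""
    claimed = defaultdict(set)
    for subtype, mac, ssid in frames:
        if subtype == "probe_resp":
            claimed[mac].add(ssid)
    return claimed


def find_karma_aps(frames, max_ssids=3):
    """BSSIDs that answered probes for more than `max_ssids` distinct SSIDs.
    Answering to whatever a client asks for is the KARMA behaviour.
    The cut-off is an assumed heuristic."""
    return sorted(
        mac for mac, ssids in ssids_claimed_per_bssid(frames).items()
        if len(ssids) > max_ssids
    )


def find_active_scanners(frames, min_broadcast_probes=20):
    """Clients that sent at least `min_broadcast_probes` broadcast probe
    requests. Every client sends some, so the count (and in practice the
    rate) is what separates a scanner from normal roaming behaviour."""
    counts = defaultdict(int)
    for subtype, mac, ssid in frames:
        if subtype == "probe_req" and ssid == "":
            counts[mac] += 1
    return sorted(mac for mac, n in counts.items() if n >= min_broadcast_probes)


if __name__ == "__main__":
    print("KARMA-style APs:", find_karma_aps(SAMPLE_FRAMES))
    print("active scanners:", find_active_scanners(SAMPLE_FRAMES))
```

Both checks are deliberately simple count-based rules. The caveat a practitioner should keep in mind is that broadcast probe requests and multi-SSID APs both occur legitimately (roaming clients, virtual APs), so a deployed WIDS ties these counts to a time window and whitelists known BSSIDs rather than alerting on raw totals.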

Overall, this conference was a great time. Due to the way some of the presentations were arranged, I didn't get to attend many of the other talks that were taking place, since there was a lot of overlap in the evenings. I may volunteer for a conference later this year, but I will have to see what's going on in life, before I apply for something like that again.

As always, let us know if you have any comments or questions regarding the post.
