Advanced Security WWW10 Workshop

Contact

Abstract

Each day, attrition.org reports the 50-100 web sites reported to have been defaced in the previous 24 hours. On a nearly weekly basis, the news media carries stories of high-profile organizations sites being compromised and personal or financial information being sold to the highest bidder.

Webmasters and system administrators of high profile web sites must secure systems that are particularly susceptible to attack but many smaller sites have also experienced defacement as the attackers leave messages about poor security practices and lax site administration.

Threats to Web-based services are constantly changing, and the tools and advice for addressing that threat are renewed frequently. Webmasters need to know the current best practices in the security areas and they need to be an integrated part of a site's security team. This workshop is designed to show proactive steps Webmasters can take to improve the total security environment of their site.

Focus

The workshop will cover a range of advanced security issues arising from the use of the Web to collect and store sensitive information having personal, financial or privacy implications. Subject to the position papers received, the workshop will focus on:

• Protecting from home page defacement - From 10 to 20 systems are publicized each day for having their home Web page defaced for political purposes or just for the fun of it. What are the best practices for minimizing impact of Web page defacements?
• Encryption and Privacy Issues - Providing more services and more specific services to users often means collecting and retaining more information about who they are and what they do or like. Encrypting the information can make it safer from prying eyes, but what are the technical and political limitations we should be aware of?
• Know the enemy - Web logs not only tell you what your popular pages are, they also tell you who is probing your server for security holes. What are current best practices for tools and techniques to know what holes are being tested and where the possible attacks are coming from?
• Security Incident response - Once an intrusion is discovered, it is important to work with your security team (or to create a security team if you don't have one yet). What are the considerations for putting the appropriate procedures in place to handle a security incident when it occurs?
• Intranet Authentication/Authorization - setting up servers and areas that serve the needs of particular projects but that are not open to the general Internet or corporate population.

Specific Goals and Expected Outcomes

Threats to Web-based services are constantly changing, and the tools and advice for addressing that threat are renewed frequently. Webmasters need to know the current best practices in the security areas above and the topical areas may be adjusted in the light of topical interest due to attacks or incidents near the time of the conference, and they need to be an integrated part of a site's security team. This workshop is designed to show proactive sets Webmasters can take to improve the total security environment of their site.

Call for Position Papers

Anyone wishing to attend the workshop is asked to submit a position paper. We will use these papers to ensure that the workshop is meets attendee needs, and to ensure that attendees have an appropriate level of understanding of security issues.

Position papers, should briefly include all of the following:

1. Describe your experience with web and or computer security.
2. Using the interest areas described below, prioritize the main interest areas and add any that I've missed. Use a scale of 1 - 5, where 1 is "critically important" and 5 is "unimportant."

Position Papers Accepted

• Wen Fang

Workshop Format

09:00 Assemble. Greetings, introductions and day's overview from Bob Cowles - 10-15 mins
09:15 Protecting from Home Page Defacement
10:30 Morning Coffee
11:00 Intranet Authentication/Authorization
12:30 Lunch
13.30 Encryption and Privacy Issues
14:30 Know the Enemy - Web Logs 
15:30 Coffee break
16:00 Security Incident Response  
17:30 Summary, wind up and open discussion

Web Security Links

• The WWW Security FAQ
  http://www.w3.org/Security/faq/www-security-faq.html

• Microsoft -- Web Site Security
  http://www.microsoft.com/technet/security/web.asp

• About Web Security (and some Privacy info) -- 2 pages
  http://www.html.about.com/compute/html/cs/websecurity1/

• Security page of Juan Carlos Garcia Cuartango
  http://pages.whowhere.com/computers/cuartangojc/

• Web Surfing - Security software (Linux) (11 pages)
  http://www.davecentral.com/websecure.html

• Web Authoring - Access control software (Linux) (3 pages)
  http://www.davecentral.com/webacc.html

• CERT Coordination Center - Web Security
  http://www.cert.org/other_sources/websec.html

• Computer Privacy: What Do Your Surfing Habits Reveal About You?
  http://www.sans.org/infosecFAQ/legal/privacy.htm

Last update Bob Cowles, March 04, 2001