C.R. McGuffin Consulting Services
Seminar Descriptions

On this page, you can find descriptions for each of the seminars given by our Principal, Craig McGuffin. For a schedule of upcoming seminars, follow this link. Please click on any of the following titles to see a description of the seminar:

(1-day and 2-day versions)

Use of the UNIX Operating System is growing rapidly, with variants used on millions of computers throughout the world. Part of the reason for its increasing popularity is the number of different processors which can run UNIX. Add to this the flexibility of communications between UNIX platforms, as well as with other operating systems, and you have an ideal environment to support current and future business computing requirements. But can UNIX be secured? Are there greater risks with UNIX? Does it have all the required security mechanisms to protect our important business systems and data? How do we audit a UNIX system to see if adequate security is in place?

What the seminar covers: During this session, you will learn the answers to important questions about UNIX security, and receive practical advice on how to audit a UNIX system. The seminar starts with an introduction to key UNIX concepts and facilities, such as the structure of the file system and commonly used shell commands. Next, we examine UNIX security facilities such as those for user identification and authentication, access control, and system monitoring. Common security problems and exposures are highlighted, along with UNIX-based tools and techniques which can be used to find them. You will also receive useful programs and reference material that help in performing UNIX security audits.

Auditing Client/Server Systems (1-day and 2-day versions)

"Client/server systems" -- it's no longer just a term used to try and make an application sound new and unique. Bringing together today's powerful mini- and micro-computers with existing mainframe processing power, and the high-capacity networks that connect them, client/server systems are being used as the basis for more and more key business applications. Just because microcomputers and LANs may be involved doesn't mean that client/server systems are easy to figure out. Nor is there a single model for client/server processing. Client/server applications are among the most complex and can feature many different combinations of hardware platforms, operating systems, distributed database components, cooperating application processes, and network protocols. It's critical that we be fully competent to evaluate client/server applications, especially during their development. But where we once had to deal with only one hardware platform and one or two key layers of security software, we now face the intricacies of these advanced processing environments. The key to a proper evaluation is understanding how the systems work, how they are controlled, and how they can be reviewed.

What the seminar covers: During this session, you will learn practical approaches and techniques for reviewing and evaluating client/server systems. Starting with an overview of how client/server systems function, you will see representative examples of client/server processing. We will then consider the security and audit complexities of the client/server environment, as well as examining the typical control exposures which can arise. An approach to auditing a client/server system will be reviewed, covering the control and security of all key processing components, as well as other important audit issues and concerns. Throughout the course, important concepts will be reinforced through demonstrations of client/server processing using the UNIX operating system and a TCP/IP network (which are used with many client/server applications).

Understanding, Building and Securing Client/Server Networks (2-day and 3-day versions)

What the seminar covers: During this seminar, you'll learn how to review and audit the security of client/server networks, based on a solid understanding of how they work. This hands-on workshop allows you to:

The lab features your Windows 95 PC connected to an Ethernet network. On the network, you'll have the chance to communicate with other participants, as well as connect to and use NetWare, Windows NT Server, and UNIX / Oracle servers. This will give you experience with components from some of the most popular client/server environments. In order to participate fully in the seminar, you'll need to bring a Windows 95 computer with a supported Ethernet card. All other components required to build the network will be provided.

Practical Applications of Encryption (3-hour, 1-day, and 2-day versions)

Perhaps you think of encryption as some elaborate technique that really has no practical application outside of the military. However, at the same time you are hearing and reading about the risks posed to your business data due to threats like network computing, personal computers and laptops, and electronic mail. Can you really protect this information against unauthorized disclosure or modification? Encryption may be the answer.

What the seminar covers: This seminar provides you with an understanding of what encryption is and how you can use it to protect your important data. During this session you will learn how to use practical, effective tools and techniques for encrypting data and electronic mail. First you will develop a solid understanding of private and public key techniques. We will also consider how the different types of keys function and how they are managed. You will then examine a number of actual encryption applications, including demonstrations of encryption packages. Throughout the seminar you are exposed to live demonstrations of the different products, to help enhance your understanding of their operation and application to your security needs.

Understanding and Using Virtual Private Networks (1-day)

Virtual Private Networks (VPNs) use modern encryption techniques to protect data communications. They allow secure networking from remote sites (such as branch locations) to corporate offices using the Internet. This avoids the cost of establishing dedicated network facilities; instead, the remote site can easily obtain inexpensive access through their local Internet Service Provider (ISP). The VPN will then allow secure communications, even though data is passing over a public, insecure network. The concept behind a VPN also extends to remote access by staff from their home, or while travelling. By using encryption over remote access links, the remote user can work almost exactly like they do in their corporate offices, while the confidentiality and integrity of sensitive data is protected.

What the seminar covers: This seminar will help you understand how Virtual Private Networks facilitate secure data connections over public networks such as the Internet. We'll review the main elements of data encryption, and see how these techniques are employed to protect your sensitive information while it traverses the network. You'll also discover some of the obstacles that a company can encounter when trying to use VPN technology, and get the background on security weaknesses that have already been identified and reported. In addition, you'll see how using a Public Key Infrastructure (PKI) can assist in VPN deployment. The seminar will include a live demonstration of VPN techniques, to help solidify your understanding of the important issues.

A Survey of Network Operating Systems Security (2-day)

The typical business of today uses many different types of computer operating systems. Especially where client/server applications are involved, it's common to see a combination of UNIX, Windows NT Server, and Novell NetWare computers supporting workstation users and their critical business applications. The result is that today's information system auditor must be prepared to deal with the security and control issues associated with these major operating environments. A solid foundation in each will help you identify important vulnerabilities, and select which areas need more in-depth analysis.

What the seminar covers: During this two-day session, you will obtain an overview of the key security features within UNIX, Windows NT Server (version 4.0), and Novell NetWare (versions 3.x and 4.x). You'll learn the answers to important questions about their security, and receive practical advice on how to audit each system. For each operating system, we'll examine the security facilities for user identification and authentication, access control, and system monitoring. Common security problems and exposures are highlighted, along with automated tools and techniques which can be used to find them. You will also receive useful pointers and reference material that will help you to perform security audits within these environments. Throughout the seminar you will see live demonstrations of each of the operating systems, to help enhance your understanding.

Securing the Desktop (1-day and 2-day versions)

As auditors and information security professionals, we are well aware of the need to protect business systems against unauthorized access. However, most of our efforts are focused on securing the mainframe and important minicomputers and servers within our organizations. In many cases, this means ignoring end-user workstations, since we think of them only as personal computers. Are we overlooking the protection of critical business information?

What the seminar covers: This seminar provides you with an overview of the security risks and controls surrounding today's powerful end-user workstations. Starting with a review of the available controls for Windows 3.x, Windows for Workgroups 3.x, and Windows 95, you will then see the extended security and controls inherent to Windows NT Workstation. You will then learn to what extent workstations can realistically be secured through their integration with key features available from today's file server operating systems.

Network Penetration and Monitoring (3-hour, 1-day, and 2-day versions)

We often hear about the security exposures associated with use of networks -- snooping and stealing passwords, capturing data, masquerading as another user or workstation. Is it really that easy to penetrate network security? Just how easy is it to connect to a network, by-pass security mechanisms, or view and modify business data? This session will include explanations and live demonstrations of the penetration tools and techniques available to take advantage of security exposures found within networks such as those based on Novell NetWare, and UNIX-based client/server architectures. An Ethernet network with TCP/IP, IPX/SPX and NetBEUI communication protocols will be used in the demonstration. Areas covered will include network entry; physical access to cable; password grabbers and trojan horses; Ethernet packet capture and analysis; remote workstation operations; and other areas. The focus of the session will be on the accessibility and ease of use of the software tools and penetration techniques. The session will include a discussion of the control procedures and techniques currently available to address these security problems.

TCP/IP Security and Control (3-hour and 1-day versions)

TCP/IP is an extremely popular network protocol used to link computers and transfer data. This protocol is at the heart of many client/server systems, as well as being the language of the Internet. While using TCP/IP brings tremendous opportunities for sharing and obtaining information, it also introduces a whole new series of security exposures, ones which are beyond those of traditional computer systems and networks. Can you protect your mission-critical business systems if you are using TCP/IP-based networks?

What the seminar covers: During this session, you will learn about the fundamentals of Transmission Control Protocol / Internet Protocol, including details on the physical network media, lower-level protocols, and devices. We will then discover how TCP/IP enables the exchange of information between client and server processes. We'll also cover the common TCP/IP-based applications you'll find in your networks, including the function of each, and their security and audit implications. Finally, we'll consider the mechanisms and procedures that can be used to address the security and audit exposures identified. This includes host- and network-based facilities, as well as an introduction to the use of encryption to protect TCP/IP network confidentiality and integrity.

Electronic Mail: Meeting the Security Challenges (90 min)

The use of electronic mail (e-mail) is growing daily by leaps and bounds, taking full advantage of the steady advances in computer and network connectivity. With the help of gateways and efforts at standardization, e-mail systems have gone from simple systems linking a few users on a single computer, to vast international networks connecting correspondents on literally millions of different hosts. As security professionals, we routinely deal with controls over access to computerized facilities and data. But what about e-mail? Do we know who can access our mailboxes? What about mail in transit? Can we even know which systems our mail passes through? Can anyone else view it? Can they change it? Can they forge our identity?

What the seminar covers: During this session, you will discover the security issues arising from the use of e-mail in today's business environment. We will first consider the application of existing corporate security policies, procedures, and guidelines to e-mail systems and messages. Using examples drawn from real-world e-mail systems, we will then apply security and audit principles to review e-mail systems, and see the major areas of exposure to loss of confidentiality and integrity. You will also receive suggestions on effective ways to deal with the security exposures uncovered.

Digital Communications: Their Issues and Impacts (90 min)

Digital, analog, Ethernet, Token Ring, ISDN, ATM, microwave, cellular, PCS, fiber optic, broadband, Frame Relay, circuits, packets, PBXs ... you've heard the seemingly endless list of buzz words, catch phrases, and acronyms from the world of voice and data networks. What does it all mean? More importantly, how significant is the world of digital communications to our work as audit and control professionals?

What the seminar covers: During this session we'll try to clear away some of the confusion surrounding digital communications. You will develop a better understanding of voice and data networks, and their significance to your enterprise. You'll learn more about how communications work, including digital and analog techniques. You will also be introduced to the common network technologies used today, and in the near future. An important area of focus will be the relevant business, security, and audit implications of using digital communications as part of our information systems.

Craig R. McGuffin, C.A.
Principal, C.R. McGuffin Consulting Services

Craig McGuffin has over 20 years of experience in the field of computer and network security. He holds a Chartered Accountant designation, and has a background in computer science obtained through his Bachelor of Mathematics (Honours) from the University of Waterloo. He has worked as an Information Systems auditor, security consultant, and security manager, obtaining experience in all major computing and data communications environments.

Craig is the Principal of C.R. McGuffin Consulting Services, a Toronto-based firm which helps its clients manage and control today's computer technology. The firm provides assistance in the areas of internal controls and security, as well as information resource management, system development and implementation, and special investigations into complex information system problems and issues. Craig is the co-author of two books on computer technology, as well as an award-winning and popular speaker on the use of computer technology, controls and security at universities, training seminars and conferences, on six continents.
Send mail to administrator@crmcg.com with questions or comments about this web site.