CERT Cybersecurity
Training & Education
Our security training helps you use
your knowledge, skills, and experience
to successfully and effectively resist,
recognize, and recover from attacks on
networked systems.
The CERT approach to security training builds your knowledge, skills,
and experience in a continuous cycle of professional development.
Each phase focuses on building a specific area of development that is
leveraged and supplemented by the next phase of development.
Knowledge building
provides you with the fundamental concepts related to a particular
topic area.
Skill building
develops your hands-on technical skills based on the foundational
knowledge you learned in the Knowledge Building phase.
Experience building
develops your ability to adapt and successfully apply your security skills
in changing and unfamiliar real-world environments.
Evaluation
uses performance metrics to assess your learning and identify areas of
improvement for continued professional development.
For more information about the CERT approach to security training, see cert.org/cyber-workforce-development.
Contents
The CERT Approach to Cybersecurity Training ... iii
Our Cybersecurity Certificates and Courses ... iv
Our Cybersecurity Certificates
CERT Certificate in Digital Forensics ... 2
Insider Threat Program Manager (ITPM) Certificate ... 2
Insider Threat Vulnerability Assessment (ITVA) Certificate ... 3
Insider Threat Program Evaluator (ITPE) Certificate ... 3
SEI Certificate in Incident Response Process ... 4
SEI Certificate in Information Security ... 4
CISO-Executive Certificate ... 5
Secure Coding Professional Certificate: C and C++ ... 6
Secure Coding Professional Certificate: Java ... 6
Our Cybersecurity Courses
Incident Handling Courses ... 7
Overview of Creating and Managing CSIRTs ... 8
Creating a Computer Security Incident Response Team ... 9
Managing Computer Security Incident Response Teams ... 10
Fundamentals of Incident Handling ... 11
Advanced Incident Handling ... 12
Malware Analysis Apprenticeship ... 13
Advanced Forensic Response & Analysis ... 14
Network & Software Security Courses ... 15
Information Security for Technical Staff ... 16
Applied Cybersecurity, Incident Response, and Forensics ... 17
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth ... 18
DevOps Process and Implementation ... 19
DevOps in Practice Workshop ... 20
Secure Coding in C and C++ ... 21
Secure Coding in Java ... 22
Software Assurance Methods in Support of Cyber Security ... 23
Security Requirements Engineering Using the SQUARE Method ... 24
Risk Assessment & Insider Threat Courses ... 25
Introduction to the CERT Resilience Management Model ... 26
CERT Resilience Management Model Appraisal Boot Camp ... 27
CERT Resilience Management Model (CERT-RMM) Users Group Workshop Series ... 28
Assessing Information Security Risk Using the OCTAVE Approach ... 29
Measuring What Matters: Security Metrics Workshop ... 30
Insider Threat Awareness Training ... 31
Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats ... 32
Building an Insider Threat Program ... 33
Insider Threat Program Manager: Implementation and Operation ... 34
Insider Threat Vulnerability Assessor Training ... 35
SGMM Navigator Training ... 36
CERT STEPfwd Platform ... 37
The CERT Approach to Cybersecurity Training
Technology has become such an integral part of our lives and business operations that it is important to have a skilled workforce to protect networked systems. You are faced with the ongoing challenge of ensuring that you have the most current knowledge, skills, and experiences to protect your organization from cyberattacks. However, this challenge is particularly difficult because industry trends, practices, and technologies are constantly changing.
Attackers continually find new ways to circumvent security controls and infiltrate systems. Likewise, security practices and technologies evolve to keep pace with this changing landscape. To protect your organization, you must adapt to the changes in the ecosystem, whether they are problems posed by attackers or solutions supplied by researchers and developers. To apply the latest security practices and technologies successfully, you need to have the right knowledge, skills, and experience.
How can we help?
We developed training and certificate programs that help you learn how to tackle these cybersecurity challenges. The right training can help you by providing
• knowledge, skill development, and experience most relevant to your responsibilities
• a high level of cybersecurity proficiency
• a focus on high-priority, high-payoff elements of cybersecurity
• efficient and effective approaches you can apply in your organization
• affordable, high-quality training solutions
• scalable training solutions that can reach all relevant staff in your organization
We have also responded to your need for flexible training options by developing remote training capabilities. Our STEP (Simulation, Training, and Exercise Platform) environment provides “anytime, anywhere” access to materials that include demonstrations, hands-on training labs, and an exercise environment that allows you to improve your skills through realistic and flexible training scenarios.
Who we are
For nearly 30 years, the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University has been a leader in cybersecurity. Originally focused on incident response, we have expanded into cybersecurity areas such as network situational awareness, malicious code analysis, secure coding, resilience management, insider threats, digital investigations and intelligence, workforce development, DevOps, forensics, software assurance, vulnerability discovery and analysis, and risk management.
Our Cybersecurity Certificates and Courses
Take our courses individually or earn a certificate by combining courses.
Certificates
Formally acknowledge your professional accomplishments by earning one of our professional certificates in fields such as insider threat, digital forensics, and security management. You can benefit from the skills you acquire and the recognition the certificate provides in your continuing education and professional development. See our complete list of certificate programs on pages 1–5.
Courses
We offer courses in multiple cybersecurity topics grouped into three categories:
1. Incident Handling
2. Network & Software Security
3. Risk Assessment & Insider Threat
See our complete list of courses and descriptions starting on page 7.
Flexible delivery options
P
Public courses
We offer public training courses, delivered in the Pittsburgh, PA and Arlington, VA SEI offices. Review the current schedule of public courses at cert.org/training.
Pricing: Per student
O
Onsite courses
We offer courses delivered onsite at your facility.
Pricing: Flat fee
L
Live, virtual courses
We deliver courses via synchronous distance learning from the CERT Distributed Learning Center (CDLC). The CDLC is equipped with the latest videoconferencing technology to allow you to attend a course from a remote location as though you were there with the other students in a virtual classroom.
Pricing: Flat fee
S
STEPfwd
Using the STEPfwd platform, we provide components of traditional classroom training, including lectures, slide presentations, hands-on labs, team cyber exercises, and quizzes from the convenience of a web browser.
Our Cybersecurity Certificates
Join the many cybersecurity professionals
who have benefited not only from the skills
they acquire, but also from the recognition of
their continuing education and professional
development.
CERT Certificate in Digital Forensics
sei.cmu.edu/training/v34.cfm
Knowledgeable first responders apply good forensic practices to routine administrative procedures and alert verification, and know how routine actions can adversely affect the forensic value of data. This awareness greatly enhances system and network administrators’ effectiveness when responding to security alerts and other routine matters.
This certificate is designed to familiarize you, as an experienced system and network computer professional, with the essential elements of digital forensics and build on your existing technical skill set. Completing this professional certificate prepares you to approach both routine and unusual cybersecurity events in a systematic forensic manner.
You will take two live, virtual classes: Introduction to Computer Forensics and Advanced Digital Forensics. You have 12 months to complete both courses. When you complete all elements of each course, you are awarded an electronic certificate of course completion. When you complete both courses, you are awarded the CERT Certificate in Digital Forensics.
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule.
Insider Threat Program Manager (ITPM) Certificate
cert.org/insiderthreat/insider-threat-program-manager-itpm-certificate.cfm
This certificate program helps you, as an insider threat program manager, develop a formal insider threat program. Its training components cover areas such as insider threat planning, identification of internal and external stakeholders, components of an insider threat program, insider threat team development, strategies for effective communication of the program, and how to effectively implement and operate the program within your organization.
Required Courses
• Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats (page 32)
• Building an Insider Threat Program (page 33)
• Insider Threat Program Implementation and Operation (page 34)
• Insider Threat Program Manager Certificate Exam
Insider Threat Vulnerability Assessment (ITVA) Certificate
cert.org/insiderthreat/insider-threat-vulnerability-assessor-itva-certificate.cfm
This certificate enables you, as a prospective assessor, to help organizations gain a better understanding of their insider threat risk as well as effectively identify and manage the associated risks. In the courses that support this certificate, you use an assessment methodology to assist organizations by measuring how prepared they are to prevent, detect, and respond to the insider threat.
Required Courses
• Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats (page 32)
• Building an Insider Threat Program (page 33)
• Insider Threat Vulnerability Assessor Training (page 35)
• Insider Threat Vulnerability Assessor Certificate Exam
For more information
Visit our website for additional information about this certificate program.
Insider Threat Program Evaluator (ITPE) Certificate
cert.org/insiderthreat/
This certificate enables you, as a prospective evaluator, to help organizations gain a better understanding of the effectiveness of their established insider threat programs. In the courses that support this certificate, you learn how to build an insider threat program and perform an insider threat program evaluation.
Required Courses
• Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats (page 32)
• Building an Insider Threat Program (page 33)
• Insider Threat Program Evaluator Training (available late Spring/Summer 2016)
• Insider Threat Program Evaluator Certificate Exam
License the ITVA toolset and methodology
Organizations can license the CERT Insider Threat Vulnerability Assessment toolset for internal use or to assess others for potential vulnerabilities. See sei.cmu.edu/certification/opportunities/itva/ for more information.
SEI Certificate in Incident Response Process
sei.cmu.edu/training/certificates/security/response.cfm
This certificate provides you, as a prospective computer security incident response team (CSIRT) member, with a basic introduction to the main incident handling tasks and critical thinking skills that will help you perform your job. The second course covers common and emerging attacks that target a variety of operating systems and architectures.
Ultimately, this certificate is designed to provide you with insight into the type and nature of work that you will perform as an incident handler. It will provide an overview of the incident handling arena, including CSIRT services, intruder threats, the nature of incident response activities, and the steps that incident handlers can take in response to system compromises at the privileged level.
Required courses
• Fundamentals of Incident Handling (page 11)
• Advanced Incident Handling (page 12)
For more information
Visit our website for additional information about this certificate program.
SEI Certificate in Information Security
sei.cmu.edu/training/certificates/security/infosecurity.cfm
This certificate is designed to provide you with practical techniques for protecting the security of your organization’s information assets and resources and increase the depth of your knowledge and skills to prepare you to administer and secure your information systems and networks. Security issues, technologies, and recommended practices are addressed at increasing layers of complexity, beginning with concepts and proceeding on to technical implementations.
The courses required for this certificate involve extensive hands-on laboratories using a heterogeneous network environment, scenario-based exercises, lectures/briefings, and open discussion to help participants develop their understanding of the problems and strategies for securing information systems and networks.
Required courses
• Information Security for Technical Staff (page 16)
• Applied Cybersecurity, Incident Response, and Forensics (page 17)
CISO-Executive Certificate
heinz.cmu.edu/school-of-information-systems-and-management/cio-institute/chief-information-security-officer-executive-education-and-certification-program/index.aspx
This certificate enables you, as a Chief Information Security Officer (CISO), to develop and manage IS resources, and design and implement organizational IS policies. In the courses that support this certificate, you learn everything from security metrics to enterprise security governance to crisis communication to information security law. The CISO-Executive Education and Certificate Program is designed to address the issues CISOs face and provides a unique opportunity for peer-based, customized executive education. This program was developed and is jointly supported by the Heinz College CIO Institute at Carnegie Mellon and the CERT Division of the Software Engineering Institute (SEI).
With classes taught by internationally recognized faculty and industry experts, the CISO-Executive program draws on the strengths of Carnegie Mellon University and the SEI, both recognized across the globe as leaders in information assurance, security, policy, and executive education.
This program focuses on providing essential education and skills for professionals in the field and those seeking to enhance their career growth objectives.
Required course topics
• Security Structure and Operations
• Digital Transformation (DT): Security Implications
• Cyber Risk Management & Security Metrics
• Operational Cyber Resilience
• Enterprise Security Governance & Planning
• A Realistic View of Security Technology
• Effective Incident Response
• Managing Operational Threat
• Developing a Crisis Communications Strategy
• Information Security Law
• Social Engineering
• Building an Insider Threat Program
• External Dependency Management
Secure Coding Professional Certificate: C and C++
cert.org/go/secure-coding
This certificate program helps you, as a C/C++ developer, increase the security of your software and reduce vulnerabilities in the programs you develop. This program covers areas such as recognizing common programming errors that lead to software vulnerabilities, thwarting buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic, avoiding the incorrect use of dynamic memory management functions, eliminating integer-related problems, and avoiding I/O vulnerabilities including race conditions.
Required Courses
• Secure Software Concepts
• Secure Coding in C and C++ (page 21)
• Secure Coding in C and C++ Exam
For more information
Visit our website for additional information about this certificate program.
Secure Coding Professional Certificate: Java
(available spring 2016)
cert.org/go/secure-coding
This certificate program helps you, as a Java developer, increase the security of your software and reduce vulnerabilities in the programs you develop. This program covers areas such as recognizing common programming errors that lead to software vulnerabilities, avoiding injection attacks, understanding Java’s memory model, learning when to throw and catch exceptions, understanding how common errors can be exploited, employing mitigation strategies to prevent introducing common errors, and avoiding I/O vulnerabilities.
Required Courses
• Secure Software Concepts
• Secure Coding in Java (page 22)
• Secure Coding in Java Exam
Incident Handling Courses
Training in incident handling helps managers, project leaders, CSIRT
staff, and computer forensic professionals create and manage CSIRTs,
prepares incident handlers to respond to system compromises at the
administrator level, teaches technical staff the best practices they can
use for analyzing malicious code, and describes tools and best practices
that can be used to support organizations’ incident response and forensic
analysis investigations.
Our Cybersecurity Courses
Our instructors have years of
experience in the cybersecurity field
and perform cutting-edge research.
O
Overview of Creating and Managing CSIRTs
One-Day Course • Incident Handling
sei.cmu.edu/training/P68.cfm
This course provides a consolidated view of information that is contained in two other CERT courses: Creating a Computer Security Incident Response Team (page 9) and Managing CSIRTs (page 10). Its main purpose is to highlight best practices in planning, implementing, operating, and evaluating a computer security incident response team (CSIRT).
In this course, you explore the relationships among CSIRTs, incident management, and security management and discuss how successful incident management requires an enterprise view and approach. The course presents a process-based model for structuring incident management activities and provides an introductory view of CSIRTs. Learn more about the purpose and structure of CSIRTs; CSIRT services; and key policies, procedures, methods, tools, and infrastructure components needed to effectively operate a CSIRT.
Who should attend?
• those tasked with creating a CSIRT
• C-level managers (e.g., CIOs, CSOs, CISOs) and CSIRT managers
• project leaders and team members
• system and network administrators, and security staff (e.g., privacy officers, audit or risk staff)
• human resources staff
• media or public relations staff
• CSIRT constituents
• law enforcement members
• legal counsel
You will learn to
• understand the terms “incident management” and “CSIRT”
• differentiate between incident management and incident response activities
• describe activities conducted in the five processes that make up the CERT Incident Management Process Model (Prepare, Protect, Detect, Triage, and Respond)
• identify the type of work that CSIRT managers and staff may be expected to handle and the policies and procedures that should be established for a CSIRT
• explain the purpose and structure of CSIRTs
• define the variety and level of services that can be provided by a CSIRT
• apply process improvement techniques for operating and evaluating an effective CSIRT
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
P
O
Creating a Computer Security Incident Response Team
One-Day Course • Incident Handling • 0.6 CEUs
sei.cmu.edu/training/P25.cfm
This course is designed to help you create a computer security incident response team (CSIRT) by covering the following topics:
• requirements for establishing an effective CSIRT
• the various organizational models for a CSIRT
• the variety and level of services that can be provided by a CSIRT
• the types of resources and infrastructure needed to support a team
• policies and procedures that should be part of creating a CSIRT
Who should attend?
• current and prospective CSIRT managers
• C-level managers (e.g., CIOs, CSOs, CISOs)
• project leaders interested in establishing or starting a CSIRT
• staff who interact with CSIRTs (e.g., CSIRT constituents, media relations, legal counsel, law enforcement, human resources, risk management staff)
You will learn to
• understand the requirements for establishing an effective CSIRT
• strategically plan the development and implementation of a new CSIRT
• highlight issues associated with assembling a responsive, effective team of computer security professionals
• identify policies and procedures to establish and implement in a CSIRT
• understand various organizational models for a new CSIRT
• understand the variety and level of services that can be provided by a CSIRT
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Take a related course
You may also want to register for the three-day companion course, Managing Computer Security Incident Response Teams, which takes place immediately after this course. See page 10 for details.
P
O
Managing Computer Security Incident Response Teams
Three-Day Course • Incident Handling • 1.8 CEUs
sei.cmu.edu/training/P28.cfm
This course provides you, as a manager of a computer security incident response team (CSIRT), with a pragmatic view of the issues that you face in operating an effective team. The course provides an overview of the incident handling process and the types of tools and infrastructure needed to be effective.
We discuss issues such as hiring CSIRT staff, identifying critical information, publishing information, establishing effective working relationships, working with law enforcement, evaluating CSIRT operations, building CSIRT service capacity, and the importance of policies and procedures.
There is some content overlap between the Managing CSIRTs course and the Fundamentals of Incident Handling course. We recommend that attendees register for one course or the other, but not both.
Who should attend?
• managers responsible for implementing and working with a CSIRT
• those who want to learn more about operating effective CSIRTs
• staff who interact with CSIRTs (e.g., CSIRT constituents, media relations, legal counsel, law enforcement members, human resources staff, risk management staff)
You will learn to
• recognize the importance of establishing well-defined policies and procedures for incident management processes
• identify policies and procedures that should be established and implemented for a CSIRT
• recognize various processes involved in detecting, analyzing, and responding to computer security events and incidents
• identify components needed for protecting and sustaining CSIRT operations
• manage a responsive, effective team of computer security professionals
• evaluate CSIRT operations and identify performance gaps, risks, and needed improvements
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Take a related course
Before attending this course, we encourage you to attend the companion course, Creating a Computer Security Incident Response Team, which is offered the day before this course. See page 9 for details.
P
O
Fundamentals of Incident Handling
Five-Day Course • Incident Handling • 3.1 CEUs
sei.cmu.edu/training/P26.cfm
This course provides you, as a prospective incident handler, with a basic introduction to the main incident handling tasks and critical thinking skills that will help you do your daily work. The course provides insight into the work that incident handlers perform and provides an overview of the incident handling arena, including CSIRT services, intruder threats, and the nature of incident response activities. You learn how to gather the information required to handle an incident, learn more about CSIRT policies and procedures, understand the technical issues related to commonly reported attack types, and identify potential problems to avoid while performing CSIRT work. You participate in sample incidents and perform analysis and response tasks related to them.
There is significant content overlap between the Fundamentals of Incident Handling course and the Managing CSIRTs course. We recommend that attendees register for one course or the other, but not both.
Who should attend?
• CSIRT technical staff with one to three months of experience
• experienced CSIRT staff who want to benchmark their CSIRT processes and skill sets against best practices
• anyone who wants to learn about basic incident handling functions and activities
You will learn to
• recognize the importance of following well-defined processes, policies, and procedures
• understand the issues involved in providing a CSIRT service
• critically analyze and assess the impact of computer security incidents
• effectively build and coordinate response strategies for computer security incidents
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Get a certificate
This course is part of our Certificate in Incident Response Process. See page 4 for details.
P
O
Advanced Incident Handling
Five-Day Course • Incident Handling • 3.1 CEUs
sei.cmu.edu/training/p23b.cfm
In this course, you learn techniques for detecting and responding to current and emerging computer security threats and attacks that are targeted at a variety of operating systems and architectures.
Building on the methods and tools discussed in the Fundamentals of Incident Handling course, this course provides guidance that you, as an incident handler, can use when responding to system compromises at the privileged (root or administrator) level.
You work in a team throughout the week-long course to handle a series of escalating incidents that are presented as part of an ongoing scenario. You review broader aspects of CSIRT work such as computer forensics; artifact analysis; vulnerability handling; and the development of advisories, alerts, and management briefings.
Who should attend?
• current computer security incident response team (CSIRT) members
• technical staff with three to six months of incident handling experience
• system and network administrators responsible for identifying and responding to security incidents
You will learn to
• detect and characterize various attack types
• understand the complexity of and effectively respond to privileged and major events and incidents within your CSIRT
• gain a practical understanding of various methods for analyzing artifacts left on a compromised system
• explore new developments in the area of computer forensics
• obtain practical experience in the analysis of vulnerabilities and the coordination of vulnerability handling tasks
• formulate effective advisories, alerts, and management briefings
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule.
Get a certificate
This course is part of our Certificate in Incident Response Process. See page 4 for details.
O
Malware Analysis Apprenticeship
Five-Day Course • Incident Handling • 3.3 CEUs
sei.cmu.edu/training/p88.cfm
This hands-on course, available only to U.S. government employees and contractors, teaches you best practices for analyzing malicious code. In the course, you are given real-world malicious code samples to dissect. You gain a fundamental understanding of a variety of malware analysis tools and techniques that can directly support your organization’s incident response function and improve your performance.
Who should attend?
Technical U.S. government employees and contractors who manage or support networked information systems
You will learn to
• differentiate between common classes of malware
• identify common attack vectors used to inject malicious code into a system
• understand fundamental malware analysis techniques
• perform surface analysis of malware, including calculating cryptographic hashes and file sizes
• build a secure environment where analyses can be performed
• identify malware network touch points via runtime analysis
• run a malicious program using a debugger
• recognize common malware fingerprints in assembly
• identify custom encoding routines
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
P
O
Advanced Forensic Response & Analysis
Three-Day Course • Incident Handling • 2.5 CEUs
sei.cmu.edu/training/P103.cfm
This fast-paced, advanced course is designed for you if you are looking to expand your solid knowledge of incident response and forensic analysis. The course helps you improve your collection and processing skills by outlining a structured process (or flow) you can use to conduct incident response and intrusion investigations. You learn common areas where you can find evidentiary data to improve your investigations and learn the pros and cons of
• common evidence collection measures
• forensic analysis steps
• methods for organizing analysis results to identify evidentiary data
Who should attend?
• forensic analysts in the public or private sector
• active computer forensic professionals with an understanding of core forensic and information technology principles
• those who conduct incident response, intrusion investigations, or other types of computer forensic investigations
You will learn to
• prepare for an intrusion investigation, including performing reconnaissance and developing a known toolset
• recognize best practices for responding to an incident
• understand methods for collecting data that’s most relevant to your investigation
• perform analysis of victim and perpetrator systems
• identify malicious applications
• correlate system events with file activity
• perform runtime analysis of malicious applications
• identify resident artifacts subsequent to the intrusion
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Network & Software Security Courses
Network Security training provides technical staff members, engineers,
software managers, and technical leads best practices and practical
techniques for protecting the security of their organization’s information
assets and resources. Topics covered include the SQUARE methodology,
secure coding in C and C++, and four critical software assurance areas:
security requirements, software supply chain assurance, mission thread
analysis, and measurement.
P
O
L
Information Security for Technical Staff
Five-Day Course • Network & Software Security • 2.7 CEUs
sei.cmu.edu/training/P27.cfm
This course provides you with practical techniques for protecting the security of your organization’s information assets and resources. In the course, you focus on understanding and applying the concept of survivability and effectively managing risk, threats, policy, system configuration, availability, and personnel.
The course features extensive hands-on labs and demonstrations that cover topics such as network scanning and enumeration; packet capture and analysis; Windows Group Policy and Security templates; network traffic encryption with IPSec; intrusion detection and prevention with Snort; information on personal and enterprise firewalls, password cracking, and extensive hacking/hardening of Linux, Windows, and Cisco platforms in both wireless and cabled networks. You use a laptop during the course and have access to a wide variety of networked systems.
Who should attend?
Technical staff members who manage or support networked information systems and have
• two years of practical experience with networked systems or equivalent training/education
• some degree of familiarity with the ISO/OSI 7-layered reference model and Ethernet, TCP/IP, and network operating systems such as Windows NT/2000/XP and Unix
You will learn to
• describe the components of survivability, risk and asset management as applied to networked systems, and the Security Knowledge in Practice (SKiP) methodology
• summarize key security concerns of the TCP/IP protocol suite
• describe common methods of gathering information on networked systems
• describe the types of vulnerabilities and threats and common attack methods
• describe best practices for actively defending systems from intrusions
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Get a certificate
This course is part of the curriculum for the Certificate in Information Security. See page 4 for details.
Applied Cybersecurity, Incident Response, and Forensics
Five-Day Course • Network & Software Security • 3.3 CEUs
sei.cmu.edu/training/P107.cfm
This hands-on course is designed to increase your knowledge and skills as someone who administers and secures information systems and networks. The course covers vulnerability assessments, systems administration, network monitoring, incident response, digital forensics, and Intrusion Detection Systems. You have direct administrative access to networked systems (e.g., Windows, Linux, and Cisco), which will be modified and instrumented throughout the course. Working in a team, you
• review host and network system hardening concepts in hands-on labs
• begin implementing a network “get well” plan for a sample infrastructure
• apply your new skills to detect, analyze, and respond to real-world threats
• compete in identifying vulnerabilities and prioritizing defensive measures
Who should attend?
Technical staff members who manage or support networked information systems; we recommend you have
• one year of practical experience with networked systems or equivalent training/education
• six months of security administration experience
• background in data networking with entry-level Unix or Windows system administration experience
• familiarity with the OSI model and the TCP/IP protocol stack
You will learn to
• install and configure network access control technologies and intrusion detection sensors
• implement techniques for hardening host systems and services
• implement technology for monitoring the status/availability of network services
• implement system logging and networking monitoring
• safely collect and secure sensitive incident response data
• analyze and respond to network and system events
Managing Enterprise Information Security: A Practical Approach for Achieving Defense-in-Depth
Three-Day Course • Network & Software Security • 1.8 CEUs
sei.cmu.edu/training/P61.cfm
In this course, you are introduced to the CERT Defense-in-Depth Framework, which consists of eight operationally focused and interdependent management components. In the course, you synergistically apply these components to a fictitious organization’s IT enterprise. You learn high-level best practices for effectively integrating the eight components into all aspects of IT operations. You then use a scenario to reinforce these best practices.
Who should attend?
Technical staff members, IT managers, security managers, system administrators, and IT security staff who have
• two years of practical experience with networked systems or equivalent training/education
• some degree of familiarity with the ISO/OSI 7-layered reference model and Ethernet, TCP/IP, and major network operating systems such as Windows NT/2000/XP and Unix
You will learn to
• describe the CERT Defense-in-Depth framework and its components
• holistically examine IT operations for information assurance threats and vulnerabilities
• apply the framework to improve the overall security posture of IT operations
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
DevOps Process and Implementation
One-Day Course • Network & Software Security • 0.5 CEUs
sei.cmu.edu/training/P116.cfm
In this course, you receive comprehensive training on DevOps principles and process and techniques for project planning, development, and deployment from start to finish. Using technical demonstrations and practical scenarios, you learn about use cases on Continuous Integration (CI) tools and practices, and reference architectures.
Who should attend?
Those working in software development, including technical managers, technical leads, developers, QA engineers, release/deployment engineers, and operational support staff who
• want to bring DevOps to their organization
• want to improve their existing DevOps strategy
• are challenged by slow deployment cycles
• see a disconnect among business needs, development, and operational teams
• are looking for strategies to convince their organization of the benefits of DevOps
You will learn to
• recognize the realities of DevOps, from tools and techniques to culture and specific organizational business and operational needs
• navigate the challenging tasks of adapting DevOps theories, practices, and tools to meet your particular business needs
• provide measurable value to your organization
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Take a related course
You may also want to register for the one-day companion workshop, DevOps in Practice Workshop. See page 20 for details.
DevOps in Practice Workshop
One-Day Workshop • Network & Software Security • 0.5 CEUs
sei.cmu.edu/training/P115.cfm
In this workshop, you receive a comprehensive, hands-on review of DevOps topics and process and techniques for project planning, development, and deployment from start to finish. Specifically, this workshop exposes you to reference architectures and hands-on experience with Continuous Integration (CI) tools and practices, including technical demonstrations and practical scenarios.
Who should attend?
Those working in software development who have direct knowledge and hands-on experience with their organization’s development processes, including
• technical managers
• technical leads
• developers
• QA engineers
• release/deployment engineers
• operational support staff
You will learn to
• understand DevOps values and principles
• understand how modern automation and tooling solve common problems in software development and delivery
• recognize best practices employed by DevOps industry leaders
• better identify process improvements at your organization through new perspectives on software development and delivery
• best begin a DevOps transformation in your organization
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule.
Take a related course
You may also want to register for the one-day companion course, DevOps Process and Implementation. See page 19 for details.
Secure Coding in C and C++
Four-Day Course • Network & Software Security • 2.4 CEUs
sei.cmu.edu/training/P63.cfm
In this course, you learn common programming errors in C and C++ and how these errors can lead to code that is vulnerable to exploitation. The course focuses on security issues intrinsic to the C and C++ programming languages and associated libraries. This course is useful to you if you are involved in developing secure C and C++ programs regardless of the specific application.
You bring your own laptop, equipped with the latest version of Adobe Reader and VMware Player for hands-on instruction. What you learn applies to various development environments, but the examples are specific to Microsoft Visual Studio and Linux/GCC and the 32-bit Intel Architecture (IA-32).
Who should attend?
Developers with basic C and C++ programming skills, but not necessarily an in-depth knowledge of software security
You will learn to
• avoid programming errors that lead to software vulnerabilities
• understand how these errors can be exploited
• implement mitigation strategies for preventing the introduction of these errors
• improve the overall security of any C or C++ application
• thwart buffer overflows and stack-smashing attacks that exploit insecure string manipulation logic
• avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions
• eliminate integer-related problems: integer overflows, sign errors, and truncation errors
• correctly use formatted output functions without introducing format-string vulnerabilities
• avoid I/O vulnerabilities, including race conditions
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Secure Coding in Java
Four-Day Course • Network & Software Security • 2.2 CEUs
sei.cmu.edu/training/P118.cfm
In this course, derived from the Addison-Wesley books The CERT Oracle Secure Coding Standard for Java and Java Coding Guidelines, you learn common programming errors in Java and how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the Java programming language and associated libraries.
Who should attend?
• Java developers
• anyone involved in developing secure Java programs regardless of the specific application
You will learn to
• improve the overall security of any Java application
• avoid injection attacks, such as SQL injection and XSS
• understand Java’s memory model with a thorough grounding in concurrency
• prevent race conditions while avoiding deadlock
• recognize when to throw and catch exceptions
• avoid I/O vulnerabilities, including file-based race conditions
• know how historical exploits on Java were executed and later disabled
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Software Assurance Methods in Support of Cyber Security
One-Day Course • Network & Software Security • 0.65 CEUs
sei.cmu.edu/training/P108.cfm
This course is designed to expose you, as a manager, engineer, or acquirer, to concepts and resources you can use now to address software security assurance across the acquisition and development lifecycles. This workshop focuses on four critical software assurance areas:
• security requirements
• software supply chain assurance
• mission thread analysis
• measurement
Who should attend?
Those who are concerned with software security assurance across the acquisition and development lifecycles, including
• software managers
• technical leads
• software and lead engineers
• software and system acquisition experts
• program/project managers
You will learn to
• understand the challenges of software assurance
• recognize key concepts and methods for security risk analysis and measurement, security requirements elicitation, mission thread analysis, and supply chain risk analysis
• begin planning how to address software assurance for acquisition and development programs
• understand the best practices that can be implemented for software assurance
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Security Requirements Engineering Using the SQUARE Method
Two-Day Course • Network & Software Security • 1.3 CEUs
sei.cmu.edu/training/P104.cfm
In this workshop, you receive an overview of security requirements engineering and the SQUARE methodology. The SQUARE methodology is an end-to-end process for security requirements engineering that helps you build security into the early stages of the production lifecycle. In the workshop, you discuss all nine steps of the SQUARE methodology in detail and participate as part of a team case study. Requirements engineering defects, including those in security requirements, cost 10 to 200 times more to correct during implementation than if they are detected during requirements development. A study found returns on investment of 12 to 21 percent when security analysis and secure engineering practices are introduced early in the development cycle.
Who should attend?
Those concerned with security requirements in developed or acquired software, including
• software managers
• technical leads
• software engineers
• requirements engineers
• security specialists
You will learn to
• understand the challenges of security requirements engineering
• see how important it is to develop security requirements in the same time frame as functional requirements, rather than as an add-on patch
• understand why the methods used to identify functional requirements may not work directly for security requirements
• recognize methods for security risk analysis, security requirements elicitation, and security requirements prioritization
• apply the SQUARE method for security requirements engineering
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Risk Assessment & Insider Threat Courses
Risk Assessment and Insider Threat training teaches managers,
executives, security and business continuity professionals, risk
managers, compliance personnel, and insider threat program
managers to develop strategies for protecting their organizations
from security threats and to better manage their risks. Topics
covered include the CERT Resilience Management Model (CERT-RMM),
OCTAVE Allegro method, and insider threat program management
best practices.
Introduction to the CERT Resilience Management Model
Three-Day Course • Risk Assessment & Insider Threat • 1.9 CEUs
sei.cmu.edu/training/P66.cfm
This course introduces you to a model-based process improvement approach for managing operational resilience using the CERT Resilience Management Model (CERT-RMM). CERT-RMM is a maturity model that promotes the convergence of security, business continuity, and IT operations activities to help organizations actively direct, control, and manage operational resilience and risk.
By improving operational resilience processes (e.g., vulnerability analysis, incident management, service continuity), you can improve and sustain the resilience of mission-critical assets and services. Using CERT-RMM as a guide, you can evaluate your current security, business continuity, and IT operations practices and make effective decisions about which practices are working and which need to be replaced.
Who should attend?
• security and business continuity professionals
• process improvement professionals, particularly those looking to extend process improvement approaches into the operations phase of the lifecycle
• enterprise and operational risk management professionals
• anyone interested in applying a maturity model approach to managing operational resilience
You will learn to
• understand the challenges of managing operational resilience
• have a working knowledge of key operational resilience, operational risk, and resilience management concepts and their relationships
• understand the CERT-RMM model structure and how to use it
• apply a process improvement and maturity model approach to managing operational resilience
• have a working knowledge of the 26 CERT-RMM process areas
• understand how CERT-RMM is used to appraise an organization’s capability for managing operational resilience
• begin planning for a process improvement effort in your organization
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
CERT Resilience Management Model Appraisal Boot Camp
Two-Day Course • Risk Assessment & Insider Threat • 1.5 CEUs
sei.cmu.edu/training/P101.cfm
If you are seeking to become an SEI-certified CERT-RMM Lead Appraiser, you must complete this course as part of your certification requirements. This boot camp provides an overview of the CERT-RMM Capability Appraisal Method (CAM) and gives you the knowledge you need to apply your SCAMPI experience in a CERT-RMM context. The CAM is a tailored version of the SCAMPI method that addresses the unique challenges of appraising capability using CERT-RMM in the operations phase of the lifecycle.
At the boot camp, you learn about important decisions for scoping an appraisal, characterizing practices, and deriving capability levels. You also learn about appraisal considerations for unique CERT-RMM model attributes (e.g., Targeted Improvement Roadmaps). In addition, you learn to properly interpret CERT-RMM process areas that were sourced from CMMI models, such as Resilience Requirements Development and Organizational Training and Awareness. This course is solely for CMMI Lead Appraisers who are looking to extend their process improvement capabilities into the operations phase of the lifecycle. After attending the course, you qualify as a candidate CERT-RMM Lead Appraiser.
Who should attend?
• candidate CERT-RMM Lead Appraisers
You will learn to
• apply the CAM process to perform a CERT-RMM capability appraisal
• identify the major differences in using the SCAMPI process for CERT-RMM appraisals rather than CMMI models
• identify the CERT-RMM fine-grained scoping options: practice-level, asset, and resilience domains
• define and scope a CERT-RMM appraisal
• establish Targeted Improvement Roadmaps to commence a CERT-RMM process improvement effort
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
CERT Resilience Management Model (CERT-RMM) Users Group Workshop Series
Four Two-Day Workshops • Risk Assessment & Insider Threat • 2.0 CEUs
sei.cmu.edu/training/P92.cfm
You can improve your organizational resilience by attending a year-long series of workshops at an SEI facility. At these workshops, you experience hands-on activities to help you understand, compare, and enhance your organizational resilience using the CERT-RMM as the guide. The focus of each workshop session in the year-long series is guided by the needs of the organizations that register. Organizations that become a member of the users group receive
• registration for four two-day CERT-RMM workshops at an SEI facility (Participating organizations may send up to three attendees to each workshop.)
• participation in the Introduction to the CERT Resilience Management Model training course, which is delivered during the first workshop
• invitations to contribute to discussion forums and other interim collaboration opportunities, organized and conducted by CERT-RMM technical leaders, between the workshops
Who should attend?
• those who are interested in a deep understanding of operational resilience and would like to implement the CERT-RMM internally in their organization
• security and business continuity professionals
• process improvement professionals
• operational risk professionals
You will learn to
• benchmark your organization’s resilience activities against the CERT-RMM
• begin to answer key resilience measurement and analysis questions about your organization and identify measures you can use to evaluate and improve your resilience
• improve the effectiveness and efficiency of operational risk/management activities
• participate in peer-to-peer comparisons
• reduce the complexity and improve the efficiency of compliance activities
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule related to this course.
Assessing Information Security Risk Using the OCTAVE Approach
Three-Day Course • Risk Assessment & Insider Threat • 2 CEUs
sei.cmu.edu/training/P10B.cfm
In this course, you learn to perform information security risk assessments using the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro method. OCTAVE Allegro focuses on information assets in their operational context to identify and analyze risks based on where they originate and where information is stored, transported, and processed. By focusing on operational risks to information assets, you learn to view risk assessment in the context of your organization’s strategic objectives and risk tolerances.
OCTAVE Allegro satisfies the requirement for an annual risk assessment outlined in paragraph 12.1.2 of Standard PCI-DSS v2.0.
Who should attend?
• those who want an in-depth understanding of the OCTAVE Allegro Risk Assessment Methodology
• security professionals, business continuity planners, compliance personnel, risk managers, and others who require the knowledge and skills to understand operational risk and perform risk assessments
• those who need to perform formal risk assessments to satisfy PCI-DSS requirements
You will learn to
• understand the various elements of operational risk
• understand the connections among information security, business continuity, IT operations, and operational risk management
• understand operational risk, threat, vulnerabilities, impact, services, and their related assets
• understand the purpose of the OCTAVE Allegro structured risk management approach
• understand how to prepare an organization for a risk assessment using OCTAVE Allegro
• understand how to get started and when to tailor the process to meet unique organizational needs
For more information
Measuring What Matters: Security Metrics Workshop
Two-Day Course • Risk Assessment & Insider Threat • 1.3 CEUs
sei.cmu.edu/training/p117.cfm
It is critical to measure the right things to make informed management decisions, take the appropriate actions, and change behaviors. But how do you figure out what those right things are? In this course, you use real-world strategic objectives to develop specific business goals and the applicable questions, indicators, and actionable metrics that you can implement at your own organization to improve your ability to manage operational risks, particularly cybersecurity risks.
Organizations today often make cyber risk management decisions based on fear, uncertainty, and doubt (FUD); the latest attack; compliance mandates (e.g., HIPAA, FISMA, SOX, PCI); and security risk frameworks that have little to do with the way the rest of the organization measures risk and prioritizes operational risk management activities. Instead, an organization’s information risk management approach should align with its business objectives. A measurement approach tied to strategic business objectives ensures that planning, budgeting, and the allocation of operational resources focus on what matters most to the organization. In addition, using such an approach helps identify metrics that may not be worth the investment to collect.
Who should attend?
Directors and managers of
• operational risk management
• information technology (IT)
• cybersecurity/information security
• IT and cybersecurity compliance
• IT and cybersecurity audit
Security professionals who support these directors and managers
You will learn to
• refine a strategic or business objective that meets the SMARTER criteria (Specific, Measurable, Achievable, Relevant, Time-bound, Evaluated, Reviewed) and can be used to initiate the Goal–Question–Indicator–Metric (GQIM) process
• identify a core set of business goals based on your business objective
• formulate one or more key questions and indicators for each goal (Answers to the questions help determine how well the goal is being achieved and the indicators further inform the answer to each question.)
• identify one or more metrics for each indicator that most directly informs the answer to one or more questions
For more information
Insider Threat Awareness Training
One-Hour Course • Risk Assessment & Insider Threat
sei.cmu.edu/training/V29.cfm
This course provides you with a basic understanding of insider threats within an organization and of the responsibilities you have, as an employee, to protect your organization’s critical assets. You learn how your work can be affected and how you can be targeted by insider threats.
This training is necessary for compliance with the anticipated guidelines set forth in the National Industrial Security Program Operating Manual (NISPOM) in accordance with Executive Order 13587.
Who should attend?
• all employees (especially those with security clearances)
• senior executives
• insider threat program team members
• insider threat program managers
• contractors and subcontractors
• suppliers and business partners
You will learn to
• define an insider and the threats they pose to critical assets
• recall common motivations of malicious insiders
• name different types of insider threats
• recognize how you can become an unintentional insider threat
• discuss impacts to your organization, the general public, and national security
• describe the consequences of being a malicious or unintentional insider
• understand how you can be targeted by a malicious individual as well as external adversaries
• identify reportable behaviors of malicious insiders
• identify steps you can take to protect yourself
• know what to do if you see or suspect an insider threat
• recognize resources available to you in your organization
Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats
Five-Hour Online Course • Risk Assessment & Insider Threat • 0.5 CEUs
sei.cmu.edu/training/V26.cfm
This course provides you with a thorough understanding of insider threat terminology, identifies different types of insider threats, teaches you how to recognize both technical and behavioral indicators, and outlines mitigation strategies.
This training course supports organizations implementing and managing insider threat detection and prevention programs based on various government mandates or guidance including Presidential Executive Order 13587, the National Insider Threat Policy and Minimum Standards, and proposed changes set forth in the National Industrial Security Program Operating Manual (NISPOM).
Who should attend?
• insider threat program team members
• insider threat program managers
You will learn to
• define an insider and the threats he or she can pose to critical assets
• recognize the difference between malicious and unintentional insider threats
• recognize the most common types of insider threats
• identify legislation enacted to help prevent insider threats
• describe the activity, behavioral and technical precursors, and characteristics of fraud and theft of intellectual property
• recognize and avoid unintentional insider threats
• recognize controls to potentially prevent insider attacks
• identify best practices for insider threat mitigation
• recognize the purpose of an insider threat program
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule.
Get a certificate
This course is a required component of the Insider Threat Program Manager, Insider Threat Vulnerability Assessor, and Insider Threat Program Evaluator certificate programs. See cert.org/insiderthreat or pages 2–3 for details.
Building an Insider Threat Program
Seven-Hour Online Course • Risk Assessment & Insider Threat • 1.0 CEUs
sei.cmu.edu/training/V27.cfm
This course provides you with a thorough understanding of the organizational models for an insider threat program, the necessary components of an effective program, the key stakeholders who must be involved in the process, and basic education on the implementation and guidance of the program.
This training course supports organizations implementing and managing insider threat detection and prevention programs based on various government mandates or guidance including: Presidential Executive Order 13587, the National Insider Threat Policy and Minimum Standards, and proposed changes set forth in the National Industrial Security Program Operating Manual (NISPOM).
Who should attend?
• insider threat program team members
• insider threat program managers
You will learn to
• state key components of an insider threat program
• identify critical participants in establishing the program
• create an implementation plan and roll-out
• identify the type of staff and skills needed on an insider threat program operational team
• identify the types of policies and procedures needed for an insider threat program
• identify existing policies and procedures to be updated to support the insider threat program
• determine the infrastructure requirements needed to support insider threat program operations
• identify the governance and management support needed to sustain a formal insider threat program
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule.
Get a certificate
Insider Threat Program Manager: Implementation and Operation
Three-Day Course • Risk Assessment & Insider Threat • 2.2 CEUs
sei.cmu.edu/training/p110.cfm
This course builds on the concepts in the prerequisite courses Insider Threat Overview: Preventing, Detecting, and Responding to Insider Threats and Building an Insider Threat Program. This course teaches you a process roadmap that you can follow to build a robust insider threat program. The roadmap includes various techniques and methods for developing, implementing, and operating program components.
This course supports organizations implementing and managing insider threat detection and prevention programs based on government mandates or guidance including Presidential Executive Order 13587, the National Insider Threat Policy and Minimum Standards, and proposed changes in the National Industrial Security Program Operating Manual (NISPOM).
Who should attend?
• insider threat program team members
• insider threat program managers
You will learn to
• identify critical assets and protection schemes
• identify methods to gain management support and sponsorship
• plan implementation of an insider threat program
• identify policy and process updates that accommodate insider threat components
• identify sources and priorities for data collection
• identify infrastructure changes and enhancements necessary for implementing and supporting an insider threat program
• outline operational considerations and requirements needed to implement the program
• build policies and processes to help hire the right staff and develop a culture of security
• improve your security awareness training
For more information
Visit our website for additional information about topics, prerequisites, materials, and schedule.
This course is recommended for anyone pursuing the certificates for the Insider Threat Vulnerability Assessor or Insider Threat Program Evaluator, but is not required.
Get a certificate
This course is a required component of the Insider Threat Program Manager certificate program. See cert.org/insiderthreat or page 2 for details.