INFORMATICS AND INFORMATION SECURITY
RESEARCH CENTER
CYBER SECURITY INSTITUTE
INFORMATION SECURITY
TRAINING CATALOG
(2016)
Revision 4.0
©2015 TÜBİTAK BİLGEM SGE Siber Güvenlik Enstitüsü
P.K. 74, Gebze, 41470 Kocaeli, Türkiye Tel: +90 (262) 648 1000, Fax: +90 (262) 648 1100
http://www.bilgem.tubitak.gov.tr [email protected]
Information Security Trainings
Basic Trainings ... 3
1. Information Security Awareness for End Users ... 4
2. Information Security Awareness for Managers ... 5
3. Social Engineering: Attack and Defense Methods ... 6
Intermediate Level Trainings ... 7
4. Introduction to Information Security ... 8
5. ISO 27001 Information Security Management System Implementation ... 9
6. Cyber Incident Response Team ... 10
7. Protection of Critical Infrastructures ... 11
8. Business Continuity / Disaster Recovery Planning ... 12
9. Windows Security ... 13
10. Microsoft Systems Security ... 14
11. Linux Security ... 15
12. TCP/IP Network Security ... 16
13. Active Network Device Security ... 17
14. System Security Audit ... 18
15. Basic Security Audit ... 19
16. Wireless Network Security ... 20
17. Log Management ... 21
Advanced Trainings ... 22
18. Oracle Database Security ... 23
19. MS SQL Server Database Security ... 24
20. Web Applications Security ... 25
21. Security Information and Event Management Systems ... 26
22. Penetration Testing and Ethical Hacking ... 27
23. Log Analysis ... 28
24. Prevention of DDoS Attacks ... 29
Master Level Trainings ... 30
25. Information Systems Forensics ... 31
26. Computer Network Forensics ... 32
27. Windows Malware Analysis ... 33
28. Secure Software Development ... 34
29. Advanced Penetration Testing and Ethical Hacking ... 35
1. Information Security Awareness for End Users
a. Who Should Attend
Users of information systems.
b. Prerequisites
Basic knowledge to use information systems as a regular user.
c. Course Syllabus
Role of user in information security
Contribution of user to corporate Information Security Management System (ISMS)
Access to computers
Password security
E-mail security
Security while accessing the Internet
Virus protection
Setup, use and disposal of storage media
File access and sharing
Information backup
Social engineering
User responsibilities in computer incidents
d. Duration
3 hours
e. Benefits
Attendees will become familiar with the basics of information security and will also raise their awareness of the importance of corporate information security. They will learn their duties and responsibilities as contributors to a corporate ISMS.
2. Information Security Awareness for Managers
a. Who Should Attend
Managers who wish to improve their understanding in the field of information security. Staff who have a general understanding of information systems and wish to obtain further information about information security.
b. Prerequisites
General information about information systems.
c. Course Syllabus
Basic concepts of information security
Security policy
Organizational security
Human resource security
Risk assessment and risk mitigation
Business continuity
Information security incident management
Operating system security
Network security
Web security
Digital certificates and certificate distribution systems
Password management
Antivirus systems
d. Duration
2 days
e. Benefits
Attendees will obtain information about the basic concepts of information security and the overall functioning of an ISMS. The introduction will be based on the technical aspects of information systems security.
3. Social Engineering: Attack and Defense Methods
a. Who Should Attend
All information system users; attendance of system administrators is especially important.
b. Prerequisites
Classroom should be equipped with one personal computer per attendee since the training includes hands-on exercises.
c. Course Syllabus
“Social engineering” concept
Attack techniques
Examples of social engineering attacks
Social engineering tests
Prevention methods
Several social engineering applications
d. Duration
2 days
e. Benefits
Attendees will become familiar with social engineering attacks, which are quite common and may lead to the loss of confidential information, or even damage the reputation of an institution.
Attendees will acquire the capacity of offering social engineering trainings as well.
4. Introduction to Information Security
a. Who Should Attend
Staff who want to learn about information security across all of its domains.
b. Prerequisites
None
c. Course Syllabus
Introduction to information security, fundamental concepts
TCP/IP
Information security devices and techniques
Cryptography
Unix/Linux security
Windows security
Web security
Wireless security
Social engineering
Log management
Incident response
Malware analysis
Cyber attack types
Advanced persistent threats
d. Duration
10 days
e. Benefits
Attendees will learn the fundamental concepts of information security and gain an overview of several of its domains, such as Windows security, Linux security and cyber threats.
5. ISO 27001 Information Security Management System Implementation
a. Who Should Attend
Staff obliged to establish and maintain an ISO 27001 based ISMS as well as staff responsible for processes that will be subject to an ISO 27001 audit.
b. Prerequisites
Familiarity with quality management systems is helpful but not indispensable.
c. Course Syllabus
What is an ISMS and why is it needed?
“Plan-Do-Check-Act” process in ISO 27001
Risk assessment and treatment in information systems
ISO 27001 control categories
o Information security policies
o Organization of information security
o Human resources security
o Asset management
o Access control
o Cryptography
o Physical and environmental security
o Operational security
o Communications security
o System acquisition, development and maintenance
o Supplier relationships
o Information security incident management
o Information security aspects of business continuity management
o Compliance
ISO 27001 conformance audit
o Audit planning
o Audit checklists
o Non-conformances and reporting
Several applications
d. Duration
3 days
e. Benefits
Attendees will be able to establish an ISMS in their institutions. Attendees will also be acquainted with audit concepts.
6. Cyber Incident Response Team
a. Who Should Attend
Staff obliged to establish or manage a CERT (Computer Emergency Response Team) in their institutions. Staff working in the information security department of their institutions.
b. Prerequisites
Some experience with both the business processes and the information system infrastructure of the institution is required.
c. Course Syllabus
Introduction (History, computer incident examples, CERT and security organization examples)
Basic questions and titles about CERT (What is CERT? What is the scope of operational framework of CERT?)
Computer incident management process (incident management service definition and functions)
Operational components of CERT (software, hardware, policy and procedures)
CERT project plan
d. Duration
2 days
e. Benefits
The objective of the training is to bring attendees to a level where they can establish CERTs in their institutions.
7. Protection of Critical Infrastructures
a. Who Should Attend
Managers of the companies operating critical infrastructures
Members of corporate cyber incident response teams
b. Prerequisites
Basic knowledge on information security
c. Course Syllabus
Description of critical infrastructure and critical infrastructure sectors
Information systems used in critical infrastructures
Corporate information systems and industrial control systems
SCADA and distributed control systems
Topologies and risk analysis
Critical infrastructure incidents
Vulnerabilities, threats and preventions
Physical security/information security integration
Information security management
Standards and information sources
Operators and regulators at national level
National cyber security organization
d. Duration
1 day
e. Benefits
Attendees will gain knowledge of critical infrastructures and industrial control systems, and will learn their vulnerabilities, threats and prevention techniques.
8. Business Continuity / Disaster Recovery Planning
a. Who Should Attend
Staff responsible for the management of business continuity / disaster recovery process, managers of institutions where business continuity / disaster recovery plan does not exist, developers of business continuity / disaster recovery plans, staff that has a role in the business continuity / disaster recovery plan, emergency team members and security auditors.
b. Prerequisites
None
c. Course Syllabus
Principles associated with the management of business continuity project
Threats that may target all institutions
Risk assessment and designation of security controls
How to conduct the business impact analysis
Developing the business continuity strategy
Design of emergency response and related activities, how to improve readiness
How to construct the disaster recovery teams
In case of disaster
o How to minimize the impact
o How to execute recovery within the designated duration
o Emergency communication requirements
Development and application of the business continuity plan
Training and awareness activities for quick and correct response
Testing and updating the business continuity plan
d. Duration
2 days
e. Benefits
Attendees will accumulate sufficient information to develop business continuity plans in their institutions.
9. Windows Security
a. Who Should Attend
Windows network administrators, Microsoft Active Directory administrators, staff from institutions which are planning safe migration to Microsoft systems, staff interested in Microsoft systems security.
b. Prerequisites
Basic knowledge of Windows and computer networks.
c. Course Syllabus
Windows operating system security (XP/2003/Windows 7/2008-R2)
IPSec, PKI (“Public Key Infrastructure”) and EFS (“Encrypting File System”)
“Powershell” development for Windows environment
d. Duration
3 days
e. Benefits
The course includes theoretical information as well as hands-on practice to equip attendees with the capability to apply Windows security best practices in their institutions.
10. Microsoft Systems Security
a. Who Should Attend
Windows network administrators, Microsoft Active Directory administrators, staff from institutions which are planning safe migration to Microsoft systems, IIS and Exchange administrators, staff interested in Microsoft systems security.
b. Prerequisites
Basic knowledge of Windows, Exchange, Active Directory and networks.
c. Course Syllabus
Microsoft Web Services Security (IIS 7.5)
Microsoft “PowerShell”
Active Directory and Network Services Security (Group policy, DNS, DHCP)
Patch management in Microsoft systems
d. Duration
4 days
e. Benefits
Attendees will acquire advanced-level information within the scope of Microsoft systems security. They will have the capability to apply Microsoft systems security best practices in their institutions.
11. Linux Security
a. Who Should Attend
Experts responsible for the security of Linux based systems, system administrators studying how to secure Linux based Internet applications, system administrators eager to learn about security tests and system hardening tools.
b. Prerequisites
Experience as Linux system administrator.
c. Course Syllabus
Secure setup
Configuration of startup services
Secure configuration of kernel
File system access control
User access control
Management of system logs
Security audit tools
Security hardening tools
Security script programming
d. Duration
3 days
e. Benefits
Attendees will be able to perform security hardening of Linux based operating systems. They will acquire the ability to use free software security tools on their systems. They will also acquire the capability to use or develop tools that will help them discover security breaches in their systems.
12. TCP/IP Network Security
a. Who Should Attend
System and network administrators, security and penetration test experts, staff of IT security department, IT security auditors.
b. Prerequisites
Basic knowledge of networks.
c. Course Syllabus
Protocols of the TCP/IP protocol stack
Operation principles of different layers of the TCP/IP stack and threats targeting these layers
Security vulnerabilities of TCP/IP protocols and mitigation techniques
Techniques, protocols and devices that are used to assure network security
Packet capturing software such as Wireshark, analysis of packets and protocols
Concepts such as SSL, IPSec, VPN and digital certificates
Network components such as Firewall, IDS/IPS and Proxy
d. Duration
2 days
e. Benefits
Applied work on the security of TCP/IP networks will bring a wealth of information and capabilities to the attendees. The attendees are expected to apply good security practices in their institutions' networks.
13. Active Network Device Security
a. Who Should Attend
System and network administrators, security and penetration test experts, staff of IT security department, IT security auditors.
b. Prerequisites
Basic knowledge of networks
c. Course Syllabus
Within the scope of (hardening of) active devices, network design and assuring the security of networks, the following topics will be studied theoretically with hands-on exercises.
Steps toward hardening of active devices that are commonly used today in internal networks and to connect networks to the outside world, such as
o Backbone switch
o Router
o Firewall
o Content filter
Security controls applicable to active devices, such as
o Physical security
o Equipment security
o Identity authentication
o Authorization and monitoring
o Patch management
o Access control lists
o Remote management control, etc.
d. Duration
2 days
e. Benefits
The attendees are expected to learn security controls applicable to active network devices through the theoretical and the applied parts of the course. The attendees are also expected to apply these security controls in their institutions.
14. System Security Audit
a. Who Should Attend
Information technology auditors, information security experts eager to enhance their system security audit abilities, system and network administrators willing to understand the security audit approach and prepare their systems for security audits.
b. Prerequisites
Basic network and operating system (Windows and Unix) knowledge, familiarity with perimeter protection systems.
c. Course Syllabus
Vulnerability and threat definitions
Open source security vulnerability scanners and how to use them
Discovering the topology of a network
Perimeter protection systems audit
Windows audit
Audit of Unix/Linux systems
d. Duration
4 days
e. Benefits
Attendees will learn how to use security vulnerability scanners. Attendees will also learn how to conduct security audits of operating systems, perimeter protection systems and web applications.
15. Basic Security Audit
a. Who Should Attend
Information technology auditors, information security experts eager to enhance their system security audit abilities, system and network administrators willing to understand the security audit approach and prepare their systems for security audits.
b. Prerequisites
Basic network and Windows operating system knowledge.
c. Course Syllabus
Vulnerability and threat definitions
Open source security vulnerability scanners and how to use them
o Nessus, Nmap, MBSA
Windows audit
o Security templates
o Security Configuration and Analysis
d. Duration
1 day
e. Benefits
Attendees will learn how to use security vulnerability scanners and how to conduct a security audit of the Windows operating system.
16. Wireless Network Security
a. Who Should Attend
Wireless network administrators, system or network administrators who wish to install and setup wireless networks, IT experts who wish to obtain information about wireless network security.
b. Prerequisites
Basic knowledge of networks.
c. Course Syllabus
Security risks in wireless local area networks
Secure wireless communication architecture
Software tools that are used for securing or attacking wireless networks
d. Duration
2 days
e. Benefits
Attendees will obtain information about the risks of wireless communication and techniques to mitigate these risks. Additional information will be supplied about wireless network audit tools.
17. Log Management
a. Who Should Attend
System and network administrators
Information systems experts
Information security managers and experts
b. Prerequisites
Basic knowledge of operating systems and information systems.
c. Course Syllabus
Basic concepts about log management,
Configuration settings needed in order to collect logs,
Log analysis techniques,
Crucial points in log management system setup,
Analysis of large log files,
Instant tracking of log files,
Log files to be investigated during a security breach,
Log files to be collected due to legal or institutional policies,
Common mistakes and problems of log collection process,
Log collection standards.
d. Duration
2 days
e. Benefits
Attendees will learn how to set up log management systems that collect logs efficiently from information systems in accordance with legal or institutional policies, and will acquire the ability to analyse these logs according to corporate needs.
18. Oracle Database Security
a. Who Should Attend
Database administrators, database security auditors.
b. Prerequisites
General information about databases and basic database management.
c. Course Syllabus
Database basics
Identity control
Access control lists
Database security audits
Network security
Database backup
Audit of access tools
Advanced security measures
d. Duration
3 days
e. Benefits
At the end of the course, auditors will be able to conduct security audits of databases, while database managers will be able to manage databases securely.
19. MS SQL Server Database Security
a. Who Should Attend
Database administrators, database security auditors.
b. Prerequisites
General information about databases and basic knowledge of database management.
c. Course Syllabus
SQL Server 2005/2008, general topics
Operating system configuration
Network configuration
SQL Server 2005/2008 setup and maintenance
SQL Server 2005/2008 configuration
Access control and authorization
Audit and log management
Backup and disaster recovery procedures
Replication
Software application development
“Surface Area Configuration” tool
SQL Server 2005/2008 test and monitoring tools
d. Duration
3 days
e. Benefits
At the end of the course, attendees will know the SQL Server 2005/2008 database security mechanisms and the factors affecting security. They will gain the ability to conduct a security audit of an SQL Server 2005/2008 database. Database managers, in the meantime, will learn how to manage their databases securely.
20. Web Applications Security
a. Who Should Attend
HTTP based application developers and auditors.
b. Prerequisites
Basic knowledge of Web technologies (HTTP, HTML, web servers, internet browsers) and at least one of the programming languages used in web applications (PHP, Java, ASP.NET, Perl, etc.).
c. Course Syllabus
Information gathering
Configuration management
User authentication
Input / output validation
Session management
Authorization
Application logic
Log management
Failure management
Secure application management
d. Duration
2 days
e. Benefits
The attendees will learn the important security components of HTTP based applications, the most common mistakes, how to avoid them and how to assure sustainable application security.
21. Security Information and Event Management Systems
a. Who Should Attend
Information system administrators, information system security administrators, IT auditors.
b. Prerequisites
Familiarity with information system components and security components of IT systems.
c. Course Syllabus
Centralized log management systems
Requirement for event correlation systems
Advantages of event correlation systems
Event correlation steps
OSSIM attack correlation systems
OSSIM overview
Basic components of OSSIM
Tools utilized by OSSIM
OSSIM setup
OSSIM component configuration
Policies
Data fusion from separate components
Attack correlation
System maintenance and update
d. Duration
4 days
e. Benefits
Attendees will obtain information about centralized attack correlation systems. They will learn how to centrally gather the logs accumulated on separate security components, how to monitor attacks conducted from an internal or an external network and take necessary steps against
22. Penetration Testing and Ethical Hacking
a. Who Should Attend
Staff responsible for conducting penetration tests and security audits, staff working in information security.
b. Prerequisites
Experience and awareness of security issues
Intermediate level of knowledge on Linux, Windows and TCP/IP
Intermediate level of experience about information system infrastructure.
c. Course Syllabus
Introduction (What is “Penetration test”? Crucial points before, during and after penetration tests and penetration test methodologies)
Discovery (Discovery categories. Applied nmap exercise; port scanning, service and operating system discovery, etc.)
Vulnerability discovery (Vulnerability concept. Nessus exercise; policy designation, scanning and vulnerability analysis)
Exploit (Exploit and payload concepts. Metasploit exercise; msfconsole, meterpreter, post-exploit and auxiliary modules, etc.)
Network penetration tests and layer two attacks (Network sniffing, MAC table flooding, ARP poisoning, VLAN hopping, DHCP IP pool exhaustion attacks)
External network tests and information gathering (Active and passive information gathering, “Google hacking”, etc.)
Social engineering (Using e-mail and telephone. Customized payload and malware generation – macro, pdf and exe. “Relay” vulnerability. “Post-exploitation”)
Web application tests (Input-output detection, XSS and SQL-i attacks)
d. Duration
5 days
e. Benefits
23. Log Analysis
a. Who Should Attend
System and network administrators
Information systems experts
Information security managers and experts
b. Prerequisites
Basic knowledge of operating systems, databases and computer networks.
c. Course Syllabus
Overview of log analysis,
Log analysis standards, rules and legal regulations,
Log collection and viewer tools,
Common mistakes in log analysis,
Incident response,
Log analysis in different stages of incident response,
Contribution of log analysis to incident response.
d. Duration
5 days
e. Benefits
Attendees will learn the basic concepts of log collection and log analysis, will acquire the ability to use log analysis in incident response, and will learn which logs can be used in which phase of an incident response. Furthermore, attendees will acquire the ability to use several log collection tools.
24. Prevention of DDoS Attacks
a. Who Should Attend
System and network administrators
b. Prerequisites
Basic knowledge on TCP/IP
Basic knowledge on network device management
c. Course Syllabus
Information security DoS/DDoS attack types
DoS/DDoS mitigation techniques
d. Duration
2 days
e. Benefits
Attendees will gain experience in:
Sniffing network traffic
Network traffic analysis
DoS/DDoS attack types
25. Information Systems Forensics
a. Who Should Attend
Staff from IT department who are eager to conduct information systems forensic analysis.
b. Prerequisites
Basic knowledge of Linux and Windows operating systems.
c. Course Syllabus
Computer incident response
Preliminary stages of computer forensic analysis
Information about the NTFS, FAT32, ext2 and ext3 file systems, such as how files are opened, saved and deleted in these systems
Non-volatility of data in different components of a computer (RAM, "stack" area, hard disks, etc.); data storage and retrieval from these components
Conducting computer incident forensic analysis on a Linux system and presentation of related tools
In the applied part of the course, setting up the forensic analysis environment and conducting, with tools, the analysis of a suspected file
Conducting computer incident forensic analysis on a Windows system and presentation of related tools
Legal framework for forensic analysis and storage of data in a format suitable for presentation to a court as evidence
d. Duration
3 days
e. Benefits
Attendees will be able to conduct computer forensic analysis on their own.
26. Computer Network Forensics
a. Who Should Attend
Network, system and security administrators, IT staff eager to conduct computer network forensic analysis.
b. Prerequisites
Basic knowledge of TCP/IP, networks, Linux and Windows operating system.
c. Course Syllabus
The following topics will be covered in order to conduct incident analysis and to collect evidence in case of a cybercrime without referring to storage components such as hard disks and RAM. Another objective is to detect incidents and malicious network traffic that exploit incorrect configuration of network components.
Foundations of forensic analysis
Network packet capturing technologies: Hardware, software and tools
Basic network protocols and components
Network security component log analysis: Logs of firewalls, intrusion detection and prevention systems, etc.
Analysis of network protocols (HTTP, SMTP, DNS etc.)
Deep packet inspection
Detection of malicious network traffic: “Man in the middle attack”, “DNS cache poisoning” etc. attacks
Detection of network traffic tunneling techniques: DNS, ICMP, SSH tunneling, etc.
Analysis of encrypted network traffic: “SSL traffic listening” technique
Reconstruction of network traffic to obtain the original data
Network flow analysis
d. Duration
4 days
e. Benefits
Attendees will be able to conduct forensic analysis and to collect evidence after cybercrimes without accessing storage components. They will also be able to detect malicious network traffic and security incidents arising from network components.
27. Windows Malware Analysis
a. Who Should Attend
IT staff eager to conduct Windows malware analysis.
b. Prerequisites
Familiarity with high-level programming features such as parameters, loops and functions,
Familiarity with the basic concepts of the Windows operating system ("process", "thread", "memory management", "registry", "handle", etc.),
Basic knowledge of network protocols such as IP, HTTP, TCP and UDP, and of packet capturing tools such as Wireshark,
Introductory level knowledge of assembly and the x86 architecture is required.
c. Course Syllabus
Windows operating system, basic concepts
Basic static analysis
Behaviour analysis
Code analysis
Hidden execution methods
Static analysis prevention methods
Dynamic analysis prevention methods
Memory dump analysis
Analysis of Web (browser) based malware
Analysis of malicious documents
d. Duration
5 days
e. Benefits
Attendees will obtain practical knowledge of reverse engineering. Attendees will also acquire the capability to analyse Windows and web based malware and malicious documents.
28. Secure Software Development
a. Who Should Attend
Software developers/engineers, software project managers, software quality control team and system architects.
b. Prerequisites
Intermediate experience with a programming language.
c. Course Syllabus
Security problems of software
Security problems of technology components where software is running
Basic elements of secure software development process
How to integrate a secure software development lifecycle to a software development process
Source code samples, demonstrating most common vulnerabilities and how to prevent them
Technologies that may be applied to assure the secure operation of the components on which the software depends, such as the application server and the database.
d. Duration
3 days
e. Benefits
Attendees will learn basic secure coding principles, secure software design and development, threat modeling and principles of security tests.
29. Advanced Penetration Testing and Ethical Hacking
a. Who Should Attend
Staff responsible for conducting penetration tests and security audits.
b. Prerequisites
Penetration testing and ethical hacking training course
Intermediate level of knowledge on Linux, Windows and TCP/IP
Basic level of programming experience (Scripting languages)
c. Course Syllabus
Packet forgery (Scapy)
Exploitation and post-exploitation (mimikatz, metasploit modules, meterpreter modules, incognito, remote registry, golden ticket, pivoting)
Man-in-the-middle attacks (ARP spoof, SSL Strip, SMB redirect, fake SMB Auth, LLMNR poisoning, DHCP starvation, rogue DHCP server, DNS spoofing, Mimf, scapy snippets)
Password cracking (password types, offline/online password cracking, john, cain, hydra, rainbow tables, crunch, ophcrack, python scripts)
Wireless network pentesting (Sniffing, de-authentication, man-in-the-middle attacks, handshake capture, password cracking, network decryption, wps pin cracking, rogue ap, radius server attacks, scapy snippets)
Heartbleed, Shellshock
d. Duration
5 days
e. Benefits
Attendees will be able to participate in and contribute to penetration tests using advanced attack techniques.
30. Vulnerability Detection and Development
a. Who Should Attend
Vulnerability researchers and software developers
b. Prerequisites
Basic knowledge on information security
c. Course Syllabus
Fundamentals of fuzzing
Network protocol fuzzing
Mutation based fuzzing
File format fuzzing
Reverse Engineering Methods for Vulnerability Analysis
d. Duration
3 days
e. Benefits