2016 TÜBİTAK BİLGEM Cyber Security Institute

Transcription

1 2016 Revision TÜBİTAK BİLGEM Cyber Security Institute 1

2 Information Security Awareness for End Users Information Security Awareness for Managers Social Engineering: Attack and Defense Methods Introduction to Information Security ISO Information Security Management System Implementation ISO Basics for Managers Cyber Incident Response Team Protection of Critical Infrastructures Business Continuity / Disaster Recovery Planning Windows Security Microsoft Systems Security Linux Security TCP/IP Network Security Active Network Device Security System Security Audit Basic Security Audit Wireless Network Security Log Management Oracle Database Security MS SQL Server Database Security Web Applications Security Security Information and Event Management Systems Penetration Testing and Ethical Hacking Log Analysis Prevention of DDoS Attacks Mobile Device Security Information Systems Forensics Computer Network Forensics Windows Malware Analysis Secure Software Development Advanced Penetration Testing and Ethical Hacking Vulnerability Detection and Development

3 3

4 1. Information Security Awareness for End Users Users of information systems. Basic knowledge to use information systems as a regular user. Role of user in information security Contribution of user to corporate Information Security Management System (ISMS) Access to computers Password security security Security while accessing the Internet Virus protection Setup, use and disposal of storage media File access and sharing Information backup Social engineering User responsibilities in computer incidents 3 hours Attendees will become familiar with the basics of information security and will enhance their awareness about the importance of corporate information security too. They will learn their duties and responsibilities as a contributor to a corporate ISMS. 4

5 2. Information Security Awareness for Managers Managers who wish to improve their understanding in the field of information security. Staff who has a general understanding about information systems wish to obtain further information about information security. General information about information systems. Basic concepts of information security Security policy Organizational security Human resource security Risk assessment and risk mitigation Business continuity Information security incident management Operating system security Network security Web security Digital certificates and certificate distribution systems Password management Antivirus systems 2 days Attendees will obtain information about the basic concepts of information security and overall fuctioning of ISMS. Introduction will be made based on the technical aspects of information systems security. 5

6 3. Social Engineering: Attack and Defense Methods All information system users, whereas the attendance of system administrators is critical. Classroom should be equipped with one personal computer per attendee since the training includes hands-on exercises. Social engineering concept Attack techniques Examples of social engineering attacks Social engineering tests Prevention methods Several social engineering applications 2 days Attendees will become familiar with the social engineering attacks, which is quite common and may lead to loss of confidential information, or even the reputation of an institution. Attendees will acquire the capacity of offering social engineering trainings as well. 6

7 7

8 4. Introduction to Information Security Staff who wants to learn about information security with all domains. None Introduction to information security, fundamental concepts TCP/IP Information security devices and techniques Cryptography Unix/Linux security Windows security Web security Wireless security Social engineering Log management Incident response Malware analysis Cyber attack types Advance persistent threats 10 days Attendees will learn fundamental concepts of information security, they will gain an overview of several concepts of information security such as Windows security, Linux security and cyber threats. Note: Duration and the context of the course may be shortened upon request from organizations. 8

9 5. ISO Information Security Management System Implementation Staff obliged to establish and maintain an ISO based ISMS as well as staff responsible for processes that will be subject to an ISO audit. Familiarity with quality management systems is helpful but not indispensable. What is an ISMS and why is it needed? Plan-Do-Check-Act process in ISO Risk assessment and treatment in information systems ISO control categories o Information security policies o Organization of information security o Human resources security o Asset management o Access control o Cryptography o Physical and environmental security o Operational security o Communications security o System acquisition, development and maintenance o Supplier relationships o Information security incident management o Information security aspects of business continuity management o Compliance ISO conformance audit o Audit planning o Audit checklists o Non-conformances and reporting Several applications 3 days Attendees will be able to establish ISMS in their institutions. Attendees will also be acquainted with audit concepts. 9

10 6. ISO Basics for Managers Managers who want to be familiar with an ISO based ISMS. Familiarity with quality management systems is helpful but not indispensable. What is an ISMS and why is it needed? History of the standard Annex SL structure PDCA (Plan-Do-Check-Act) mapping Clauses of the standard Annex A: Reference control objectives and controls Issues that have to be noticed during compatibility to the standard 3 hours Attendees will be familiar with ISO and ISMS. 10

11 7. Cyber Incident Response Team Staff obliged to establish or manage CERT (Computer Emergency Response Team) in their institutions. Staff working in the information security department of their institutions. Some experience is required about both the business processes and the information system infrastructure of the institution. Introduction (History, computer incident examples, CERT and security organization examples) Basic questions and titles about CERT (What is CERT? What is the scope of operational framework of CERT?) Computer incident management process (incident management service definition and functions) Operational components of CERT (software, hardware, policy and procedures) CERT project plan 2 days Objective of the training is to elevate the level of course attendees to a position where they can establish CERTs in their institutions. 11

12 8. Protection of Critical Infrastructures Managers of the companies operating critical infrastructures Members of corporate cyber incident response teams Basic knowledge on information security Description of critical infrastructure and critical infrastructure sectors Information systems used in critical infrastructures Corporate information systems and industrial control systems SCADA and distributed control systems Topologies and risk analysis Critical infrastructure incidents Vulnerabilities, threats and preventions Physical security/information security integration Information security management Standards and information sources Operators and regulators at national level National cyber security organization 1 day Attendees will gain knowledge on critical infrastructures and industrial control systems; will learn vulnerabilities, threats and prevention techniques. 12

13 9. Business Continuity / Disaster Recovery Planning Staff responsible for the management of business continuity / disaster recovery process, managers of institutions where business continuity / disaster recovery plan does not exist, developers of business continuity / disaster recovery plans, staff that has a role in the business continuity / disaster recovery plan, emergency team members and security auditors. None Principles associated with the management of business continuity project Threats that may target all institutions Risk assessment and designation of security controls How to conduct the business impact analysis Developing the business continuity strategy Design of emergency response and related activities, how to improve readiness How to construct the disaster recovery teams In case of disaster o How to minimize the impact o How to execute recovery in designated duration o Emergency communication requirements Development and application of the business continuity plan Training and awareness activities for quick and correct response Testing and updating the business cotinuity plan 2 days Attendees will accumulate sufficient information to develop business continuity plans in their institutions. 13

14 10. Windows Security Windows network administrators, Microsoft Active Directory administrators, staff from institutions which are planning safe migration to Microsoft systems, staff interested in Microsoft systems security. Basic knowledge of Windows and computer networks. Windows operating system security IPSec, PKI ( Public Key Infrastructure ) and EFS ( Encrypting File System ) Powershell development for Windows environment 3 days Course includes theoretical information as well as hands-on practice to equip attendees with the capability to apply Windows security best practices in their institutions. 14

15 11. Microsoft Systems Security Windows network administrators, Microsoft Active Directory administrators, staff from institutions which are planning safe migration to Microsoft systems, IIS and Exchange administrators, staff interested in Microsoft systems security. Basic knowledge of Windows, Exchange, Active Directory and networks. Microsoft Web Services Security Microsoft PowerShell Active Directory and Network Services Security (Group policy, DNS, DHCP) Patch management in Microsoft systems 4 days Attendees will acquire advance level information within the scope of Microsoft systems security. They will have the capability to apply Microsoft systems security best practices in their institutions. 15

16 12. Linux Security Experts responsible for the security of Linux based systems, system administrators studying how to secure Linux based Internet applications, system administrators eager to learn about security tests and system hardening tools. Experience as Linux system administrator. Secure setup Configuration of startup services Secure configuration of kernel File system access control User access control Management of system logs Security audit tools Security hardening tools Security script programming 3 days Attendees will be able to realize the security hardening of Linux based operating systems. They will acquire ability to use free software security tools on their systems. They will also acquire capability of using or developing tools that will help them discover security breaches in their systems. 16

17 13. TCP/IP Network Security System and network administrators, security and penetration test experts, staff of IT security department, IT security auditors. Basic knowledge of networks. Protocols of the TCP/IP protocol stack Operation principles of different layers of the TCP/IP stack and threats targeting these layers Security vulnerabilities of TCP/IP protocols and mitigation techniques Techniques, protocols and devices that are used to assure network security Packet capturing software such as Wireshark, analysis of packets and protocols Concepts such as SSL, IPSec, VPN and digital certificates Network components such as Firewall, IDS/IPS and Proxy 2 days Applied work about the security of TCP/IP networks will bring a wealth of information and capabilities to the attendees. The attendees are expected to apply good security practices in their institutions network. 17

18 14. Active Network Device Security System and network administrators, security and penetration test experts, staff of IT security department, IT security auditors. Basic knowledge of networks Within the scope of (hardening of) active devices, network design and assuring the security of networks, the following topics will be studied theoretically with hands-on exercises. Steps toward hardening of active devices that are commonly used today in the internal networks and they are also used to connect networks to the outside world, such as o Backbone switch, o Router, o Firewall, o Content filter Security controls applicable to active devices, such as o Physical security, o Equipment security, o Identity authentication, o Authorization and monitoring, o Patch management, o Access control lists, o Remote management conrtrol, etc. 2 days The attendees are expected to learn security controls applicable to active network devices through the theoretical and the applied parts of the course. The attendees are also expected to apply these security controls in their institutions. 18

19 15. System Security Audit Information technology auditors, information security experts eager to enhance their system security audit abilities, system and network administrators willing to understand the security audit approach and prepare their systems to security audits. Basic network and operating system (Windows and Unix) information, familiarity with peripheral protection systems. Vulnerability and threat definitions Open source security vulnerability scanners and how to use them Discovering the topology of a network Peripheral protection systems audit Windows audit Audit of Unix/Linux systems 4 days Attendees will learn how to use security vulnerability scanners. Attendees will also learn how to conduct security audit of operating systems, peripheral protection systems and web applications. 19

20 16. Basic Security Audit Information technology auditors, information security experts eager to enhance their system security audit abilities, system and network administrators willing to understand the security audit approach and prepare their systems to security audits. Basic network and Windows operating system information. Vulnerability and threat definitions Open source security vulnerability scanners and how to use them o Nessus, Nmap, MBSA Windows audit o Security templates o Security Configuration and Analysis 1 day Attendees will learn how to use security vulnerability scanners and how to conduct security audit of Windows operating system. Note: This course is a one-day-long (shorter) version of System Security Audit. 20

21 17. Wireless Network Security Wireless network administrators, system or network administrators who wish to install and setup wireless networks, IT experts who wish to obtain information about wireless network security. Basic knowledge of networks. Security risks in wireless local area networks Secure wireless communication architecture Software tools that are used for securing or attacking wireless networks 2 days Attendees will obtain information about the risks of wireless communication and techniques to mitigate these risks. Additional information will be supplied about wireless network audit tools. 21

22 18. Log Management System and network administrators Information systems experts b. Information security managers and expertsprerequisites Basic knowledge of operating systems and information systems. Basic concepts about log management, Configuration settings needed in order to collect logs, Log analysis techniques, Crucial points in log management system setup, Analysis of large log files, Instant tracking of log files, Log files to be investigated during a security breach, Log files to be collected due to legal or institutional policies, Common mistakes and problems of log collection process, Log collection standards. 2 days Attendees will obtain knowledge on how to setup log management systems in order to collect logs efficiently from information systems due to legal or institutional policies and obtain ability to analyse these logs according to corporate needs. 22

23 23

24 19. Oracle Database Security Database administrators, database security auditors. General information about databases and basic database management. Database basics Identity control Access control lists Database security audits Network security Database backup Audit of access tools Advanced security measures 3 days At the end of the course, auditors will be able to conduct security audit of databases whereas managers will be able to implement secure management of databases. 24

25 20. MS SQL Server Database Security Database administrators, database security auditors. General information about databases and basic knowledge of database management. SQL Server, general topics Operating system configuration Network configuration SQL Server setup and maintenance SQL Server configuration Access control and authorization Audit and log management Backup and disaster recovery procedures Replication Software application development Surface Area Configuration tool SQL Server test and monitoring tools 3 days At the end of the course, attendees will learn SQL Server database security mechanisms and factors affecting security. They will gain ability to conduct security audit to an SQL Server database. Database managers, in the meantime, will learn how to manage their database securely. 25

26 21. Web Applications Security HTTP based application developers and auditors. Basic knowledge of Web technologies (HTTP, HTML, web servers, internet browsers) and at least one of the programming languages used in web applications (PHP, Java, ASP.NET, Perl, etc.). Information gathering Configuration management User authentication Input / output validation Session management Authorization Application logic Log management Failure management Secure application management 2 days The attendees will learn important security components of HTTP based applications, most common mistakes, how to avoid making these mistakes and how to assure sustainable application security. 26

27 22. Security Information and Event Management Systems Information system administrators, information system security administrators, IT auditors. Familiarity with information system components and security components of IT systems. Centralized log management systems Requirement for event correlation systems Advantages of event correlation systems Event correlation steps OSSIM attack correlation systems OSSIM overview Basic components of OSSIM Tools utilized by OSSIM OSSIM setup OSSIM component configuration Policies Data fusion from separate components Attack correlation System maintenance and update 4 days Attendees will obtain information about centralized attack correlation systems. They will learn how to gather logs being accumulated on separate security components centrally, how to monitor attacks conducted from an internal or an external network and take necessary steps against an attack. 27

28 23. Penetration Testing and Ethical Hacking Staff responsible of conducting penetration tests and security audits, staff working in information security. Experience and awareness of security issues Intermediate level of knowledge on Linux, Windows and TCP/IP Intermediate level of experience about information system infrastructure. Introduction (What is Penetration test? Crucial points before, during and after penetration tests and penetration test methodologies) Discovery (Discovery categories. Applied nmap exercise; port scanning, service and operating system discovery, etc.) Vulnerability discovery (Vulnerability concept. Nessus exercise; policy designation, scanning and vulnerability analysis) Exploit (Exploit and payload concepts. Metasploit exercise; msfconsole, meterpreter, post-exploit and auxiliary modules, etc.) Network penetration tests and layer two attacks (Network sniffing, MAC table flooding, ARP poisoning, VLAN hopping, DHCP IP pool exhaustion attacks) External network tests and information gathering (Active and passive information gathering, Google hacking, etc.) Social engineering (Using and telephone. Customized payload and malware generation macro, pdf and exe. Relay vulnerability. Post-exploitation ) Web application tests (Input-output detection, XSS and SQL-i attacks) 5 days Attendees will be able to participate and contribute to penetration tests. 28

29 24. Log Analysis System and network administrators Information systems experts Information security managers and experts Basic knowledge of operating systems, databases and computer networks. Overview to log analysis, Log analysis standards, rules and legal regulations, Log collection and viewer tools, Common mistakes in log analysis, Incident response, Log analysis in different stages of incident response, Contribution of log analysis to incident response. 5 days Attendees will learn basic concepts about log collection and log analysis, will obtain ability to use log analysis in incident response, will learn which logs can be used in which part of an incident response. Furthermore attendees will obtain ability to use several log collection tools. 29

30 25. Prevention of DDoS Attacks System and network administrators Basic knowledge on TCP/IP Basic knowledge on network device management Information security DoS/DDoS attack types DoS/DDoS mitigation techniques 2 days Attendess will gain experience on: Sniffing network traffic Network traffic analysis DoS/DDoS attack types DoS/DDoS mitigation techniques 30

31 26. Mobile Device Security IT staff eager to conduct mobile application penetration testing and analyze mobile malwares. Basic knowledge about IP, HTTP, TCP, UDP, etc. network protocols, Wireshark etc. packet capturing tools Have a working knowledge on *NIX operating systems. Familiarity with basic security concepts and penetration testing. Basic knowledge about mobile application development and ability to read a written code. Basic concepts on mobile security Android operating system internals Security features of Android operating system Android application penetration testing ios operating system internals Security features of ios operating system ios application penetration testing Mobile malwares and analysis 5 days Attendees will obtain the knowledge about internals and security features of Android and ios platforms. At the end of the training they will be equipped with the ability to conduct penetration testing on mobile applications and analyze mobile malwares. Important: Attendees should bring their own Jailbroken ios devices (iphone, ipad, ipod) in order to complete hands-on ios penetration testing exercises. 31

32 32

33 27. Information Systems Forensics Staff from IT department who are eager to conduct information systems forensic analysis. Basic knowledge of Linux and Windows operating systems. Computer incident response Preliminary stages of computer forensic analysis Information about NTFS, FAT32, ext2, ext3 file systems such as, how files are opened, saved and deleted in these systems Non-volatility of data in different components of a computer (RAM, Stack area, hard disks etc.) Data storage and retrieval from these components Conducting computer incident forensic analysis on a Linux system and presentation of related tools In the applied part of the course, setting up the forensic analysis environment and conducting, with tools, the analysis of a suspected file Conducting computer incident forensic analysis on a Windows system and presentation of related tools Legal framework about forensic analysis and storage of data in a format which is suitable for presenting to a court as an evidence 3 days Attendees will be able to conduct computer forensic analysis on their own. 33

34 28. Computer Network Forensics Network, system and security administrators, IT staff eager to conduct computer network forensic analysis. Basic knowledge of TCP/IP, networks, Linux and Windows operating system. The following topics will be covered in order to conduct incident analysis and to collect evidence in case of a cybercrime without refering to storage components such as hard disks and RAM. Another objective is to detect incidents and malicious network traffic exploiting incorrect configuration of network components. Foundations of forensic analysis Network packet capturing technologies: Hardware, software and tools Basic network protocols and components Network security component log analysis: Logs of firewalls, intrusion detection and prevention systems, etc. Analysis of network protocols (HTTP, SMTP, DNS etc.) Deep packet inspection Detection of malicious network traffic: Man in the middle attack, DNS cache poisoning etc. attacks Detection of network traffic tunneling techniques: DNS, ICMP, SSH tunnelling etc. Analysis of encrypted network traffic: SSL traffic listening technique Reconstruciton of network traffic to obtain original data Network flow analysis 4 days Attendees will be able to conduct forensic analysis and to collect evidence without accessing storage components after cybercrimes. They will be able to detect malicious network traffic and security incidents due to network components as well. 34

35 29. Windows Malware Analysis IT staff eager to conduct Windows malware analysis. Being familiar with high-level programming features such as parameters, loops and functions, Being informed about basic concepts of Windows operating system ( process, thread, memory management, registry, handle etc.), Having basic information about IP, HTTP, TCP, UDP, etc. network protocols, Wireshark etc. packet capturing tools, Having introductory level knowledge of assembly and x86 architecture is required. Windows operating system, basic concepts Basic static analiysis Behaviour analysis Code analysis Hidden execution methods Static analiysis prevention methods Dinamic analysis prevention methods Memory dump analysis Analysis of Web (browser) based malware Analysis of malicious documents 5 days Attendees will obtain applicable information about reverse engineering. Attendees will also acquire Windows and web based malware and malicious document analysis capability. 35

36 30. Secure Software Development Software developers/engineers, software project managers, software quality control team and system architects. Intermediate experience with a programming language. Security problems of software Security problems of technology components where software is running Basic elements of secure software development process How to integrate a secure software development lifecycle to a software development process Source code samples, demonstrating most common vulnerabilities and how to prevent them Technology that maybe applied to assure secure operation of components such as application server and database, where software is running, since software depends on these systems. 3 days Attendees will learn basic secure coding principles, secure software design and development, threat modeling and principles of security tests. 36

37 31. Advanced Penetration Testing and Ethical Hacking Staff responsible of conducting penetration tests and security audits. Penetration testing and ethical hacking training course Intermediate level of knowledge on Linux, Windows and TCP/IP Basic level of programming experience (Scripting languages) Packet forgery (Scapy) Exploitation and post-exploitation (mimikatz, metasploit modules, meterpreter modules, incognito, remote registry, golden ticket, pivoting) Man-in-the-middle attacks (ARP spoof, SSL Strip, SMB redirect, fake SMB Auth, LLMNR poisioning, DHCP starvation, rogue DHCP server, DNS spoofing, Mimf, scapy snipets) Password cracking (password types, offline/online password cracking, john, cain, hydra, rainbow tables, crunch, ophcrack, python scripts) Wireless network pentesting (Sniffing, de-authentication, man-in-themiddle attacks, handshake capture, password cracking, network decryption, wps pin cracking, rogue ap, radius server attacks, scapy snipets) Heartbleed, Shellshock 5 days Attendees will be able to participate and contribute to penetration tests with advanced attack techniques. 37

38 32. Vulnerability Detection and Development Vulnerability researchers and software developers Basic knowledge on information security Fundamentals of fuzzing Network protocol fuzzing Mutation based fuzzing File format fuzzing Reverse Engineering Methods for Vulnerability Analysis 3 days Attendees will be able to do vulnerability research on softwares. 38

39 Cyber Security Institute The activities of Cyber Security Institute (CSI) which was firstly established as the IT Systems Security Division under the National Electronics and Cryptology Research Institute, was aimed at the improvement of the national cyber security capacity in Since 2012, it has been operating as a separate institute under TÜBİTAK BİLGEM. Cyber Security Institute provides information systems and security consultancy services to the public, private and military organizations and conducts research and development activities. Cyber Security Institute has contributed to the development of IT security know-how through its many successful projects. TÜBİTAK BİLGEM Cyber Security Institute Gebze/Kocaeli/TURKEY Phone: Fax:

40 TÜBİTAK BİLGEM Cyber Security Institute Gebze/Kocaeli/TURKEY Phone: Fax: