Securing your business with IA and cyber security training

Transcription

1 Securing your business with IA and cyber security training Britain is hit by up to 1,000 cyber attacks every hour. Source: British Intelligence Sources, quoted in the Daily Telegraph Cybercrime and information security breaches are on the rise. From phishing scams and Trojan worms to laptops left on trains, businesses need the correct security measures and processes in place to make sure they are protected. At QA, we deliver training to: help you to protect your organisation from hackers and security breaches enable best practice IA (Information Assurance) and cyber security meet all of your needs - we provide a range of security training options including: vendor specific courses policy and guidance courses from professional security bodies government specific IA courses transforming performance through learning

2 You can t afford not to invest in IA and cyber security training Hackers, Trojan worms and Zeus botnets may sound like the stuff of gritty crime novels and Hollywood thrillers, but cybercrime is very real and it is having a very real effect on UK businesses today. The threat Intelligence sources have warned that Britain is being targeted by up to 1,000 cyber attacks every hour in a relentless campaign to steal secrets, access confidential data or disable corporate systems. If your business does not have the right measures in place, your IT systems are at risk of being compromised in fact, they may already have been compromised, and the impact of not recognising or pre-empting online security breaches can be far reaching and long term. Developments in technology have meant that practically all businesses rely on the internet. Whether it be to conduct business meetings, store business data or just to send s the daily running of a business tends to be conducted online. This reliance on the internet comes with its own risks. The online environment offers thieves new ways of accessing confidential company information and so online security needs to be taken very seriously. How to protect your business Approximately 80% of known cyber attacks could have been prevented or successfully overcome with the implementation of basic business security practises targeted at employees, processes and technology. Educating your workforce and raising user awareness is the first step you need to take to protect your business. Your cyber security training needs A company s cyber security training needs can be categorised as follows: All of your employees need to be armed with the knowledge to be able to identify potential threats and to empower them to operate in a secure way Your operational team need the skills to develop and implement secure processes and policies Your IT team need the skills to be able to secure your technical systems and the ability to defend them should they be breached QA offers the definitive cyber security portfolio of training courses which will meet all of your IA and cyber security needs. Nearly two-thirds of critical infrastructure companies report regularly finding malware designed to sabotage their systems. Source: McAfee,

3 The definitive IA and cyber security course portfolio Below are details of all of the IA and cyber security courses which QA offers. It details everything from product/technology-based courses and certification tracks, to best-practise courses which focus on giving a more general overview of IA and cyber security. End User/Technology Awareness Foundation Intermediate Advanced BCS and ISC (2) EC Council CompTIA Technical Non-Certification Courses ISO27001 The Open Group Operating Systems Fundamentals Cyber Security: An Introduction End User Security: Protecting Your Online Footprint Understanding the World Wide Web Fundamentals of Networking and the Internet Understanding the Cyber Threat EC Council Certified Secure Computer User Introduction to TCP/IP Introduction to ISO BCS Certificate in Information Security Management Principles IT Security Fundamentals Introduction to Cyber Security for Industrial Control Systems CompTIA Security + EC Council Secure Computer User Specialist OSI Open Source Intelligence Investigators: An Introduction OSI Social Engineering Attack and Defence ISO Implementation BCS Practitioner Certificate in Information Risk Management BCS Certificate in Data Protection EC Council Certified Network Security Administrator ISC (2) Systems Security Certified Practitioner BCS Practitioner Certificate in Business Continuity Management BCS Certificate in Freedom of Information Understanding and Managing the Threat of Malware PKI and TLS Workshop Stress Testing your Network Security CompTIA Advanced Security Practitioner ISO Lead Implementer ISO Internal Auditor Penetration Testing Tools & Techniques Wireless Security: Hands-On BCS Intermediate and Practitioner Certificates in Enterprise and Solution Architecture TOGAF 9 Foundation and Certified (Level 1 and 2) Developing Secure.NET Web Applications Mitigating the OWASP Top 10 Security Vulnerabilities Developing Secure Java Web Applications Mitigating the OWASP Top 10 Security Vulnerabilities Hands-on cyber security for Industrial Control Systems EC Council Certified Ethical Hacker EC Council Certified Security Analyst ISO/IEC Lead Auditor ISO Registered Auditor Qualification OSI Open Source Intelligence Investigators: Advanced ISC (2) Certified Information Systems Security Professional EC Council Computer Hacking Forensic Investigator CISSP Concentrations Architecture Professional Engineering Professional Management Professional QA also offers IA and cyber security training from the following vendors: info@qa.com All third party trademark rights acknowledged. Acronis Check Point Cisco Citrix Juniper Microsoft Novell Sun Wireshark

4 IA training for government Trust the experts: training using licensed materials from CESG, the National Technical Authority for Information Assurance. The information held by government departments is critically important, highly sensitive and in need of protection. Any security issue or loss of data could put individuals, companies and even the nation as a whole at risk. Government departments have to protect their systems and the information which they hold. The Cabinet Office, through CESG (the National Authority on Information Assurance), sets IA and cyber security policies and standards which government departments must adhere to. QA is the only commercial organisation to work across central and local government, providing training using licensed materials from CESG, for IA professionals. QA s courses include: IA Fundamentals of Information Assurance in HMG Information Risk Management for HMG IA Practitioners - IS 1&2 Information Assurance Accreditor Introduction 2 days There are over 20,000 malicious s on government networks each month. Tempest EM Security and TEMPEST Fundamentals TEMPEST Testers basic onsite testing TEMPEST Testers transmitter testing TEMPEST Testers certification testing TEMPEST Testers advanced testing 2 days 15 days 10 days 5 days 15 days Iain Lobban Director of GCHQ CAS(T) CAS(T) Lead Auditor Conversion (inc exam)

5 Timeline of security breaches Below is a timeline which illustrates some of the key events in the evolution of cybercrime. It shows the evolving nature of cybercrime and the increasing threat which it poses to businesses and public sector organisations alike Nevil Maskelyne disrupts a radio demonstration by John Fleming and Guglielmo Marconi. Maskelyne sent messages to 1966 QA/IACyber/Jan2014 QA Ltd All rights reserved John von Neumann publishes the paper 'Theory of self-reproducing automata'. The ideas in the paper were instrumental in the creation of early computer viruses. The Animal (the first trojan malware program) is released. It was a non-malicious virus but it exploited holes in the Operating System of the computer and left the name of the Animal in all the directories and files that the user had access to. US Government introduces the Comprehensive Crime Control Act. It introduced new rules against the unauthorised access and use of computers/computer networks. The Cascade virus is released. It was the first virus that was able to encrypt itself to avoid detection. It caused the letters of a document to 'fall' to the bottom of the screen. The virus caused IBM to publicly release anti-virus software. The Concept macro virus is released. The first macro virus for Microsoft Word found in the wild. The Code Red worm is released. The worm attacked a vulnerability in Microsoft's Internet Information Server (IIS) and infected around 2 million servers. March - The Witty worm is the first Internet worm to carry a destructive payload. Witty attacked computers that had ISS firewall products installed. Once infected the machines would attempt to infect other random IP addresses and then crash the host's hard disk. August - The first appearance of the Vundo trojan is recorded. These Trojans displayed pop-up ads for spyware or malware removal software and switched off some security features and programs. February - The first malware designed for the MAC Operating System is detected. The trojan known as either Leap-A or Oompa-A used the ichat application to spread to other devices. Jeremy Clarkson publishes his bank account details in The Sun newspaper (in response to panic over child benefit data breach) Someone set up a 500 direct debit to the charity Diabetes UK. Clarkson forced to admit that he was wrong and that the information could be used to remove money from his account. Google network is compromised. Many other large companies reveal that they have also been compromised - The aim of the attacks was to gain access to intellectual property and software code. March - Global Payments is attacked. 1.5 million Visa and Mastercard card details are compromised. April - Hacker Edward Pearson investigated for stealing confidential information. Police found information for 200,000 PayPal accounts, 3000 credit card accounts and the personal details of over 8 million UK residents. Pearson also infiltrated Nokia s network and 8000 staff records. June - LinkedIn is compromised - 6 million passwords stolen. The passwords were then loaded onto a Russian web forum the receiver on the stage of the Royal Institute in London, revealing vulnerabilities within the system. The Creeper worm spreads through ARPANET the Advanced Research Projects Agency Network, funded by the US Defence Department. It infected the main-frame computers, copying itself onto the system and displaying a message. The ARF-ARF virus is released. A Trojan horse which wiped out a computers directory by offering to sort it into alphabetical order. Robert Schifreen & Stephen Gold are arrested for accessing the British Telecom network. The case was a major factor in the creation of the Computer Misuse Act The Computer Misuse Act passed by the British Government. The Act makes it an offence to obtain unauthorised access to a computer or computer network. The ILoveYou worm affects networks across the world. The worm used social engineering techniques to entice users to open the mail attachment and then exploited weaknesses in common mail systems to spread within organisations. The worm infected over 50 million computers. January - The SQL Slammer worm is released. The worm attacked machines running Microsoft SQL Server. It only took 15 minutes to spread worldwide. September - First Titan Rain attack is detected. Titan Rain targeted military and contractor networks. It was one of the first examples of an Advanced Persistent Threat (APT) attack. It involved a rapid breach that removed data to intermediate servers in South Korea, Hong Kong & Taiwan. The UK National Infrastructure Security Co-ordination Centre (NISCC) reports targeted attacks on over 300 Government departments and major commercial organisations. January - The Storm worm begins attacking computers through an spam campaign. Infected computers are then used to deliver spam s. October - Two CDs containing the child benefit database went missing after being sent by a courier. The information was secured using a very basic password mechanism which could be easily bypassed. There has been no evidence that the discs fell into criminal possession. Credit card transaction processing company Heartland Payment Systems network breached. Tens of millions of credit card details were compromised. March - RSA servers are compromised. Network breached by an phishing attack aimed at employees, which carried an Excel attachment with a Remote Administration Tool (RAT). Using the RAT attackers accessed RSA servers. April - The PlayStation network is breached. Information - including financial details of 77 million users - is compromised. Adobe is compromised million customers names and credit card information stolen. Cyber-attack war game, Waking Shark II, launched in London to test security of financial institutions a step in the right direction to ensure companies are prepared for an attack. LivingSocial daily-deal website hackers retrieved more than 50 million users data. Hacker group, Anonymous, attacks The Federal Reserve internal site and accesses personal data of more than 4,000 bank executives.