Building a Virtual Constructivist Learning Environment for Learning Computing Security and Forensics


ORIGINAL ARTICLE

Liangxiu Han, Jamie Harries and Phillip Brown
School of Computing, Mathematics and Digital Technology, Manchester Metropolitan University, UK
Corresponding author: Liangxiu Han, School of Computing, Mathematics and Digital Technology, Manchester Metropolitan University, UK

Abstract

Practical experience of security and forensic computing is of increasing relevance for student employability, and courses on these topics have grown in popularity with students. Learning by doing (experiential learning) is an effective pedagogical way to help students build up their knowledge of these subjects constructively. To improve student engagement and employability and to make these courses sustainable, this paper proposes and develops a portable, unified constructivist learning environment using virtualisation technology, together with a wide spectrum of hands-on materials on both security and forensic computing topics, so that students can learn experientially. The work presented here is an exemplar of applying constructivist learning theory to security and forensic computing education and to similar courses, and offers a new way to improve and transform undergraduate STEM education.

Keywords: computing security and forensics, constructivist learning, virtualisation

Introduction

With the increasing demand for specialists in security and forensic computing, many universities have made the related topics mainstream courses at both undergraduate and postgraduate levels. Effective learning on these courses relies heavily on engagement with a significant amount of hands-on exercise, as suggested by constructivist learning theory (Vygotsky 1978, Piaget 2001).
Constructivist learning emphasises multiple representations of reality and knowledge, and encourages thoughtful reflection on experience. It uses authentic tasks in a meaningful context rather than abstract instruction out of context, which helps students transfer their skills to the work environment and improves employable skills such as problem solving based on real-world cases.

The Higher Education Academy 49 doi: /ital

Previous efforts have been made to create practical labs on security topics. For example, Tao et al. (2010) focused mainly on teaching Web application security. Hill et al. (2001) and Irvine et al. (2004) developed an example security project and network security labs. Attack-based labs (Micco & Rossman 2002, Wagner & Wudi 2004), used in many security courses, help students analyse and discover system vulnerabilities. Other labs focus on teaching application skills (Romney & Stevenson 2004, George & Valeva 2006, O'Leary 2006), for example how to use security tools to harden a system. Despite this encouraging work, there are several limitations. First, the existing work covers only a limited set of topics, and only on the security side: to the best of our knowledge, little has been done to offer forensic computing hands-on labs that are publicly available for use in the UK HEI sector. Second, most existing work adopts different techniques and requires dedicated, non-standardised computing environments. Adapting the existing materials to an institution's own environment costs educators money and time, and students have to learn several different learning environments, which hinders wider adoption across the HE sector. Additionally, many security and forensic computing labs require super-user privileges, and no institution will give students super-user privileges on real machines because of the potential dangers.
To improve student engagement and employability (mainly strong problem-solving skills in this context) and to make these courses sustainable, this paper proposes and develops a portable, unified constructivist learning environment using virtualisation technology, together with a wide spectrum of hands-on materials on both security and forensic computing topics that let students learn by doing, by exploring and by breaking. The work, part of our BLOSSOM project funded by The Higher Education Academy (HEA), is an exemplar of applying constructivist learning theory to security and forensic computing education and to similar courses, and offers a new way to improve and transform undergraduate STEM education. Our contributions are as follows:

1. Incorporating both pedagogical and subject aspects into security and forensic computing education to enhance learning and employability. Our work attends both to the constructivist design rationale and to forensic and computing security principles and practical skills, and offers timely, up-to-date hands-on lab exercises that help students in their professional careers.

2. Providing a unified, portable constructivist learning environment. Pedagogically, the environment presents multiple real cases so that students solve problems and construct knowledge in a meaningful context, which improves their employable skills. Technically, the project adopts virtualisation: the learning environment is implemented as virtual machines launched from a file, with no requirement for super-user privilege on the host or for special-purpose facilities, so students can conduct the hands-on exercises on their own personal computers or on any modern departmental PC. The advantages of this approach are cost-effectiveness, standardisation and portability, which will facilitate its widespread use in higher education.

3. Providing a complete software product. Our final product integrates the software with a set of lab modules; it can be freely downloaded from the project website (Han 2012) and used by anyone interested in security and forensics.

Rationale and methodology

Computing security and forensics are closely linked with many subject areas, such as networking, programming and operating systems, and generally cover a greater diversity of topics than traditional computing science courses. For example, IPSec (Internet Protocol Security) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. It is closely linked with both computer networking and security: students first need to understand how network devices are interconnected, and then how packets can be transferred securely between them. It is therefore critical to design materials that help students develop both their general skills as computer scientists and their professional skills as forensic and security specialists. Our work accordingly focuses on a wide spectrum of security and forensic lab modules, covering not only fundamental security principles and practices but also the general computing principles that help students understand, design and improve system security and carry out forensic investigation.

Pedagogically, our labs are classified into three types: learning by breaking, learning by doing and learning by exploration. We describe each category in the following sections; the full list of lab modules is given in Table 1, and a glossary of lab terms relating to security and forensics is in Appendix 1.

Learning by breaking

This type of lab enables students to learn from their mistakes. It mainly helps students understand the principles and vulnerabilities of existing systems and applications, build their own scenarios containing security and forensic computing flaws, and then solve the problems. Specific security attack scenarios and exploits are demonstrated along with preventative techniques.
These labs exploit the vulnerabilities of a system at different levels, such as the operating system, network protocols and Web applications. Some examples of our lab modules are:

Network protocol attack scenarios: IP (Internet Protocol) fragmentation, performing network attacks using Scapy (2013), and so on. From these labs students gain networking, programming and security knowledge and skills through the use of Scapy.

Web-based security: for example XSS (Cross Site Scripting) and CSRF (Cross Site Request Forgery). These attack labs help students understand Web application vulnerabilities and design a secure Web application.

Operating system labs: for example buffer overflow exploitation. Through step-by-step operations students gain immediate experience of how a buffer overflow works and how the vulnerability can be prevented. This lab involves programming in languages such as C/C++.

Learning by doing

The purpose of this type of lab is to reinforce the knowledge students have gained from lectures and to help them apply it to real life. Students design and implement security functionality to harden computer systems according to stated objectives and a range of choices. Examples of these labs are:

Forensic labs: steganography and steganalysis, forensic imaging, network forensics, and so on. These labs mainly help students understand forensic analysis principles and methods.

Security labs: secure transactions using SSL (Secure Sockets Layer), cryptography (symmetric and asymmetric encryption), IPSec (Internet Protocol Security), and so on. Students learn how to encrypt and decrypt messages.

Learning by exploration

This type of lab focuses both on exploring security functionality and on collecting and analysing forensic evidence. The labs help students understand how to collect evidence from applications, components, networks and systems, and how to analyse it; questions such as "how do you perform ethical hacking?" and "what are the vulnerabilities of this system?" can be explored. Examples of labs covering forensics and security include:

Internet forensics: Firefox and Chrome analysis. The focus of this lab is the analysis of user histories in different Web browsers.

Ethical hacking: based on real-world examples, and offering a valuable opportunity to develop ethical hacking skills, this lab explores the nature of system vulnerabilities and how they can be exploited in an ethical way.

Linux capabilities and Set-UID (set user ID) vulnerability: this lab explores vulnerabilities in Linux systems by requiring students to conduct a set of experiments based on real case studies.

A full list of labs is given in Table 1.

Table 1 BLOSSOM lab modules.

ID | Name | Type | Notes
1 | BLOSSOM User Guide | User guide | Use of BLOSSOM
2 | Virtual Machine Guide | Prerequisite lab |
3 | Linux Guide | Prerequisite lab |
4 | Buffer Overflow | Learning by breaking | Vulnerabilities/security
5 | Cross Site Request Forgery (CSRF) | Learning by breaking | Vulnerabilities
6 | DNS Pharming | Learning by breaking | Vulnerabilities
7 | SQL Injection | Learning by breaking | Vulnerabilities
8 | Cross Site Scripting (XSS) | Learning by breaking | Vulnerabilities
9 | Automated Forensic Analysis Using Digital Forensic Framework | Learning by doing | Forensics
10 | Forensic Imaging and Artifacts Analysis | Learning by doing | Forensics
11 | Memory Forensics | Learning by doing | Forensics
12 | Network Packet Analysis and Scapy Introduction | Learning by doing | Forensics/security
13 | Scapy: Performing Network Attacks | Learning by doing | Forensics/security
14 | Python Scripting with Scapy | Learning by doing | Forensics/security
15 | Network Attacks | Learning by doing | Forensics/security
16 | IPSec | Learning by doing | Security
17 | Network Forensics: Network Traffic Analysis | Learning by doing | Forensics/security
18 | Steganography & Steganalysis | Learning by doing | Forensics/security
19 | Secure Transactions Using SSL | Learning by doing | Security
20 | Linux Capabilities & Set-UID Vulnerability | Learning by exploration | Security
21 | Introduction to Ethical Hacking | Learning by exploration | Forensics/security
22 | Ethical Hacking: Vulnerability Assessment | Learning by exploration | Forensics/security
23 | Internet Forensics | Learning by exploration | Forensics/security
24 | Network Scanning with Scapy | Learning by exploration | Forensics/security
25 | File Content Analysis | Learning by exploration | Forensics
26 | Dynamic Content of Websites | Learning by exploration | Foundation for Web security

Design of a portable virtual platform on which the lab exercises run

To conduct the labs, we have implemented the lab modules as virtual instances in the form of files, which are therefore portable. The labs can be conducted on students' personal computers or on any modern departmental PC without a special computing environment or any concern about super-user privilege. Our final product is available on the project website (Han 2012), free of charge to all users.

A virtual platform means the creation of a virtual machine using a software product such as KVM (2012), VMware (2012) or Xen (2012). A virtual machine, the guest, runs on a physical machine, the host; it is implemented as a folder of files and behaves like a real computer. Several virtual machines can be created on one physical machine, the number depending on the host's specification (a high-spec machine can host more), and one or more of them can be configured for different lab exercises. In our work we have used the KVM virtualisation platform to develop lab modules along the three themes: learning by breaking, learning by doing, and learning by exploration and analysis. The advantages of using virtualisation in this work include:

Low cost: apart from staff time, there is no other cost in employing virtualisation; Xen and KVM are open source.
In our work we have used KVM for the labs. Together with the unified learning environment, this makes the labs affordable and removes barriers to wider adoption.

A unified, portable learning environment: the virtual machines are implemented as virtual instances in the form of files, so the lab environment is portable and students can run the different labs on their own computers or on departmental machines. Students can also conduct the labs in ways that would normally break the machine, without any worry, because they can simply restart the lab from a fresh copy of the virtual instance.

No constraints on super-user privilege: many security labs need super-user privilege. Inside the virtual machine a student can operate as super-user to conduct experiments without posing undue risk to the host machine's configuration or network. (The student does still need permission to open /dev/kvm on the host, normally granted by group membership rather than by root access; without it the virtual machine falls back to QEMU's slower software emulation.)

Implementation

To provide a portable, unified learning environment for students we have chosen an implementation based on virtualisation. The following subsections describe the implementation in detail.

The unified portable learning platform

We have used KVM to realise the virtual platform. KVM is a pair of Linux kernel modules implementing full virtualisation on Linux for supported processors: one module provides the core virtualisation infrastructure and the other provides processor-vendor-specific support, for Intel VT or AMD SVM. Each KVM virtual machine runs as a single process on the host, using a user-space component adapted from the QEMU PC system emulator.

Each lab module consists mainly of two parts: 1) a base virtual image, a customised BLOSSOM image based on Debian Live (2013) with the necessary packages preinstalled, on which we have also configured and developed scripts for the real-world scenarios and for running the experiments; and 2) a lab instruction document that students follow to complete the lab. Our learning platform can easily be configured on a single machine or in a networked environment, as shown in Figure 1. Figure 2 shows a virtual environment within BLOSSOM created on a lab machine, and Figure 3 shows an example of the steps carried out in the network forensics lab.

Figure 1 BLOSSOM portable platform environment: a) BLOSSOM in a single-machine environment; b) BLOSSOM in a network environment.

As part of the deliverables of the HEA-funded BLOSSOM project (Han 2012), we tested the labs in classes during the second term. Initial feedback on the labs was good in terms of the knowledge learned and skills gained by the students (some examples are given in the Evaluation section).

The lab modules

During the project we developed 23 lab modules on security and forensics, and added two prerequisite labs. All of the labs are listed and described in Table 1, which gives an overview of the lab modules; please also refer to the glossary of terms in Appendix 1.
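The two properties the platform relies on, a fresh copy of the image on every run and no host privileges, map onto specific QEMU/KVM options. The launcher below is an added example written for this page, not BLOSSOM's own tooling; it assumes the lab image is a qcow2 file started with qemu-system-x86_64, and adds one check the paper does not mention: a SHA-256 manifest so a student can confirm the image they downloaded is the one the lecturer published before booting it as root inside the guest.

```python
"""Disposable launcher for a file-based lab VM image.

Added example (not from the BLOSSOM project). Assumptions: the image is qcow2,
QEMU is installed as qemu-system-x86_64, and the lecturer publishes the image's
SHA-256 alongside it.
"""
import hashlib
import hmac
import subprocess
import sys
from pathlib import Path


def digest_chunks(chunks):
    """SHA-256 hex digest of an iterable of byte chunks (so multi-GB images stream)."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def file_digest(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(chunk_size), b""))


def verify_image(path, expected_hex):
    """True only if the image on disk matches the published digest."""
    return hmac.compare_digest(file_digest(path), expected_hex.lower())


def qemu_argv(image, mem_mb=1024, ssh_port=2222):
    """Command line for a throw-away run of the lab image.

    -snapshot       guest writes go to a temporary overlay, so the distributed
                    image is never modified: 'breaking' the VM is undone by the
                    next launch, which is the fresh-copy behaviour the labs need.
    accel=kvm:tcg   use KVM when /dev/kvm is accessible, otherwise fall back to
                    pure emulation (slower, but needs no host privileges at all).
    user netdev     NAT through QEMU's user-mode stack: no bridge or tap device,
                    hence no root on the host; the guest is reachable only on the
                    forwarded port, bound to loopback so nothing else on the LAN
                    can reach a deliberately vulnerable lab VM.
    """
    return [
        "qemu-system-x86_64",
        "-machine", "accel=kvm:tcg",
        "-m", str(mem_mb),
        "-snapshot",
        "-drive", f"file={image},format=qcow2,if=virtio",
        "-netdev", f"user,id=n0,hostfwd=tcp:127.0.0.1:{ssh_port}-:22",
        "-device", "virtio-net-pci,netdev=n0",
        "-display", "none",
        "-serial", "mon:stdio",
    ]


def launch(image, expected_hex, **kw):
    """Refuse to boot an image whose digest does not match the manifest, then run QEMU."""
    image = Path(image)
    if not verify_image(image, expected_hex):
        raise SystemExit(f"{image}: digest mismatch, refusing to boot a tampered or corrupt image")
    return subprocess.call(qemu_argv(str(image), **kw))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: launch_lab.py <image.qcow2> <expected-sha256>")
    sys.exit(launch(sys.argv[1], sys.argv[2]))
```

Because of `-snapshot`, anything a student does inside the guest, including running as root and wiping the filesystem, is discarded when QEMU exits; a lab that needs to persist state between sessions would drop that flag and instead keep a per-student overlay created with `qemu-img create -f qcow2 -b base.qcow2 -F qcow2 student.qcow2`.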
Figure 2 The BLOSSOM virtualised environment.

Figure 3 An example step of conducting a network forensics lab.

Evaluation

According to the project plan, we conducted a first-stage, small-scale test and evaluation by applying some lab modules in second-term class teaching (a large-scale evaluation will be carried out after completion of the project). We then modified the labs based on the students' feedback, as an iterative development of the lab modules; a questionnaire was created to collect the feedback. The full list of questions for the large-scale evaluation can be found on the project website, blossom/deliverables.htm (Han 2012); here we focus mainly on three questions:

1. Do you think this lab is useful?
2. How long did you spend on the lab?
3. What kind of knowledge have you gained from the lab?

Figures 4 to 7 give statistics for selected tested labs, drawn from the questionnaires. We tested the labs in class teaching with third-year students (16) and second-year students (40).

Figure 4 Feedback on the question "Do you think this lab is useful?": a) 16 students from the third year; b) 16 students from the third year.

Figures 4a, 4b, 5a and 5b show the results obtained from the 16 third-year students. These students already had a basic knowledge of Linux and virtualisation, which is a prerequisite for most of these labs. On the first question, all students felt the labs were useful (Figures 4a and 4b), and most strongly agreed: 63% for Scapy: performing network attacks and 50% for steganography and steganalysis. The labs vary in difficulty, which is reflected in the responses to the second question, where 50% of students spent one hour and 44% spent almost two hours completing the lab (Figures 5a and 5b). The main reason is that this lab involves new knowledge of Python programming and Scapy, which proved extremely difficult for almost half of the students in the class. Based on this feedback we redesigned the tasks to suit the academic level of the students and incorporated the changes into the new release of the software product (see the project website, Han 2012).

Figure 5 Feedback on the question "How long did you spend on the lab?": a) 16 students from the third year; b) 16 students from the third year.

Figure 6 Feedback on the question "Do you think this lab is useful?": 40 students from the second year.

Figure 7 Feedback on the question "How long did you spend on the lab?": 40 students from the second year.

Figures 6 and 7 show the results obtained from the 40 second-year students. These students had no prior Linux or virtualisation knowledge, and their academic level is lower than that of the third-year students. On the first question, 81% of students felt the Ethical Hacking lab was very useful, mainly because we designed real scenarios that let students exploit the vulnerabilities and find the security holes in the system step by step. On the second question, 50% of students finished the lab within one hour, whereas 38% spent two hours on it, mainly because these students first had to absorb some basic knowledge of Linux and virtualisation before starting, which lengthened the lab. On the question "What knowledge have you learned?", the students' answers were very positive: the knowledge learned included not only security and forensic principles but also general computing skills (Linux, virtualisation, computer networking, and so on).

Overall, the evaluation showed that students in both the second and third years were genuinely interested in doing the labs. They enjoyed gaining new knowledge in areas such as Python programming, ethical hacking, steganography and steganalysis, which they had either never covered before or understood less well. Apart from the positive evaluation results from the specific labs above, it is also worth mentioning that our computer forensics and security course was nominated as one of the best courses in the university this year ( news/view/teaching-awards-2013-the-winners); this nomination also indirectly demonstrates the effectiveness of the work.

Conclusion and future work

Student engagement and employability are key to the success of higher education.
This work has incorporated both pedagogical and subject aspects into security and forensic computing education to create a unified, portable constructivist learning environment and to provide a wide range of timely, up-to-date hands-on exercises that help students in their professional careers. Because the underlying technique is virtualisation, all labs are implemented as file-system images (in the form of files) and are therefore portable; the advantages of this approach are cost-effectiveness, standardisation and portability, which facilitate its widespread use in higher education and beyond. We have evaluated the work in class teaching at both second-year and third-year level, covering students of different academic levels. The feedback following the labs is very positive, and the course has also been nominated as one of the best courses of the year in the university. The lab modules set up real scenarios, which provide a realistic environment for learning and increase the students' employable skills.

We have planned a full-scale evaluation engaging the wider community, for example practitioners in industry, general users, and students and lecturers from other HEIs. Specifically:

1. We will formally introduce the lab modules to all classes on security and forensic computing in the coming terms.
2. To generate wider impact, we have set up a project website from which anyone interested can download the labs and learn security and forensic principles, and we have already placed questionnaires on the website to collect feedback from users who have downloaded and used the software product.
3. We have been in contact with our industry partners and are planning a short course based on the labs developed.

Our work not only provides a new, systematic way to sustain computer security and forensics courses and to improve and transform undergraduate STEM education, but also offers great opportunities for a wide range of user groups.

Appendix 1: A glossary of lab terms

1. Buffer overflow: an anomalous condition in which a program or process writes more data to a buffer than the buffer was allocated to hold, overwriting adjacent memory. It is a special case of a memory-safety violation.
2. Cross Site Request Forgery (CSRF): an attack that forces an end user to execute unwanted actions on a Web application in which he or she is currently authenticated.
3. DNS pharming: an attack that redirects traffic for a website to a fake website by exploiting a vulnerability in DNS software.
4. SQL injection: an attack that exploits a vulnerability in an application's handling of input. Attacker-controlled text is inserted into a SQL query so that the application passes a newly formed rogue SQL command to the database (for example, to dump the database contents to the attacker).
5. Cross Site Scripting (XSS): an attack that exploits a vulnerability in a Web application to inject client-side script into Web pages viewed by other users.
6. Forensic imaging: the process used to preserve the contents of a custodian's hard drive or server. A forensic image is usually created using software running on the forensic examiner's laptop or lab computer.
7. Memory forensics: forensic analysis of a dump of a computer's memory.
8. Scapy: an interactive packet manipulation program. It can forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
9. IPSec (Internet Protocol Security): a protocol suite for securing Internet Protocol communications by authenticating and encrypting each IP packet of a communication session.
10. Steganography: the art and science of hiding information by embedding messages within other, seemingly harmless messages.
11. Steganalysis: the art and science of detecting messages hidden using steganography.
12. SSL (Secure Sockets Layer): a cryptographic protocol that provides communication security over the Internet; its successor is TLS (Transport Layer Security).
13. Ethical hacking: aims to improve the security of a system by finding security flaws and fixing them in a professional way. The hackers are professionals and usually sign a contract with the organisation before conducting the evaluation.
14. Set-UID vulnerability: Set-UID is a Unix file-permission bit that lets a user run an executable with the privileges of the executable's owner (the corresponding Set-GID bit grants those of its group). The vulnerability arises when a Set-UID program owned by root can be influenced by an attacker, through its inputs or environment, into performing actions with root privileges.
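Glossary items 2, 4 and 5 are the three Web flaws in the learning-by-breaking labs. The block below is an added example written for this page, not code from the BLOSSOM labs: each flaw is shown in its vulnerable form next to the fix, in the way the labs pair an exploit with its preventative technique. The users table, session identifiers and server secret are all constructed for the demonstration.

```python
"""SQL injection, XSS and CSRF: vulnerable function beside its fix.

Added example (not from the BLOSSOM labs). The database, the session ids and the
server-side SECRET are constructed here purely for the demonstration.
"""
import hashlib
import hmac
import html
import secrets
import sqlite3


def make_db():
    """In-memory SQLite database with one constructed user account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    return db


# --- SQL injection: string-built query vs parameterised query -----------------
def login_vulnerable(db, username, password):
    """Concatenates user input into SQL: an attacker's quote ends the string literal,
    so "' OR '1'='1" turns the WHERE clause into a tautology."""
    query = f"SELECT role FROM users WHERE username = '{username}' AND password = '{password}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Bound parameters: the driver passes values separately from the query text,
    so the same payload is just a username nobody has."""
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# --- XSS: reflecting input into HTML without output encoding -------------------
def greet_vulnerable(name):
    return f"<p>Hello {name}</p>"


def greet_fixed(name):
    """html.escape turns <, >, &, and quotes into entities: the input stays text."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


# --- CSRF: a per-session token that a cross-site page cannot read ------------
SECRET = secrets.token_bytes(32)  # server-side key; in a real app loaded from config


def csrf_token(session_id):
    """HMAC of the session id: bound to this session, unforgeable without SECRET."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf(session_id, token):
    """Constant-time comparison; an empty or foreign token fails."""
    return hmac.compare_digest(token, csrf_token(session_id))


def transfer_vulnerable(session_id, form):
    """Acts on any POST that carries a valid session cookie, which the browser attaches
    automatically, so a form auto-submitted from an attacker's page also succeeds."""
    return f"transferred {form['amount']} for session {session_id}"


def transfer_fixed(session_id, form):
    """Same action, but only if the form carries the token the attacker cannot obtain."""
    if not is_valid_csrf(session_id, form.get("csrf_token", "")):
        raise PermissionError("CSRF token missing or invalid")
    return f"transferred {form['amount']} for session {session_id}"


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    print(login_vulnerable(db, bypass, bypass))   # admin: logged in without a password
    print(login_fixed(db, bypass, bypass))        # None
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_fixed("<script>alert(1)</script>"))
```

The three fixes share one principle: keep attacker-controlled data out of the interpreter's syntax (SQL, HTML) or, for CSRF, demand a proof the attacker cannot supply from another origin.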
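The network-protocol labs (IP fragmentation, network packet analysis, Scapy) build and decode raw packets. The block below is an added example for this page, written in plain Python with the standard library rather than with Scapy so it runs anywhere offline; it is not BLOSSOM code. It builds IPv4 fragments with a correct header checksum, parses them back, and reassembles them while refusing overlapping fragments, which is the case an analyser has to handle deliberately because an intrusion-detection system and the end host may resolve an overlap differently. All addresses and payloads are constructed.

```python
"""IPv4 fragmentation and reassembly (RFC 791 header, RFC 1071 checksum).

Added example, not BLOSSOM code and not Scapy: stdlib only. All addresses and
payloads below are constructed.
"""
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst
FLAG_MF = 0b001            # "more fragments" (flags occupy the top 3 bits of the 16-bit field)
FLAG_DF = 0b010            # "don't fragment"


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; over a valid header (checksum included) it is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ident, flags, frag_offset, payload, ttl=64):
    """One IPv4 packet without options; frag_offset is in 8-byte units as on the wire."""
    assert 0 <= frag_offset < 1 << 13
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, (flags << 13) | frag_offset,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(src, dst, proto, ident, payload, mtu):
    """Split payload into fragments that fit mtu; every chunk but the last is a multiple of 8."""
    chunk = (mtu - 20) // 8 * 8
    if chunk <= 0:
        raise ValueError("mtu too small for a header plus 8 bytes of data")
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = FLAG_MF if off + chunk < len(payload) else 0
        frags.append(build_ipv4(src, dst, proto, ident, more, off // 8, data))
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header, verify the checksum, return what a reassembler needs."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
        "ident": ident, "mf": bool((flags_frag >> 13) & FLAG_MF),
        "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len],
    }


class Reassembler:
    """Collects fragments per (src, dst, id, proto); overlaps raise instead of being guessed at."""

    def __init__(self):
        self.pending = {}

    def add(self, pkt: bytes):
        """Feed one packet in any order; returns the datagram payload once complete, else None."""
        f = parse_ipv4(pkt)
        if not f["mf"] and f["offset"] == 0:
            return f["payload"]                       # unfragmented datagram
        key = (f["src"], f["dst"], f["ident"], f["proto"])
        frags = self.pending.setdefault(key, [])
        start, end = f["offset"], f["offset"] + len(f["payload"])
        for off, data, _ in frags:                    # overlap (or duplicate) = evasion/DoS signal
            if start < off + len(data) and off < end:
                raise ValueError(f"overlapping fragment at offset {start} for id {f['ident']:#06x}")
        frags.append((f["offset"], f["payload"], f["mf"]))
        frags.sort()
        expected = 0
        for off, data, _ in frags:                    # complete only if contiguous from 0 ...
            if off != expected:
                return None
            expected = off + len(data)
        if frags[-1][2]:                              # ... and the last piece has MF clear
            return None
        del self.pending[key]
        return b"".join(data for _, data, _ in frags)
```

A real stack also expires incomplete groups after a timeout and caps memory per group; without those, a flood of never-completed first fragments is itself a denial of service.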
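Glossary items 10 and 11 are the two halves of the steganography and steganalysis lab: hiding data, then detecting that data was hidden. The block below is an added example for this page, not BLOSSOM code. It embeds a message in the least significant bits of a cover, extracts it again, and then runs the pairs-of-values chi-square statistic that detects exactly that kind of embedding. The cover is a constructed array of 8-bit grey values rather than a real picture, so everything runs offline.

```python
"""LSB steganography and a chi-square steganalysis check.

Added example (not from the BLOSSOM labs). The cover 'image' and the message are
constructed in constructed_cover() and pseudo_random_message().
"""
import hashlib


def embed(cover: bytes, message: bytes) -> bytes:
    """Store a 32-bit length then the message, one bit per sample, in each byte's LSB."""
    bits = []
    for byte in len(message).to_bytes(4, "big") + message:
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8 - 4} message bytes, got {len(message)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Inverse of embed: read the length header, then that many bytes of LSBs."""
    def read_bytes(n, start):
        out = bytearray()
        for b in range(n):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def chi_square_pov(samples: bytes) -> float:
    """Westfeld/Pfitzmann pairs-of-values statistic.

    LSB embedding of random-looking data only ever swaps 2k <-> 2k+1, so the counts
    of the two values in each pair drift towards equality. A small statistic means the
    pairs have been flattened, the signature of a full LSB embedding; a natural cover,
    whose pair counts differ, scores high.
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected
    return stat


def constructed_cover(n: int) -> bytes:
    """Synthetic cover biased towards even intensities (stands in for a smooth image)."""
    return bytes(((i * 7) % 256) & 0xFE for i in range(n))


def pseudo_random_message(n: int) -> bytes:
    """Deterministic high-entropy payload, i.e. what an encrypted message looks like."""
    out = b""
    block = b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


if __name__ == "__main__":
    cover = constructed_cover(4096)
    secret = pseudo_random_message(508)      # 508 bytes + 4-byte header fills all 4096 LSBs
    stego = embed(cover, secret)
    assert extract(stego) == secret
    print(f"cover chi-square: {chi_square_pov(cover):.1f}, stego: {chi_square_pov(stego):.1f}")
```

The detector only fires when the embedded bits are close to uniform and the embedding is dense; a short message, or one embedded at scattered positions chosen by a key, leaves most pairs untouched, which is why practical steganalysis moves on to local, windowed versions of this test and to other statistics.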
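Glossary item 6 (forensic imaging) and the file content analysis lab rest on two checks: that a working copy of an image is byte-for-byte what was acquired, and that files can be located by their signature even when no filesystem entry points at them. The block below is an added example for this page, not BLOSSOM code; it scans a raw image for common file headers, carves to each format's trailer, and hashes the image for integrity. The "disk image" is constructed in build_demo_image() from filler bytes and two minimal files, so nothing here reads a real disk.

```python
"""File-signature scanning, carving and image hashing over a raw byte image.

Added example (not from the BLOSSOM labs). The image is constructed in
build_demo_image(); the signature table covers a handful of common formats.
"""
import hashlib

# (header, trailer or None): a trailer lets us carve to the real end instead of guessing a size
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk name + its fixed CRC
    "jpeg": (b"\xff\xd8\xff",      b"\xff\xd9"),
    "pdf":  (b"%PDF-",             b"%%EOF"),            # first %%EOF only; incremental updates append more
    "zip":  (b"PK\x03\x04",        None),
    "elf":  (b"\x7fELF",           None),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """Imaging check: the working copy hashes identically to the acquired original."""
    return sha256_hex(original) == sha256_hex(copy)


def scan(image: bytes):
    """Every (offset, kind) at which a known header starts, sorted by offset.

    Carving works on the raw bytes, so it also finds deleted or unreferenced files;
    it also yields false positives on short signatures, which the caller must vet.
    """
    hits = []
    for kind, (header, _) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            hits.append((pos, kind))
            pos = image.find(header, pos + 1)
    return sorted(hits)


def carve(image: bytes, offset: int, kind: str, max_len: int = 1 << 20):
    """Bytes from the header at offset through the trailer; None if the type has no
    trailer (size unknown) or no trailer appears within max_len."""
    header, trailer = SIGNATURES[kind]
    if not image.startswith(header, offset) or trailer is None:
        return None
    end = image.find(trailer, offset + len(header), offset + max_len)
    if end == -1:
        return None
    return image[offset:end + len(trailer)]


def build_demo_image() -> bytes:
    """Constructed image: filler, a minimal PNG, filler, a minimal PDF, more filler."""
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\x00" + SIGNATURES["png"][1]
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    return b"\x00" * 100 + png + b"\xff" * 37 + pdf + b"\x00" * 50


if __name__ == "__main__":
    img = build_demo_image()
    print("image sha256:", sha256_hex(img))
    for off, kind in scan(img):
        blob = carve(img, off, kind)
        print(f"{kind} at offset {off}: {len(blob) if blob else 'unknown'} bytes")
```

Hashing belongs at both ends of the process: the digest recorded at acquisition is what lets an examiner later show that the copy analysed in the lab is the one taken from the custodian's drive.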

Acknowledgements

This work is supported by BLOSSOM, a project funded by The Higher Education Academy (HEA). The authors acknowledge the support from the HEA and from the School of Computing, Mathematics and Digital Technology, Manchester Metropolitan University. The authors would also like to thank the anonymous reviewers who provided constructive comments on the earlier version of the paper.

References

Debian Live (2013) Available at (accessed 05 June 2013).
George, B. and Valeva, A. (2006) A database security course on a shoestring. In Proceedings of the 37th Technical Symposium on Computer Science Education (SIGCSE '06), Houston, Texas. New York, NY: ACM.
Han, L. (2012) BLOSSOM. Available at htm (accessed 19 December 2012).
Hill, J., Carver, C., Humphries, J. and Pooch, U. (2001) Using an isolated network laboratory to teach advanced networks and security. In Proceedings of the 32nd SIGCSE Technical Symposium on Computer Science Education. New York, NY: ACM.
Irvine, C.E., Levin, T.E., Nguyen, T. and Dinolt, G.W. (2004) The trusted computing exemplar project. In Proceedings of the 2004 IEEE Systems, Man and Cybernetics Information Assurance Workshop. Piscataway, NJ: IEEE Service Center.
KVM (2012) Available at (accessed 12 November 2012).
Micco, M. and Rossman, H. (2002) Building a cyberwar lab: lesson learned: teaching cybersecurity principles to undergraduates. In Proceedings of the 33rd Technical Symposium on Computer Science Education (SIGCSE '02), Cincinnati, Kentucky. New York, NY: ACM.
O'Leary, M. (2006) A laboratory based capstone course in computer security for undergraduates. In Proceedings of the 37th Technical Symposium on Computer Science Education (SIGCSE '06), Houston, Texas. New York, NY: ACM.
Piaget, J. (2001) The psychology of intelligence, second edition. London and New York: Routledge.
Romney, G.W. and Stevenson, B.R. (2004) An isolated, multi-platform network sandbox for teaching IT security system engineers. In Proceedings of the 5th Conference on Information Technology Education (CITCS '04), Salt Lake City, UT. New York, NY: ACM.
Scapy (2013) Available at (accessed 08 March 2013).
Tao, L., Chen, L.-C. and Lin, C. (2010) Virtual open-source labs for Web security. In Proceedings of the World Congress on Engineering and Computer Science. Hong Kong: Newswood Limited.
VMware (2012) Available at (accessed 11 November 2012).
Vygotsky, L.S. (1978) Mind in society: the development of higher psychological processes. Cambridge: Harvard University Press.
Wagner, P.J. and Wudi, J.M. (2004) Designing and implementing a cyber war laboratory exercise for a computer security course. In Proceedings of the 35th Technical Symposium on Computer Science Education (SIGCSE '04). New York, NY: ACM.
Xen (2012) Available at (accessed 03 March 2013).


More information

Table of Contents. Page 2/13

Table of Contents. Page 2/13 Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities

More information

Application Security Testing. Indian Computer Emergency Response Team (CERT-In)

Application Security Testing. Indian Computer Emergency Response Team (CERT-In) Application Security Testing Indian Computer Emergency Response Team (CERT-In) OWASP Top 10 Place to start for learning about application security risks. Periodically updated What is OWASP? Open Web Application

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

The Cyber Threat Profiler

The Cyber Threat Profiler Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are

More information

DESIGN OF A VIRTUAL COMPUTER LAB ENVIRONMENT FOR HANDS-ON INFORMATION SECURITY EXERCISES *

DESIGN OF A VIRTUAL COMPUTER LAB ENVIRONMENT FOR HANDS-ON INFORMATION SECURITY EXERCISES * DESIGN OF A VIRTUAL COMPUTER LAB ENVIRONMENT FOR HANDS-ON INFORMATION SECURITY EXERCISES * Nathaniel Gephart, Benjamin A. Kuperman Computer Science Department Oberlin College Oberlin, OH 44074 440-775-8556

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Designing and Implementing a Cyberwar Laboratory Exercise for a Computer Security Course

Designing and Implementing a Cyberwar Laboratory Exercise for a Computer Security Course Designing and Implementing a Cyberwar Laboratory Exercise for a Computer Security Course Paul J. Wagner and Jason M. Wudi Department of Computer Science University of Wisconsin-Eau Claire Eau Claire, WI

More information

The Key to Secure Online Financial Transactions

The Key to Secure Online Financial Transactions Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on

More information

Guidelines: Which SEED Labs Should I Use?

Guidelines: Which SEED Labs Should I Use? SEED Document 1 Guidelines: Which SEED Labs Should I Use? Over the last few years, we have worked with a number of instructors who adopted our labs in their classes. Based on the experience, we have summarized

More information

Appendix to; Assessing Systemic Risk to Cloud Computing Technology as Complex Interconnected Systems of Systems

Appendix to; Assessing Systemic Risk to Cloud Computing Technology as Complex Interconnected Systems of Systems Appendix to; Assessing Systemic Risk to Cloud Computing Technology as Complex Interconnected Systems of Systems Yacov Y. Haimes and Barry M. Horowitz Zhenyu Guo, Eva Andrijcic, and Joshua Bogdanor Center

More information

CyberNEXS Global Services

CyberNEXS Global Services CyberNEXS Global Services CYBERSECURITY A cyber training, exercising, competition and certification product for maximizing the cyber skills of your workforce The Cyber Network EXercise System CyberNEXS

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

SECURITY IN OPERATING SYSTEM VIRTUALISATION

SECURITY IN OPERATING SYSTEM VIRTUALISATION SECURITY IN OPERATING SYSTEM VIRTUALISATION February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in

More information

Keyword: Cloud computing, service model, deployment model, network layer security.

Keyword: Cloud computing, service model, deployment model, network layer security. Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging

More information

Cybernetic Proving Ground

Cybernetic Proving Ground Cybernetic Proving Ground Penetration Testing Scenario Jakub Čegan, Martin Vizváry, Michal Procházka cegan@ics.muni.cz Institute of Computer Science, Masaryk University About The Scenario "In this game

More information

Tele-Lab IT Security: An Architecture for Interactive Lessons for Security Education

Tele-Lab IT Security: An Architecture for Interactive Lessons for Security Education Tele-Lab IT Security: An Architecture for Interactive Lessons for Security Education Ji Hu hu@ti.uni-trier.de Christoph Meinel meinel@ti.uni-trier.de Michael Schmitt michael.schmitt@teststep.org ABSTRACT

More information

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification Secure Web Development Teaching Modules 1 Security Testing Contents 1 Concepts... 1 1.1 Security Practices for Software Verification... 1 1.2 Software Security Testing... 2 2 Labs Objectives... 2 3 Lab

More information

TEACHING COMPUTER SECURITY TO UNDERGRADUATES A Hands-On Approach

TEACHING COMPUTER SECURITY TO UNDERGRADUATES A Hands-On Approach TEACHING COMPUTER SECURITY TO UNDERGRADUATES A Hands-On Approach Rahul V. Tikekar Southern Oregon University Abstract: Increasing awareness of the vulnerabilities of computer systems has led to the introduction

More information

Overview of the Penetration Test Implementation and Service. Peter Kanters

Overview of the Penetration Test Implementation and Service. Peter Kanters Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Information Security. Training

Information Security. Training Information Security Training Importance of Information Security Training There is only one way to keep your product plans safe and that is by having a trained, aware and a conscientious workforce. - Kevin

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Cyber Exercises, Small and Large

Cyber Exercises, Small and Large First International Conference on Cyber Crisis Cooperation: Cyber Exercises 27 June 2012 Cyber Exercises, Small and Large Commander Mike Bilzor Computer Science Department U.S. Naval Academy Annpolis,

More information

CYBER SECURITY TRAINING SAFE AND SECURE

CYBER SECURITY TRAINING SAFE AND SECURE CYBER SECURITY TRAINING KEEPING YOU SAFE AND SECURE Experts in Cyber Security training. Hardly a day goes by without a cyber attack being reported. With this ever-increasing threat there is a growing need

More information

Network Test Labs (NTL) Software Testing Services for igaming

Network Test Labs (NTL) Software Testing Services for igaming Network Test Labs (NTL) Software Testing Services for igaming Led by committed, young and dynamic professionals with extensive expertise and experience of independent testing services, Network Test Labs

More information

Corporate Security Research and Assurance Services

Corporate Security Research and Assurance Services Corporate Security Research and Assurance Services We Keep Your Business In Business Obrela Security Industries mission is to provide Enterprise Information Security Intelligence and Risk Management Services

More information

How Protected Is Your Enterprise?

How Protected Is Your Enterprise? How Protected Is Your Enterprise? Next Gen thinking and technology to help strengthen and protect your critical business systems and data Greg Belanger, CISSP Symantec (Canada) Corporation - Security Practice

More information

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications Learning objectives E-commerce Security Threats and Protection Mechanisms. This lecture covers internet security issues and discusses their impact on an e-commerce. Nov 19, 2004 www.dcs.bbk.ac.uk/~gmagoulas/teaching.html

More information

DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT

DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT Security education is critical in today s cyber threat environment. Many schools have investigated different approaches to teaching fundamental

More information

Reducing Application Vulnerabilities by Security Engineering

Reducing Application Vulnerabilities by Security Engineering Reducing Application Vulnerabilities by Security Engineering - Subash Newton Manager Projects (Non Functional Testing, PT CoE Group) 2008, Cognizant Technology Solutions. All Rights Reserved. The information

More information

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access

PND at a glance: The World s Premier Online Practical Network Defense course. Self-paced, online, flexible access The World s Premier Online Practical Network Defense course PND at a glance: Self-paced, online, flexible access 1500+ interactive slides (PDF, HTML5 and Flash) 7+ hours of video material 10 virtual labs

More information

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

SEED: A Suite of Instructional Laboratories for Computer Security Education

SEED: A Suite of Instructional Laboratories for Computer Security Education SEED: A Suite of Instructional Laboratories for Computer Security Education WENLIANG DU and RONGHUA WANG Syracuse University The security and assurance of our computing infrastructure has become a national

More information

GLOSSARY OF TECHNICAL TERMS

GLOSSARY OF TECHNICAL TERMS This glossary contains explanations of certain terms, definitions and abbreviations used in this prospectus in connection with our Group and our business. The terms and their meanings may not correspond

More information

Enterprise Application Security Workshop Series

Enterprise Application Security Workshop Series Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

Common Security Vulnerabilities in Online Payment Systems

Common Security Vulnerabilities in Online Payment Systems Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited

More information

IDS and Penetration Testing Lab ISA656 (Attacker)

IDS and Penetration Testing Lab ISA656 (Attacker) IDS and Penetration Testing Lab ISA656 (Attacker) Ethics Statement Network Security Student Certification and Agreement I,, hereby certify that I read the following: University Policy Number 1301: Responsible

More information

StACC: St Andrews Cloud Computing Co laboratory. A Performance Comparison of Clouds. Amazon EC2 and Ubuntu Enterprise Cloud

StACC: St Andrews Cloud Computing Co laboratory. A Performance Comparison of Clouds. Amazon EC2 and Ubuntu Enterprise Cloud StACC: St Andrews Cloud Computing Co laboratory A Performance Comparison of Clouds Amazon EC2 and Ubuntu Enterprise Cloud Jonathan S Ward StACC (pronounced like 'stack') is a research collaboration launched

More information

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) Page 1 of 6 Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits) TNCC Cybersecurity Program web page: http://tncc.edu/programs/cyber-security Course Description: Encompasses

More information

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis

CMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Implementation of Embedded Web server using TEA algorithm

Implementation of Embedded Web server using TEA algorithm Implementation of Embedded Web server using TEA algorithm Arunkumar G 1, Dr. T.C. Manjunath 2, Harish H.M 3, Jayaprakasha.H 4 1 Department of E&C, S.T.J.I.T, Ranebennur 2 Principal, HKBKCE, Bangalore 3,4

More information

PCI Compliance Updates

PCI Compliance Updates PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf

More information

Installing & Using KVM with Virtual Machine Manager COSC 495

Installing & Using KVM with Virtual Machine Manager COSC 495 Installing & Using KVM with Virtual Machine Manager COSC 495 1 Abstract:. There are many different hypervisors and virtualization software available for use. One commonly use hypervisor in the Linux system

More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information

Secure Web Development Teaching Modules 1. Threat Assessment

Secure Web Development Teaching Modules 1. Threat Assessment Secure Web Development Teaching Modules 1 Threat Assessment Contents 1 Concepts... 1 1.1 Software Assurance Maturity Model... 1 1.2 Security practices for construction... 3 1.3 Web application security

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) HONEYD (OPEN SOURCE HONEYPOT SOFTWARE) Author: Avinash Singh Avinash Singh is a Technical Evangelist currently worksing at Appin Technology Lab, Noida. Educational Qualification: B.Tech from Punjab Technical

More information

Security + Certification (ITSY 1076) Syllabus

Security + Certification (ITSY 1076) Syllabus Security + Certification (ITSY 1076) Syllabus Course: ITSY 1076 Security+ 40 hours Course Description: This course is targeted toward an Information Technology (IT) professional who has networking and

More information

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques

More information

Network Packet Analysis and Scapy Introduction

Network Packet Analysis and Scapy Introduction Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

90% of data breaches are caused by software vulnerabilities.

90% of data breaches are caused by software vulnerabilities. 90% of data breaches are caused by software vulnerabilities. Get the skills you need to build secure software applications Secure Software Development (SSD) www.ce.ucf.edu/ssd Offered in partnership with

More information

Design and Configuration of a Network Security and Forensics Lab

Design and Configuration of a Network Security and Forensics Lab Design and Configuration of a Network Security and Forensics Lab Billy Harris Billy-Harris@utc.edu Joseph Kizza Joseph-Kizza@utc.edu Mike Ward Mike-Ward@utc.edu ABSTRACT This paper describes the design

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100

Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100 Information Technology Career Cluster Introduction to Cybersecurity Course Number: 11.48100 Course Description: Introduction to Cybersecurity is designed to provide students the basic concepts and terminology

More information

Implementing the Application Control Engine Service Module

Implementing the Application Control Engine Service Module Course: Implementing the Application Control Engine Service Module Duration: 4 Day Hands-On Lab & Lecture Course Price: $ 2,995.00 Learning Credits: 30 Hitachi HiPass: 4 Description: Implementing the Application

More information

Guidelines for Web applications protection with dedicated Web Application Firewall

Guidelines for Web applications protection with dedicated Web Application Firewall Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security

More information

WHITE PAPER: ENTERPRISE SECURITY. Strengthening Database Security

WHITE PAPER: ENTERPRISE SECURITY. Strengthening Database Security WHITE PAPER: ENTERPRISE SECURITY Strengthening Database Security White Paper: Enterprise Security Strengthening Database Security Contents Introduction........................................................................4

More information

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access The Best First for Beginners who want to become Penetration Testers PTSv2 in pills: Self-paced, online, flexible access 900+ interactive slides and 3 hours of video material Interactive and guided learning

More information

Security Goals Services

Security Goals Services 1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;

More information

Ethical Dilemmas in Teaching Computer and Internet Security

Ethical Dilemmas in Teaching Computer and Internet Security Ethical Dilemmas in Teaching Computer and Internet Security Brian Tompsett Department of Computer Science, University of Hull b.c.tompsett@hull.ac.uk Abstract. This paper could be subtitled "Are we teaching

More information

What is Really Needed to Secure the Internet of Things?

What is Really Needed to Secure the Internet of Things? What is Really Needed to Secure the Internet of Things? By Alan Grau, Icon Labs alan.grau@iconlabs.com The Internet of Things (IoT) has become a ubiquitous term to describe the tens of billions of devices

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

GLOSSARY OF TECHNICAL TERMS

GLOSSARY OF TECHNICAL TERMS This glossary contains explanations of certain terms, definitions and abbreviations used in this document in connection with our Group and our business. The terms and their meanings may not correspond

More information

Hackers are here. Where are you?

Hackers are here. Where are you? 1 2 What is EC-Council Certified Security Analyst Licensed Penetration Tester Program You are an ethical hacker. Your last name is Pwned. You dream about enumeration and you can scan networks in your sleep.

More information

EC-Council Certified Security Analyst (ECSA)

EC-Council Certified Security Analyst (ECSA) EC-Council Certified Security Analyst (ECSA) v8 Eğitim Tipi ve Süresi: 5 Days VILT 5 Day VILT EC-Council Certified Security Analyst (ECSA) v8 Learn penetration testing methodologies while preparing for

More information

Bellevue University Cybersecurity Programs & Courses

Bellevue University Cybersecurity Programs & Courses Undergraduate Course List Core Courses: CYBR 250 Introduction to Cyber Threats, Technologies and Security CIS 311 Network Security CIS 312 Securing Access Control CIS 411 Assessments and Audits CYBR 320

More information

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services WEB SITE SECURITY Jeff Aliber Verizon Digital Media Services 1 SECURITY & THE CLOUD The Cloud (Web) o The Cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

Track 2: Introductory Track PREREQUISITE: BASIC COMPUTER EXPERIENCE

Track 2: Introductory Track PREREQUISITE: BASIC COMPUTER EXPERIENCE Anne Arundel Community College Tracks Anne Arundel Community College s computer technologies courses have been organized into 10 suggested tracks. The tracks are arranged to ensure that students have the

More information

INFORMATION SECURITY TRAINING CATALOG (2016)

INFORMATION SECURITY TRAINING CATALOG (2016) INFORMATICS AND INFORMATION SECURITY RESEARCH CENTER CYBER SECURITY INSTITUTE INFORMATION SECURITY TRAINING CATALOG (2016) Revision 4.0 2015 TÜBİTAK BİLGEM SGE Siber Güvenlik Enstitüsü P.K. 74, Gebze,

More information

2016 TÜBİTAK BİLGEM Cyber Security Institute

2016 TÜBİTAK BİLGEM Cyber Security Institute 2016 Revision 5.0 2016 TÜBİTAK BİLGEM Cyber Security Institute 1 ... 3 1. Information Security Awareness for End Users... 4 2. Information Security Awareness for Managers... 5 3. Social Engineering: Attack

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

A Survey on Virtual Machine Security

A Survey on Virtual Machine Security A Survey on Virtual Machine Security Jenni Susan Reuben Helsinki University of Technology jreubens@cc.hut.fi Abstract Virtualization plays a major role in helping the organizations to reduce the operational

More information

Indexed Terms: attacks, challenges, cloud computing, countermeasures, hacker, security

Indexed Terms: attacks, challenges, cloud computing, countermeasures, hacker, security Reviewing the Security Challenges and their Countermeasures in Cloud Computing Kamayani Assistant Professor, PG Dept of Computer Science, BBK DAV College for Women, Amritsar Email id: kamayani_anand@yahoo.com

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

The Electronic Arms Race of Cyber Security 4.2 Lecture 7

The Electronic Arms Race of Cyber Security 4.2 Lecture 7 The Electronic Arms Race of Cyber Security 4.2 Lecture 7 ISIMA Clermont-Ferrand / 04-February 2011 Copyright 2011 Dr. Juergen Hirte List of Content Why Process Automation Security? Security Awareness Issues

More information

Implementing Security on virtualized network storage environment

Implementing Security on virtualized network storage environment International Journal of Education and Research Vol. 2 No. 4 April 2014 Implementing Security on virtualized network storage environment Benard O. Osero, David G. Mwathi Chuka University bosero@chuka.ac.ke

More information

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY) E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system

More information

OWASP Top 10: Effectiveness of Web Application Firewalls. David Caissy AppSec Asia 2016 Wuhan, China

OWASP Top 10: Effectiveness of Web Application Firewalls. David Caissy AppSec Asia 2016 Wuhan, China OWASP Top 10: Effectiveness of Web Application Firewalls David Caissy AppSec Asia 2016 Wuhan, China Agenda Commercial vs Open Source Web Application Firewalls (WAF) Bypassing WAF Filtering Effectiveness

More information