SECURITY EDUCATION CATALOGUE

SECURITY EDUCATION CATALOGUE i

ii

TABLE OF CONTENTS Introduction 2 Security Awareness Education 3 Security Awareness Course Catalogue 4 Security Awareness Course Builder 7 SAE Print Material 8 Secure Code Development 9 Secure Development Catalogue 10 Secure Code Development Course Builder 14 1

INTRODUCTION The human factor - what employees do or don t do - is the biggest threat to an organization s information security, yet it s often the most overlooked. Whether they are swiping credit cards, handling clients personal information, or developing software solutions for your business, your employees are ripe targets for information thieves seeking access to your sensitive data - if you do not help them learn to protect it. Arm yourself with security education for staff and partners. Use this catalogue to browse Trustwave s security education offerings, including security awareness training for all staff and secure software development courses for technical staff. If you have questions, reach out to your Trustwave account manager or use the Contact Us section of the Trustwave website. 2

Section Introduction: Security Awareness Education (SAE) Every Trustwave Security Awareness Education (SAE) program is customized for you, the client. Your options include how your online security awareness training course will be set up and what additional print-based materials you would like to order to reinforce your program all year round. This section is designed to help guide you through these options and choose the program that is right for you and your organization. SAE Course Catalogue: Use these pages to browse our growing library of security awareness lessons. Categorized by areas of interest, each lesson s catalogue code, topic and objectives are listed here to help you decide which topics are most appropriate for your target audience(s). You may also view all of our lessons in the Trustwave SAE Portal itself - contact your Trustwave account manager if you would like to receive a free trial account on our service. SAE Custom Course Builder: This page lists the lessons included in each of our course offerings for the most common types of organizational roles targeted for security awareness training. If these combinations don t fit your organization s needs just right, or you d like to include additional materials such as quizzes or your organization s own information security policies as part of the course, use the interactive spaces at the bottom of the page to identify the contents of the custom course(s) you would like us to build. SAE Pamphlets: Do you employ cashiers and servers who do not have ready access to computers at work? Do you hire temporary workers whose schedules don t allow much time for training? No problem. Instead of enrolling this population in our online service, you can order our security awareness training brochures suitable for front-line workers. The content of the brochures is the same as what is included in our online course. Brochures are currently available in English, Spanish and Portuguese. SAE Posters: Often, organizations administer a formal security awareness training only once per year. Including SAE posters in your office environment reminds employees year-round of their security awareness responsibilities. 3

Security Awareness Course Catalogue Each course in your Security Awareness Education (SAE) program can be comprised of one or more of the following lessons. Use this guide to identify the lessons you would like to include in each course. If you have any questions, or if you would like to receive a free trial account on the Trustwave SAE Portal, contact your Trustwave account manager for more information. COMPLIANCE OVERVIEWS - COM lessons cover the basic principles of various compliance standards mandating training and other information security measures. # Lesson Name Lesson Objectives Supporting Objectives COM-01 PCI Overview Recognize how the Payment Card Industry (PCI) self-regulates to protect cardholder data. COM-02 HIPAA Overview Recognize how U.S. HIPAA and HITECH laws protect the privacy and security of protected health information (PHI). COM-03 FFIEC Overview Coming Soon Coming Soon COM-04 PIPEDA Overview Coming Soon Coming Soon Recognize the key PCI stakeholders, and common merchant acceptance channels and classifications. Recognize the cycle of a credit card transaction. Describe the PCI regulatory environment and recognize high level compliance requirements. Recognize key HIPAA and HITECH stakeholders Recognize the purpose and scope of HIPAA privacy and security rules. Describe the HIPAA regulatory environment and recognize high level compliance requirements. CORE CONCEPTS - COR lessons cover basic security awareness concepts that all employees should understand. We recommend including these 5-minute lessons for all your staff. # Lesson Name Lesson Objectives Supporting Objectives COR-01 Information Demonstrate basic knowledge of information security. Define information security and recognize the importance of protecting information. Security COR-02 Security Awareness Demonstrate basic knowledge of security awareness. Define and recognize the importance of security awareness. COR-03 Sensitive Information Define sensitive information, list the types of sensitive information that exist, and recognize the basic procedures for control, storage and destruction of information. Define sensitive information. Recognize how to identify and categorize information. Recognize the basic procedures for the control, storage and destruction of sensitive information. List best practices for discussing sensitive information. SECURITY AWARENESS TOPICS - SAT lessons cover best practices for common types of tools and activities on the job. Include all those that apply to your employees work activities. # Lesson Name Lesson Objectives Supporting Objectives SAT-01 Social Engineering Define social engineering and recognize common threats to information security and how to avoid becoming a victim. Define social engineering, recognize who is at risk of becoming victims and list the types of information targeted by social engineers. List the most common channels for social engineering, and recognize popular ploys. List best practices to avoid becoming a victim of social engineering. SAT-02 Physical Security Define physical security, recognize common threats and list best practices. SAT-03 PC Security Define PC security, recognize common threats and list best practices. Define physical security, recognize the importance of physical security and list the information at risk. Recognize common attacks on physical security. Recognize physical security vulnerabilities and best practices for securing your workplace. Define PC security and recognize the risks of leaving your computer unprotected. List and describe common PC attacks, vulnerabilities, and user mistakes that put your information and systems at risk. List and describe critical PC security measures and best practices. 4

Security Awareness Course Catalogue # Lesson Name Lesson Objectives Supporting Objectives SAT-04 Email Security Define email security, recognize common threats and list best practices. SAT-05 SAT-06 SAT-07 SAT-08 Password Security Web Browsing Security Mobile Device Security Online Banking Security Define password security, recognize common threats and list best practices. Define Web browsing security, recognize common threats and list best practices. Define mobile device security, recognize common threats and list best practices. Recognize the risks and threats that come with online banking, as well as the technology and security best practices available to help combat such threats. Define email security and recognize the risk to information security if secure email practices are not in place. Recognize the most common email scams and the measures you can take to avoid becoming a victim. List best practices for using email securely. Define password security and recognize the importance of keeping passwords protected. List the ways password protection may be used to keep information secure. List basic rules for building a strong password and recognize best practices for effective password use. Define Web browsing security and recognize the risks of visiting unknown and unsecure websites. List the most common Web security threats and recognize how you may put your organization s information at risk. List and describe best practices for browsing the Web securely. Define mobile device security and recognize the risks of leaving your device unprotected. Recognize common mobile device attacks and user mistakes that put information at risk. List and describe common mobile device security measures. Recognize ways information is stolen from online accounts Recognize the monetary risk of security incidents and the top attack targets used by criminals Describe how banks and their customers work together to protect valuable information BEST PRACTICES FOR JOB ROLES - JRT lessons target specific job roles within an organization. Each course may contain one JRT lesson to cover best practices for the target role. # Lesson Name Lesson Objectives Supporting Objectives JRT-01 Secure Practices for Retail Associates Recognize the security awareness responsibilities of retail associates and the laws, regulations, methods and best practices that help keep information secure in the retail environment. Recognize the information security responsibilities of retail associates and the related laws and regulations that impact the retail environment. List and describe information security responsibilities and best practices of retail associates. Recognize the security responsibilities of retail managers or owners and the information security laws and regulations that impact the retail environment. List and describe information security responsibilities and best practices of retail managers. Recognize the information security laws and regulations that impact the call center environment. Recognize the responsibility of call center employees to protect the information they work with each day. List and describe the information security responsibilities and best practices of call center employees. Recognize the information security responsibilities of call center managers and the related laws and regulations that impact the call center environment. List and describe information security responsibilities and best practices of call center managers. Recognize the security responsibilities of enterprise employees and the information security laws and regulations that impact the enterprise environment. List and describe information security responsibilities and best practices of enterprise employees. JRT-02 Secure Practices for Retail Managers Recognize the security awareness responsibilities of retail managers and the laws, regulations, methods and best practices that help keep information secure in the retail environment. JRT-03 Secure Practices for Call Center Employees Recognize the security awareness responsibilities of call center employees and the laws, regulations, methods and best practices that help to keep information secure. JRT-04 Secure Practices for Call Center Managers Recognize the security awareness responsibilities of call center managers and the laws, regulations, methods and best practices that help keep information secure in the call center. JRT-05 Secure Practices for Enterprise Employees Recognize the security awareness responsibilities of enterprise employees and the laws, regulations, methods and best practices that help keep information secure. 5

Security Awareness Course Catalogue JRT-06 Secure Practices for IT and Engineering Staff Recognize the security awareness responsibilities of IT and engineering staff and the laws, regulations, methods and best practices that help keep information secure. harasses Recognize the information security-related laws and regulations that impact the IT and application development environment and the responsibility of personnel to protect the information they work with each day. List and describe the information security responsibilities of IT and engineering staff. List best practices for IT and engineering staff to help keep information secure. Recognize a business s role in keeping their sensitive information secure online List best practices for businesses to use to protect their sensitive information JRT-07 Protecting Online Accounts for Businesses Recognize a business s role in helping to secure its own online systems and accounts, and identify the security best practices businesses can follow to do so. JRT-08 Protecting Online Accounts for Consumers Recognize the individual s role in helping to secure their own online accounts, and identify the security best practices individuals can follow to do so. Recognize an individual consumer s role in keeping their sensitive information secure online List best practices consumers can use to protect their sensitive information ADVANCED SECURITY TOPICS - ADV lessons cover a wide range of topics for managers and technical personnel. They are available for any SAE course at an extra charge per license. # Lesson Name Lesson Objectives Supporting Objectives ADV-01 PCI Forensic Investigations Recognize how the PCI forensic investigation process works and identify how a breach is discovered, investigated and remediated. Identify common ways breaches are discovered and the high level steps employees should take if a breach is discovered. Describe the Trustwave PCI forensic investigation process and a breached organization s responsibility to report and remediate security deficiencies. Recognize common security threats and the importance of continuous compliance to protect against them. ADV-02 Exploring the Global Security Report Recognize key findings of Trustwave s annual Global Security Report and list ways to improve security this year based on last year s trends. Recognize the purpose and contents of Trustwave s Global Security Report Recognize key findings of the current Global Security Report List security best practices that help organizations avoid the security pitfalls of last year 6

Security Awareness Course Builder This page lists the lessons included in our basic Security Awareness Education courses. These courses are targeted to common roles that fit most organizations needs. Select the course(s) that fit your target audience(s) by clicking inside the box beside it, or build your own course using the blank spaces below. Descriptions of each lesson in our library can be found in the SAE Course Catalogue. COM-01 COM-02 COR-01 COR-02 COR-03 SAT-01 SAT-02 SAT-03 SAT-04 SAT-05 SAT-06 SAT-07 SAT-08 JRT-01 JRT-02 JRT-03 JRT-04 JRT-05 JRT-06 JRT-07 JRT-08 ADV-01 ADV-02 Quiz Policy Document Security Awareness for Retail Associates Security Awareness for Retail Managers Security Awareness for Enterprise Employees Security Awareness for Call Center Employees Security Awareness for Call Center Managers Security Awareness for IT and Engineering Staff Security Awareness for Health Care Workers Security Awareness for Bank Workers Secure Banking Practices for Businesses Secure Banking Practices for Consumers CREATE YOUR OWN - Use this section to mix and match lessons to build up to five courses of your own. Just use the interactive checkboxes below to select course content. 7

SAE Print Material POSTERS Augment your Security Awareness Education with posters specific to your target audience. Click the check box to select the poster(s) you want. Use the total field to specify how many of each poster you want. Additional cost may apply depending on the number of SAE licenses you have purchased. Contact your Trustwave account manager if you have questions. RETAIL CALL CENTER WEB OFFICE SAE PAMPHLETS Trustwave s SAE Pamphlets are perfect for employees who do not have ready access to computers at work, or a lot of time to devote to training. The pamphlets can be cobranded to include your logo and company name, and are available in English, Spanish and Portuguese. Use the total field to specify how many pamphlets you would like to order. Each pamphlet consumes a single SAE license. 8

Section Introduction: Secure Code Development (SCD) Trustwave offers a suite of Web-based technical courses that introduce your solution development staff to theory and best practices around planning and writing secure code. You can choose to enroll employees in just one of the courses that is most relevant to them, or to give them access to the full suite of Secure Coding Design courses we offer. Whichever option you select, this section will help you decide which course(s) are right for your staff. SCD Course Catalogue. Use these pages to browse our library of Secure Code Development courses. Categorized by the Design, Code and Test stages of the software development life cycle, each course s catalogue code, topic and prerequisites (if any) are listed here to help you decide which topics are most appropriate for your target audience(s). SCD Course Builder. Use this worksheet to note which courses you would like to offer to your staff. 9

Secure Development Catalogue SECURE DESIGN - DES courses cover topics in secure software architecture and design, to help plan security into applications before any code is written. # Course Name Prerequisite DES 101 Fundamentals of Secure Architecture Understand the state of the software industry from a security perspective, by learning from past software security errors and how to avoid repeating those mistakes. They will also be able to recognize and use confidentiality, integrity and availability (CIA) as the three main tenets of information security. None DES 201 PCI Best Practices for Developers Recognize application security issues within the PCI-DSS and best practices for addressing each requirement. Recognize how addressing the PCI-DSS requirements during the design and build stages of the development lifecycle will improve application security and will simplify compliance. Fundamentals of Secure Architecture (DES 101) DES 211 OWASP Top 10 - Threats and Mitigations Recognize best practices for understanding, identifying and mitigating the risk of vulnerabilities and attacks within the OWASP Top 10. None DES 212 Architecture Risk Analysis and Remediation Recognize concepts, methods and techniques for analyzing the architecture and design of a software system for security flaws. Fundamentals of Secure Architecture (DES 101) DES 213 Introduction to Security Tools and Technologies This course is designed to educate architects and developers on the technologies available to create more secure systems. Fundamentals of Security Testing (TST 101) DES 301 Introduction to Cryptography Recognize the problems that cryptography can address, the threats that apply to two communicating parties, the appropriate cryptographic solutions to mitigate these threats, and how to describe the mechanisms behind cryptographic protocols. Learners will also be able to recognize how to follow cryptographic best practices and locate cryptography resources. Fundamentals of Security Testing (TST 101) DES 311 Creating Secure Application Architecture Recognize key security principles that can be used to improve the security of application architecture and design. Demonstrate how to apply defenses to harden applications and make them more difficult for intruders to breach, reducing the amount of damage an attacker can accomplish. Fundamentals of Secure Architecture (DES 101) Architecture Risk Analysis and Remediation (DES 212) SECURE ING - courses cover security topics in the implementation stage of the software development life cycle, when code is actually being written. 101 Fundamentals of Secure Development Recognize the latest trends in software security, as well as the importance of software security for business. Demonstrate how to perform threat modeling to identify threats proactively, create threat trees for application components, use threat tress to find and classify vulnerabilities, and perform risk analysis and prioritize security fixes. None 201 Fundamentals of Secure Database Development This course will demonstrate to software architects and developers database development best practices. Fundamentals of Secure Development ( 101) 10

Secure Development Catalogue 211 Understanding Secure Code - JRE Recognize and remediate common Java Web software security vulnerabilities. Define data leakage, injection attacks, client/server protocol manipulation attacks, and authentication exploitations, and mitigate these security vulnerabilities. Fundamentals of Secure Development ( 101) 212 Understanding Secure Code - C/ C++ Recognize how to write secure code in C/C++ for Windows and Unix platforms, robust code development, and secure socket programming. Demonstrate how to apply time-tested defensive coding principles to develop secure applications. Recognize the nine defensive coding principles and how to use them to prevent common security vulnerabilities. Fundamentals of Secure Development ( 101) 213 Understanding Secure Code - Windows 7 Define Windows 7 security features and build applications that leverage Windows 7 s built-in security mechanisms. Basic knowledge of Windows programming and memory management, and knowledge of basic security features of Windows versions prior to Windows 7. 214 Understanding Secure Code - Windows Vista Define Windows Vista security features and build applications that leverage Windows Vista s built-in security mechanisms. Basic knowledge of Windows programming and memory management, and knowledge of basic security features of Windows versions prior to Windows 7. 215 Understanding Secure Code -.NET 4.0 Recognize.NET 4.0 security features, including concepts such as Code Access Security (CAS) and.net cryptographic technologies. Recognize security changes in.net 4.0 including level 2 security transparency, the new sandboxing and permission model, introduction of conditional APTCA, and changes to evidence objects and collections. Define secure coding best practices that will enable students to build more secure applications in.net 4.0. Fundamentals of Secure Development ( 101) 216 Understanding Secure Code - NET 2.0 Define.NET 2.0 security features, including concepts such as Code Access Security (CAS) and.net cryptographic technologies. Recognize secure coding best practices that will enable students to build more secure applications in.net 2.0. Fundamentals of Secure Development ( 101) 221 Understanding Secure Code - Threats and Mitigations Recognize, avoid, and mitigate the risks posed by Web vulnerabilities. Define the most common and recent attacks against Web-based applications, such as cross-site scripting attacks and cross-site request forgery attacks. Demonstrate how to avoid and/or mitigate Web vulnerabilities using real-world examples. Creating Secure Code J2EE Web Applications ( 313) OR Creating Secure Code ASP.NET ( 311) 231 Introduction to Cross-Site Scripting - With JSP Examples Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure coding best practices to prevent cross-site scripting vulnerabilities. Basic knowledge of Web technologies, and Java Server Pages (JSP). 232 Introduction to Cross-Site Scripting - With ASP.NET Examples Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure coding best practices to prevent cross-site scripting vulnerabilities. Basic knowledge of Web technologies, ASP.NET, and C# programming language. 11

Secure Development Catalogue 311 Creating Secure Code - ASP.NET Demonstrate the development of secure web applications in C#. Recognize common web application vulnerabilities and demonstrate ways to avoid those vulnerabilities in C# code. In the hands-on section, students will discover the vulnerabilities for themselves and find ways to address them, greatly enhancing the security of their code. Upon completion of this class, participants will be able to recognize the need to follow secure coding best practices, follow secure coding best practices, and locate additional resources on secure coding best practices for ASP.NET. Understanding Secure Code -.Net 4.0 ( 214) 312 Creating Secure Code - C/C++ Define application security risks and secure coding standards for C and C++ applications, and the different types of errors that can be introduced while coding. Recognize the importance of detecting these errors and remediating them as early as possible to avoid security issues. Define real-world best practices and techniques, and static analysis tools to detect and resolve security vulnerabilities in code. Understanding Secure Code C/C++ ( 212) 313 Create Secure Code - J2EE Web Applications Demonstrate development of secure web applications in Java. Recognize common web application vulnerabilities and define ways to avoid those vulnerabilities in Java code. In the handson section, students will discover the vulnerabilities themselves and find ways to address them, greatly enhancing the security of their code. Upon completion of this course, participants will be able to recognize why software security matters to their business, recognize the root causes of the more common vulnerabilities, identify the symptoms of common vulnerabilities, and use security best practices to prevent common vulnerabilities. Understanding Secure Code JRE ( 211) 411 Integer Overflows - Attacks and Countermeasures An integer overflow is a programming error that can severely impact a computer system s security. Due to the subtlety of this bug, integer overflows are often overlooked during development. This course covers the security concepts, testing techniques, and best practices that will enable students to develop robust applications that are secure against integer overflow vulnerabilities. Basic understanding of the C, C++, and C# programming languages. 412 Buffer Overflows - Attacks and Countermeasures Recognize how to avoid and mitigate the risks posed by buffer overflows. Recognize protections provided by the Microsoft complier and the Windows operation system, and advice on how to avoid buffer overflows during the design, development and verification phase of the software development life cycle. Basic knowledge of Windows programming and memory management in Windows. SECURITY TESTING - TST courses cover topics in testing software for security flaws and remediating defects before release. TST 101 Fundamentals of Security Testing Define security-testing concepts and processes that will help students analyze an application from a security perspective and to conduct effective security testing. Recognize different categories of security vulnerabilities and the various testing approaches that target these classes of vulnerabilities. Several manual and automated testing techniques are presented which will help identify common security issues during testing and uncover security vulnerabilities. None 12

Secure Development Catalogue TST 201 Classes of Security Defects Recognize how to create a robust defense against common security defects. Students will learn why and how security defects are introduced into software, and will be presented with common classes of attacks, which will be discussed in detail. Along with examples of real life security bugs, students will be shown techniques and best practices that will enable the team to identify, eliminate, and mitigate each class of security defects. Additional mitigation techniques and technologies are described for each class of security defect. None TST 211 How to Test for the OWASP Top 10 The Open Web Application Security Project (OWASP) Top Ten is a listing of critical security flaws found in web applications. Recognize how these flaws occur and demonstrate testing strategies to identify the flaws in web applications. Fundamentals of Security Testing (TST 101) TST 311 How to Break Software Security This course is designed to give testers and developers the tools and techniques they need to help find security problems before their application is released. It lays the foundation needed to effectively recognize and expose security flaws in software and it introduces a fault model to help testers conceptualize these types of bugs. Functional testing knowledge as well as a basic understanding of how applications work. TST 411 Exploiting Buffer Overflows Recognize the threats posed by buffer-overflow exploits, and the mechanisms behind exploitation of stack-based and heap-based buffer overflows. Define challenges faced by exploit code and how different exploitation techniques overcome environmental limitations. Creating Secure Code C/C++ ( 312) 13

Secure Code Development Course Builder Use this checklist to determine which course(s) you want to provide for your staff. Descriptions of each course in the SCD library can be found in the SCD Course Catalogue on the previous pages. Design DES 101 - Fundamentals of Secure Architecture DES 201 - PCI Best Practices for Developers 1 2 3 4 Select the course(s) that fit your target audience(s) by clicking inside the box beside it, noting any prerequisite courses that may be required. 1 - OWASP Web Application Security DES 211 - OWASP Top 10 - Threats & Mitigations DES 212 - Architecture Risk Analysis & Remediation DES 213 - Introduction to Security Tools and Technologies 2 - PCI-DSS / Compliance 3 - Security Awareness DES 301 - Introduction to Cryptography 4 - Microsoft / SDL DES 311 - Creating Secure Application Architecture Custom Code 101 - Fundamentals of Secure Development 201 - Fundamentals of Secure Database Development 211 - Understanding Secure Code - JRE 212 - Understanding Secure Code - C++ 213 - Understanding Secure Code - Windows 7 214 - Understanding Secure Code - Windows Vista 215 - Understanding Secure Code -.Net 4.0 216 - Understanding Secure Code -.Net 2.0 221 - Web Vulnerabilities: Threats & Mitigations 231 - Introduction to Cross-Site Scripting - JSP 232 - Introduction to Cross-Site Scripting - ASP.NET 311 - Creating Secure Code - ASP.NET 312 - Creating Source Code - C/C++ 313 - Creating Secure Code - J2EE 314 - Creating Secure Code - C# 411 - Integer Overflows: Attacks & Countermeasures 412 - Buffer Overflows: Attacks & Countermeasures 14 Test TST 101 - Fundamentals of Security Testing TST 201 - Classes of Security Defects TST 211 - How to Test for the OWASP Top 10 TST 311 - How to Break Software Security TST 411 - Exploiting Buffer Overflows

About Trustwave Trustwave is a leading provider of on-demand and subscriptionbased information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today s challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions including SIEM, WAF, EV SSL certificates and secure digital certificates. Trustwave has helped hundreds of thousands of organizations-ranging from Fortune 500 businesses and large financial institutions to small and mediumsized retailers-manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com. Copyright 2012 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. Trustwave and Trustwave s SpiderLabs names and logos are trademarks of Trustwave. Such trademarks shall not be used, copied or disseminated in any manner without the prior written permission of Trustwave.