Overview

After laying the foundation for the role and function of an auditor in the information security field, this days material will give you two extremely useful risk assessment methods that are particularly effective for measuring the security of enterprise systems, identifying control gaps and risks, and assisting you to recommend additional compensating controls to address the risk. Nearly a third of the day is spent covering important audit considerations and questions when dealing with virtualization and with Cloud Computing.

In todays information security world, most enterprises are either already moving toward or seriously considering moving toward compliance with any number of a variety of security standards that represent best practice. Is your organization doing this today? Are you running up against any road blocks? Despite implementing controls, are you still dealing with significant compliance problems? The risk assessment discussions covered in this material is for you. One of the key topics covered in this material is an effective risk based method for the specification or selection of controls. Following this discussion, you will be able to analyze an existing set of controls, a business process, an audit exception or a security incident, identifying any missing or ineffective controls. More importantly, perhaps, you will be able to easily identify what corrective actions will eliminate the problem in the future. Included in this material is a tried and true method for conducting audits and presenting findings that will assist the organization to move toward compliance effectively.

The last two sections of the day are spent digging into virtualization solutions. After first examining some of the huge issues and the biggest questions facing us when it comes to Cloud Computing, we dig into significant audit considerations when dealing with the market leader in private cloud implementations: VMware.

Overview

Focus on some of the most sensitive and important parts of our information technology infrastructure: routers and firewalls. In order to properly audit a firewall or router, we need to clearly understand the total information flow that is expected for the device. These diagrams will allow the auditor to identify what objectives the routers and firewalls are seeking to meet, thus allowing controls to be implemented which can be audited. Overall, this course will teach the student everything needed to audit routers, switches, and firewalls in the real world.

Overview

Web Applications have consistently rated one of the top five vulnerabilities that enterprises face for the past several years. Unlike the other top vulnerabilities, however, our businesses continue to accept this risk since most modern corporations need an effective web presence to do business today. One of the most important lessons that we are learning as an industry is that installing an application firewall is not enough!

A portion of the morning will cover all of the underlying principles of web technology and introduce a set of tools that can be used to validate the security of these applications. Throughout the day, all of the OWASP Top Ten issues will be addressed, abstracted into five practical principles of web application design and deployment. The majority of the day will be spent building and working through a checklist for validating the existence and proper implementation of controls to mitigate the primary threats found in web applications through the use of cutting edge techniques and advanced testing methods. Throughout the material time is spent identifying key development requirements, allowing you to provide meaningful feedback into your organizations coding standards.

Several discrete web applications will be examined using these tools and the audit program developed. By the end of the day each student will use the provided high level checklist and detailed instructions throughout the day to perform a comprehensive validation of security controls in at least one full web application.

In addition to designing an audit testing program, time will be spent discussing process remediation for project managers and coding teams.

Overview

Microsofts business class system make up a large part of the typical IT infrastructure. Quite often, these systems are also the most difficult to effectively secure and control because of the enormous number of controls and settings within the operating system. This class gives you the keys, techniques and tools to build an effective long term audit program for your Microsoft Windows environment. More importantly, during the course a continuous monitoring and reporting system is built out, allowing you to easily and effectively scale the testing discussed within your enterprise when you return home.

During the course of this day, attendees will have the opportunity to perform a thorough hands on audit of Active Directory servers in class, in addition to the laptop that they bring to class. In addition to covering all of the major audit points in a stand alone Windows system, the course will scale these methods for use within a domain. One of the primary goals of the material presented is to allow the auditor to get away from checking registry settings, helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally helps us to be far more effective.

Finally, the course will spend a significant amount of time discussing the more important aspects of Active Directory from an auditors perspective. We will cover and give you the opportunity to try your hand at querying useful data out of the Active Directory. Throughout the day we will work to build a comprehensive baseline auditing script to automatically audit all of the systems within a domain.

Overview

Students will gain a deeper understanding of the inner workings and fundamentals of the Unix operating system as applied to the major Unix environments in use in business today. Students will have the opportunity to explore, assess and audit Unix systems hands-on. Lectures describe the different audit controls that are available on standard Unix systems, as well as, access controls and security models.

The majority of the day will be spent working hands on with the instructor to create a comprehensive set of auditing scripts that can be used on virtually any Unix system. This set of scripts can be used to either check the security of a system, report on the compliance of the system to a baseline or be used in a change control process to validate a system before patching and subsequently re-generate the system baseline.

Neither Unix nor scripting experience is required for this days course. The course book and hands on exercises present an easy to follow method with the assistance of the instructor that will allow you to cover scripting and more advanced topics like regular expressions.

Overview

This final day of the course presents a capstone experience with additional learning opportunities. Leveraging the well known NetWars engine, students have the opportunity to connect to a simulated enterprise network environment. Building on the tools and techniques learned throughout the week, each student is challenged to answer a series of questions about the enterprise network, working through various technologies explored during the course.

This allows students to immediately put the knowledge gained into practice with these guided challenges. At the conclusion of the day, students are asked to identify the most serious findings within the enterprise environment and to suggest possible root causes and potential mitigations.