This document provides an overview of Trustwave's security education offerings, including security awareness training courses for employees and secure software development courses for technical staff. It includes a catalogue of available security awareness and development training lessons organized by topic, as well as options for customizing training programs and additional educational materials like posters and pamphlets. The document aims to help organizations choose the right training content and formats for their needs.
Corporate Security Intelligence Just Got Smarter All Courses Linkedin (Steve Phelps)
The document provides information about intelligence and security training courses offered by Security & Intelligence Solutions Ltd and Sibylline Intelligence Solutions. It describes the companies and backgrounds of the owners/founders. Various training courses are then outlined, including topics covered, target attendees, and philosophy/approach. The courses focus on developing intelligence capabilities for corporate security environments. Intellectual property policies are also provided.
This document provides an overview of information security based on ISO 27001. It defines key terms like information, information security, risk, threats and vulnerabilities. It discusses the people, processes, and technologies involved in information security. It also summarizes the main clauses of ISO 27001 for implementing an information security management system, including establishing policies, controls, documentation, and user responsibilities.
10 Commandments for Achieving Operational Excellence (Mitch Ackles)
This white paper is intended to provide a useful framework and guide for all Investment Management Firms.
Over the past 20 years the investment management industry, and specifically hedge funds, has achieved tremendous growth. As assets under management increased, so did diversification in strategies and investments. During that time investors have become very sophisticated in their selection of investments as well as the operational due diligence process. This growth and sophistication has reinforced the critical role of operational executives, and their teams’ responsibility to effectively manage the operational infrastructure. These are the people, functions and technology that are an integral part of keeping these firms thriving.
I have been on the operational side of the hedge fund business for 23 years, holding various senior positions. The first 8 years I had the privilege of being at Tiger Management, one of the premier firms at that time. The people I worked with were brilliant, the standards were high, the positive energy was contagious, and I felt honored to be a part of it. My background includes leading Global Operations for Tiger Management and Highbridge Capital, as well as having several COO positions for emerging managers.
I’ve witnessed and participated in the evolution of the operational side of hedge funds. In the early years hedge funds launched with mainly portfolio managers and traders, and relied heavily on their prime brokers to fulfill their back-office needs. As assets grew so did the investment process, and subsequently it was imperative to start building out an “operations group” within a hedge fund. Expansion from U.S. to foreign investments began, as well as diversifying from only equities and bonds to now including all types of derivatives and over-the-counter contracts. Also happening was the addition of multiple prime brokers to meet their “shorting” requirements. All these changes were occurring simultaneously.
The investment side of the business was growing so rapidly that the operations side had to quickly adapt to meet the challenge. As this expansion was happening the prime brokers were not as equipped to take on these new investments since their early model was built principally to support equity investments. Additionally, with hedge funds now engaging with multiple prime brokers, supporting them was even more challenging. Therefore, hedge fund operations, especially the larger firms, were taking back some of these functions from prime brokers to manage them more closely.
Cyber Security Certificate.
Learn vulnerabilities and risk management through a variety of workshops, labs, and in-class activities.
Earn Your Professional Certificate in Cybersecurity.
What you will learn:
The foundation and history behind cyber security.
Different types of threats and attacks
Risk management techniques in networks
The exploits and their different types and consequences
Authentication and password related issues
Enroll in this course:
https://tonex.live/cyber-security-certificate/
https://www.tonex.com/training-courses/cyber-security-certificate-part-1-vulnerabilities-and-risk-management/
What is Cyber Security
What is Cyber Threat and Threat Landscape
Is Cybersecurity an IT Problem? It’s a Human Problem
Role of a CFO
Well-accepted Cybersecurity Frameworks and Common Themes
SOC (Service Organization Control) and SOC for Cybersecurity
Recommended risk mitigation strategies for the weakest links of the Cybersecurity chain
Key Takeaways
Best Practices
1. Security operations aim to increase collaboration across teams to integrate security practices throughout the development lifecycle. This helps ensure stronger security.
2. Key goals of security operations include earlier detection of threats, increased transparency, continuous security improvements, and raising threat awareness across teams.
3. Security operation centers are responsible for continuous network monitoring, incident response, forensic analysis, and maintaining threat intelligence to help prevent and respond to security events.
Building and implementing a successful information security policy (RossMob1)
This document provides guidance on building and implementing a successful information security policy. It discusses conducting a risk analysis to identify key assets, managing risks posed to those assets, and creating an effective security awareness program. The security policy should clearly explain acceptable and prohibited uses of company resources. Creating a policy engages employees in securing the network and reduces risks from human errors. The document then gives recommendations for various aspects of the security policy and awareness program, such as addressing physical security, internet threats, security violations, and innovative training methods.
The document discusses how to create an effective security response plan to avoid a corporate meltdown. It recommends identifying critical assets and an incident response team with clear roles. The plan should include components like an escalation matrix, formal incident reporting, communication protocols, and regular testing. It emphasizes identifying all response team members, communicating the plan to staff, and updating it over time to address changing security needs and technologies.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
Incident response methodology involves responding to and managing cyber attacks through investigation, containment, eradication, recovery and lessons learned. A well-developed incident response plan is needed to minimize damage from attacks and data breaches, and recover as quickly as possible. Key aspects of incident response include detecting incidents, formulating response strategies, investigating through data collection and forensic analysis, and reporting findings. The goal is to understand attack methods and prevent future incidents.
Identifying Code Risks in Software M&A (Matt Tortora)
Strategic fit and table-stakes KPIs aren't the only things acquirers evaluate during the software M&A process. A software code review is one of the many components that is often overlooked by sellers.
Cyber Essentials Requirements for UK Government (David Sweigert)
The document outlines requirements for basic technical cyber protection against common cyber attacks. It details controls in five areas: 1) boundary firewalls and internet gateways, 2) secure configuration, 3) user access control, 4) malware protection, and 5) patch management. Implementing these controls will help organizations defend against the most frequent internet-based attacks using widely available tools. The document provides high-level guidance for technical cybersecurity basics, though not a comprehensive solution against all threats.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
The document proposes standard operating procedures for security breaches at DeVry University. It recommends removing email addresses from websites to avoid harvesting, and using a contact form instead. Physical security policies are outlined, such as not leaving documents visible in public or unattended. An incident response plan framework is also proposed to minimize downtime from security incidents. The plan involves initial assessment, isolation, communication, recovery, reassessment and review.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
NFA Interpretive Notice on Info Security (Wesley Moore)
This document discusses the requirements for an information systems security program (ISSP) according to National Futures Association regulatory rules. It outlines the five key areas an ISSP must address: 1) a written program, 2) security and risk analysis, 3) deployment of protective measures against threats, 4) response and recovery from electronic system threats, and 5) employee training. It provides details on what each area should entail and compliance questions organizations should consider to ensure their ISSP is comprehensive and follows all necessary protocols.
This document provides an overview of enterprise patch management technologies. It begins with an introduction explaining that its purpose and scope are to assist organizations in understanding enterprise patch management technologies. It describes the importance of patch management for addressing software vulnerabilities. It then examines the key challenges of patch management, such as timing, prioritization and testing of patches. The document provides an overview of the components, security capabilities and management capabilities of enterprise patch management technologies. It concludes with a brief discussion of metrics for measuring the effectiveness of these technologies and comparing the importance of patches. The appendices include a tutorial on the Security Content Automation Protocol (SCAP) and a summary of recommendations for improving patch management.
The Next Generation of Security Operations Centre (SOC) (PECB)
The document discusses the key aspects of building a next generation Security Operations Centre (SOC). It emphasizes that skilled people, well-defined processes, and integrating new technologies are critical. Specifically, it recommends adopting automation and analytics to analyze large datasets, integrating threat intelligence from multiple sources, and establishing red and blue teams to continuously test defenses. The goal of a next generation SOC is to use predictive analysis of vast security data to improve threat detection, response, and the overall security posture of an organization.
Manoj Purandare - Strategy towards an Effective Security Operations Centre -... (Manoj Purandare)
The document outlines a strategy for building an effective security operations center (SOC) in four main parts. It discusses (1) the need for a SOC and roadmap for implementation, (2) required team members, processes, technologies, and threat intelligence, (3) governance, risk, and compliance frameworks, and (4) an 11-step recipe for SOC success focusing on mission, services, people, processes, and communication. The overall strategy presents a structured approach for organizations to establish a SOC capability that enables security management and aligns with standards like ISO 27001.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
State of Security Operations 2016 report of capabilities and maturity of cybe... (at MicroFocus Italy)
As businesses continue to adopt new cloud and mobile functionality rapidly, we find the edges of the network even more blurred, and our definitions of data ownership and breach responsibility continue to evolve. Staffing and training continue to be the foremost challenge of the modern SOC. This is paving the way to hybrid staffing models and hybrid infrastructures that require less in-house expertise. As a result, highly skilled security team members can then be utilized for more specialized hunt and analytics-focused work.
There is no question this year has been both an exciting and challenging time to be in the field of cyber security. On one hand, it is disheartening to see the continued decline in the maturity and effectiveness of security operations, while, on the other, I know that we are in the middle of an exciting and transformative change in our field. You can feel it. We must go where the data leads us, and we believe that is to widen our definition of security operations to leverage analytics, data science, Big Data, and shared intelligence to become more effective in protecting today’s digital enterprise.
This document provides biographical and career information about Shritam Bhowmick. It lists his current and previous professional roles, including AVP of Labs at Lucideus Tech, where he performs application security assessments and R&D, as well as previous roles as an application security trainer and in security roles at other companies. It also notes that some of his hobbies overlap with the areas of his professional work.
The document discusses logging, monitoring, auditing, and the importance of management review controls. It provides details on:
- What a security audit involves, including assessing physical, software, network, and human aspects of an information system.
- How security auditing works by testing adherence to internal IT policies and external standards/regulations.
- The purpose of monitoring security logs to detect anomalies and threats, given the large volume of logs generated.
- The benefits of logging, monitoring and reporting which include stronger governance, oversight, security and compliance.
- How management review controls are important for an effective control environment and ensuring accuracy of key security documents.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
Cybersecurity Fundamentals for Legal Professionals (Shawn Tuma)
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at the 55th Annual Conference on Intellectual Property Law at The Center for American and International Law on November 13, 2017.
The document discusses the role of the Chief Information Security Officer (CISO) and proposes recommendations for implementing an effective yet affordable cyber security program. It recommends that companies focus on doing the security basics well, such as keeping software updated, limiting access to data, and employing security monitoring. The document also advocates for a balanced approach using frameworks like NIST and implementing controls across people, processes, policies, products, and privacy. Following cybersecurity best practices and tenets around areas like secure backups, access management, data security, and risk management can help reduce security incidents by over 90%.
Use this catalog to browse Trustwave’s security education offerings, including security awareness training for all staff and secure software development courses for technical staff. If you have questions please contact us.
Use this catalog to browse Trustwave’s security education offerings, including security awareness training for all staff and secure software development courses for technical staff. If you have questions please contact us.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
Incident response methodology involves responding to and managing cyber attacks through investigation, containment, eradication, recovery and lessons learned. A well-developed incident response plan is needed to minimize damage from attacks and data breaches, and recover as quickly as possible. Key aspects of incident response include detecting incidents, formulating response strategies, investigating through data collection and forensic analysis, and reporting findings. The goal is to understand attack methods and prevent future incidents.
Identifying Code Risks in Software M&AMatt Tortora
Strategic fit and table stakes KPIs aren't the only things acquirers evaluate during the software M&A process. A software code review is one of the many components that is often overlooked by sellers.
Cyber Essentials Requirements for UK GovernmentDavid Sweigert
The document outlines requirements for basic technical cyber protection against common cyber attacks. It details controls in five areas: 1) boundary firewalls and internet gateways, 2) secure configuration, 3) user access control, 4) malware protection, and 5) patch management. Implementing these controls will help organizations defend against the most frequent internet-based attacks using widely available tools. The document provides high-level guidance for technical cybersecurity basics, though not a comprehensive solution against all threats.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
The document proposes standard operating procedures for security breaches at DeVry University. It recommends removing email addresses from websites to avoid harvesting, and using a contact form instead. Physical security policies are outlined, such as not leaving documents visible in public or unattended. An incident response plan framework is also proposed to minimize downtime from security incidents. The plan involves initial assessment, isolation, communication, recovery, reassessment and review.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
NFA Interpretive Notice on Info SecurityWesley Moore
This document discusses the requirements for an information systems security program (ISSP) according to National Futures Association regulatory rules. It outlines the five key areas an ISSP must address: 1) a written program, 2) security and risk analysis, 3) deployment of protective measures against threats, 4) response and recovery from electronic system threats, and 5) employee training. It provides details on what each area should entail and compliance questions organizations should consider to ensure their ISSP is comprehensive and follows all necessary protocols.
This document provides an overview of enterprise patch management technologies. It begins with an introduction that explains the purpose and scope is to assist organizations in understanding enterprise patch management technologies. It describes the importance of patch management for addressing software vulnerabilities. It then examines the key challenges of patch management, such as timing, prioritization and testing of patches. The document provides an overview of the components, security capabilities and management capabilities of enterprise patch management technologies. It concludes with a brief discussion of metrics for measuring the effectiveness of these technologies and comparing the importance of patches. The appendices include a tutorial on the Security Content Automation Protocol (SCAP) and a summary of recommendations for improving patch management.
The Next Generation of Security Operations Centre (SOC)PECB
The document discusses the key aspects of building a next generation Security Operations Centre (SOC). It emphasizes that skilled people, well-defined processes, and integrating new technologies are critical. Specifically, it recommends adopting automation and analytics to analyze large datasets, integrating threat intelligence from multiple sources, and establishing red and blue teams to continuously test defenses. The goal of a next generation SOC is to use predictive analysis of vast security data to improve threat detection, response, and the overall security posture of an organization.
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...Manoj Purandare ☁
The document outlines a strategy for building an effective security operations center (SOC) in four main parts. It discusses (1) the need for a SOC and roadmap for implementation, (2) required team members, processes, technologies, and threat intelligence, (3) governance, risk, and compliance frameworks, and (4) an 11-step recipe for SOC success focusing on mission, services, people, processes, and communication. The overall strategy presents a structured approach for organizations to establish a SOC capability that enables security management and aligns with standards like ISO 27001.
CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
As businesses continue to adopt new cloud and mobile functionality rapidly, we find the
edges of the network even more blurred, and our definitions of data ownership and breach
responsibility continue to evolve. Staffing and training continue to be the foremost challenge
of the modern SOC. This is paving the way to hybrid staffing models and hybrid infrastructures
that require less in-house expertise. As a result, highly skilled security team members can then
be utilized for a more specialized hunt and analytics-focused work.
There is no question this year has been both an exciting and challenging time to be in the field
of cyber security. On one hand, it is disheartening to see the continued decline in the maturity
and effectiveness of security operations, while, on the other, I know that we are in the middle
of an exciting and transformative change in our field. You can feel it. We must go where the
data leads us, and we believe that is to widen our definition of security operations to leverage
analytics, data science, Big Data, and shared intelligence to become more effective in protecting
today’s digital enterprise.
This document provides biographical and career information about Shritam Bhowmick. It lists his current and previous professional roles, including as an AVP of Labs at Lucideus Tech where he performs application security assessments and R&D, as well as previous roles as an application security trainer and in security roles at other companies. It also notes some of his hobbies include the areas of his professional work.
The document discusses logging, monitoring, auditing, and the importance of management review controls. It provides details on:
- What a security audit involves, including assessing physical, software, network, and human aspects of an information system.
- How security auditing works by testing adherence to internal IT policies and external standards/regulations.
- The purpose of monitoring security logs to detect anomalies and threats, given the large volume of logs generated.
- The benefits of logging, monitoring and reporting which include stronger governance, oversight, security and compliance.
- How management review controls are important for an effective control environment and ensuring accuracy of key security documents.
Cybersecurity Fundamentals for Legal Professionals - Shawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at the 55th Annual Conference on Intellectual Property Law at The Center for American and International Law on November 13, 2017.
The document discusses the role of the Chief Information Security Officer (CISO) and proposes recommendations for implementing an effective yet affordable cyber security program. It recommends that companies focus on doing the security basics well, such as keeping software updated, limiting access to data, and employing security monitoring. The document also advocates for a balanced approach using frameworks like NIST and implementing controls across people, processes, policies, products, and privacy. Following cybersecurity best practices and tenets around areas like secure backups, access management, data security, and risk management can help reduce security incidents by over 90%.
Use this catalog to browse Trustwave’s security education offerings, including security awareness training for all staff and secure software development courses for technical staff. If you have questions please contact us.
MANUAL OVERVIEW
SECTION 1: Introduction: Welcome to CyberLeet
1.1 Introduction
1.2 Your Role at CyberLeet
1.3 Purpose of This Manual
SECTION 2: CORE TENETS OF CYBERSECURITY
2.1 Confidentiality
2.2 Integrity
2.3 Availability
SECTION 3: CYBERSECURITY POLICIES
3.1 Password Policies
3.2 Acceptable Use Policies
3.3 User Training Policies
3.4 Basic User Policies
SECTION 4: THREAT MITIGATION SCENARIOS
4.1 Theft
4.2 Malware
4.3 Your Choice
SECTION 5: REFERENCES
MANUAL OVERVIEW
You are the training manager at CyberLeet Technologies, a midsized firm that provides cybersecurity services to other businesses. CyberLeet’s core customer base is sole proprietorships and other mom-and-pop shops that are too small to have their own IT departments and budgets. Generally speaking, your clients have a reasonably high risk tolerance, and put a premium on the functionality of their IT systems over stringent security measures. However, you also have clients that must protect highly sensitive information in order to continue operating successfully. For example, CyberLeet supports a few small public-accounting firms that need to maintain important tax-related information, as well as several day-care businesses that must keep children’s health records private while allowing necessary access for certain caregivers. In the past year, CyberLeet has experienced rapid growth, which means you can no longer personally provide one-on-one training to every new information security analyst as they are hired. Therefore, you have decided to create a training manual that will explain to the current and future cohorts of new hires the essential principles and practices that they must understand in order to be successful in their role as information security analysts at CyberLeet.
Manual Layout
There are four sections in the manual, which cover all the components of a new employee training manual. As the training manager, you must complete each section using information you learned in this course. Refer to the background information on CyberLeet and apply the appropriate information that best matches based on the size of the company, the value of cybersecurity, and its core tenets. Apply best practices of cybersecurity principles for addressing the common threat scenarios of a sole proprietary business. The main sections of the manual you are responsible for completing are the following:
· Introduction
· Core tenets of cybersecurity
· Developing cybersecurity policies
· Threat mitigation scenarios
In Section One, describe the organization. Provide a short history of the company, define the way it operates, and describe its place within the industry and the community it serves. Follow the prompts to complete each section. All prompts should be deleted prior to submitting this section.
SECTION 1: Introduction: Welcome to CyberLeet
1.1 Introduction
Prompt: Explain the value of CyberLeet Technologies as a provider of cybersecurity services to its .
A to Z of Information Security Management - Mark Conway
The purpose of information security is to protect an organisation’s valuable assets, such as information, intellectual property, hardware, and software.
Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance to the ISO27001 Information Security standard.
This document explains the need for information security in all organizations and the standards to be followed in implementing it. It also gives vendor selection criteria for choosing a consultancy firm for information security, and guidelines on how to stop your web application from being hacked, whether that means critical data being stolen or scripts being run without the owner's knowledge.
A security policy should outline the key items in an organization that need to be protected. This might include the company's network, its physical building, and more. It also needs to outline the potential threats to those items. If the document focuses on cyber security, threats could include those from the inside, such as the possibility that disgruntled employees will steal important information or launch an internal virus on the company's network.
Security policy
A security policy is a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur.
A security policy is an overall statement of intent that dictates what role security plays within the organization. Security policies can be organizational policies, issue-specific policies, or system-specific policies, or a combination of all of these.
[https://www.sciencedirect.com/topics/computer-science/security-policy]
A security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets.
Why do you need a security policy?
A security policy contains pre-approved organizational procedures that tell you exactly what you need to do in order to prevent security problems and next steps if you are ever faced with a data breach. Security problems can include:
Confidentiality – people obtaining or disclosing information inappropriately
Data Integrity – information being altered or erroneously validated, whether deliberate or accidental
Availability – information not being available when it is required or being available to more users than is appropriate
At the very least, having a security (For making this content the author used various online resources; it is shared here only for those who want to know something about it. This content is not entirely the author's own creation or intellectual property.)
Cyber presentation Sept 2019 v8 sent for upload - savassociates1
An accountant is a valuable asset to any organization. He or she is a professional who performs accounting functions. Accounting is not confined to tax and financial matters, as people generally think it is.
CompTIA CySA Domain 5 Compliance and Assessment.pptx - Infosectrain3
The CompTIA Cybersecurity Analyst (CySA+) certification is the industry standard for demonstrating that cybersecurity professionals can analyze data and interpret the results to detect vulnerabilities, threats, and risks to an organization.
Company Description (Tech Lopes)Tech Lopes delivers expert l.docx - janthony65
Company Description (Tech Lopes)
Tech Lopes delivers expert level IT support. We handle both software and hardware issues, as well as general maintenance and IT consultation. We have IT experts ready to provide assistance and results on data recovery, hardware repair, virus removal, and general IT support. We work with all brands of computers, smartphones and tablets in relation to both hardware and software.
Mission:
Our mission is to provide fast, expert level IT Support and educate our customers on simple IT solutions.
Vision:
Our vision is to become the most reliable IT Support Company for consumers, and small businesses.
QUESTIONS:
Create an Information Security Strategy Plan. Use the following outline. For each section use the heading provided and address each bulleted point.
IS Mission Statement
· Explain why you are creating this plan and what the security department hopes to achieve for the business by its implementation.
Introduction
· Explain how this document will set priorities for the entire organization and provide standards and guidelines for reducing risk associated with computing environments.
Governance
· Explain what Information Technology roles your organization has (CIO, CISO, CISSO, etc.) and their descriptions and responsibilities. Who is leading the efforts outlined in this plan?
Strategic Objectives
· Outline strategic objectives that define where your organization needs to be to effectively manage security risks to its information assets such as:
o Data Loss Prevention
o Risk Management
o Crisis and Security Incident Management
Key Initiatives
· Expound upon programs that can be implemented to meet your strategic objectives. Include a description of each, and explain what objectives the program enables as well as its key benefits.
Example:
Initiative 1 – Information Security Awareness Training
o Enables Objectives – Data loss prevention, improved security of system and network services, proactive risk management and crisis and security incident management
o Description – Make available information security awareness training, which serves to inform employees of their responsibilities for protecting the information in their care. To further engage the user community, the security office will work to develop a variety of information-sharing forums to include electronic and live mediums.
o Key Benefits
§ Better awareness of security threats and their impact on information assets
§ Fewer security incidents
§ Common knowledge for all staff
Company Description (Tech Lopes)Tech Lopes delivers expert l.docx - templestewart19
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE - 360 BSI
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operations managers
Contact Kris at kris@360bsi.com to register.
Xevgenis_Michail_CI7130 Network and Information Security - Michael Xevgenis
- The document discusses a security assessment of an organization that provides secure data storage for clients. It outlines the organization's key assets including proper system operation, data security, software, hardware, and employees.
- An analysis team is formed to conduct the security assessment using the OCTAVE framework. The team includes specialists in networking, IT, human resources, security, and business.
- The assessment will identify vulnerabilities and develop security strategies to mitigate risks to the organization's reputation, data protection, availability, and proper operation. Countermeasures proposed will focus on improving the organization's defensive capabilities.
The document provides an overview of designing and developing an effective security awareness and training program. It defines security awareness training, discusses why such programs are important, and outlines best practices for doing it correctly. The presentation agenda includes defining security awareness training, discussing its importance, and presenting Mittal Technologies' security awareness training solution. The document then provides details on developing effective security awareness training, including establishing goals and success criteria, designing the program, developing training content at different levels, and tracking results.
Cyber security practices involve preventing malicious attacks on computers, servers, mobile devices, electronic systems, networks, and data. It is also called information technology security or electronic information security.
https://www.infosectrain.com/courses/ceh-v11-certification-training/
This document provides a playbook for information security (infosec) professionals to build a business case and get budget approval from executive leadership (C-suite) for security initiatives. It outlines a 7-step process: 1) conduct a business impact analysis, 2) perform a security audit, 3) run security scans, 4) develop a remediation plan, 5) present findings and recommendations to the C-suite, 6) continue reporting and be prepared for future opportunities, and 7) implement approved security products and services. The goal is to understand business risks, identify technical vulnerabilities, prioritize remediations, and educate leadership on security needs using business terms and metrics. Ongoing communication, transparency and demonstrating progress are
8242015 Combating cyber risk in the supply chain Print Art.docx - evonnehoggarth79783
8/24/2015 Combating cyber risk in the supply chain Print Article SC Magazine
http://www.scmagazine.com/combatingcyberriskinthesupplychain/printarticle/381050/
Daryk Rowland, director of risk management, Guidance Software, Inc.
November 11, 2014
Combating cyber risk in the supply chain
Security threats within the supply chain have been a concern of purchasing, information security and risk and compliance teams for many years. What's new is the rapid increase in targeted attacks on a less well-defended area for most corporations: the confidential data now commonly shared with supply chain vendors and partners.
In research released in 2013, the Information Security Forum (ISF) found that, “of all the supply chain risks, information risk is the least well managed,” and that, “forty percent of the data-security breaches experienced by organizations arise from attacks on their suppliers.” The Target breach began with a simple login to its corporate network—a login seen as normal by its security systems because the user name and password were valid. The problem, of course, was that these login credentials were stolen—yet they were also authorized for access, so they went unchallenged by Target's authentication system.
Consider the fact that the recent Dragonfly/Energetic Bear hack of U.S. and European energy companies began with a spear-phishing campaign against senior employees in energy sector companies. Those senior employees took the bait and enabled the hackers to compromise legitimate software used by industrial control system (ICS) manufacturers, inserting malware into software updates sent from the ICS manufacturers to their clients.
Everyone involved with vendor management — from legal and risk/compliance teams to information security and purchasing specialists — should now develop a common, collaborative security strategy (or program) that includes layering new protections onto processes and policies to defend against information risk in the supply chain. Adding the following practices to your existing security controls can help you collaborate productively for a targeted approach to supply chain cybersecurity.
Map locations of sensitive data: Collaborate across all relevant teams to determine which data—intellectual property, employee records, financial information, credit card data — is considered sensitive by your organization. Security teams should audit for all locations of that sensitive data on your network, as well as for the locations of copies of that data that may be accessible to members of your supply chain.
Evaluate risk by vendor: Assess and rank vendors and partners with access to your network—or any who retain copies of your data—according to their risk to information security. Two helpful templates for this are the annotated ICT Supply Chain Risk Manageme.
IT Risk Management & Leadership 23 - 26 June 2013 Dubai - 360 BSI
WHY IS THIS IT RISK ASSESSMENT WORKSHOP IMPORTANT?
This document provides guidance on determining maintenance strategies for hardware and network servicing. It discusses identifying business risks, types of direct and indirect risks to a business, and the process of risk management. It also outlines steps to conduct a software audit, including taking an inventory, metering application usage, gathering licensing documentation, adjusting license counts, and establishing software policies. Finally, it introduces warranties and service contracts, explaining what they cover and questions to consider about them when determining maintenance needs.
Post 11. Long term GoalThe Group’s goal is to offer attranhcrowley
The document discusses long term goals, balanced scorecards, and lead and lag measures for an automotive company. The company's long term goal is to offer attractive, safe, and environmentally sound vehicles that can compete globally and set standards in their class. The balanced scorecard includes financial measures like profit margins and returns, customer measures like market penetration and customer loyalty, and internal business process measures like improvements to property and equipment. Balanced scorecards help managers develop efficient policies to achieve organizational goals. Lead measures guide current decisions that yield future results, while lag measures are outcomes of past management decisions.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! - SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Removing Uninteresting Bytes in Software Fuzzing - Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Pushing the limits of ePRTC: 100ns holdover for 100 days - Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
How to Get CNIC Information System with Paksim Ga.pptx - danishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Full-RAG: A modern architecture for hyper-personalization - Zilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf - Malak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
2. SECURITY EDUCATION CATALOGUE
INTRODUCTION
The human factor—what employees do or don’t do—is the biggest threat to an organization’s information security, yet it’s often the most overlooked. Whether they are swiping credit cards, handling clients’ personal information, or developing software solutions for your business, your employees are ripe targets for information thieves seeking access to your sensitive data—if you do not help them learn to protect it. Arm yourself with security education for staff and partners.
Use this catalogue to browse Trustwave’s security education offerings, including security awareness training for all staff and secure software development courses for technical staff. If you have questions, reach out to your Trustwave account manager or use the “Contact Us” section of the Trustwave website.
4. Security Awareness Education (SAE)
Every Trustwave Security Awareness Education (SAE) program is customized for you, the client. Your options include how your online security awareness training course will be set up and what additional print-based materials you would like to order to reinforce your program all year round. This section is designed to help guide you through these options and choose the program that is right for you and your organization.
SAE Course Catalogue
Use these pages to browse our growing library of security awareness lessons. Categorized by areas of interest, each lesson’s catalogue code, topic and objectives are listed here to help you decide which topics are most appropriate for your target audience(s). Most lessons are available in English, Spanish, Portuguese, French and Swedish. You may also view all of our lessons in the Trustwave SAE Portal itself - contact your Trustwave account manager if you would like to receive a free trial account on our service.
SAE Custom Course Builder
This page lists the lessons included in each of our course offerings for the most common types of organizational roles targeted for security awareness training. If these combinations don’t fit your organization’s needs just right, or you’d like to include additional materials such as quizzes or your organization’s own information security policies as part of the course, use the interactive spaces at the bottom of the page to identify the contents of the course(s) you would like us to build.
SAE Pamphlets
Do you employ cashiers and servers who do not have ready access to computers at work? Do you hire temporary workers whose schedules don’t allow much time for training? No problem. Instead of enrolling this population in our online service, you can order our security awareness training pamphlets suitable for front-line workers. The content of the brochures is the same as what is included in our online course. Pamphlets are currently available in English, Spanish and Portuguese.
SAE Posters
Often, organizations administer a formal security awareness training only once per year. Including SAE posters in your office environment helps keep employees aware of their security responsibilities year-round.
5. SAE Course Catalogue
Each course in your Security Awareness Education (SAE) program can be comprised of one or more of the following lessons. Use this guide to identify the lessons you would like to include in each course. If you have any questions, or if you would like to receive a free trial account on the Trustwave SAE Portal, contact your Trustwave account manager for more information.
Compliance Overviews
COM lessons cover the basic principles of various compliance standards mandating training and other information security measures.
COM-01 PCI Overview
Lesson objective: Recognize how the Payment Card Industry (PCI) self-regulates to protect cardholder data.
Supporting objectives:
• Recognize the key PCI stakeholders, and common merchant acceptance channels and classifications.
• Recognize the cycle of a credit card transaction.
• Describe the PCI regulatory environment and recognize high level compliance requirements.
COM-02 HIPAA Overview
Lesson objective: Recognize how U.S. HIPAA and HITECH laws protect the privacy and security of protected health information (PHI).
Supporting objectives:
• Recognize key HIPAA and HITECH stakeholders.
• Recognize the purpose and scope of HIPAA privacy and security rules.
• Describe the HIPAA regulatory environment and recognize high level compliance requirements.
Core Concepts
COR lessons cover basic security awareness concepts that all employees should understand. We recommend including these 5-minute lessons for all your staff.
COR-01 Introduction to Security Awareness
Lesson objective: Demonstrate basic knowledge of security awareness.
Supporting objectives:
• Define security awareness and recognize the importance of protecting information.
COR-02 Social Engineering
Lesson objective: Define social engineering and recognize common threats to information security and how to avoid becoming a victim.
Supporting objectives:
• Define social engineering, recognize who is at risk of becoming victims and list the types of information targeted by social engineers.
• List the most common channels for social engineering, and recognize popular ploys.
• List best practices to avoid becoming a victim of social engineering.
SECURITY AWARENESS TOPICS
SAT lessons cover best practices for common types of tools and activities on the job. Include all those that apply to your employees’ work activities.
SAT-01 Physical Security
Lesson objective: Define physical security, recognize common threats and list best practices.
Supporting objectives:
• Define physical security, recognize the importance of physical security and list the information at risk.
• Recognize common attacks on physical security.
• Recognize physical security vulnerabilities and best practices for securing your workplace.
SAT-02 PC Security
Lesson objective: Define PC security, recognize common threats and list best practices.
Supporting objectives:
• Define PC security and recognize the risks of leaving your computer unprotected.
• List and describe common PC attacks, vulnerabilities, and user mistakes that put your information and systems at risk.
• List and describe critical PC security measures and best practices.
SAT-03 Email Security
Lesson objective: Define email security, recognize common threats and list best practices.
Supporting objectives:
• Define email security and recognize the risk to information security if secure email practices are not in place.
• Recognize the most common email scams and the measures you can take to avoid becoming a victim.
• List best practices for using email securely.
SAT-04 Password Security
Lesson objective: Define password security, recognize common threats and list best practices.
Supporting objectives:
• Define password security and recognize the importance of keeping passwords protected.
• List the ways password protection may be used to keep information secure.
• List basic rules for building a strong password and recognize best practices for effective password use.
SAT-05 HIPAA Overview
Lesson objective: Define Web browsing security, recognize common threats and list best practices.
Supporting objectives:
• Define Web browsing security and recognize the risks of visiting unknown and unsecure websites.
• List the most common Web security threats and recognize how you may put your organization’s information at risk.
• List and describe best practices for browsing the Web securely.
SAT-06 Mobile Device Security
Lesson objective: Define mobile device security, recognize common threats and list best practices.
Supporting objectives:
• Define mobile device security and recognize the risks of leaving your device unprotected.
• Recognize common mobile device attacks and user mistakes that put information at risk.
• List and describe common mobile device security measures.
BEST PRACTICES FOR JOB ROLES
JRT lessons target specific job roles within an organization. Each course may contain one JRT lesson to cover best practices for the target role.
JRT-01 Secure Practices for Retail Associates
Lesson objective: Recognize the security awareness responsibilities of retail associates and the laws, regulations, methods and best practices that help keep information secure in the retail environment.
Supporting objectives:
• Recognize the information security responsibilities of retail associates and the related laws and regulations that impact the retail environment.
• List and describe information security responsibilities and best practices of retail associates.
JRT-02 Secure Practices for Retail Managers
Lesson objective: Recognize the security awareness responsibilities of retail managers and the laws, regulations, methods and best practices that help keep information secure in the retail environment.
Supporting objectives:
• Recognize the security responsibilities of retail managers or owners and the information security laws and regulations that impact the retail environment.
• List and describe information security responsibilities and best practices of retail managers.
JRT-03 Secure Practices for Call Center Employees
Lesson objective: Recognize the security awareness responsibilities of call center employees and the laws, regulations, methods and best practices that help to keep information secure.
Supporting objectives:
• Recognize the information security laws and regulations that impact the call center environment.
• Recognize the responsibility of call center employees to protect the information they work with each day.
• List and describe the information security responsibilities and best practices of call center employees.
JRT-04 Secure Practices for Call Center Managers
Lesson objective: Recognize the security awareness responsibilities of call center managers and the laws, regulations, methods and best practices that help keep information secure in the call center.
Supporting objectives:
• Recognize the information security responsibilities of call center managers and the related laws and regulations that impact the call center environment.
• List and describe information security responsibilities and best practices of call center managers.
JRT-05 Secure Practices for Enterprise Employees
Lesson objective: Recognize the security awareness responsibilities of enterprise employees and the laws, regulations, methods and best practices that help keep information secure.
Supporting objectives:
• Recognize the security responsibilities of enterprise employees and the information security laws and regulations that impact the enterprise environment.
• List and describe information security responsibilities and best practices of enterprise employees.
JRT-06 Secure Practices for IT and Engineering Staff
Lesson objective: Recognize the security awareness responsibilities of IT and engineering staff and the laws, regulations, methods and best practices that help keep information secure.
Supporting objectives:
• Recognize the information security-related laws and regulations that impact the IT and application development environment and the responsibility of personnel to protect the information they work with each day.
• List and describe the information security responsibilities of IT and engineering staff.
• List best practices for IT and engineering staff to help keep information secure.
7. ADVANCED SECURITY TOPICS
ADV lessons cover a wide range of topics for managers and technical personnel.
ADV-01 PCI Forensic Investigations
Lesson objective: Recognize how the PCI forensic investigation process works and identify how a breach is discovered, investigated and remediated.
Supporting objectives:
• Identify common ways breaches are discovered and the high level steps employees should take if a breach is discovered.
• Describe the Trustwave PCI forensic investigation process and a breached organization’s responsibility to report and remediate security deficiencies.
• Recognize common security threats and the importance of continuous compliance to protect against them.
ADV-02 Exploring Security Trends
Lesson objective: Recognize key findings of Trustwave’s annual Global Security Report and list ways to improve security this year based on last year’s trends.
Supporting objectives:
• Recognize the purpose and contents of Trustwave’s Global Security Report.
• Recognize key findings of the current Global Security Report.
• List security best practices that help organizations avoid the security pitfalls of last year.
8. Security Awareness Course Builder
This page lists the lessons included in our basic Security Awareness Education courses. These courses are targeted to common roles that fit most organizations’ needs. Select the course(s) that fit your target audience(s) by clicking inside the box beside it, or build your own course using the blank spaces below. Descriptions of each lesson in our library can be found in the SAE Course Catalogue.
[Course builder grid: one checkbox column per lesson (COM-01, COM-02, COR-01, COR-02, SAT-01 to SAT-06, BAN-01 to BAN-03, JRT-01 to JRT-06, ADV-01, ADV-02) plus Quiz and Policy Document columns, with one row per course listed here.]
Security Awareness for Retail Associates
Security Awareness for Retail Managers
Security Awareness for Call Center Employees
Security Awareness for Call Center Managers
Security Awareness for Enterprise Employees
Security Awareness for IT and Engineering Staff
Security Awareness for Health Care Workers
Security Awareness for Bank Workers
Create your Own
Use this section to mix and match lessons to build up to five courses of your own. Just use the interactive checkboxes below to select course content.
9. SAE Print Material
POSTERS
Augment your Security Awareness Education with posters specific to your target audience. Click the check box to select the poster(s) you want. Use the “total” field to specify how many of each poster you want. Posters are available only in English. Contact your Trustwave account manager if you have questions.
Retail (3 posters, each with a Total field)
Call Center (3 posters, each with a Total field)
Office (7 posters, each with a Total field)
Web (3 posters, each with a Total field)
SAE Pamphlets
Trustwave’s SAE Pamphlets are perfect for employees who do not have ready access to computers at work, or a lot of time to devote to training. The pamphlets can be cobranded to include your logo and company name, and are available in English, Spanish and Portuguese. Use the “total” field to specify how many pamphlets you would like to order. Each pamphlet consumes a single SAE license.
Total:
10. Banking Security
Online banking has soared in popularity, not only for businesses but for consumers who depend on banks for their everyday financial needs. While you are taking steps to protect your customers from identity theft and financial crimes, customers themselves must also implement security best practices when accessing online banking on their personal or business computers. Providing resources to customers to educate them about best practices for securing their information online demonstrates your commitment to securing your customers’ information, improves security for you and your customers and helps satisfy FFIEC requirements for customer education.
BANKING SECURITY
BAN lessons target the specific security awareness needs of bank customers who use online accounts to manage their finances.
BAN-01 Online Banking Security
Lesson objective: Recognize the risks and threats that come with online banking, as well as the technology and security best practices available to help combat such threats.
Supporting objectives:
• Recognize ways information is stolen from online accounts.
• Recognize the monetary risk of security incidents and the top attack targets used by criminals.
• Describe how banks and their customers work together to protect valuable information.
BAN-02 Protecting Online Accounts for Businesses
Lesson objective: Recognize a business’s role in helping to secure its own online systems and accounts, and identify the security best practices businesses can follow to do so.
Supporting objectives:
• Recognize a business’s role in keeping their sensitive information secure online.
• List best practices for businesses to use to protect their sensitive information.
BAN-03 Protecting Online Accounts for Consumers
Lesson objective: Recognize the individual’s role in helping to secure their own online accounts, and identify the security best practices individuals can follow to do so.
Supporting objectives:
• Recognize an individual consumer’s role in keeping their sensitive information secure online.
• List best practices consumers can use to protect their sensitive information.
11. Secure Development Training (SDT)
Trustwave offers a suite of Web-based technical courses that introduce your solution development staff to theory and best practices around planning and writing secure code. You can choose to enroll employees in just one of the courses that is most relevant to them, or to give them access to the full suite of Secure Coding Design courses we offer. Whichever option you select, this section will help you decide which course(s) are right for your staff.
Secure Development Course Catalogue
Use these pages to browse our library of Secure Development courses. Categorized by the stages of the software development life cycle, each course’s catalogue code, topic and prerequisites (if any) are listed here to help you decide which topics are most appropriate for your target audience(s).
Secure Development Course Builder
This page defines the course bundles available to SDT customers. Use this worksheet to note which courses you would like to offer to your staff.
12. SDT Course Catalogue
SECURITY AWARENESS AND PROCESS COURSES
AWA 101 Fundamentals of Application Security
Upon course completion, students will be able to understand and recognize threats to applications, leverage the OWASP top 10 list to create more secure Web applications and conduct specific activities at each development phase to ensure maximum hardening of your applications.
Time: 2 hours
Prerequisites: Understanding of the software development lifecycle and technologies; basic understanding of software security.
AWA 102 Protecting Online Accounts for Businesses
By the end of this course, students will be familiar with the main characteristics of a secure software development lifecycle and the activities that an organization should perform to develop secure software. Additionally, students will recognize the need to address software security in their everyday work.
Time: 1 hour
Prerequisites: Basic knowledge of software development processes and technologies.
AWA 103 Six Fundamentals of Information Security
By the end of this course, students will be familiar with the main characteristics of a secure software development lifecycle and the activities that an organization should perform to develop secure software. Additionally, students will recognize the need to address software security in their everyday work.
Time: 1 hour
Prerequisites: None
AWA 104 Fundamentals of the PCI-DSS
This course is designed to meet the PCI-DSS requirement and will provide such awareness as well as a basic understanding of each of the PCI-DSS requirements addressing cardholder data security.
Time: 1 hour
Prerequisites: None
AWA 105 Fundamentals of Security Awareness - Mobile and Social Media
This security awareness course focuses on how sensitive data and confidential information can be compromised with the use of social media and mobile devices by today’s work force. Using a fun and interactive computer based format, the viewer is made aware of the risks associated with these technologies, and how to use them safely.
Time: 30 minutes
Prerequisites: None
SECURITY ENGINEERING COURSES
ENG 102 Introduction to the Microsoft SDL
The goal of this course is to help students understand and identify the Security Development Life Cycle (SDL) requirements for building and deploying secure software applications. The course demonstrates the benefits teams gain by following the SDL, and it provides managers with information regarding their role and responsibilities in ensuring the team follows the SDL.
Time: 1 hour
Prerequisites: Knowledge of the software development lifecycle.
ENG 201 SDLC Gap Analysis and Remediation Techniques
Upon completion of this course, the participant will be able to identify the benefits of the Security Development Lifecycle, recognize the importance of the Final Security Review, follow the necessary steps to meet SDL requirements and identify the appropriate tools required by the SDL.
Time: 1 hour
Prerequisites: Knowledge of the software development lifecycle.
ENG 211 How to Create Application Security Design Requirements
This course provides an understanding of the goals, processes and best practices for auditing software security processes within the context of the Microsoft Security Development Life Cycle.
Time: 45 minutes
Prerequisites: Introduction to the Microsoft SDL (ENG 102), Fundamentals of Application Security (AWA 101).
ENG 301 How to Create an Application Security Threat Model
This course provides an understanding of the goals, processes and best practices for auditing software security processes within the context of the Microsoft Security Development Life Cycle.
Time: 1 hour
Prerequisites: Fundamentals of Application Security (AWA 101).
ENG 311 Attack Surface Analysis and Reduction
In this course, students will learn to identify the goals of threat modeling and the corresponding SDL requirements, identify the roles and responsibilities involved in the threat modeling process, recognize when and what to threat model and identify the tools that help with threat modeling. Students will also learn to use the threat modeling process to accurately identify, mitigate and validate threats.
Time: 1 hour
Prerequisites: Fundamentals of Secure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212).
ENG 312 How to Perform a Security Code Review
Course provides an understanding of the goals and methodologies of attackers, identification of attack vectors and how to minimize the attack surface of an application.
Time: 1 hour
Prerequisites: Fundamentals of Secure Development (COD 101), Architecture Risk Analysis and Remediation (DES 212).
ENG 391 How to Create an Application Security Threat Model for Embedded Systems
This course provides students with guidance on how to best organize code reviews, prioritize those code segments that will be reviewed, best practices for reviewing source code and maximize security resources.
Time: 1 hour
Prerequisites: Fundamentals of Secure Architecture (DES 101), How to Create Application Security Design Requirements (ENG 211), How to Create an Application Security Threat Model (ENG 301), Creating Secure Code – ASP.Net (COD 311) OR C/C++ (COD 312) OR J2EE (COD 313).
ENG 392 Attack Surface Analysis and Reduction for Embedded Systems
This course module provides additional training on How to Create an Application Security Threat Model of particular importance to embedded software engineers. It includes mapping of content to specific compliance and regulatory requirements, links to key reference resources that support the topics covered in the module and a “Knowledge Check” quiz that assesses mastery of key concepts.
Time: 30 minutes
Prerequisites: How to Create an Application Security Threat Model (ENG 301).
ENG 393 How to Perform a Security Code Review for Embedded Systems
This course module provides additional training on Attack Surface Analysis and Reduction of particular importance to embedded software engineers.
Time: 30 minutes
Prerequisites: Attack Surface Analysis and Reduction (ENG 311).
Secure Design
DES courses cover topics in secure software architecture and design, to help plan security into applications before any code is written.
DES 101 Fundamentals of Secure Architecture
Understand the state of the software industry from a security perspective, by learning from past software security errors and how to avoid repeating those mistakes. They will also be able to recognize and use confidentiality, integrity and availability (CIA) as the three main tenets of information security.
Time: 2 hours
Prerequisites: None
DES 211 OWASP Top 10 - Threats and Mitigations
Recognize best practices for understanding, identifying and mitigating the risk of vulnerabilities and attacks within the OWASP Top 10.
Time: 2 hours
Prerequisites: None
DES 212 Architecture Risk Analysis and Remediation
Recognize concepts, methods and techniques for analyzing the architecture and design of a software system for security flaws.
Time: 1 hour
Prerequisites: Fundamentals of Secure Architecture (DES 101).
DES 213 Introduction to Security Tools and Technologies
This course is designed to educate architects and developers on the technologies available to create more secure systems.
Time: 2 hours
Prerequisites: Fundamentals of Security Testing (TST 101).
DES 301 Introduction to Cryptography
Recognize the problems that cryptography can address, the threats that apply to two communicating parties, the appropriate cryptographic solutions to mitigate these threats, and how to describe the mechanisms behind cryptographic protocols. Learners will also be able to recognize how to follow cryptographic best practices and locate cryptography resources.
Time: 1 hour
Prerequisites: Fundamentals of Secure Development (COD 101); Architecture Risk Analysis and Remediation (DES 212).
DES 311 Creating Secure Application Architecture
Recognize key security principles that can be used to improve the security of application architecture and design. Demonstrate how to apply defenses to harden applications and make them more difficult for intruders to breach, reducing the amount of damage an attacker can accomplish.
Time: 1 hour
Prerequisites: Fundamentals of Secure Architecture (DES 101); Architecture Risk Analysis and Remediation (DES 212).
14. SECURITY EDUCATION CATALOGUE
Secure Coding
#
COD courses cover security topics in the implementation stage of the software development life cycle, when code is actually being written.
Lesson Name
Lesson Objectives
Time
Supporting Objectives
COD 101
Fundamentals of Secure
Development
Recognize the latest trends in software security, as well as the importance of software
security for business. Demonstrate how to perform threat modeling to identify threats
proactively, create threat trees for application components, use threat tress to find and
classify vulnerabilities and perform risk analysis and prioritize security fixes.
COD 110
Fundamentals of Secure
Mobile Development
This course introduces some of the common mobile application risks and the best
development practices that you should follow for development to overcome risks. The
course also explains how to create a mobile application threat model.
2 hours
• None
COD 111
Fundamentals of Web
2.0 Security
This course introduces you to the fundamentals of secure Web 2.0 development. The
course begins with a discussion about Web 2.0, its evolution, and the technologies
behind it. The course describes common Web 2.0 attacks that can cause significant loss
to organizations. It reviews the best practices that you should incorporate to mitigate the
risks from Web 2.0 attacks, as well as practices to avoid. The course concludes with a
walk-through of a software system scenario that can help you better understand Web 2.0
attacks and apply the best practices discussed in the course.
2 hours
• None
COD 201
Fundamentals of Secure
Database Development
This course will demonstrate database development best practices for software architects
and developers.
2 hours
• Fundamentals of Secure Development
(COD 101).
COD 211
Understanding Secure
Code - JRE
Recognize and remediate common Java Web software security vulnerabilities. Define data
leakage, injection attacks, client/server protocol manipulation attacks, and authentication
exploitations and mitigate these security vulnerabilities.
1 hour
• Fundamentals of Secure Development
(COD 101).
COD 212
Understanding Secure
Code - C/C++
Recognize how to write secure code in C/C++ for Windows and Unix platforms, robust
code development and secure socket programming. Demonstrate how to apply time-tested
defensive coding principles to develop secure applications. Recognize the nine defensive
coding principles and how to use them to prevent common security vulnerabilities.
75 minutes
• Fundamentals of Secure Development
(COD 101).
COD 213
Understanding Secure
Code - Windows 7
Define Windows 7 security features and build applications that leverage Windows 7’s builtin security mechanisms.
2 hours
• Basic knowledge of Windows programming and
memory management, and knowledge of basic
security features of Windows versions prior to
Windows 7.
COD 215: Understanding Secure Code - .NET 4.0
Lesson Objectives: Recognize .NET 4.0 security features, including concepts such as Code Access Security (CAS) and .NET cryptographic technologies. Recognize security changes in .NET 4.0, including level 2 security transparency, the new sandboxing and permission model, the introduction of conditional APTCA, and changes to evidence objects and collections. Define secure coding best practices that will enable students to build more secure applications in .NET 4.0.
Time: 2 hours
Supporting Objectives: Fundamentals of Secure Development (COD 101).
Time: 1 hour
Supporting Objectives: None
COD 216: Understanding Secure Code - .NET 2.0
Lesson Objectives: Define .NET 2.0 security features, including concepts such as Code Access Security (CAS) and .NET cryptographic technologies. Recognize secure coding best practices that will enable students to build more secure applications in .NET 2.0.
Time: 2 hours
Supporting Objectives: Fundamentals of Secure Development (COD 101).
COD 217: Creating Secure Code - iPhone Foundations
Lesson Objectives: Learn to develop and deploy secure iPhone applications by leveraging Apple’s security services and following Web application secure coding best practices.
Time: 1 hour
Supporting Objectives: Fundamentals of Secure Mobile Development (COD 110).
COD 218: Creating Secure Code - Android Foundations
Lesson Objectives: Learn to develop secure Android applications by applying Android-specific secure development best practices and techniques. The course emphasizes key Android security features that can help you prevent common application vulnerabilities.
Time: 90 minutes
Supporting Objectives: Fundamentals of Secure Mobile Development (COD 110).
COD 221: Web Vulnerabilities - Threats and Mitigations
Lesson Objectives: Recognize, avoid and mitigate the risks posed by Web vulnerabilities. Define the most common and recent attacks against Web-based applications, such as cross-site scripting attacks and cross-site request forgery attacks. Demonstrate how to avoid and/or mitigate Web vulnerabilities using real-world examples.
Time: 1 hour
Supporting Objectives: Creating Secure Code – J2EE Web Applications (COD 313) OR Creating Secure Code – ASP.NET (COD 311).
COD 222: PCI Best Practices for Developers
Lesson Objectives: Recognize application security issues within the PCI DSS and best practices for addressing each requirement. Recognize how addressing the PCI DSS requirements during the design and build stages of the development life cycle will improve application security and will simplify compliance.
Time: 1 hour
Supporting Objectives: Fundamentals of Secure Architecture (DES 101).
COD 231: Introduction to Cross-Site Scripting - With JSP Examples
Lesson Objectives: Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure coding best practices to prevent cross-site scripting vulnerabilities.
Time: 20 minutes
Supporting Objectives: Basic knowledge of Web technologies and Java Server Pages (JSP).
COD 232: Introduction to Cross-Site Scripting - With ASP.NET Examples
Lesson Objectives: Recognize the mechanisms behind cross-site scripting vulnerabilities, describe cross-site scripting vulnerabilities and their consequences, and apply secure coding best practices to prevent cross-site scripting vulnerabilities.
Time: 20 minutes
Supporting Objectives: Basic knowledge of Web technologies and Java Server Pages (JSP).
COD 311: Creating Secure Code - ASP.NET
Lesson Objectives: Demonstrate the development of secure web applications in C#. Recognize common web application vulnerabilities and demonstrate ways to avoid those vulnerabilities in C# code. In the hands-on section, students will discover the vulnerabilities for themselves and find ways to address them, greatly enhancing the security of their code. Upon completion of this class, participants will be able to recognize the need to follow secure coding best practices, follow secure coding best practices and locate additional resources on secure coding best practices for ASP.NET.
Time: 4 hours
Supporting Objectives: Understanding Secure Code - .NET 4.0 (COD 215).
COD 312: Creating Secure Code - C/C++
Lesson Objectives: Define application security risks and secure coding standards for C and C++ applications, and the different types of errors that can be introduced while coding. Recognize the importance of detecting these errors and remediating them as early as possible to avoid security issues. Define real-world best practices and techniques, and static analysis tools to detect and resolve security vulnerabilities in code.
Time: 90 minutes
Supporting Objectives: Understanding Secure Code – C/C++ (COD 212).
SECURITY EDUCATION CATALOGUE
COD 313: Creating Secure Code - J2EE Web Applications
Lesson Objectives: Demonstrate development of secure web applications in Java. Recognize common web application vulnerabilities and define ways to avoid those vulnerabilities in Java code. In the hands-on section, students will discover the vulnerabilities themselves and find ways to address them, greatly enhancing the security of their code. Upon completion of this course, participants will be able to recognize why software security matters to their business, recognize the root causes of the more common vulnerabilities, identify the symptoms of common vulnerabilities and use security best practices to prevent common vulnerabilities.
Time: 2 hours
Supporting Objectives: Understanding Secure Code – JRE (COD 211)
COD 314: Creating Secure C# Code
Lesson Objectives: This course will provide a deep understanding of application security risks and secure coding standards for C# applications. The main lesson guides students through the concepts underlying the coding principles and illustrates real-world best practices and techniques, and the labs allow students to test what they have learned.
Time: 3 hours
Supporting Objectives: Understanding Secure Code - .NET 4.0 Foundations (COD 215)
COD 315: Creating Secure PHP Code
Lesson Objectives: This course introduces best practices for developing secure PHP code. The course also identifies common PHP vulnerabilities that attackers can exploit to gain access to critical information. In addition, the course explains mitigation techniques that you can use to avoid common PHP vulnerabilities and write secure code.
Time: 2 hours
Supporting Objectives: Fundamentals of Secure Development (COD 101)
COD 321: Creating Secure Code - Oracle Foundations
Lesson Objectives: This course provides the student with an understanding of the scope and requirements of database security as well as the risks presented by insecure database applications. After taking this course, the student will be able to understand the risks to database applications; apply security best practices when developing database applications; understand common database attacks; code applications with countermeasures to common database attacks.
Time: 2 hours
Supporting Objectives: Fundamentals of Secure Database Development (COD 201)
COD 322: Creating Secure Code - SQL Server Foundations
Lesson Objectives: This course provides the student with an understanding of the scope and requirements of database security as well as the risks presented by insecure database applications. After taking this course, the student will be able to understand the risks to database applications; apply security best practices when developing database applications; understand common database attacks; code applications with countermeasures to common database attacks.
Time: 90 minutes
Supporting Objectives: Fundamentals of Secure Database Development (COD 201)
COD 411: Integer Overflows - Attacks and Countermeasures
Lesson Objectives: An integer overflow is a programming error that can severely impact a computer system’s security. Due to the subtlety of this bug, integer overflows are often overlooked during development. This course covers the security concepts, testing techniques and best practices that will enable students to develop robust applications that are secure against integer overflow vulnerabilities.
Time: 1 hour
Supporting Objectives: Basic understanding of the C, C++, and C# programming languages.
COD 412: Buffer Overflows - Attacks and Countermeasures
Lesson Objectives: Recognize how to avoid and mitigate the risks posed by buffer overflows. Recognize the protections provided by the Microsoft compiler and the Windows operating system, and advice on how to avoid buffer overflows during the design, development and verification phases of the software development life cycle.
Time: 2 hours
Supporting Objectives: Basic knowledge of Windows programming and memory management in Windows.
Security Testing
TST courses cover topics in testing software for security flaws and remediating defects before release.
TST 101: Fundamentals of Security Testing
Lesson Objectives: Define security-testing concepts and processes that will help students analyze an application from a security perspective and conduct effective security testing. Recognize different categories of security vulnerabilities and the various testing approaches that target these classes of vulnerabilities. Several manual and automated testing techniques are presented which will help identify common security issues during testing and uncover security vulnerabilities.
Time: 2 hours
Supporting Objectives: None
TST 201: Classes of Security Defects
Lesson Objectives: Recognize how to create a robust defense against common security defects. Students will learn why and how security defects are introduced into software, and will be presented with common classes of attacks, which will be discussed in detail. Along with examples of real-life security bugs, students will be shown techniques and best practices that will enable the team to identify, eliminate and mitigate each class of security defects. Additional mitigation techniques and technologies are described for each class of security defect.
Time: 3 hours
Supporting Objectives: None
TST 211: How to Test for the OWASP Top 10
Lesson Objectives: The Open Web Application Security Project (OWASP) Top Ten is a listing of critical security flaws found in web applications. Recognize how these flaws occur and demonstrate testing strategies to identify the flaws in web applications.
Time: 1 hour
Supporting Objectives: Fundamentals of Security Testing (TST 101)
TST 301: Software Testing - Tools and Techniques
Lesson Objectives: This course introduces the tools and techniques used during software security testing. After taking this course, the student will be able to create a software security test plan; decide which software security testing tools to use; know how to apply the testing tools; understand and apply penetration testing techniques.
Time: 90 minutes
Supporting Objectives: None
TST 401: Advanced Software Security Testing Techniques
Lesson Objectives: This course delves deeply into the techniques for testing specific security weaknesses. After taking this course, the student will be able to understand the ten types of attacks; know which tools to use to test for these attacks; test software applications for susceptibility to the ten specific attacks; describe the expected mitigations required to prevent these attacks.
Time: 2 hours
Supporting Objectives: Software Testing - Tools and Techniques (TST 301)
TST 411: Exploiting Buffer Overflows
Lesson Objectives: Recognize the threats posed by buffer-overflow exploits, and the mechanisms behind exploitation of stack-based and heap-based buffer overflows. Define challenges faced by exploit code and how different exploitation techniques overcome environmental limitations.
Time: 2 hours
Supporting Objectives: Creating Secure Code – C/C++ (COD 312); Fundamentals of Security Testing (TST 101)
Secure Development Course Bundles
Use this checklist to determine which course(s) you want to provide for your staff. Descriptions of each course in the
SDT library can be found in the SDT Course Catalogue on the previous pages. Custom bundles, consisting of up to six
(6) courses or twelve (12) hours of content, can be set up on request. Contact your Trustwave account representative if
you would like to configure a custom bundle.
Java Developer
• AWA-101 Fundamentals of Application Security
• COD-101 Fundamentals of Secure Development
• COD-221 Web Vulnerabilities – Threats & Mitigations
• COD-211 Creating Secure Code – JRE Foundations
• COD-313 Creating Secure J2EE Code
PHP Developer
• AWA-101 Fundamentals of Application Security
• COD-101 Fundamentals of Secure Development
• COD-221 Web Vulnerabilities – Threats & Mitigations
• COD-315 Creating Secure PHP Code
Project Manager
• ENG-101 Microsoft SDL for Managers
• ENG-201 SDLC Gap Analysis and Remediation Techniques
• ENG-211 How to Create Application Security Design Requirements
• COD-101 Fundamentals of Secure Development
• DES-101 Fundamentals of Secure Architecture
.NET Developer
• AWA-101 Fundamentals of Application Security
• COD-101 Fundamentals of Secure Development
• COD-221 Web Vulnerabilities – Threats & Mitigations
• COD-215 Creating Secure Code - .NET 4.0 Foundations (or .NET 2.0 version)
• COD-311 Creating Secure ASP.NET Code
C/C++ Developer
• AWA-101 Fundamentals of Application Security
• COD-101 Fundamentals of Secure Development
• COD-312 Creating Secure Code – C/C++ Foundations
• COD-392 Creating Secure C/C++ Code
Mobile Applications
• AWA-105 Security Awareness – Mobile & Social Media
• COD-110 Fundamentals of Secure Mobile Development
• COD-217 Creating Secure Code – iPhone Foundations
• COD-218 Creating Secure Code – Android Foundations
Software Architect
• AWA-101 Fundamentals of Application Security
• DES-101 Fundamentals of Secure Architecture
• DES-212 Architecture Risk Analysis and Remediation
• DES-311 Creating Secure Application Architecture
• ENG-301 How to Create an Application Security Threat Model
• ENG-311 Attack Surface Analysis and Reduction
Test/QA
• TST-101 Fundamentals of Security Testing
• TST-201 Classes of Security Defects
• TST-211 How to Test for the OWASP Top 10
• TST-301 Software Security Testing – Tools & Techniques
• TST-401 Advanced Software Security Testing