The Facilitated Risk Analysis Process (FRAP) is a celebrated mechanism for defining business risks, prioritizing those risks, and defining the corresponding controls. This process can be completed in less than two days, which maximizes the value of the results because results are timely and you can move to implementation faster. This class has been updated to streamline the process, and also tailored to encompass the ISO-1799 standards.
Risk analysis includes techniques to determine the relationship between the value of your information assets and the cost of measures required to protect them. We believe that all assets within our enterprise need protection of some kind, and yet every security mechanism seems to slow down operations. To establish an effective control program, the Information Security professional and audit staff must work with the information owners and users to find the best balance of productivity and controls.
If we implement controls without a strong understanding of the risks, we may end up with controls that cost too much, are ‘overkill’, or take too much effort to operate. This workshop will provide you with the tools necessary to implement an efficient risk analysis process that identifies appropriate controls. The process allows organizations to conduct application, network, or system risk analysis in a matter of hours rather than the weeks or months that some other methodologies require.
FRAP is a methodology driven by the owner of the application, network or system and conducted by a facilitator. It is a subjective process that obtains results by asking questions. The results of the FRAP are a comprehensive document that has identified risks, identified controls to mitigate those risks, and an action plan – created by the owner – to implement those controls.
Course Deliverables
- Tie business objectives to security controls
- Examine risks and assess vulnerabilities
- Conduct a FRAP
- Develop a comprehensive FRAP action plan
- Gain the support of the customer
You will take back with you:
- A completed set of risk analysis objectives
- A sample action plan
- A draft pre-screening set of questions
- A sample Business Impact Analysis
- A thorough understanding of the FRAP process
- The tools needed to conduct a FRAP
Course Curriculum
What is Risk Analysis? – We will examine what is included in typical risk analyses, and the pros and cons of different methods. We will look at the difference between risk analysis and vulnerability assessment, and identify the circumstances in which each should be used. Using these as a foundation, we will go through the sequence of events necessary to allow you to create a business process suitable for your own environment.
Qualitative Risk Analysis – There are two main forms of risk analysis, quantitative and qualitative. This course will center on qualitative risk analysis and how it has been accepted throughout the business and government sectors. This more recent approach has been designed to overcome the identified shortcomings of traditional risk analysis methods. The qualitative process sets limitations on the scope of the analysis and uses a “scoring system” to enable financial and non-financial risks to be measured. Using the information presented, class participants break up into groups and work an exercise reinforcing the qualitative risk analysis process.
Pre-Screening Subjects – Once the basics of qualitative risk analysis have been established, we will move on to the practical application of those concepts. Not every subject needs a formal risk analysis, but every subject needs to be formally reviewed to determine its needs. By establishing a quick review of the application, system or other subject, the organization can determine where to expend its limited resources. We will examine a number of examples of pre-screening methods and how they are used in different organizations. We will then break up into groups and develop a pre-screening process for each participant's organization.
Formal Risk Analysis Methodology – Using the qualitative approach and the results from the pre-screening, we will examine the most widely used method of risk analysis today. The Facilitated Risk Analysis Process (FRAP) will be reviewed, and you will be given the tools you need to conduct your own FRAP when you return to your organization.
Business Impact Analysis – The Business Impact Analysis (BIA) is used by organizations to identify critical resources. Using all of the techniques discussed, we will study a facilitated process to review the impact on business processes if resources become unavailable. Once the critical resources are scored, the organization can then identify appropriate controls to ensure the business continues to meet its business objectives or mission. We will then break into groups and develop a BIA to meet the needs of each participant's organization.
Practical Application: Case Study – Under the leadership of the instructor, teams of participants will prepare and conduct a FRAP based on a specific case study. At the conclusion of the FRAP session, the teams will assemble to examine the results and begin to create their final reports. When completed, each group will go through a debriefing to review the process and identify strong points and areas that may need additional work.