Information Security Philippines

presents

Network Vulnerability Assessment Workshop

March 26, 27 and 28 2008

In today’s world, it is getting more and more important for businesses to be connected and be accessible through the Internet. Businesses now put more stock into the viability of the net in increasing their profit margin and in large extent their public exposure. Thus, more financial value gets imbued into the data that goes around the wires.

That’s where the value of information security comes into play; assessing one’s readiness in defending information assets comes as a direct result of proper Vulnerability Assessment and to a larger scale of risk management. Getting one’s feet wet on VA will benefit not only the company’s security stance but also the individual’s appreciation of what could possibly lie ahead in terms of threats and risks, realization would also set on the extent of knowledge, time and investment to fully prepare one’s company in facing the growing challenges of today and tomorrow’s Internet.

Course Objectives:

At the end of the training, you should be able to:

• Determine the boundary of analysis and schedule of assessment
• Perform threat and impact analysis
• Define and verify policies of target assets for VA
• Execute active and passive information gathering techniques
• Utilize vulnerability scanning tools
• Generate technical and managerial VA reports

Who Should Attend:

• Network Managers
• System Administrators
• IT Managers
• IT Auditors
• Security Professionals

Course Outline:

 

DAY 1

 

• • Information Security Concepts
  • The Need for Information Security
  • Vulnerability Assessment Overview
  • The Security Process
  • Information Security Life Cycle
  • Threats to Computer and Network Systems
  • What is Ethical Hacking?
  • Types of Ethical Hacking
  • Responsibilities of an Ethical Hacker
  • Skills Requirements
  • Customer Expectations
  • Relevant Laws

• Introduction
  
• Foundations

DAY 2

 

• • Formal Methodologies
  • Methodology Overview
  • Open Source and Commercial Tools
  • The Live CD Approach
     

  • • Passive Information Gathering
    • Active Information Gathering
    • Social Engineering

    • Tools and Online Resources
    • Google Hacking

  • Project Start-Up
  • Information Gathering
  • Threat and Impact Analysis
  • Reconnaissance and Enumeration

• Getting Started
• Vulnerability Assessment

DAY 3

 

• • • Technical Report
    • Managerial Report

  • Vulnerability Scanning
  • Report Generation
  • Web Application Securit
     

  • Summary
  • Information Security Policies
  • Introduction to Penetration Testing

• Vulnerability Assessment
• Synopsis

Miscellaneous

Reports

Checklists

Technical Reports

Managerial Reports

Please bring your laptop.

Trainer’s Profile:

Ariel Ben T. Senga, CISSP

Ariel is the President and CEO of SeQure Technologies, which he cofounded in 2005. He is also a Certified Information Systems Security Professional. Ariel has intensive experience in various information systems management and development in IT, communications, manufacturing, government, and engineering industries. He has conducted various engagements related to IT internal control reviews, standards compliances, and internal audit reviews.

Currently, he has been managing all of SeQure Technologies’ security services such as vulnerability assessments, penetration testing, security assessments and audits, policy controls, and network infrastructure deployments.

Ariel has developed training courses in security awareness, network vulnerability assessment and penetration testing. As with course development, Ariel has presented in Universities and Colleges in the Philippines as an information security advocate.

Training Schedule: March 26, 27 and 28, 2008 (3 Days w/ Lunch + Refreshment Snacks)

Course Fee: PhP 17,500.00 (Exclusive of 12% VAT)

Includes: Student Manual, Live CD, and Certificate of Completion

Venue: CEO Suite, 37th Flr. LKG Tower 6801 Ayala Ave. 1226 Makati City

For more details, please call or text Pamela Chua at +63 922 8742757 or email pam@poshmarketingservices.com.

Cancellation of registration should be made seven working-days before the training date. Otherwise, 50% of the training fee shall be charged. No show during the training shall be charged 100% of the training fee.

The threat vectors that target today’s software applications are constantly evolving. While commercial software security features are improving, vulnerabilities still exist.

Customized and proprietary software – those that power much of today’s business operations – are even more vulnerable, as hackers increasingly target applications that range from e-commerce platforms to legacy accounting systems.

As the number of companies deploying proprietary software on or near public networks continues to spike, concerns about application security are more acute than ever.

What steps can you take to protect your company?

An effective, proactive defense against today’s attacks and tomorrow’s threats requires the right combination of technology and expertise.

Making sure you have the right team in place, typically a blend of internal and external experts, is the first step. Methodically identifying and addressing your company’s vulnerabilities, and establishing a plan for ongoing defensive measures is the next.

This FREE whitepaper from Neophasis will help you better understand the threats your company is facing, and the immediate steps you can take to confidently secure your applications.

Download Neophasis’ Proactive Strategies for Securing Your Applications FREE Whitepaper

Anatomy of a Breach Webcast

June 13 , 2007- 12 p.m. EDT

You harbor vast amounts of confidential information ranging from credit cards to health information to corporate plans. That proprietary data is today’s “new money” and someone is willing to pay for it. Unfortunately, the miscreants who want it may know more about technology—and your IT environment—than your own staff. The stakes are enormous: for your customers, your company, and you.

In this webcast, we examine the fundamental shift of IT risk to the insider threat and the inability of legacy protection mechanisms to stop it. We itemize and quantify the impact from containment to notification. Most importantly, we discuss eradication of the breach risk. New, targeted, caustic threats require new responses that strictly secure your critical information assets, while proving it with 100 percent surety.

Who Should Watch:
Executives responsible for audits, compliance and mitigating data breach risks and security professionals responsible for protecting critical assets on their networks
About the speakers:
William Malik
Consultant, Identity and Information Security
Malik Consulting

Bill Malik has been well-known in information security since the early 1990s when he was a founding member of Gartner’s Information Security Strategies service. He began his IT career in Boston as an applications programmer with the John Hancock Insurance Company following undergraduate work at MIT. He joined IBM’s MVS team and worked in development, testing, business planning, and strategic planning for a dozen years. He moved to Gartner in 1990 and held a series of roles as an analyst and manager through 2002. As CTO of Waveset, a start-up in identity management, he helped the firm grow through its acquisition by Sun, where Bill became Director of Marketing for Security. In 2004 Bill established his independent consulting firm, where he helps clients develop their identity management and information security programs.

Robert Ciampa
Vice President, Marketing and Business Strategy
Trusted Network Technologies

Rob Ciampa has more than 20 years of experience in IT risk management, networking and security. Rob has worked with companies around the world designing and implementing secure infrastructures. An early OS engineer for HP and a former switch and router designer for 3Com, he co-founded one of world’s largest network and security integration firms. Rob then went on to Access360, where he was instrumental in its acquisition by IBM, where he subsequently ran IBM’s worldwide channel for security and identity management. In additional to television commentary on IT and computer security issues, Rob is frequently a featured speaker at major IT venues and events internationally. He has a B.S. in computer science and an M.S. in computer engineering from the University of Massachusetts, as well as an M.B.A. from Boston University. He holds two patents in information technology management. His blog is www.knowidentity.com.

Join the Anatomy of a Breach Webcast

Get a complimentary copy of the Data Integrity Strategy Kit for the Financial Industry from RSA, featuring a new Burton Group report with actionable information on preventing unauthorized or inappropriate changes to business information.

Data Integrity Strategy Kit for the Financial Industry At a Glance:

Burton Group Report
Security and Risk Management Strategies: Information Integrity, March 2007

Podcast
“Real-World Strategies for Protecting your Data” with Jon Oltsik of Enterprise Strategy Group

Data Sheet: File Security Manager
Centrally managed, transparent compromise prevention for critical files

Data Sheet: Database Security Manager
Transparent, policy-driven data protection optimized for heterogeneous database environments
Limited time offer. Download now! http://www.sans.org/info/8461

Two zero-day exploits for remote code execution flaws in Yahoo! Messenger’s Webcam application have been released.

One of the flaws is a boundary error in the Yahoo! Webcam Upload ActiveX control; the other is in the Yahoo! Webcam Viewer ActiveX control.

Yahoo! expects to have a fix for the flaws available soon.  The flaws have been confirmed in Yahoo! Messenger version 8.1.0.249 and may exist in other versions as well.

{Update: As of Friday, June 8, 2007, Yahoo! has already prompted yahoo messenger users to download and install a security upgrade to patch the security issue}

More info here on the Yahoo! ActiveX Flaw.

Hackers are developing increasingly stealthy techniques to evade detection.  The attacks place malicious code on web sites, then keep track of the IP addresses that have visited infected sites; if the same IP address attempts to view the malicious site again, benign content is offered in its stead.

The attacks are also capable of identifying “the IP addresses of web crawlers used by URL filtering, reputation services and search engines,” and serve legitimate content to avoid being identified as malicious.

Recent findings reveal that hackers have created a new class of highly evasive attacks which represent a quantum leap in terms of technological sophistication, going far beyond drive-by downloads and code obfuscation.

The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected.

A follow-up study conducted by Finjan’s Malicious Code Research Centre warns of the growing presence of malicious code in online advertising.

More info at: VNUNet

It’s been estimated that three-fourths of today’s successful system hacks are perpetrated not via network security flaws, but by entering directly through the “front door” - exploiting vulnerabilities in customer facing web applications.

Grab a copy of SPI Dyanmic’s FREE SQL Injection white paper “SQL Injection: Are Your Web Applications Vulnerable?” Understand and prevent SQL Injection attacks today!

The Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

- Data access control matrix
- Component access control matrix
- Subject-object matrix
- Data Flow
- Call Flow
- Trust Flow
- Attack Surface
- Focused reports

Download from Microsoft

National Cyber Alert System
Technical Cyber Security Alert TA07-089A
Microsoft Windows ANI header stack buffer overflow

Original release date: March 30, 2007
Last revised: –
Source: US-CERT

Systems Affected

Microsoft Windows 2000, XP, Server 2003, and Vista are affected. Applications that provide attack vectors include:

* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express
* Microsoft Windows Mail
* Microsoft Windows Explorer (more…)

The National Security Agency (NSA) has published version 2 of its security guidelines for Mac OS X. The security documents are available in PDF format on their OS Guides page  for Mac OS X.

These documents for Mac OS X and Mac OS X Server represent best practices for securing the OS and are widely used by the industry as internal standards for configuring Mac OS X. The document is actually written by experts at Apple and endorsed by the NSA which says on its Website,” It is our belief that these guides establish the latest best practices for securing the products and recommend that traditional customers of our security recommendations use the Apple guides when securing Macintosh OS X 10.4.x and Macintosh OS X Server 10.4.x.”

Practices such as setting up admin accounts, generating passwords, the proper way to remove Classic, which can be a serious security problem for Mac OS X, managing the root account, and the use of Access Control Lists (ACLs) is covered.

Out of the box, Mac OS X is fairly secure, especially with respect to closed ports. However, for those in the enterprise who want to take advantage of every feature of Mac OS X to lock down and secure the OS against not only network but local intrusions, this is a must read.

http://www.nsa.gov/snac/downloads_macOSX10_4Server.cfm?MenuID=scg10.3.1.1