Description
In this information-packed four-day seminar, we will cover, in depth, key building blocks of modern IT audit, physical and logical security, including identity and access management. We will pay particular attention to the threats and vulnerabilities to web-based e-commerce. We will place special emphasis on discovering best practices and standards for auditing web (HTTP) servers and application servers and walk away with tools, techniques and checklists for discovering and testing web and application server security.
We will also cover auditing database management systems within the context of robust but practical enterprise architecture and governance models, and go over web services and service-oriented architectures including SOAP, REST, SOA and ESB. Together, we will also review safeguard concepts and best practices for secure mobile and wireless applications. We will also discuss standards associated with privacy issues and intellectual property concerns.
What you will learn
You will learn about complex IT topics like access control, web architectures and services, application design, server technology, database management, mobile applications, and the risks and legal elements affecting them.
Identity and Access Control Management (I&ACM) Architecture:
- fundamental principles of information security
- information technology security standards
- information security goals
- distributed computing control and security risks
- essential I&AM policies and standards: GTAG, COSO, ISO 27002
- information classification
- risk analysis
- data breach statistics
- data security policies
- secure application design criteria
- security services – access control, authentication, authorization
- access control models and architectures
- security audit log management in multi-tiered applications
- TCP/IP network risk analysis
- client/server and middleware security for multi-tiered applications
- Enterprise directory services, LDAP
- locating control points in complex, multi-tiered applications
- security awareness
Web Application Architectures:
- web application software architecture and control points
- protecting the Web server, perimeter security, demilitarized zones
- HTTP protocol and state management
- SSO (single sign-on), pros and cons
- web application markup languages
- fundamentals of cryptography, ISO 27002 clause 10: TLS, PKI, digital signatures
- web application threats and vulnerabilities
- cloud computing and security
- web application attacks and security strategies
Auditing Web (HTTP) Servers:
- summary of secure server baselines
- physical threats, vulnerabilities, risks, and countermeasures
- information storage media protection, sanitization, and disposal
- emergency procedures
- human resources controls: hiring practices, badges, terminations and transfers
- goals for information security safeguards in applications
- ISO 27002 clause 13: Communications Security
- web server configuration: operational and security requirements
- web server access control security features: Apache, Microsoft IIS
- perils and protections for remote Web application development
- application firewalls and intrusion prevention systems
- tools, techniques, and checklists for discovering and testing Web server security
Secure Application Design, Testing and Audit:
- server-side Web page programming security
- mobile code security
- common security vulnerabilities and attacks on Web application software
- attacks on Web servers: cross-site scripting, SQL injection, buffer overflow
- input validation and editing, SQL injection
- software change controls and configuration management
- web application vulnerability and testing tools
- tools, techniques, and checklists for auditing security in application design
Auditing Application (Middleware) Servers:
- roles, architecture, and security control points for XML/object-oriented development environments and associated application servers
- defining key sources of application server security: declarative vs. programmatic controls, database and Enterprise Information System (EIS) connectors
- audit and security features in components and servers
- tools and techniques for auditing and securing application servers
Auditing Database Management Systems:
- database concepts
- methods for providing data access to users and other applications
- data access control, authorization, and audit
- ISO 27002 clause 12: Operations Security
- relational database management systems (DBMS)
- Structured Query Language (SQL): more than just query
- security risks associated with DBMS systems
- audit and security features for major DBMS products
- database security safeguards, access controls, roles
- database triggers, DDL triggers, DML triggers
- database encryption
- DBMS audit logging
- tools, techniques, and checklists for securing and auditing DBMS components
- database connectors
- database audits – how to and checklists
Web Services and Service-Oriented Architectures (SOA):
- Simple Object Access Protocol (SOAP) web services definition and architecture
- SOAP web services standards
- Service Oriented Architectures (SOA)
- SOA Enterprise Service Bus (ESB)
- Representational State Transfer (REST) web services
- web services audit and security tools, and techniques
Mobile Application Security and Audit:
- key control points in remote access and mobile applications
- how mobile applications differ from internal server-based applications
- tools and techniques for protecting the contents of mobile devices
- checklist for secure mobile and wireless application best practices
Laws and Standards Affecting IT Audit:
- organizational liabilities
- ethics affecting Information Security
- international laws, directives, and regulations
- EU Data Protection Regulation
- EU General Data Protection Regulation GDPR and its world-wide impact
- computer crimes and other breaches of information security
- investigations and evidence of computer crimes
- incident response
- information security and auditing standards
- types of laws
- privacy issues and legislation
- intellectual property, copyright laws, and software piracy
- prominent US and international laws