July 9, 2016

Advance Programme in Cybersecurity Testing (CPCT)

The Advance Programme in Cybersecurity Testing [CPCT] at “The Internet Security Academy (TISA)” is proactively designed for emerging security testing features in Mobility, IoT and smart-X projects with real-world security applications.

The Program is meant for graduates from any discipline who have IT skills and would like to learn cyber security QA.

Cybersecurity testing is the execution of a single unique test or a set of unique tests on software systems to find security-related bugs, weaknesses, vulnerabilities and exploits embedded in the system using prescribed methodologies.

  • Protects the integrity of the system
  • Helps developers fix these vulnerabilities
  • Shows the overall security posture of an application

Some of the known testing terminologies are Application Vulnerability Scanning, Network Security Scanning, Penetration Testing, Risk Assessment, Security Auditing, Ethical Hacking and Posture Assessment.

At its core, the Program provides deeper training in malware and vulnerability analysis. After developing a solid foundation, the Program enables students to specialize in areas related to corporate IT infrastructure, Internet of Things, public and private networks, and applications. The Program develops research capabilities, analysis skills and software tools that are needed to succeed as an IT Security Analyst and beyond. The objective is to develop broad-based malware and vulnerabilities problem-solving abilities for future global leaders.

Our unique teaching methods focus on applied learning and case studies rather than on rote learning. Students will participate in workshops and seminars with top IT security and risk audit professionals. Given our corporate connections, students will get the opportunity to participate in live projects. Further, upon completion of the Program, we aim to provide students with internship opportunities with firms across the country.

In addition to the above, students will enhance their communication skills through class discussions and presentations, where they will be trained to present security information in a concise manner. Students will also improve their writing skills through research papers, teaching them how to express intricate ideas and analysis eloquently and effectively. Students will expand their security detection and protection skills pertaining to handling complex IT environments.

Course Structure

  • Consists of a 3-week Foundations course in Networking, Application and Cyber security fundamentals.
  • Advance course for the remaining 10 weeks.

Course Benefits (USPs)

  • Creating world-class cyber security testers
  • Building individual skills for jobs in the industry
  • Containing Job Ready Foundation and Specialized Courses
  • Learning new tools and techniques for vulnerability & malware analysis
  • Future CISSP leadership roles
  • World-class Certification

Career & Job Responsibilities

A security tester must possess knowledge of the information security frameworks of the industries. The main job is to measure the effectiveness of security controls. The security tester must work with developers and business administrators in communicating vulnerabilities in security systems, disclosing every vulnerability with proper process documentation in case there are any breaches.

Main responsibilities are:

  • testing all sensitive IT assets within a company
  • ensuring all networks have adequate security to prevent unauthorised access
  • developing reports to share with administrators about the efficiency of security policies and recommending any changes
  • planning and documenting all security information in the company including physical and Internet security

Course Modules

  1. Networking Fundamentals
  2. Application Development Cycle
  3. Cyber Security Fundamentals
  4. Mobility and Internet of Things
  5. Cloud and Virtualization Security
  6. Vulnerability Analysis
  7. Enterprise Threats Modelling
  8. Specialization
  9. Job Readiness

Domains (Case-studies On Application, Client, Server, Network and Data)

  1. Enterprise Information Technology Security domain
  2. Mobility Security domain
  3. Internet of Things Security domain
  4. Government Policies Security domain
  5. Telecom Security domain
  6. Banking security domain

Risks Assessment Labs

  1. Security Assessment Labs – Across industry and technology domains
  2. Secure Code Review labs – Software Programming Technologies (Unix, Android, iOS and Windows)
  3. Static & Dynamic Testing Lab – Unix, Android, iOS and Windows
  4. OS and Database Hardening Labs
  5. Network Elements Firewalling and Controlling Labs
  6. Application Firewall & Log Audits Labs
  7. Mobile Device Management labs

Test plan includes

  • Security related test cases or scenarios
  • Test Data related to security testing
  • Test Tools required for security testing
  • Analysis on various tests outputs from different security tools

Sample Test Scenarios

  • Encrypted technology usage
  • Application should not allow invalid users
  • Check cookies and session time for application
  • SQL injection and Authentication bypass should not be allowed
  • For financial sites, Browser back button should not work

Methodologies and Techniques

In security testing, different methodologies are followed, and they are as follows:

  • White Box: Internal development code, processes and techniques are shared with the tester.
  • Black Box: External access points are shared with the tester.
  • Hybrid Box: Hybrid of white and black box methods.

Industry Standards & Best Practice Sources

  1. OWASP Top 10 Web Application Risks
  2. OWASP Top 10 Mobile Application Risks
  3. PCI-DSS
  4. National Institute of Standards and Technology
  5. Information Security Forum (ISF)
  6. Vulnerability Disclosure Sources
  7. Malware Disclosure Sources
  8. CVE and NVD National Vulnerability Database (USA Govt & Govt of India)
  9. Vulnerability Severity Scoring

Course Contents

  • Networking Fundamentals Module: 
    • Basics of OSI and TCP/IP Stacks, Routers, Firewall
    • Common networked applications including web applications
    • LAN/WAN operation and features
    • Configuration and network connectivity using ping, traceroute, telnet, SSH or other utilities
    • Implement an IP addressing scheme and IP Services to meet network requirements
    • Static and dynamic addressing services for hosts in a LAN environment
    • Basic router security
    • configure on a wireless network
    • Explain general methods to mitigate common security threats to network devices, hosts, and applications
    • Describe security recommended practices including initial steps to secure network devices
    • Configure and apply ACLs to limit telnet and SSH access to the router using
    • Describe VPN technology (including: importance, benefits, role, impact, components)
    • Hardening of Hosts, Database, Web components and so on…
  • Application Development Module
    • Application Development Environment
      • Programming Language: Android, C, .Net, HTML5, JAVA and so on…
      • SDKs, IDEs, so on…
    • Client Applications:
      • Web Server Applications
      • Mobile Android Applications
      • Mobile iOS Applications
      • Mobile Windows Applications
    • Web Server Applications:
      • Web based applications
      • APIs based Middleware applications
      • TCP/IP based server applications
  • Cybersecurity Fundamentals Module
    • Introduction to IT Forensics
    • Introduction to Privacy
    • Introduction to Network Security Management
    • Introduction to Incident Management
    • Introduction to Security Testing
    • Introduction to Application Security
    • Introduction to Risk, Audit & Compliance
  • Vulnerability Analysis Module
    • Risks/Threat Modelling
    • Installations of Security Analysis tools
    • Hardening of Client Devices:
      • Laptop/Desktop Devices
      • Mobile/Tablet Android Devices
      • Mobile/Tablet iOS Devices
      • Mobile/Tablet Windows Devices
    • Hardening of Server Devices:
      • Cloud based Servers
        • Windows/Linux/Unix
          • Cloud Hosted Servers
          • Virtualized Servers
        • Mobile Android Devices
        • Mobile iOS Devices
        • Mobile Windows Devices
    • Vulnerability Reporting Frameworks
    • Vulnerability Severity Rating Frameworks
    • Best Practice Security Standards and Frameworks
      • OWASP Framework Report Generations
  • Mobile and IoT Module
    • Mobile Device Management
    • Mobile Application Management
    • Mobile BYOD Management
    • Emerging Security Risks in IoT devices
  • Cybersecurity Specialist Track (Any one)
    • Risk Audit & Compliance
    • Application Security
    • Security Testing
    • Network Security Management
    • Privacy
  • LIVE Projects on selected track
    • Vulnerability Assessment & Penetration Testing Kick-off
    • Project walk-through
    • Risks Threat Modelling
    • Security Assessment Yearly Roadmap
    • 1st cycle Assessment schedule
    • Vulnerability Assessment & Penetration Testing Notifications
    • Firewall Access Enablement
    • Start of Vulnerability Assessment & Penetration Testing
    • Proof collections
    • End of Vulnerability Assessment & Penetration Testing
    • Review of checklists and Proofs
    • Security Report Generation with Recommendations, Severity, Proofs and Mitigations approach based on OWASP/Industry Practice/Enterprise framework
    • Hand-over of Security Report
    • Meeting with development team & Next Verification schedule
    • Sign-off
    • Security Presentations & Seminars
    • Tender & RFP Responses
    • Security Proposal Development
    • Security Project Efforts Calculation
    • Security Demos & PoC to Customers
    • Security Framework development for an enterprise
    • Security Checklists development
    • Security Project Management
  • Final Evaluation Exams & Interviews
  • Certifications with grading
  • Resume Enhancements and submission 
  • Placement Interviews
  • Internship Opportunities
  • Entrepreneurship Opportunities