Hands-on E-security


What you will learn...

  • How to apply the principles of secure Internet connection.
  • Identify the areas of security vulnerability in a distributed computer environment.
  • Participate in the planning for the selection and implementation of secure distributed computer systems.
  • Determine the relative benefits and cryptographic strengths of significant non-proprietary algorithms.
  • The characteristics of public key infrastructure (PKI) systems.
  • Virtual Private Network (VPN) security models.
  • How IPSec works and how it is deployed.

Who should attend...

  • Security management personnel, administrators and managers.
  • Communications consultants, network designers and planners.
  • e-World managers and analysts.
  • Systems and network administrators.

Pre-requisites for your attendance

  • It is expected that, prior to your attendance, you will have a solid understanding of Internet principles such as e-mail, the domain name service and the web, and of the underlying protocols TCP, UDP and IP.

Course Outline

The e-Security Program is designed to provide participants with the knowledge and skills needed to understand security requirements in e-business transactions, infrastructure and implementation.


INTRODUCTION TO E-WORLD

  • Nature of E-World Security
  • General Security Requirements
  • National Security Requirements
  • E-World Components
  • Security Policy Placement
  • Threat Classification
  • Australian Security Standards


E-WORLD INFRASTRUCTURE

  • E-Transaction Flows
  • IP Architecture
    • Open Systems Interconnection (OSI) Reference Model
    • IP Datagram Formats
  • E-Commerce Infrastructures
    • Intranet
    • Extranet
    • VPN (Tunneling, IPSec, PPTP, etc.)
    • Remote access security, e.g. RADIUS
    • Business-to-Business models
    • Business-to-Consumer models
    • Smart card technologies and other remote access technologies


CRYPTOGRAPHY AND AUTHENTICATION

  • About Cryptography
  • Conventional Encryption and Key Management
  • Public Key Cryptography
  • Digital Signatures
    • Hash Functions
  • Digital Certificates
    • Certificate Distribution
    • Certificate Formats
  • Public Key Infrastructure
    • PKI Components
    • Areas of Liability
    • PKI-Based Protocols
  • Trust Models
    • Direct Trust
    • X.509 Hierarchical Trust Model
    • PGP Web of Trust Model
    • PGP Hierarchical Trust Model
  • Certificate Revocation
  • Encryption Standards
    • RSA
    • DES
    • Triple DES (3DES)
    • IDEA
    • Diffie-Hellman (DH) Key Exchange
    • PGP
    • Others
  • Australian Cryptographic Standards
    • Digital Signature Standards
    • Encryption Algorithm Standards
    • Session Key Standard

IPSEC

  • IPSec Architecture
  • Security Models
    • Interconnecting Corporate Intranets
    • Corporate Extranets
    • Secure Remote Access
  • IPSec Roadmap
  • Security Association
  • Authentication Header (AH)
    • Authentication Header Format
    • AH Transport Mode
    • AH Tunnel Mode
  • Encapsulating Security Payload (ESP)
    • Encapsulating Security Payload Format
    • ESP Transport Mode
    • ESP Tunnel Mode
  • Internet Security Association and Key Management Protocol (ISAKMP)
    • ISAKMP Header
    • Payloads
    • Negotiation Phases
    • Exchange Types
  • Internet Key Exchange (IKE) Protocol
    • Exchange Phases
    • Exchange Modes
  • Key Management
    • Manual keying
    • Automatic keying
    • Unauthenticated Key Exchange
    • Key Exchange using DNS
    • Key Exchange using a PKI
    • Photuris
    • SKIP

WEB SECURITY

  • Web Server Options
  • Securing the Web Server
  • Limiting Web Services
  • Limiting Web Server Scope
    • Arbitrary Directives
    • Disabling Server-Side Includes
    • Limiting Web Server Authority
    • Password Protection
  • Cookies and Privacy
  • Programming
    • Applications and Plug-Ins
    • Java
    • ActiveX
  • Secure Sockets Layer (SSL)
    • Transmitting Data Privately
    • Authenticating the Web Server
    • SSL Handshake
    • Sample SSL Transaction
    • TLS
  • Web Server Auditing
    • Benefits of Auditing
    • Requirements
  • Privacy Issues

E-MAIL SECURITY

  • Mail Client Security
  • Mail Server Security
  • E-Mail Threats to Network Security
    • Spam
    • Information Leaks
    • E-Mail Interception and Tampering
    • E-Mails Containing Offensive Messages
    • Viruses
    • Delivery Failure
  • Protecting Corporate E-Mail Systems Against Security Breaches
    • Corporate Security Policy
    • Security Software
    • Eliminating Spam
    • Preventing Information Leaks
    • Stopping Interception and Tampering
    • Content Control
    • Combating Viruses
    • Reporting and Archiving
    • Enhancing Corporate Mail Security
      • Content Checking
      • Quarantining of E-Mail
      • Encryption
      • Disclaimers
      • E-Mail Management
      • Personalised Auto-Replies with Tracking Numbers
      • Advanced Anti-Spam Measures
      • Archiving of E-Mail to an ODBC Database
    • High-level Concepts
      • Mail-Boxes
      • User Agents
      • Transfer Agents
      • Delivery Agents
    • Low-level Concepts
      • Character Sets
      • Headers and Bodies
      • MIME
      • Transfer Protocols
      • Envelopes and Bodies
      • 7-bit Data vs. 8-bit Data
      • Routing
      • Sendmail Specifics
      • Specific Applications
    • Scanning E-Mail for Viruses
    • Client to Server
      • Local Injection
      • SMTP
      • POP XTND XMIT
    • Server to Server
      • Server Software
      • Transports
    • Server to Client
      • Local file
      • POP Servers
      • IMAP Servers
    • Mail Server Auditing
      • Benefits of Auditing
SECURITY TOOLS

  • Security Tools
    • Firewall Tools
  • Network Infrastructure Security
    • Network Investigation Tools
    • Firewall Tools
  • Host Based Security
    • Local Host Vulnerability Detection
    • Remote Host Vulnerability Detection
    • Port Scanners
  • Network Based Intrusion Detection
    • Network Based Integrated Tools
    • Probe Detector
    • Network Security Tools
  • Host Based Intrusion Detection
    • Log Scanners
    • Integrity Checker
  • Australian Computer Emergency Response Team (AusCERT)
  • Security Tool Evaluation
    • ITSEC and Common Criteria
    • Australian Information Security Evaluation Programme (AISEP)

INTERNET PAYMENTS

  • The Payment Business
  • Internet Payment Methods
    • Political Impact of Digital Currencies
  • Post-Paid Payment Systems
    • Credit Card Solutions
    • Invoice
    • Internet Cheques
    • Cash On Delivery
  • Instant-Paid Payment Systems
    • Debit Cards
    • Direct Debit
  • Pre-Paid Payment Systems
    • Electronic (Digital) Cash
    • Smart Cards

References

AUSCERT

  • AusCERT Message Alert

E-BUSINESS APPLICATIONS

  • Application Sectors
  • E-Commerce Sales and Marketing Applications
  • E-Commerce Procurement Applications
  • Buy-Side Procurement
  • Sell-Side Procurement
  • Trading Community
    • Critical Mass
    • Transparency
    • Dynamic Pricing
    • Real-Time Capability
  • Content Management
  • Order Management Applications
  • Customer Relationship Management (CRM)
  • Information for Businesses - Australian Law

AUSTRALIAN E-WORLD SECURITY-IN-PRACTICE

  • History of PKI in Australia
  • Current Use of PKI in the Australian Public and Private Sectors
    • An Overview of Agency Consultations
    • Current PKI Applications
    • Consumer Awareness and Education
    • Difficulties and Issues in Implementing PKI
    • State Government Agency PKI Applications
    • Private Sector PKI Applications
  • Restrictions to Cryptography in Australia
  • Current Public Policy on Domestic Cryptography
  • Domestic Users of Cryptography
  • Export of Encryption Products from Australia
  • Cryptographic Standards in Australia and Internationally
  • Electronic Frontiers Australia (EFA)
  • Policy of Industry Organisations

Hands-on Sessions

After participating in the hands-on classes, delegates should have gained sufficient practical knowledge to communicate the subject matter to colleagues and clients outside of the classes.

SECURITY POLICY

Identification of the key components in a security policy document.

E-COMMERCE INFRASTRUCTURES

Identification of the fundamental components of B2B and B2C infrastructures.

SECURITY RISKS IN E-COMMERCE INFRASTRUCTURES

Identification of the security risks of B2B and B2C infrastructures.

PUBLIC KEY INFRASTRUCTURE

Understanding the mechanisms involved in a PKI for the issuance and management of digital certificates.

PACKET MONITORING USING A SIMULATED INTERNET

Requirements for encryption and authentication of messages sent over the Internet.

USING PGP

Using Pretty Good Privacy (PGP) to encrypt and decrypt e-mail messages.

CREATING VPNS

Implementation and administration of a VPN using various software tools.

APACHE WEB SERVER

Configuration options for the Apache web server.

CGI SCRIPTS

Use of a poorly written script to highlight its deficiencies.

E-COMMERCE

Construction of an e-commerce website using a back-office database with a B2C interface.