
Customized Security training for Cognizant

TABLE OF CONTENTS

Module 1, Day 1
1. Introduction to information security and information about the latest techniques.
2. Talk about all the 10 domains of CISSP briefly, with examples and use cases:
   I. Access control
   II. Telecommunications and network security
   III. Information security governance and risk management
   IV. Software development security
   V. Cryptography
   VI. Security architecture and design
   VII. Operations security
   VIII. Business continuity and disaster recovery planning
   IX. Legal, regulations, investigations and compliance
   X. Physical (environmental) security
3. CIA triad: Confidentiality, Integrity, Availability, and how each is achieved.

Module 1, Day 2
4. Hashing and the techniques for using it; showcase tools with use cases and give exercises to the candidates.
5. Encryption types and implementations; showcase tools with use cases and give exercises to the candidates.
6. Ports, protocols and their vulnerabilities; talk about ports and the services associated with them, and about protocols tunneling inside other protocols, such as video over HTTP, streaming of audio over HTTP and other examples.

Module 1, Day 3

7. TCP/IP and the OSI layers; talk about all the layers and the protocols that work on each layer, and about where the candidates' own code sits within the OSI layers of their applications.
8. System hacking (Windows/Linux root access); showcase tools like Netcat and their capabilities in depth, with use cases, and give exercises to the candidates.
9. Footprinting and reconnaissance: enumerating networks and servers for applications; showcase Nmap and its capabilities in depth, with use cases, and give exercises to the candidates.

Module 1, Day 4
10. Sniffing and stealing data: analyzing TCP/IP with Wireshark.
11. Wireshark preferences for advanced TCP/IP analysis; talk about all the layers and the protocols and showcase them in each packet type, e.g. show layer 2 information such as MAC addresses.
12. TCP/IP analysis of the transport layer and TCP functions: session setup, data transfer and session teardown; give exercises to the candidates.

Module 1, Day 5
13. Identity and access management; talk about Forefront Identity Manager or Tivoli Identity Manager thoroughly, covering their features and why they are required.
14. AAA: Authentication (including two-factor), Authorization and Accounting.
15. Role-based access control; talk about RMS, Active Directory and LDAP, and give exercises to the candidates.

Module 2, Day 1

16. Trojans and backdoors, viruses, worms and rootkits; showcase with examples how they differ. Assign tasks to the students to identify backdoors or rootkits, and to identify viruses and worms separately.
17. Different types of attacks: denial of service, ARP or DNS poisoning, buffer overflows, etc.; showcase a few, if possible, in a sandboxed environment on the virtual appliances.

Module 2, Day 2
18. Network security: IDS, IPS, network IPS, host IPS; give exercises to the candidates on the console of an IPS or a UTM virtual appliance.
19. Firewalls and types of firewalls: proxy servers, content filtering, antivirus, host firewalls and access control lists (ACLs).
20. Virtualization and the security issues in virtual environments.

Module 2, Day 3
21. OWASP Top 10 and WASC.
22. Explain in detail each and every vulnerability of the OWASP Top 10:
   I. A1 - Injection
   II. A2 - Broken Authentication and Session Management
   III. A3 - Cross-Site Scripting (XSS)
   IV. A4 - Insecure Direct Object References
   V. A5 - Security Misconfiguration
   VI. A6 - Sensitive Data Exposure
   VII. A7 - Missing Function Level Access Control
   VIII. A8 - Cross-Site Request Forgery (CSRF)
   IX. A9 - Using Components with Known Vulnerabilities
   X. A10 - Unvalidated Redirects and Forwards

Module 2, Day 4
23. Install WebGoat on the virtual machines and perform the exercises for all of the Top 10 vulnerabilities:
   I. A1 - Injection
   II. A2 - Broken Authentication and Session Management
   III. A3 - Cross-Site Scripting (XSS)
   IV. A4 - Insecure Direct Object References
   V. A5 - Security Misconfiguration
   VI. A6 - Sensitive Data Exposure
   VII. A7 - Missing Function Level Access Control
   VIII. A8 - Cross-Site Request Forgery (CSRF)
   IX. A9 - Using Components with Known Vulnerabilities
   X. A10 - Unvalidated Redirects and Forwards

Module 2, Day 5
24. VPNs: types and protection, SSL vs. IPsec; talk thoroughly about the TLS/SSL handshake and about IPsec.
25. SSL appliances: URL rewriting and the set of URLs allowed to pass through the SSL sessions.

Module 3, Day 1
26. Hacking and protecting web servers and applications, and consequently developing a secure architecture.
27. Common mistakes in development; students are introduced to security best practices.

Module 3, Day 2
28. Web application server vs. web services (SOAP) security; talk about XML mistakes.
29. Understanding AJAX vs. regular HTTP calls.
30. SANS Top 25 programming errors (link: https://www.sans.org/top25-software-errors/).

Module 3, Day 3
31. Black-, white- and grey-box testing; talk about the different mechanisms used for vulnerability assessment and penetration testing, the risks involved in penetration testing, and the approvals required.
32. Auditing and compliance perspective; talk about the various reasons for this testing and the ways it can be delivered, as a service or appliance-based.
33. DAST vs. SAST; talk about the different vendors in this category, which ones are open source and why open source is often avoided, etc. Source code penetration testing and how it is done (theory).

Module 3, Day 4
34. A practical session on what was learned the previous day about SAST and DAST; show use cases using a security testing tool such as Acunetix or AppScan, or even open source tools.
35. Give exercises to the students to perform this testing against WebGoat and web services.

Module 3, Day 5
36. Give exercises to the students to create a web application without any mistakes, and then finally perform a penetration test of the application and of the backend calls it makes to SQL Server or a directory server for authentication, etc.
