Length: 2 Days
Web Security Training
Web security is an ongoing and never-ending task for organizations, nonprofits included.
Without a proactive security strategy, organizations risk the spread and escalation of malware and attacks on their websites, networks, and other IT infrastructure.
One method of web security that has proven effective is role-based access control (RBAC), which restricts network access based on a person's role within an organization and has become one of the main methods of advanced access control.
Managing and auditing network access is essential to information security. Access can and should be granted on a need-to-know basis.
The roles in RBAC refer to the levels of access that employees have to the network.
Employees are only allowed to access the information necessary to effectively perform their job duties. Access can be based on several factors, such as authority, responsibility, and job competency. In addition, access to computer resources can be limited to specific tasks such as the ability to view, create, or modify a file.
As a result, lower-level employees usually do not have access to sensitive data if they do not need it to fulfill their responsibilities. This is especially helpful if you have many employees and use third parties and contractors, which makes it difficult to closely monitor network access.
Using RBAC can help in securing your company’s sensitive data and important applications.
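As an added illustration (not part of the original page or of Tonex's course material), the following Python model shows the RBAC principles described above in working code: permissions attach to roles, users obtain access only through role assignment, every check defaults to deny, revocation takes effect immediately, and each decision is written to an audit trail. The role names, users and resource paths are constructed for this example.

```python
"""Minimal role-based access control (RBAC) with deny-by-default checks and an audit trail.

Added example (not part of the original page). Role names, users and resource
paths below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    VIEW = "view"
    CREATE = "create"
    MODIFY = "modify"


@dataclass(frozen=True)
class Permission:
    # A resource pattern is either an exact path ("reports/q3.pdf")
    # or a subtree pattern ending in "/*" ("payroll/*").
    resource: str
    action: Action

    def matches(self, resource: str) -> bool:
        if self.resource.endswith("/*"):
            # Keep the trailing slash so "public/*" does not match "publicity/...".
            return resource.startswith(self.resource[:-1])
        return resource == self.resource


@dataclass
class RbacPolicy:
    # Permissions attach to roles only; users obtain them solely through role assignment.
    roles: dict[str, set[Permission]] = field(default_factory=dict)
    assignments: dict[str, set[str]] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def grant(self, role: str, resource: str, action: Action) -> None:
        self.roles.setdefault(role, set()).add(Permission(resource, action))

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        # Nothing is cached per user, so revocation applies to the very next check.
        self.assignments.get(user, set()).discard(role)

    def is_allowed(self, user: str, resource: str, action: Action) -> bool:
        # Deny by default: an unknown user, an unknown role or no matching
        # permission all fall through to False.
        allowed = any(
            perm.matches(resource) and perm.action is action
            for role in self.assignments.get(user, ())
            for perm in self.roles.get(role, ())
        )
        self.audit_log.append(
            f"{'ALLOW' if allowed else 'DENY'} user={user} "
            f"action={action.value} resource={resource}"
        )
        return allowed

    def effective_permissions(self, user: str) -> set[Permission]:
        # For periodic access reviews: what can this user actually reach right now?
        return {
            perm
            for role in self.assignments.get(user, ())
            for perm in self.roles.get(role, ())
        }


def build_sample_policy() -> RbacPolicy:
    """Constructed sample: three roles with need-to-know access to a payroll subtree."""
    policy = RbacPolicy()
    policy.grant("hr_analyst", "payroll/*", Action.VIEW)
    policy.grant("hr_manager", "payroll/*", Action.VIEW)
    policy.grant("hr_manager", "payroll/*", Action.CREATE)
    policy.grant("hr_manager", "payroll/*", Action.MODIFY)
    policy.grant("contractor", "public/*", Action.VIEW)
    policy.assign("alice", "hr_manager")
    policy.assign("bob", "hr_analyst")
    policy.assign("carol", "contractor")
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    for user, resource, action in [
        ("bob", "payroll/2024.xlsx", Action.VIEW),
        ("bob", "payroll/2024.xlsx", Action.MODIFY),
        ("carol", "payroll/2024.xlsx", Action.VIEW),
        ("mallory", "public/handbook.pdf", Action.VIEW),
    ]:
        policy.is_allowed(user, resource, action)
    print("\n".join(policy.audit_log))
```

The audit log is the part most teams forget: a decision that is not recorded cannot be reviewed, and `effective_permissions` gives the list an access review needs when contractors or third parties are involved.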
Effective web security for organizations has many advantages such as:
- Protection of intellectual property
- Improving customer confidence
- Preventing fraud through financial transactions
- Preventing damage to hardware that can impact productivity
A secure website can also improve an organization's SEO efforts. SEO spammers often target sites just to hijack their search rankings.
This is where a web application firewall (WAF) and DDoS protection can help protect an organization's hard-earned SEO efforts. These website security tools prevent malicious bots and swarms from blocking good traffic to your site, including the crawlers that Google and other search engines use to understand and rank your site.
Cybersecurity professionals insist that organizations must continuously review web security strategies because hackers are not static. A recent report on cyber criminals shows that they are highly motivated to stay ahead of the latest security trends. It’s how they keep from getting caught, and how they keep the fun and profit rolling.
No matter how effective your web security, it’s critical to remember that your organization is responding to the innovations of hackers, not the other way around.
Web Security Training Course by Tonex
Web Security Training Course Description
The web security training teaches you advanced web browsing vulnerabilities, from system penetration to identity theft, as well as the protection solutions that ensure web security. Tonex, a leader in the security industry for more than 15 years, is now announcing the web security training, which helps you secure the communication between client and server as well as the integrity of data on the web.
Tonex has served industry and academia with high-quality conferences, seminars, workshops, and exclusively designed courses in the systems engineering area, and is pleased to inform professional fellows about its recent comprehensive training on web security.
This course covers a variety of topics in web security and computer network security, such as the HTTP protocol, cryptography on the web, the SSL protocol, different kinds of web attacks, browser security issues, cookies, web bugs and spyware. Moreover, you will learn about Windows system security, Linux/UNIX system security, common web servers such as Apache and IIS, access control on the web, web firewalls, and computer networks, with plenty of hands-on experience and training in web security applications.
By taking the web security training by Tonex, you will learn about main features of HTTP protocol, header fields in HTTP, URL encoding and HTTP security issues as the most basic knowledge needed for web security.
Learn about the encryption and decryption in web, secret codes, public/private key cryptography, digital signatures, and hash algorithms in web security training.
Learn the principles of the Secure Sockets Layer (SSL), the SSL architecture, and the different protocols offered by SSL: the handshake protocol, record protocol, alert protocol and change cipher spec protocol.
By taking this course you will also be introduced to the most common types of web attacks, such as SQL injection, malicious HTML code, and web page hijacking. Moreover, you will be trained to identify browser attacks and to apply the proper browser security principles, such as URL filtering, cookie blocking or endpoint protection methods.
If you are an IT professional who specializes in web security, you will benefit from the presentations, examples, case studies, discussions, and individual activities of the web security training and will prepare yourself for your career.
Learn about the security of Windows systems, access tokens, user SIDs, access checking and Windows permissions. Moreover, you will be introduced to UNIX/Linux server security and different types of attacks on servers, such as DNS amplification, the Heartbleed vulnerability or user account compromise.
You will also learn about web servers such as Apache and IIS, various access controls on the web with their threats and categories, packet filtering, web firewalls, RSA security, TCP, wireless multi-hop networks, computer network layers and routing loops.
Finally, the web security training will introduce a set of labs, workshops and group activities of real world case studies in order to prepare you to tackle all the related web security challenges.
Audience
The web security training is a 2-day course designed for:
- IT professionals in the area of information security and web security
- Executives and managers of cyber security and web security area
- Information technology professionals, web engineers, security analysts, policy analysts
- Security operation personnel, network administrators, system integrators and security consultants
- Security traders who want to understand the software security of web systems, mobile devices, or other devices
- Investors and contractors who plan to make investments in the systems engineering industry
- Technicians, operators, and maintenance personnel who are or will be working on cyber security projects
- Managers, accountants, and executives of the cyber security industry
Training Objectives
Upon completion of the web security training course, the attendees are able to:
- Understand information security as it relates to the World Wide Web
- Understand the security issues of servers that host web applications
- Explain the main concepts of web attacks and web vulnerabilities, such as malicious emails, web scripts, cookies, web bugs and spyware
- Explore security issues in depth and develop and test potential solutions
- Investigate secure communication between client and server by encrypting data streams with protocols such as SSL
- Explore browser vulnerabilities and the protection of the system against web vulnerabilities
Training Outline
The web security training course consists of the following lessons, which can be revised and tailored to the client's needs:
Overview of Information Security
- History of Information Security
- Multiplexed Information and Computing Service (MULTICS)
- Definition of Security
- Key Information Security concepts
- Critical Characteristics of Information
- Standards for Information Systems Security
- Components of an Information System
- Balancing Information Security and Access
- Approaches to Information Security Implementation
- The System Development Life Cycle
- Security Professionals and Organization
- Communities of Interest
- Information Security: Art or Science?
HTTP Protocol
- Overview of Hypertext Transfer Protocol (HTTP)
- Basic Features of HTTP
- Architecture of HTTP
- HTTP Version
- Parameters of HTTP
- Messages in HTTP
- Requests in HTTP
- Responses in HTTP
- HTTP Methods
- HTTP Status Codes
- HTTP Header Fields
- HTTP Caching
- URL Encoding
- HTTP Security
Basic Cryptography
- Cryptography Introduction
- Encryption
- Cipher Text
- Decryption
- Plaintext
- Computational Difficulty in Cryptography
- Secret Codes
- Breaking an Encryption Scheme
- Types of Cryptographic Functions
- Secret Key Cryptography
- Public Key Cryptography
- Digital Signatures
- Digital Certificates
- Hash Algorithms
The SSL Protocol
- Secure Socket Layer (SSL) Definition
- SSL Architecture
- SSL Handshake Protocol
- SSL Record Protocol
- SSL Alert Protocol
- SSL Change Cipher Spec Protocol
- SSL Sessions and Connections
Web Attacks
- Infected Web
- Complexity of Modern Web
- SQL Injection Attacks
- Malicious Advertisement
- Cross-site Scripting (XSS)
- Phishing
- Malicious HTML Code
- Software Vulnerabilities
- Web Attack Toolkits
- Obfuscation of the Actual Attacks
- Hijacking Web Pages
- Fake Codec
- Malicious Peer-to-peer Files
- Fake Scanner Web Page
- Blog Spam
Browser Security
- How does a Web Browser Work?
- Why Browser Security?
- Types of Browser Threats
- Buffer Overflow
- Root Exploit
- Phishing
- Cookies
- Document Object Model
- Cross-Site Scripting
- Cache History Attacks
- Security versus Usability
- Features of a Secure Browser
- Security Implementations and Browsers
- Blocking Third Party Cookies
- Same-Origin Policy
- Security Compartmentalization
- Update control
- Plug-in and Extension Control
- Prevention of Malicious Scripts
- Content Inspection
- URL Filtering
- Endpoint Protection
- Web Server Protection
Cookies, Web Bugs and Spyware
- Overview of Spyware
- Online Attackers
- Spying by a Trusted Insider
- Data Gathered by Spyware
- Operation of Spyware
- Impact of Spyware
- Common Types of Spyware
- Browser Session Hijacking
- Browser Helper Objects
- Cookies and Web Bugs
- Autonomous Spyware
- Spyware Security Tips
- Introduction to Cookies
- ASCII Strings
- Session Cookies
- Persistent Cookies
- Version 0 Cookies
- Version 1 Cookies
- Cookie Privacy Risks
- Security Risks Related to Cookies
- Session Hijacking
- Definition of Web Bugs
- Effect of Web Bug on servers
- Where to Find Web Bugs?
- Email Web Bugs
- Email Wiretapping
Windows Systems Security
- Introduction to Windows Security
- Windows Protection System
- Protection State
- Enforcement Mechanism
- Transitions
- Windows Subjects
- Access Tokens
- User SID
- Windows Services-Domains
- User Authentication
- Windows Objects
- Active Directory
- Windows Permissions
- Access Checking
- Access Control Entries
- Access Checking with ACE
- Windows vs Linux
UNIX/Linux Server Security
- Operating System (OS) Management
- Common Vulnerabilities
- Compromising User Accounts
- DNS Amplification Attacks
- NTP Reflection Attacks
- Heartbleed Vulnerability
- Secure Remote Access Protocol (SSH vs Telnet)
- Secure File Transfer Protocols (SCP/SFTP vs FTP)
- Secure Protocols for Accessing Web Servers (HTTP vs HTTPS)
- Remote File Systems
- Iptables
- TCP Wrapper
- SELinux
- umask
- SUID and SGID
- Cron
- Syslog
- Patches
Apache and IIS Web Servers
- Introduction to Web Servers
- Uniform Resource Identifier (URI)
- HTTPS Request Types
- System Architecture
- Client-Side Scripting Versus Server-Side Scripting
- Accessing Web Servers
- Microsoft Internet Information Services (IIS)
- Apache Web Server
- Requesting Documents
- XHTML
- .NET
- Perl
- PHP
- Python
- Web Resources
Various Access Controls
- Definitions and Key Concepts
- Access Control Categories and Types
- Access Control Threats
- Access to the System
- Access to Data
- Intrusion Prevention and Detection System
- Access Control Assurance
Packet Filtering and Web Firewall
- Basic Packet Filtering
- Stateful Packet Filtering
- Matching Algorithms
- Common Configuration Errors
- Direction Based Filtering
- Advanced Firewall Management
- Firewall Analysis
Introduction to Computer Networks
- Internet, HTTP, DNS, P2P
- Socket, Ports
- Congestion Control, Flow Control, TCP
- Routing, Basic Graphs, IP
- DSL Versus Cable, Aloha, CSMA, TDMA, Token, 802.11
- Security RSA
- Cellular Networks, Mobile Networks, Satellite Networks
- Wireless Multi-hop Networks
- Internetwork
- Layers
- Data Rate, Throughput and Bandwidth
- Packets
- Datagram Forwarding
- Topology
- Routing Loops
- LAN and Ethernet
- DNS
- IP
- Firewall
- IETF and OSI
- Epilog
Hands-On, Workshops, and Group Activities
- Labs
- Workshops
- Group Activities
Sample Workshops and Labs for Web Security Training
- Tutorial and hands-on for different possible web attacks
- IP Hijacking Case Study
- Eavesdropping on HTTP Passwords Case Study
- Command Line Injection Attack Experiment
- Using SQL Injection Vulnerabilities to Gain Access to Website
- Using the Stolen Cookie for Identity Attack
- ModSecurity Application to Detect Threats