Thursday, December 28, 2006

A new class at UCLA Extension

I've "volunteered" to take on a new class at UCLA Extension. It will be titled "Security Vulnerability Assessment" or something like that. I'm going to teach it over 2 consecutive weekends (Friday/Saturday, two weeks in a row) sometime in Spring (mid-April most likely).

Here is my outline so far:

  • Overview of information security, including the basic threat model, types of vulnerability, technical security architecture and principles of security management.
  • Discussion of the types of security assessment that may be conducted, including general controls audits, technical audits, vulnerability scans, and penetration tests.
  • Standards for vulnerability assessment, including AICPA/PCAOB, NIST SP 800-30 and related docs, NSA IAM/IEM, and Payment Card Industry (PCI) standards. I MAY talk a bit about HIPAA. I'm not sure if I should do the OSSTMM. Does anyone actually use OSSTMM aside from the folks who wrote it?
  • Some specific review items for the most common technical platforms, meaning how to review Windows servers, Linux servers, and overall network security.
  • Demonstration of network security tools such as nmap, Nessus and the like.
I'll have a course reader with the slides as well as public domain material. I'll include relevant NIST documents and maybe FFIEC audit programs. I hope to get permission to use PCI documents. I really wish the NSA IAM had public domain documentation. I wish the Web site wasn't broken. It seems the Feds outsource this to training firms, who make a good business cranking out these certs.

I've tried finding similar courses offered elsewhere, but with little luck. Most of the "learn to hack" classes are proprietary, with no description other than the bare minimum. They tend to be entirely tool oriented as well. Classes on IT auditing only cover, well, IT auditing. Classes that touch on security assessment tend to do so as a small subtopic of a bigger intro to security class.