Thursday, December 28, 2006

A new class at UCLA Extension

I've "volunteered" to take on a new class at UCLA Extension. It will be titled "Security Vulnerability Assessment" or something like that. I'm going to teach it over 2 consecutive weekends (Friday/Saturday, two weeks in a row) sometime in Spring (mid-April most likely).

Here is my outline so far:

  • Overview of information security, including the basic threat model, types of vulnerability, technical security architecture and principles of security management.
  • Discussion of the types of security assessment that may be conducted, including general controls audits, technical audits, vulnerability scans, and penetration tests.
  • Standards for vulnerability assessment, including AICPA/PCAOB, NIST SP 800-30 and related docs, NSA IAM/IEM, and Payment Card Industry (PCI) standards. I MAY talk a bit about HIPAA. I'm not sure if I should do the OSSTMM. Does anyone actually use OSSTMM aside from the folks who wrote it?
  • Some specific review items for the most common technical platforms, meaning how to review Windows servers, Linux servers, and overall network security.
  • Demonstration of network security tools such as nmap, Nessus and the like.
I'll have a course reader with the slides as well as public domain material. I'll include relevant NIST documents and maybe FFIEC audit programs. I hope to get permission to use PCI documents. I really wish the NSA IAM had public domain documentation. I wish the Web site wasn't broken. It seems the Feds outsource this to training firms, who make a good business of cranking out these certs.

I've tried finding similar courses offered elsewhere, but with little luck. Most of the "learn to hack" classes are proprietary, with no description other than the bare minimum. They tend to be entirely tool oriented as well. Classes on IT auditing only cover, well, IT auditing. Classes that touch on security assessment tend to do so as a small subtopic of a bigger intro to security class.


Blogger Matteo G.P. Flora said...

Thanks for sharing your knowledge with us; I really appreciated your opinions on the subject.

I just wanted to tell you that OSSTMM is really fairly used and if you take a look at the 2.x version you'll see that OSSTMM is in most cases "the only" guide you need.

In addition to this please remember that OSSTMM is about Open Source and Methodology and a methodology is required to test anything thoroughly. As humans, we take short-cuts. We assume we know an answer or we know what's going on because of past experiences and we cut to the chase because time is money and all that. However, when that happens, we leave many unverified (unanswered) questions and report our assumptions as if they were facts. A good security methodology does not let you do that.
The open source concept actually means that anyone can contribute ideas for thoroughness, and it's not just up to one person, one group, or one authority.

Just my 2 cents as an OSSTMM user, and cheers for the new year...

12:01 PM
