
PROSPECTUS

Certification Scheme for I.T. Security Professionals

Level 1 & Level 2

DOEACC Society

Prospectus For Certification Scheme in Information Security

Level-3: Certified Forensic Professional [CFP] or Certified Information Systems Security Auditor [CISSA] or Certified System Security Solution Designer [CSSSD]

Level-2: Certified System Security Professional [CSSP]
Papers: Cryptography and Network Security; System and Device Security; Mobile and Wireless Security; Database and Web Application Security

Level-1: Certified System Security Analyst [CSSA]
Papers: Computer Fundamentals and Computer Networks; Operating System Administration; Information Security Concepts; System Security

DOEACC SOCIETY
(An Autonomous Body of the Department of Information Technology, Ministry of Communications & Information Technology, Government of India)
ELECTRONICS NIKETAN, 6, CGO COMPLEX, NEW DELHI-110 003

CONTENTS

1. DOEACC Society - An Introduction
2. DOEACC Society, Gorakhpur Centre - An Introduction
3. Information Security Education & Awareness (ISEA) Project
4. Certification Scheme in Information Security
5. Course Objective
6. Course Structure
7. Eligibility Criteria
   7.1 Certified System Security Analyst
   7.2 Certified System Security Professional
   7.3 Certified Forensic Professional / Certified Information Systems Security Auditor / Certified System Security Solution Designer
8. Rules and Regulations for Candidates Seeking Certification
9. Mode of Admission
   9.1 Regular Course
   9.2 Direct Course (Distance Course)
10. Final Examination Centres
11. Training Centres
12. Course Fee
   12.1 Fee for Regular Course
   12.2 Fee for Direct Course
13. Registration
14. Calendar of Events for Certification
15. Certification Examination Pattern
16. Course Modules
17. Expert Committee for Certification Scheme in Information Security
   17.1 Committee Members
   17.2 Terms of Reference of the Committee

APPENDIX A: DETAILED SYLLABUS LEVEL 1 CERTIFIED SYSTEM SECURITY ANALYST
   1.1 Computer Fundamentals and Computer Networks
   1.2 Operating System Administration
   1.3 Information Security Concepts
   1.4 System Security

APPENDIX B: DETAILED SYLLABUS LEVEL 2 CERTIFIED SYSTEM SECURITY PROFESSIONAL
   2.1 Cryptography and Network Security
   2.2 System and Device Security
   2.3 Mobile and Wireless Security
   2.4 Database and Web Application Security

1. DOEACC Society - An Introduction


DOEACC is an autonomous body of the Department of Information Technology, Ministry of Communications & Information Technology, Government of India, with headquarters at New Delhi. It is envisioned to bring the most up-to-date, globally industry-relevant computer education in the areas of Information, Electronics and Communication Technology (IECT) within the reach of more and more people. DOEACC Society implements a joint scheme of the All India Council for Technical Education (AICTE) and the Department of Information Technology [formerly Department of Electronics (DOE)], Government of India. The Department of Electronics Accredited Computer Courses (DOEACC) Society was formed on 9th November 1994 and is registered under the Societies Registration Act, 1860. The management and administration of the Society is overseen by a Governing Council under the chairmanship of the Minister of State, Communications & Information Technology, Government of India. Members of the Council include eminent academics from IITs, universities, etc. and professionals from industry.

2. DOEACC Society, Gorakhpur Centre - An Introduction


DOEACC Society, Gorakhpur Centre is a unit of DOEACC Society, which is an autonomous body of the Department of Information Technology, Ministry of Communications & Information Technology, Govt. of India. The Centre is a premier organisation for education, training, R&D and consultancy in IT and Electronics. The Centre offers courses in areas like Embedded Systems, VLSI, Instrumentation, Bioinformatics, ITES-BPO, Information Security, Cyber Law, Networking and other areas of Information Technology.

3. Information Security Education & Awareness (ISEA) Project


Information Security is an emerging area. At present there are not many Information Security professionals in the country, and the level of Information Security awareness in the country is low. This necessitates the development of specialised manpower, both at the high and the low end. Accordingly, the Government of India (Department of Information Technology) has launched the Information Security Education and Awareness (ISEA) Project with the following broad aims:

i. Introduce an Information Security curriculum at M.Tech. & B.Tech. level and research activity / PhD;
ii. Train System Administrators / Professionals;
iii. Train Government officers on Information Security issues, i.e. computer networking, cyber hygiene, data security etc.;
iv. Bring Information Security awareness to the country; and
v. Education Exchange Programme.

Under the project, the activities of introducing the Information Security curriculum and training System Administrators are being implemented through Resource Centres (RC - premier institutes like IITs and IISc) and Participating Institutes (PI - NITs, Govt. Degree Engineering Colleges, IIITs, Societies of DIT, etc.). The activity of training Central and State Government officers is being implemented through six DIT organisations, viz. CDAC, ERNET India, DOEACC Society, CERT-In, STQC Directorate and NIC. The Information Security awareness programme for industry, educational institutes and the masses is being implemented through CDAC, Hyderabad, which is also developing learning material for the training of Govt. officers. One of the activities envisaged is to launch a national-level Certification Scheme for Information Security Professionals. This activity has been assigned to DOEACC Society.

4. Certification Scheme in Information Security

One of the objectives of the ISEA project is to implement a robust certification mechanism in Information Security, with technical experience and guidance from the RCs of the ISEA Project, which will set internationally acceptable standards, with DOEACC as the implementing organisation. With the above objective in mind, DOEACC is launching the following certification scheme in Information Security, with three levels of certification, as a part of the Information Security Education and Awareness Project. DOEACC Society, Gorakhpur Centre is acting as the nodal centre; however, the national image of the scheme is maintained by DOEACC Society, New Delhi as the implementing organisation. Presently the certification scheme is open for Level-1 and Level-2 only.

5. Course Objective

To implement a national-level Certification Scheme in Information Security as part of the Information Security Education and Awareness Project of DIT. The course structure has been designed to conduct examinations for three levels of certification, i.e.:

Level-3: Certified Forensic Professional [CFP] or Certified Information Systems Security Auditor [CISSA] or Certified System Security Solution Designer [CSSSD]
Level-2: Certified System Security Professional [CSSP]
Level-1: Certified System Security Analyst [CSSA]

6. Course Structure

Level-1 Certified System Security Analyst (6 Months)

| S.No. | Code | Paper | Theory (Hours) | Practical (Hours) |
|---|---|---|---|---|
| 1. | IS-C1-01 | Computer Fundamentals and Computer Networks | 60 | 60 |
| 2. | IS-C1-02 | Operating System Administration | 60 | 60 |
| 3. | IS-C1-03 | Information Security Concepts | 60 | 60 |
| 4. | IS-C1-04 | System Security | 60 | 60 |
| | | TOTAL | 480 HOURS | |

Level-2 Certified System Security Professional (6 Months)

| S.No. | Code | Paper | Theory (Hours) | Practical (Hours) |
|---|---|---|---|---|
| 01. | IS-C2-01 | Cryptography and Network Security | 60 | 60 |
| 02. | IS-C2-02 | System and Device Security | 60 | 60 |
| 03. | IS-C2-03 | Mobile and Wireless Security | 60 | 60 |
| 04. | IS-C2-04 | Database and Web Application Security | 60 | 60 |
| | | TOTAL | 480 HOURS | |

7. Eligibility Criteria

7.1. Certified System Security Analyst (Level - 1)
B.E./B.Tech. (All Streams) / M.C.A. / DOEACC 'B' Level / M.Sc. (CS/IT) / M.B.A., or B.C.A. / B.Sc. (CS/IT) / PGDCA / DOEACC 'A' Level / 3-year diploma with two years of relevant job experience after passing the educational qualification.

7.2. Certified System Security Professional (Level - 2)
Level-1 (Certified System Security Analyst), or B.E./B.Tech. (All Streams) / MCA / DOEACC 'B' Level / M.Sc. (Computer Science/IT) / M.B.A. and 2 years of relevant job experience after passing the educational qualification.

7.3. Certified Forensic Professional / Certified Information Systems Security Auditor / Certified System Security Solution Designer (Level - 3)
Level-2 (Certified System Security Professional), or B.E./B.Tech. (All Streams) / MCA / DOEACC 'B' Level / M.Sc. (Computer Science/IT) / M.B.A. and 3 years of relevant job experience after passing the educational qualification.

Note:
1. The Certification Scheme is free for DOEACC employees (satisfying the eligibility criteria for the particular level).
2. DOEACC employees applying for the certification need to submit a letter from their employer indicating that they are in the job and have been given permission to appear in the certification.

8. Rules and Regulations for Candidates Seeking Certification

i. A candidate can take regular study by taking admission at an Institute offering such a training programme at Level 1, Level 2 or Level 3, subject to the eligibility criteria mentioned for the respective level.
ii. Candidates seeking admission in the direct or regular course have to fill in the registration form for the particular level.
iii. A candidate can apply for a single level at a time.

9. Mode of Admission

Admission can be taken in one of the following modes:

9.1. Regular Course: Candidates will be provided classroom facilities; six months of training will be provided at DOEACC Centres offering such a training programme.

9.2. Direct Course (Distance Course): Direct mode is an option for candidates to enrol through self-study mode without attending the regular course.
10. Final Examination Centres (with Alpha code)

EXAMINATION IS PROPOSED TO BE CONDUCTED AT THE CENTRES ALL OVER INDIA AS GIVEN BELOW:

| State / UT | Centre | Alpha Code |
|---|---|---|
| Andhra Pradesh | Hyderabad | APHYD |
| Arunachal Pradesh | Itanagar | ARITN |
| Assam | Guwahati | ASGUW |
| Bihar | Patna | BHPAT |
| Chandigarh | Chandigarh | CHCHA |
| Chhattisgarh | Bhilai | CGBHI |
| Delhi | New Delhi | DLNDL |
| Goa | Panaji | GOPNJ |
| Gujarat | Ahmedabad | GUAHM |
| Haryana | Faridabad | HRFBD |
| Himachal Pradesh | Shimla | HPSHM |
| Jammu & Kashmir | Jammu | JKJAM |
| Jammu & Kashmir | Srinagar | JKSNG |
| Jharkhand | Ranchi | JHRAN |
| Karnataka | Bangalore | KABNG |
| Kerala | Trivandrum | KETVM |
| Madhya Pradesh | Bhopal | MPBHO |
| Maharashtra | Mumbai | MHMUM |
| Manipur | Imphal | MNIMP |
| Mizoram | Aizawl | MZAZW |
| Nagaland | Kohima | NLKOH |
| Orissa | Bhubaneshwar | ORBHU |
| Rajasthan | Jaipur | RJJAI |
| Tamil Nadu | Chennai | TNCHN |
| Tripura | Agartala | TRAGT |
| Uttar Pradesh | Lucknow | UPLNW |
| Uttar Pradesh | Gorakhpur | UPGKP |
| Uttaranchal | Dehradun | UADDN |
| West Bengal | Kolkata | WBKKT |

Note: DOEACC reserves the right to change/cancel any centre mentioned above. In such a case, candidates who have applied for that centre will be allocated their second choice / nearest centre.

11. Training Centres

Training is provided at the following DOEACC Centres for Level-1 and Level-2:

1. DOEACC Society, Gorakhpur Centre, M.M.M. Engineering College Campus, Deoria Road, Gorakhpur, UP, Pin-273010
2. DOEACC Society, Imphal Centre, Akampat, Post Box No. 104, Imphal, Manipur - 795001
3. DOEACC Society, Jammu Centre, New Campus, University of Jammu, Dr. B.R. Ambedkar Road, Jammu - 180006
4. DOEACC Society, Kolkata Centre, Jadavpur University Campus, Kolkata - 700032
5. DOEACC Society, Srinagar Centre, Sidco Electronics Complex, Old Airport Road, Rangreth, Srinagar - 190007

12. Course Fee

12.1. Fee for Regular Course

12.2. Fee for Direct Course

13. Registration

Registration is a pre-requisite for appearing in the certification examination. Some important aspects of registration are:

(i) The Registration No. is unique and will remain the same for a particular level.
(ii) Registration will be valid for a period of 4 years for a particular level, after which re-registration is required.
(iii) After successful completion of a particular level, registration is allowed for the next higher level after paying the prescribed fee.
(iv) Registration is open throughout the year and is valid for a specified number of eight consecutive examinations, taking into account the cut-off date for the next immediate examination after registration. There is a cut-off date beyond which registrants cannot take the immediate examination.
(v) The Registration Fee is 500/- + Service Tax (as applicable).

14. Calendar of Events for Certification

Schedule for January-2011 Batch of Certification Scheme in Information Security Level-1 and Level-2

| Event | Date |
|---|---|
| Last date for submission of Registration Form | 15th December 2010 |
| Last date for submission of Course Fees (for Regular Candidates) | 31st December 2010 |
| Commencement of Classes (for Regular Candidates) | 3rd January 2011 |
| Last date for submission of filled-in Exam Form | 29th April 2011 |
| Last date for submission of filled-in Exam Form with late fee | 13th May 2011 |
| Date of Commencement of Exam | Last week of June 2011 |
| Date of Declaration of Results | 2nd week of September 2011 |
15. Certification Examination Pattern

The examination for the Information Security Certification Scheme will be conducted on the following pattern:

i. Examination will be conducted two times a year, in the last week of December and June.
ii. The theory examination of each paper will contain both objective and subjective questions.
iii. To qualify for a pass in a module, a candidate must have obtained at least 50% in each of the theory and practical examinations.
iv. There will be a single application form for examination, and for each examination the candidate has to fill in the said form. The examination form will be available for free download from our website (http://www.doeaccgkp.edu.in) from 1st March 2011.
v. On successful completion of all modules (theory and practical) of Levels 1 & 2 the candidate will be awarded a certificate. In the case of Level 3, candidates have to clear all the theory papers, the practical and the viva corresponding to the industrial project.
vi. The percentage of marks obtained by a candidate will be reflected in the certificate awarded to the candidate for a particular level.
vii. The structure for the examination fee is as follows:

16. Course Modules

LEVEL-1 CERTIFIED SYSTEM SECURITY ANALYST

| S.No. | Code | Paper | Max. Marks |
|---|---|---|---|
| 1. | IS-C1-01 | Computer Fundamentals and Computer Networks | 100 |
| 2. | IS-C1-02 | Operating System Administration | 100 |
| 3. | IS-C1-03 | Information Security Concepts | 100 |
| 4. | IS-C1-04 | System Security | 100 |
| 5. | IS-C1-05 | Practical | 100 |

LEVEL-2 CERTIFIED SYSTEM SECURITY PROFESSIONAL (6 Months)

| S.No. | Code | Paper | Max. Marks |
|---|---|---|---|
| 01. | IS-C2-01 | Cryptography and Network Security | 100 |
| 02. | IS-C2-02 | System and Device Security | 100 |
| 03. | IS-C2-03 | Mobile and Wireless Security | 100 |
| 04. | IS-C2-04 | Database and Web Application Security | 100 |
| 05. | IS-C2-05 | Practical | 100 |

17. Expert Committee for Certification Scheme in Information Security

17.1. Committee Members: There is an Expert Committee constituted for the certification scheme in Information Security with the approval of the Secretary, Department of Information Technology. The following is the structure of the Committee:

i) Prof. Sukumar Nandi, IIT Guwahati - Member
ii) Dr. M.S. Gaur, Malviya National Institute of Technology (MNIT), Jaipur - Member
iii) Dr. Kamlesh Bajaj, CEO, Data Security Council of India (DSCI) - Member
iv) Shri Sitaram Chamarty, Principal Consultant, Advanced Technology Centre, Tata Consultancy Services (TCS), Deccan Park, 1, Software Units Layout, Madhapur, Hyderabad-500 081 - Member
v) Shri Sanjay Vyas, Joint Director, HRD Division, DIT - Member
vi) Representative of AICTE - Member
vii) Shri M.M. Tripathi, Joint Director, DOEACC Society (Hqrs.) - Member
viii) Shri Alok Tripathi, Scientist D, DOEACC Society, Gorakhpur Centre - Member Secretary

17.2. The Terms of Reference of the Committee are as follows:

Appendix A

DETAILED SYLLABUS LEVEL-I CERTIFIED SYSTEM SECURITY ANALYST

IS-C1-01: Computer Fundamentals and Computer Networks
Lecture Hours: 60 Hours
Practical Hours: 60 Hours

| Sr.No. | Topic | Number of Hours |
|---|---|---|
| 1. | Overview of PC architecture | 02 |
| 2. | Different bus standards (ISA, PCI, PCMCIA) | 03 |
| 3. | Different Add-on Cards like memory, Graphics etc. | 03 |
| 4. | Operating system architecture | 02 |
| 5. | Process Management | 03 |
| 6. | Memory Management | 06 |
| 7. | File system Management | 03 |
| 8. | Introduction to Network OS | 03 |
| 9. | Basics of Communication Systems | 03 |
| 10. | Transmission Media | 03 |
| 11. | OSI, TCP/IP Models | 06 |
| 12. | Local Area Networks | 02 |
| 13. | Wide Area Networks | 03 |
| 14. | Networking Protocols | 03 |
| 15. | IP addressing & Routing | 03 |
| 16. | Understanding & recognizing TCP, IP, UDP, ICMP, Ethernet Packets | 03 |
| 17. | Internetworking Devices (Hub, Switch, Router etc.) | 05 |
| 18. | Wireless Networks | 04 |
| | Total | 60 |

Detailed Syllabus

Overview of PC Architecture (2 Hours)
What is a Computer, How computers operate, Types of computers, The computing environment, The Enterprise Computer Environment, Types of computers in the enterprise, Where the PC fits in the enterprise environment, Computers and PC Hardware Architectural Components, CPUs, Chipsets, Memory, I/O, Component interaction, PC Software, CISC versus RISC computer models, Software, Assembly, interpreted, and compiled software, Mother Board Components, CPU, Chipsets, Interrupt and DMA controllers and how they work, Memory, Static and dynamic RAM and their derivations, BIOS, CMOS RAM, I/O subsystem, Embedded and add-in devices

Different BUS Standards (3 Hours)
Serial Interconnects and Layered Protocols, Parallel models, Serial models, Synchronous versus asynchronous operation, Physical Layer Function and Services, Logical Sub-Block, Expansion Slots and Add-In Cards, Bus evolution and the bus wars, ISA, EISA, MCA, PCI, PCI-X, PCI Express, PCMCIA, Video and Monitor Types, Ports: Serial and parallel, USB and FireWire, Ethernet, Mass Storage Devices, Floppy and hard drives, High and low level formatting, CDs and DVDs: Types, speeds, and formatting

Different Add-on Cards (3 Hours)
Add-on Video Cards, Add-on Memory Cards, Add-on Graphics Cards

Operating System Architecture (2 Hours)
Introduction to Operating Systems, OS Internals and Architecture, Memory management, processes and threads, Files, file systems and directory structure, The Boot Process, POST, Windows boot process, Linux boot process, Basic OS Configuration

Process Management (3 Hours)
Types of Process, Multitasking, Input, Output & Error redirection, Managing running processes, Killing started processes, Understanding the init process, Parent processes, Tools for working with processes, Process scheduling, Inter-process communication, Signals, Pipes, FIFO, Queues, Semaphores, Shared Memory

Memory Management (6 Hours)
What is Memory Management, Abstract Model of Virtual Memory, Demand Paging, Swapping, Shared Virtual Memory, Physical & Virtual addressing Modes, Access Control, Caches, Buffer Cache, Page Cache, Swap Cache, Hardware Caches, Page Tables, Page Allocation & deallocation, Memory Mapping, Demand Paging, Page Cache, Swapping out & discarding Pages, Reducing Size of Page & buffer cache, Swapping out system shared memory pages, Swap Cache, Swapping Pages in

File System Management (3 Hours)
Types of file system, Comparison of file systems, Virtual File System, Programs used to manage file systems, Making a file system, Checking a file system, File System Fragmentation, File Fragmentation, Free Space Fragmentation, Related file Fragmentation

Introduction to Network Operating System (3 Hours)
Networking OS Software, Network basics and network models, Protocols, OSI and TCP Drivers

Basics of Communication Systems (3 Hours)
Basic Telecommunication System, Types of Communication, Transmission Impairments, Analog versus Digital Transmission, Components, Data representation, Data Flow, Issues in Computer Networking, The Beginning of the Internet, Services and Applications, Packet Switching Concepts, Virtual Circuit, Datagram Service, Source Routing, Issues in Computer Networking

Transmission Media (3 Hours)
Twisted Pair Cable, Coaxial Cable, Fiber Optic Cable, Unguided Media: Wireless, Radio Waves, Micro Waves, Infrared

OSI Model, TCP/IP Model (6 Hours)
OSI Model, Layered Architecture, Peer to Peer Process, Encapsulation, Layers in the OSI Model, Physical Layer, Data Link Layer, Network Layer, Transport Layer, Session Layer, Presentation Layer, Application Layer, Summary of Layers, TCP/IP Protocol Suite, Physical and Data Link Layers, Network Layer, Transport Layer

Local Area Networks (2 Hours)
The Ethernet LAN, LAN Protocol, CSMA/CD protocol, Ethernet Addresses, Ethernet Frame Format, LAN Transmission Media, LAN Topologies, Medium Access Control Protocols in LANs, LAN Standards, LAN Bridge, Wireless LANs

Wide Area Networks (3 Hours)
Issues in Wide Area Networking, X.25 Protocol, Overview of X.25, Satellite-Based X.25 Networks, Addressing in X.25 Networks

Networking Protocols (3 Hours)
Internetworking, Need for Network Layer, Internet as a datagram network, Internet as a connectionless network, IPv4, Datagram, Fragmentation, Checksum, IPv6, Advantages of Packet Format, Extension Headers

IP Addressing and Routing (3 Hours)
IPv4 Address, Address Space, Notations, Classful Addressing, Classless Addressing, Network Address Translation (NAT), IPv6 Address, Structure, Address Space, Routing protocols, Direct Delivery, Indirect Delivery, Routing Tables and Next-Hop Routing, Adaptive routing, Routing within Autonomous Systems, Open Shortest Path First (OSPF), Flooding, Routing between Autonomous Systems, Exterior Gateway Protocol, Border Gateway Protocol

Understanding and Recognizing TCP, IP, UDP, ICMP, Ethernet Packets (3 Hours)
TCP (Transmission Control Protocol), Flow Control and Acknowledgments, Stop-and-wait Protocol, Sliding Window Protocol, Congestion Control, IP (Internet Protocol), Overview of IP, Internet Addressing Scheme, Dotted Decimal notation, Address Resolution Protocol, Reverse Address Resolution Protocol, IP Datagram format, UDP (User Datagram Protocol), UDP Datagram format, Overview of ICMP, Overview of Ethernet Packets

Internetworking Devices (5 Hours)
HUB, Switch and Routers

Wireless Networks (4 Hours)
Introduction to Personal Area Networks, Overview of Bluetooth, HomeRF, IrDA, IEEE 802.1X

References
1. A+ Jumpstart: PC Hardware and O.S. Basics by Faithe Wempen, BPB.
2. A+ Complete Study Guide by Quentin Docter, BPB.
3. CCNA Study Guide by Todd Lammle, BPB.
4. N+ Study Guide, 4th Edition, by David Groth, BPB.

PRACTICAL ASSIGNMENTS

Total: 60 hrs

IS-C1-02: Operating System Administration
Lecture Hours: 60 Hours
Practical Hours: 60 Hours

| S. No. | Topic | No. of Hours |
|---|---|---|
| | WINDOWS OPERATING SYSTEM | |
| 1. | Introduction to Windows Operating System | 02 |
| 2. | Installation and Configuration | 07 |
| 3. | Installation and Managing Active Directory | 05 |
| 4. | Managing and Securing Resources | 12 |
| 5. | Performance and Maintenance | 05 |
| | LINUX OPERATING SYSTEM | |
| 6. | Introduction to Linux | 02 |
| 7. | Linux Installation | 03 |
| 8. | Booting Procedures | 03 |
| 9. | Linux Commands and Shell Programming | 07 |
| 10. | System Administration | 10 |
| 11. | X Windows | 02 |
| 12. | Performance Tuning | 02 |

Detailed Syllabus

WINDOWS OPERATING SYSTEM

Introduction to Windows Operating System (02 hours)
Windows 2003 Server, System Requirement, Architecture, Groups, Domains and Active Directory.

Installation and Configuration (07 hours)
Hardware Requirement, Preparation for Installation, Disk Partitioning, Dual Booting Feature, Remote Installation Server, Troubleshooting during Installation.

Installation and Managing Active Directory (02 hours)
Understanding features of Active Directory, Structure, Naming Convention, Windows 2003 Domain, Organizational Units, Installing Active Directory, Controlling Access to Active Directory, Locating Objects in Active Directory and Administration of Active Directory Objects.

Managing and Securing Resources (12 hours)
Configuration of Hardware Devices, APM, Working with File System, Upgradation of Hard Disk, Backup Strategy, Managing User Accounts and Profiles, Managing Group Accounts, System Policy and Group Policy, Monitoring Disk Quotas, Auditing, Configuring and Scheduling Printer Tools, Setting Up of IIS Web Server, SQL Server and Exchange Server.

Performance and Maintenance (05 hours)
Monitoring Performance using System Monitor, Setting up of Services, Recovering from Disk Failure.

LINUX OPERATING SYSTEM

Introduction to Linux (02 hours)
Development of Linux, Various Distributions of Linux, Linux System Concepts: Directory Structure and File Structure.

Linux Installation (03 hours)
System Requirement, Different types of Installation: CD-ROM, Network and Quick Start; Different types of Linux Installation: Server, Workstation and Custom; Disk Partitioning: Auto and Manual; Boot Loader, Package Selection, Network and Authentication Support.

Booting Procedures (03 hours)
LILO / GRUB Configuration, Server Security, Run Levels, Initialization Scripts, Device Initialization and their Access, Shutdown Procedures.

Linux Commands and Shell Programming (07 hours)
Concepts of Processes, Commonly used user Commands, vi Editor, Various Shells and Shell Programming.

System Administration (10 hours)
Services: Initialization and Status; Creating and Maintaining User Accounts and Group Accounts, Disk and Device Management, Backup Concepts, Installation and Maintenance of various Servers: Apache, Squid, NFS, DHCP, NIS and Print Server.

X Windows (02 hours)
Introduction, Installation and Configuration of X Windows, Working with X Windows: GNOME, KDE, Window Manager.

Performance Tuning (02 hours)
Logrotate, Backup Strategy, Study of various Services for Performance Tuning, Enhancement and Optimization.

References:
1. Windows Server 2003 Network Security Design Study Guide by Reisman, BPB Techmedia.
2. Windows Server 2003 Network Security Administration Study Guide by Kaufmann, BPB Techmedia.
3. Red Hat Linux Security and Optimization, Red Hat Press.
4. Building Secure Servers with Linux, O'Reilly.
5. Linux Security by Hontañón, BPB Techmedia.


PRACTICAL ASSIGNMENTS
Windows Practical List

Total: 60 hrs

IS-C1-03: Information Security Concepts
Lecture Hours: 60 Hours
Practical Hours: 60 Hours

| No | Topic | Minimum No. of Hours |
|---|---|---|
| 1 | Basics of Information Security | 10 |
| 2 | Security Threats and Vulnerabilities | 8 |
| 3 | Cryptography | 6 |
| 4 | Identification and Authentication | 2 |
| 5 | Network Security | 8 |
| 6 | Security Tools and Techniques | 2 |
| 7 | Internet Security | 5 |
| 8 | E-mail Security | 2 |
| 9 | Wireless Security | 5 |
| 10 | Risk Assessment and Disaster Recovery | 6 |
| 11 | Computer Forensics | 4 |
| 12 | Information Security Laws | 2 |
| | Total Hrs | 60 |

Detailed Syllabus

Basics of Information Security (10 hours)
Introduction to Information Security, History of Information Security, Need for computer security: Confidentiality, Integrity, Availability, Authenticity, Accountability, Non-repudiation, Authorization; Security threats: Intrusion, Hacking; Security mechanisms: Prevention, Detection, Recovery, Anti-virus, Encryption, Firewall, VPN, Access control, Smart card, Biometrics, Intrusion Detection, Policy management, Vulnerability Scanning, Physical security, Backup, Auditing, Logging; National & International Scenario

Security Threats, Vulnerabilities (08 hours)
Overview of Security threats, Vulnerabilities; Access Attacks: Snooping, Eavesdropping, Interception; Modification Attacks: Changes, Insertion, Deletion; Denial-of-Service Attacks: Denial of Access to Information, Applications, Systems, Communications; Repudiation Attacks: Masquerading, Denying an Event; Malicious code: Viruses, worms, Trojan horses, how they work and how to defend against them; Sniffing, back door, spoofing, brute force attack, Social Engineering, Vulnerable Configurations, Security of Hard drives, laptops & mobile devices

Cryptography (06 hours)
Symmetric versus asymmetric cryptography, Advantages & disadvantages of symmetric versus asymmetric cryptography, How to mix and match both in practical scenarios, Key management, Digital Signature & other applications of cryptography, PKI: CA, RA, Subscriber etc., PKI usage from the user side, CA/RA side etc., Types of PKI hierarchy: Single CA, trust models etc., Certificate management

Identification and Authentication (02 hours)
Access Control models: Mandatory Access Control, Discretionary Access Control, Role-based Access Control; Methods of Authentication: Kerberos, CHAP, Certificates, Username/Password, Tokens, Biometrics, Multi-factor, Mutual

Network Security (08 hours)
Network Infrastructure Security: Workstation, Server, Router, Switch, Modem, Mobile devices; Firewalls and packet filtering, Proxy or application-level gateways, security devices, VPN, Intrusion Detection System, Electronic Payment System, Introduction to IPSec, PPTP, L2TP

Security Tools and Technologies (02 hours)
Network scanners, Vulnerability scanners, OS fingerprinting: nmap, Nessus, MBSA, SAINT, John the Ripper, Forensic tools, Others.

Internet Security (05 hours)
Recognize and understand the following Internet security concepts: Customizing Browser Security Settings; Vulnerabilities: Cookies, JavaScript, ActiveX, Applets, Buffer overflows; Anonymous surfing, Phishing, HTTP/S, SSL/TLS and Certificates, Internet use best practices

E-mail Security (02 hours)
POP3 vs. Web-based e-mail, Encrypting and signing messages, S/MIME, PGP; Vulnerabilities: Spam, E-mail hoaxes; E-mail use best practices

Wireless Security (05 hours)
Wired/Wireless networks, Ad-hoc networks and sensor networks, WTLS, 802.11 and 802.11x, WEP/WAP (Wired Equivalent Privacy / Wireless Access Protocol), Vulnerabilities, Site Surveys, DoS and DDoS attacks

Risk Assessment and Disaster Recovery (06 hours)
Asset classification, Information classification, Organization-level strategy, Process-level strategy, Risk assessment methods, Risk classification, Business continuity plan, Business impact analysis, Event logs, Security Auditing, Disaster Recovery Plan, Backup, Secure Recovery: Alternate sites, Security Policies & Procedures

Computer Forensics (04 hours)
Nature and types of cyber crime: Industrial espionage, cyber terrorism; Principles of criminal law, Computer forensic investigation, Digital evidence, Forensic analysis

Information Security Laws (02 hours)
IT Act, The rights the various parties have with respect to creating, modifying, using, distributing, storing and copying digital data. Concurrent responsibilities and potential liabilities, Intellectual property issues connected with use and management of digital data

Recommended Books

Main reading
1. Network Security Bible by Eric Cole and Ronald L. Krutz, Wiley Dreamtech India Pvt Ltd, New Delhi
2. Fundamentals of Network Security by Eric Maiwald, Dreamtech Press
3. Absolute Beginner's Guide to Security, Spam, Spyware & Viruses by Andy Walker, Que
4. Computer Security Basics, 2nd Edition, by Rick Lehtinen, O'Reilly

Supplementary reading
1. Network Security Essentials: Applications and Standards by Stallings, Pearson Education Pvt Ltd, Delhi
2. Computer Viruses, Computer Security: A Global Challenge by Cohen, Elsevier Press
3. Incident Response & Computer Forensics by Kevin Mandia, Chris & Matt Pepe, Tata McGraw-Hill Edition
4. 802.11 Security by Bruce Potter and Bob Fleck, O'Reilly
5. B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2/e, John Wiley and Sons, New York, 1996
6. Foundations of Computer Security by David Salomon, Springer
7. Security+ In Depth by Paul Campbell, Vijay Nicole Imprints, Chennai
8. Digital Security: Concepts and Cases, ICFAI University Press, Hyderabad

PRACTICAL ASSIGNMENTS

Total: 60 hrs

IS-C1-04: System Security
Lecture Hours: 60 Hours
Practical Hours: 60 Hours

Outline of the Syllabus

Sr.no  Topic                                                 Minimum no. of hours
01.    Design of Secure Operating System                     04
02.    Design of Trusted Operating System                    04
03.    Operating System Hardening                            06
04.    Operating System Controls                             04
05.    Internet Protocols and Security                       04
06.    Application Security                                  02
07.    WWW Security                                          02
08.    SHTTP (Secure HTTP)                                   02
09.    S/MIME (Secure Multipurpose Internet Mail Extension)  02
10.    PGP                                                   02
11.    SET (Secure Electronic Transaction)                   02
12.    E-mail Security and Instant Message Security          02
13.    Access Control                                        04
14.    Internet Security Protocols                           04
15.    Managing Personal Firewall and Antivirus              06
16.    Remote Access Security                                04
17.    Secure Configuration of Web Server                    02
18.    Secure Configuration of Database Server               02
19.    Secure Configuration of Email Server                  02

Detailed Syllabus

Design of Secure Operating System 04 hours
Introduction of a Secured System, Drawbacks of Existing Operating Systems (Bugs, Fault Isolation, Huge size Kernel Program etc.), Patching Legacy Operating Systems, Paravirtual Machines Concept, Future Systems

Design of Trusted Operating System 04 hours
Introduction, Security Assurance Evaluation, Need for Trusted Operating Systems, Features of Trusted OSs

Operating System Hardening 06 hours
Function of Operating System, Types of OS (Real time OS, Single User Single task OS, Single User Multi tasking System, Multiuser System), Task of OS, Process Management, Memory Management, Device Management, Storage Management, Application Interface, User Interface, Security Weakness of Operating Systems, Windows Weakness, Linux Weakness, Hardening OS during Installation, Secure User Account Policy, Strong User Password Policy, Creating list of Services and Programs running on Server, Patching Software, Hardening Windows, Selecting File System, Active Directory / Kerberos, General Installation Rules, Hardening Linux, Choosing the correct installation procedure, different installation tools, Partitions and Security, Network Services, Boot Loaders, Reverse Engineering

Operating System Controls 04 hours
Introduction - How the Computer System Works, Purpose of an Operating System, Types of Operating System, Wake up Call, Power on Self Test, BIOS, Boot Loader, Task of an Operating System

Internet Protocols and Security 04 hours
Introduction of Internet Protocols, IPSec Operation, IPSec Implementation, IPv4 Network versus IPv6 Network, Problems with IPSec

Application Security 02 hours
Hacking Web Applications, How Web applications are attacked, Input Validation attack, Full Knowledge Analysis

WWW Security 02 hours
Web Security Considerations, Hacking Web Platforms, Web Platform Security Best Practices, Web Authentication Threats, Bypassing Web Authentication (Token Replay, Identity Management, Client-Side Piggybacking), Attacking Web Authorization

SHTTP (Secure HTTP) 02 hours
Introduction, Overview of SHTTP

S/MIME (Secure Multipurpose Internet Mail Extension) 02 hours
Introduction, Functionality, Digital Signature, Message Encryption, Triple-Wrapped Messages, S/MIME Certificates, Usage of S/MIME in various e-mail software, Obstacles of Deploying S/MIME, Caveats

PGP 02 hours
Introduction, Use of PGP, Encryption and Decryption in PGP, PGP Services, Message, Key Management

SET (Secure Electronic Transaction) 02 hours
Introduction of SET, SET Technology, Symmetric and Asymmetric encryption in SET, Transaction Authenticity, Importance of secure transactions

E-mail Security and Instant Message Security 02 hours
Introduction, E-mail Attack, Use of Digital Certificate to prevent attack, Introduction to IM Security, Best Practices for IM security

Access Control 04 hours
Access Control Basics, Access Control Techniques, Access Control Administration, Centralized Access Control, Decentralized Access Control, Accountability, Access Control Models, Identification and Authentication Methods, Biometric Authentication

Internet Security Protocols 04 hours
IP Security Architecture, Authentication Header, Encapsulating Security Payload, Combining Security Associations, Key Management

Managing Personal Firewall and Antivirus 06 hours
Managing Logs, Upgrades, SNMP, Internet Service Provider Issues, Defense in Depth

Remote Access Security 04 hours
Business Requirement of Remote Access, Remote Access Technologies, VPN, Extranet and Intranet Solution, Use of VPN for Remote Access Security, IPSec, Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), SSL, Authenticated access of files through SAMBA for different OS, Overview of RAS Server for Small Enterprise Application, Overview of Remote Access through ISP, Remote Administration

Secure Configuration of Web Server 02 hours
Protecting Directories and Files against Profiling, IIS Hardening, Apache Hardening, Analyzing Security Logs, Web Authorization / Session Token Security, IE Security Zones, Low Privilege Browsing, Server Side Countermeasures

Secure Configuration of Database Server 02 hours
Access control policy, Protecting Read Only Accounts, Protecting high risk stored procedures and extended functionality, Patch updates

Secure Configuration of Email Server 02 hours
Vulnerabilities of Mail Server, Improving the Security through appropriate planning, Security Management Practices and Controls, Secured OS and Secured Application Installation, Improving the Security through Secured Network Infrastructures

References:
1) Network Security Bible, Cole, WILEY
2) Designing Security Architecture Solutions, Ramachandran, WILEY
3) Network Security Essentials: Applications and Standards, William Stallings
4) Hacking Web Applications Exposed, Joel Scambray, Mike Shema, Caleb Sima, TATA McGraw-HILL


PRACTICAL ASSIGNMENTS

Total: 60 hrs


Appendix B
DETAILED SYLLABUS LEVEL-2 CERTIFIED SYSTEM SECURITY PROFESSIONAL

IS-C2-01: Cryptography and Network Security
Lecture Hours: 60 Hours
Practical Hours: 60 Hours

Sr.No.  Topics                                                  Number of Hours
1.      Introduction                                            02
2.      Classical Encryption Techniques                         04
3.      Mathematics Fundamentals associated with cryptography   06
4.      Symmetric ciphers                                       08
5.      Asymmetric ciphers                                      10
6.      Internet Security Protocols                             08
7.      User Authentication and Kerberos                        06
8.      Electronic Mail Security                                04
9.      IP Security                                             06
10.     Firewalls and Virtual Private Networks (VPN)            06
        Total                                                   60

2. Detailed Syllabus

1. Introduction 02 hours
Active attacks, passive attacks, confidentiality, integrity, availability, non-repudiation, plain text, encryption algorithm, secret key, text, decryption algorithm, cryptanalysis, brute force attacks.

2. Classical Encryption Techniques 04 hours
Substitution Techniques, Transposition Techniques, Rotor machine, Steganography, key range and key size.
3. Mathematics Fundamentals associated with cryptography 06 hours
Groups, Rings, Fields, Prime numbers, Euclid's Algorithm, Modular Arithmetic and Discrete logarithms, Finite Fields, Polynomial arithmetic, Fermat's Theorem, Euler's Theorem, Chinese Remainder Theorem, Testing for Primality, Quadratic Residues, Legendre Symbol, Jacobi Symbol, Hasse's Theorem, Quadratic Reciprocity Theorem, Massey-Omura protocol, Inverse of a matrix.

4. Symmetric ciphers 08 hours
Block cipher principles, DES, Strength of DES, Differential and Linear cryptanalysis, Block cipher Design principles, International Data Encryption Algorithm (IDEA), Stream cipher RC4, RC5, Blowfish, AES, Evaluation criteria for AES, Triple DES, Traffic confidentiality, key distribution, Random number generation
5. Asymmetric ciphers 10 hours
Brief history, overview, RSA algorithm, Key management, Diffie-Hellman key exchange, Elliptic curve cryptography, Difference between Asymmetric and Symmetric ciphers. Message authentication, Message authentication codes, Hash functions, Security of Hash functions and MAC, Hash Algorithm Whirlpool, HMAC, CMAC. Digital Signature, Authentication protocols, Digital Signature Standard, Public-key Infrastructure, Models of PKI, Digital certificates, private key management.

6. Internet Security Protocols 08 hours
Introduction, Secure Socket Layer (SSL), Transport Layer Security (TLS), Secure Hyper Text Transfer Protocol (SHTTP), Time Stamping Protocol (TSP), Secure Electronic Transaction (SET), SSL versus SET, 3D Secure Protocol, Electronic Money.

7. User Authentication and Kerberos 06 hours
Introduction, Authentication Basics, Passwords, Authentication, Biometric Authentication, Kerberos, Key Distribution Centre (KDC), Security Handshake Default, Single Sign-On (SSO) Approaches.

8. Electronic Mail Security 04 hours
Introduction, E-mail headers and Body, Proxy SMTP, Pretty Good Privacy (PGP), S/MIME.

9. IP Security 06 hours
IP Security overview, IP Security Architecture, Authentication Header, Encapsulating Security Payload (ESP), Combining Security Associations, Key Management.

10. Firewalls and Virtual Private Networks (VPN) 06 hours
Firewalls, Firewall Design Principles, Virtual Private Network (VPN), Intrusion

References : Detailed References will be provided in the course material to be given to registered candidates.


IS-C2-02: System and Device Security
Lecture Hours: 60 Hours
Practical Hours: 60 Hours

Outline of the Syllabus

Sr.no  Topic                                                  Minimum no. of hours
Part - I (Operating System Threats)
1.     Program Security                                       02
2.     Fascination of Malicious Code Analysis                 04
3.     Malicious Code Environment                             04
4.     Classification of Infection Strategies                 03
5.     Strategies of Computer Worm                            03
Part - II (Securing OS from Threats)
6.     Antivirus Techniques                                   04
7.     Advanced Antivirus Techniques                          06
8.     Case Studies                                           04
Part - III (Device Security)
9.     Introduction to Network Infrastructure Security        04
10.    Switch Security                                        02
11.    Router Security                                        04
12.    DNS Security                                           04
13.    ADSL Security                                          05
14.    Cable Modem Security                                   05
15.    Protecting Network Infrastructure - A new approach     06

Detailed Syllabus

Part-I (Operating System Threats)

1. Program Security 02 hours
Secure Program, Virus and other Malicious code, targeted malicious code, Controls against Program threats

2. Fascination of Malicious Code Analysis 04 hours
Common pattern of virus research, antivirus defense development, terminology of malicious programs, Computer malware naming scheme

3. Malicious Code Environment 04 hours
Computer architecture dependency, CPU dependency, OS dependency, File system and file format dependency, Network protocol dependency

4. Classification of Infection Strategies 03 hours
Boot Viruses, File infection techniques, In depth look at WIN32 Viruses

5. Strategies of Computer Worm 03 hours
Generic structure of computer worms, Common worm code transfer and execution techniques

Part-II (Securing OS from Threats)

6. Antivirus Techniques 04 hours
Detection: Static Methods, Scanners, Static Heuristics, Integrity Checkers, Dynamic Methods, Behavior Monitors/Blockers, Emulation, Comparison of antivirus techniques

7. Advanced Antivirus Techniques 06 hours
Retroviruses, Entry point obfuscation, Anti-Emulation (outlast, outsmart, overextend), Armoring (Anti-Debugging, Anti-Disassembly), Tunneling (Integrity checker attacks), Avoidance, Deworming, defense (User, host, perimeter), capture and containment (Honeypots, Reverse Firewalls, Throttling), Automatic Countermeasures

8. Case Studies 04 hours
Linux/Unix Security Details, Trusted Operating Systems

Part-III (Device Security)

9. Introduction to Network Infrastructure Security 04 hours
Internet infrastructure, key components in the internet infrastructure, internet infrastructure security

10. Switch Security 02 hours
Introduction, How switches can be attacked

11. Router Security 04 hours
Overview of Internet routing, External and internal attacks, RIP attacks and countermeasures, OSPF attacks and countermeasures, BGP attacks and countermeasures

12. DNS Security 04 hours
Introduction, DHCP attacks, DNS attacks

13. ADSL Security 05 hours
Introduction, DSL family tree, ADSL, ADSL benefits, security threats, countermeasures, topologies with ADSL modems, topologies with ADSL routers, recommended topologies, using routers as a firewall, limitations, feature risks, precautionary measures.

14. Cable Modem Security 05 hours
Working of cable modem, Cable modem security threats, different filtering techniques, DHCP server filter, Microsoft networking filter, Network isolation filter, static IP address filter, MAC address filter, comparing DSL and cable modem security threats.

15. Protecting Network Infrastructure - A new Approach 06 hours
Analysis of security problems of network infrastructure, steps in hacking network infrastructure, Flat network design model and Masquerading, A new model to protect network infrastructure.

References:
Detailed References will be provided in the course material to be given to registered candidates.
IS-C2-03: Mobile and Wireless Network Security
Lecture Hours: 60 Hours
Practical Hours: 60 Hours

Outline of the Syllabus

Sr.no  Topic                                                        Minimum no. of hours
Part - I (Wireless Technology)
1.     Wireless Fundamentals                                        2
2.     Wireless Network Logical Architecture                        4
3.     Wireless Network Physical Architecture                       4
4.     Wireless LAN Standard                                        4
Part - II (Security for Mobility)
5.     PKI in Mobile Systems                                        2
6.     Personal PKI                                                 2
7.     Smartcard as a Mobile Security Device                        2
8.     Secure Mobile Tokens - The Future                            2
9.     Universal Mobile Telecommunications System (UMTS) Security   2
10.    Securing Network Access in Future Mobile Systems             6
11.    Security Issues in a Mobile IPv6 Network                     2
12.    Mobile Code Issues                                           4
13.    Secure Mobile Commerce                                       2
Part - III (Wireless Network Security)
14.    Security in Traditional Wireless Networks                    2
15.    Wireless LAN Security                                        2
16.    Security in Wireless Ad-hoc Networks                         2
17.    Implementing Basic Wireless Security                         2
18.    Implementing Advanced Wireless Security                      2
Part - IV (Other Wireless Technology)
19.    Home Network Security                                        2
20.    Wireless Embedded System Security                            2
21.    RFID Security                                                2
22.    Security Issues in Single Hop Wireless Networks              2
23.    Security Issues in Multi Hop Wireless Networks               4

Detailed Syllabus

Part-I (Wireless Technology)

1. Wireless Fundamentals 2 hours
Wireless Medium: Radio Propagation Effects, Exposed Terminal Problem, Bandwidth; Wireless Networking Basics: WLAN, working of WLAN, Current WLAN Standards.

2. Wireless Network Logical Architecture 4 hours
OSI Network Model, Network Layer Technologies, Data Link Layer Technologies, Operating System Considerations

3. Wireless Network Physical Architecture 4 hours
Wired Network Topologies, Wireless Network Topologies, Wireless LAN Devices, Wireless PAN Devices, Wireless MAN Devices

4. Wireless LAN Standard 4 hours
The 802.11 WLAN Standards, 802.11 MAC Layer, 802.11 PHY Layer, 802.11 Enhancements, other WLAN Standards

Part-II (Security for Mobility)

5. PKI in Mobile Systems 2 hours
PKI overview, PKI in current Mobile Systems, PKI in Future Mobile Systems

6. Personal PKI 2 hours
Issues in Personal PKI, Personal PKI requirements, Personal CAs, Device Initialization, Proof of possession, Revocation in Personal PKIs

7. Smartcard as a Mobile Security Device 2 hours
Storage cards and Processor cards, Standardization of data objects and commands, Smartcards and biometrics

8. Secure Mobile Tokens - The Future 2 hours
Security Modules, Current use of Security Modules, Security Module Technology, Current use of secure mobile tokens, Personal Security tokens

9. Universal Mobile Telecommunication System Security 2 hours
Building on GSM Security, UMTS access security, Network Security, IP Multimedia Subsystem Security

10. Securing Network Access in Future Mobile Systems 6 hours
Outline of Security Architecture, Design alternatives for authentication and establishment of Security associations, IP Layer Security, Link Layer Security, Network Security options

11. Security Issues in a Mobile IPv6 Network 2 hours
Introduction to Mobile IP, Mobile IPv6 Security Mechanisms, AAA (authorization, authentication and accounting) requirements for Mobile IP

12. Mobile Code Issues 4 hours
Agent and Multi-agent Systems, Security Implications, Security Measures for Mobile Agents, Security Issues for Downloaded code in Mobile phones

13. Secure Mobile Commerce 2 hours
M-Commerce and its security challenges, Security of the radio interface, Security of m-commerce
Part-III (Wireless Network Security)

14. Security in Traditional Wireless Networks 2 hours
Security in First Generation TWNs, Security in Second Generation TWNs, Security in 2.5 Generation TWNs, Security in 3G TWNs

15. Wireless LAN Security 2 hours
Key Establishment, Anonymity, Authentication, Confidentiality, Data Integrity and Loopholes in 802.11

16. Security in Wireless Ad-hoc Networks 2 hours
Bluetooth: Basics, Security Modes, Key Establishment, Authentication, Confidentiality, Integrity Protection, Enhancements

17. Implementing Basic Wireless Security 2 hours
Enabling Security Features on a Linksys WAP11 802.11b Access Point, Filtering by MAC Address, Enabling Security Features on a Linksys WRT54G 802.11b/g, Configuring Security Features on Wireless Clients

18. Implementing Advanced Wireless Security 2 hours
Implementing WiFi Protected Access (WPA), Implementing a Wireless Gateway with Reef Edge, Implementing a VPN on a Linksys WRV54G VPN Broadband Router

Part-IV (Other Wireless Technology)

19. Home Network Security 2 hours
Basics of Wireless Security, Basics of Wireless Security Measures, Additional Hotspot Security Measures

20. Wireless Embedded System Security 2 hours
Wireless Technologies, Bluetooth, ZigBee, Wireless Technologies and the Future

21. RFID Security 2 hours
Introduction, RFID Radio Basics, RFID Architecture, Threat and Target Identification, Management of RFID Security

22. Security Issues in Single Hop Wireless Networks 2 hours
Cellular Network Security, Access Control and Roaming Issues, Mobile IP Security, Pervasive Computing Security

23. Security Issues in Multihop Wireless Networks 4 hours
Mobile Ad hoc Network Security, Trust Management and Routing Issues, Wireless Sensor Network Security, Key Management, Sybil Attacks and Location Privacy, Vehicular Network Applications and Security, Wireless Metropolitan Area Networks (e.g. 802.11b)

References : Detailed References will be provided in the course material to be given to registered candidates.


IS-C2-04: Database and Web Applications Security
Lecture Hours: 60 Hours
Practical Hours: 60 Hours

Database Security 28 hours
1.  Integrity                                                    06 hours
2.  Access Control                                               08 hours
3.  Database Auditing                                            06 hours
4.  Network Access and Requirements                              06 hours
5.  Operating System                                             02 hours

Web Applications Security 32 hours
6.  Fundamentals of Web Application Security                     02 hours
7.  Core Defense Mechanisms                                      02 hours
8.  Web Application Technologies                                 03 hours
9.  Client-side Exploit Framework                                03 hours
10. Bypassing Client-side Controls                               02 hours
11. Web Based Malware                                            02 hours
12. Securing Authentication                                      03 hours
13. Securing Session Management                                  02 hours
14. Securing Access Controls                                     02 hours
15. Securing Application Architecture                            03 hours
16. Web Server and Web Application Testing with Back Track       03 hours
17. Securing Web Based Services                                  05 hours

Database Security

1. Integrity 06 hours
Software Integrity: Current DBMS Version, DBMS Software/Object Modification, Unused Database Software/Components, Database Software Development, Shared Production/Development Systems, Ad Hoc Queries, Multiple Services Host Systems
Data Integrity: Database File Integrity, Database Software Baseline, Database File Backup and Recovery

2. Access Control 08 hours
Database Account Controls: Authentication, Password Guidelines, Certificate Guidelines
Database Accounts: Administrative Database Accounts, Application Object Ownership/Schema Account, Default Application Accounts, Application Non-interactive/Automated Processing Accounts, N-Tier Application Connection Accounts, Application User Database Accounts
Database Authorizations: Database Object Access, Database Roles, Application Developer Roles, Application Administrator Roles, Application User Database Roles
Protection of Sensitive Data, Protection of Stored Applications, Protection of Database Files

3. Database Auditing 06 hours
Precautions to Auditing; Audit Data Requirements: Minimum Required Audit Operations, DBA Auditing, Required Audit Operations on Audit Data; Audit Data Backup, Audit Data Reviews, Audit Data Access, Database Monitoring

4. Network Access and Requirements 06 hours
Protection of Database Identification Parameters; Network Connections to the Database: Remote Administrative Database Access, Open Database Connectivity (ODBC), Java Database Connectivity (JDBC), Web Server or Middle-Tier Connections to Databases, Database Session Inactivity Time Out; Database Replication, Database Links

5. Operating System 02 hours
Database File Access, Local Database Accounts, Database Administration Accounts, Database OS Groups

Web Applications Security

6. Fundamentals of Web Application Security 02 hours
The core security problem, Key problem factors, immature security awareness, Deceptive Simplicity, Resource and Time constraints, Overextended Technologies, The new security perimeter, The future of Web Application Security.

7. Core Defense Mechanisms 02 hours
Handling user access, Handling user input, boundary validation, multistep validation and canonicalization, handling errors, Maintaining audit logs, Alerting administrators, Reacting to attacks, Managing the application.

8. Web Application Technologies 03 hours
The HTTP Protocol, HTTP Headers, Cookies, Status codes, Web Functionality, Server-side Functionality, Client-side Functionality, State and Sessions, Encoding schemes (URL Encoding, Unicode Encoding, HTML Encoding, Base64 Encoding, Hex Encoding).

9. Client-side Exploit Framework 03 hours
AttackAPI, BeEF (installing, configuring and controlling), CAL9000, overview of XSS-Proxy, using XSS-Proxy.

10. Bypassing Client-side Controls 02 hours
Transmitting data via the client, Capturing user data: HTML forms, Capturing user data: Thick-client components, ActiveX Controls, Shockwave Flash objects, handling client-side data securely.

11. Web Based Malware 02 hours
Attacks on the Web, Hacking into Web sites, Index Hijacking, DNS poisoning, Malware and the Web, Parsing and Emulating HTML, Browser vulnerabilities, Testing HTTP.

12. Securing Authentication 03 hours
Authentication Technologies, Design Flaws in Authentication Mechanisms, Implementation Flaws in Authentication, Securing Authentication, Strong credentials, handle credentials secretively, validate credentials properly, Prevent information leakage, prevent Brute-Force Attacks, log, monitor and notify.

13. Securing Session Management 02 hours
Weaknesses in Session Token Generation, Weaknesses in Session Token Handling, Securing Session Management, Generate strong Tokens, log, monitor and alert.

14. Securing Access Controls 02 hours
Common vulnerabilities, Attacking Access Controls, Securing Access Controls, A multi-layered Privilege Model.

15. Securing Application Architecture 03 hours
Tiered Architecture, Attacking tiered Architecture, Securing Tiered Architecture, Virtual Hosting, Shared Application Services, Attacking shared Environments, Securing Shared Environments, Secure Customer Access, Segregate customer Functionality, Segregate components in a shared Application.

16. Web Server and Web Application Testing with Back Track 03 hours
Introduction, Web Server Testing, CGI and Default Pages Testing, Web Application Testing, Core technologies, Open Source Tools, Scanning Tools, Assessment Tools, Exploitation Tools.

17. Securing Web Based Services 05 hours
Web Server Lockdown, Handling Directory and Data Structures, Eliminating Scripting Vulnerabilities, Logging Activity, Stopping Browser Exploits, SSL and HTTP/S, Instant Messaging, Web Based Vulnerabilities, Making Browsers and E-mail clients more secure, FTP Security, Directory Services and LDAP Security, Web Application Assessments, Source Code and Binary Analysis, Application Threat Modeling and Architectural Analysis, Web Services and ActiveX Analysis, Compliance Assessments for Visa CISP, Mastercard SDP, GLBA, SOX, Web Server Security, Operating system specific Security, Permissions and Scripting, .htaccess prevention measures, Cross Site Scripting, Cross Site Request Forgery, User Authentication, Session Management.

References : Detailed References will be provided in the course material to be given to Registered candidates.


IMPORTANT DATES

1. Last date of submission of Registration Form: December 15, 2010
2. Last date for submission of Course Fees (for Regular Candidates): December 31, 2010
3. Commencement Date of Classes: January 03, 2011
4. Date of Commencement of Final Exam: Last Week of June, 2011

Headquarter - DOEACC SOCIETY, Electronics Niketan, 6 CGO Complex, New Delhi 110 003. Website: http://www.doeacc.edu.in

Nodal Center - DOEACC Society, Gorakhpur Centre, M. M. M. Engg. College Campus, Gorakhpur, U.P. - 273 010. Website: http://www.doeaccgkp.edu.in

Other Training Centres
Srinagar Centre: Sidco Electronics Complex, Old Airport Road, Rangreth, Srinagar - 190007
Kolkata Centre: Jadavpur University Campus, Kolkata - 700032
Jammu Centre: New Campus, University of Jammu, Dr. BR Ambedkar Road, Jammu - 180006
Imphal Centre: Akampat, Post Box No. 104, Imphal, Manipur - 795001

CONTACT US: Phone No. - (0551) 2273872, FAX - (0551) 2273873, Email ID - isc@doeaccgkp.edu.in, isc.doeaccgkp@gmail.com
