Audit +++ (OPSE Certification)

Trainer Name: Joerg Simon
Title: Audit +++ (OPSE Certification)
Duration: 2 Days
Dates: 4^th - 5^th March 2020

Overview

After the big success of this training at the last nullcon, we took the feedback from our student's and the results from our research achievements to make the training fit even better for current and future challenges.

Nothing of the hypes of today like Industry 4.0 or Internet of Things is really new, but we face it with a new quantity of trusts. Be prepared, because there will always be "next".

When it comes down to Information - Security, have you ever felt the need to stay unbiased and to stay out of the Compliance and Risk business or vice-versa if you are a Compliance - or Risk - Manager do you really understand the technical findings that you get from your testers?

Have you ever wondered if there is a better way to measure security and trusts, other than with threat-models?

Have you ever thought that just "capture the flag" might not be enough as a Security Test Result?

Are your unsatisfied by the security - solution industry?

As a brilliant technical mind, do you want to learn how to report technical findings in a way that management understands?

As a Security Manager, do you want to learn what you should demand from future Security-Tests and how to calculate the benefits from your Security-Projects?

This Training will give you answers and fits for all types of security professionals - the Security Tester as well as the Information Security Officer. Every lesson provides two kinds of exercises you can choose from whether technical or non-technical.

Certification Exam Available

Special offer only for nullcon - ISECOM, the creators and maintainers of the OSSTMM will provide the OPSE certification exam, OSSTMM Professional Security Expert with an discount of more than 40% - Special price of $299 for anyone who takes this training.

Get more details on it at www.isecom.org

Topics covered

Security Test Demands and Standards in the International Enterprise

• State of Security Test Compliance in the Enterprise
• ISO and why it does not work for Security Tests & Research
• Compliance Killer an Intro to alternate, new Methods and Standards
• Exercises to compare methods and to think out of the box

What to expect?

• You will learn what Enterprises use in their organizations, how they implement IT - Security and Compliance - Why and where they fail and where they benefit from Compliance and Standards.
• You learn where you benefit from supporting methods like the OSSTMM, OpenDeem and others to enhance the Security Management Lifecycle in your Enterprise Organizations

Fedora Security Lab (FSL) as a Security Test Platform

• Intro to the platform
• Hand on Exercises
• Fedora Security Test Bench
• Setting up the Platform (hands-on)

What to expect?

• You will learn how to handle FSL as one possible test - platform and to set up the test-environment based on Fedora Security Test Bench.

The Open Source Security Test Methodology Manual (OSSTMM)

• The OSSTMM Testing Steps
• Pre-Test(Sales & Marketing, Pre-Assessment), Contracts & Testplan, Legislation & Ethics, Testing and Limits, Report
• Lessons learned from Exercises 1 and 2
• Security Channels
• Induction - deep dive + exercises
• Inquest - deep dive + exercises
• Interaction - deep dive + exercises
• Intervention - deep dive + exercises exercise along the 4point process
• The Risk Assessment Values
  • OSSTMM Risk Assessment Value vs Thread Modeling
  • Deep Dive + Analysis according to the OSSTMM RAV
• Hacking Trust
• Trust-Analysis and Trust-Verification

Insider - Preview to the OSSTMM 4!

What to expect?

• This teaching get's you started with the international de - facto Standard for Security Tests, the OSSTMM. Learn your way around the most important parts of the OSSTMM and how you can use it to improve your work as a Penetration Tester and how it helps the Security - Manager as a catalyst to keep the Information Security Management going.

What to expect?

• Learn how to identify the maximum justified investment limit and how to quantify the efficiency of your Security - Projects.

Skill and knowledge required

Technical or non - technical Security Professional, does not really matter

• be willing to think out of the box and do some mind - twisting new stuff.

Prepare yourself with
https://www.isecom.org/research.html#content5-9d

If you want to take the exam you might want to focus on:
https://www.isecom.org/opse.pdf

Technical folks might want to visit
https://labs.fedoraproject.org/en/security/

What not to expect?

• Pure technical hands - on training.
• The boring Standard & Guidelines Theory.
• Printed Books and Handouts.

What you will need to bring

a current Laptop which is able to boot FSL from USB - Key Pen and Paper might help as well

About the Trainer

Joerg Simon

Joerg Simon is an active contributor to various Open Source Projects. You can see results of his work as a ISECOM team - member, where he created the OSSTMM - Lab as a platform for teaching security - and within the Fedora-Project, where he works on Security Test Applications like dsniff, unicornscan or others. He maintains the official Fedora-Security - Spin and left his traces as the former FAmSCo Chair and a member of the Fedora Board. He is Director of business division security and audit service at Audius GmbH.