Course Description
Fueled by a growing number of PII data breach laws, Payment Card Industry Data Security Standard (PCI DSS), and alarming frequency of Cyberdata leakage, cryptography is becoming a necessary safeguard in many applications. In the down-to-earth workshop, we will build on the basic cryptography knowledge required for a CISA and expand the playing field to systematically cover the use cryptography as a major CyberSecurity safeguard for a variety of essential modern-day business applications. Highlighted will be a wide array of common CyberSecurity applications of encryption and key audit points covering “data at rest” as well as “data in motion” traveling over the Internet and other untrusted network connections. We focus only on the practical, operational aspects of cryptography for CyberSecurity, NOT on the related complex mathematics and formulas. Numerous diagrams, information worksheets, references, and checklists will be provide to equip auditors with the necessary tools and know-how to effectively assess the prudent and secure use of the often mystifying area of cryptography
Learning Objectives
- Understanding the operation and use of cryptographic algorithms: symmetric, asymmetric, message digest/hashing, message authentication codes
- Identifying important security services provided by cryptography: data confidentiality, digital signatures, secure key exchange, authentication, data integrity
- Identifying key control points and associated safeguards for Public Key Infrastructure (PKI)
- Learning how to audit practical applications of cryptography
Course Outline
Demystifying Cryptography
- Identifying applications and risks requiring the use of cryptography
- Identifying important security services provided by cryptography: data confidentiality, digital signatures, secure key exchange, authentication, data integrity
- Operating characteristics, applications, and trade-offs associated with the major cryptographic algorithm families:
- Symmetric (shared key)
- Asymmetric (public key/private key)
- Hashing (message digest)
- Message authentication codes (MACs)
Public Key Infrastructure (PKI)
- Digital certificates and Certificate Authorities (CA)
- Public key infrastructure (PKI) workflow and control points: Registration Authority, (RA), Root Certificate Authority, Intermediate Certificate Authority, Validation Authority
- Auditing key management, key escrow, key recovery, and PKI controls
Auditing Practical Applications of Cryptography
- Assessing the use of cryptography for workstation security
- Auditing the use and implementation of encryption in TLS/SSL applications
- Auditing IPSec and SSL VPNs
- Analyzing secure e-mail systems
Additional Information
Who Should Attend
- IT Auditors
- Information Security Managers, Architects, and Analysts
- IT Management and Architects
- System Administrators/Software Engineers
- Network Administrators/Engineers
- Consultants
Learning Level
Intermediate
Delivery
Group Live or Group Internet-Based
Field
Auditing
Recommended Prerequisites
Planning and Conducting IT General Control Reviews (AA03) or equivalent training. A basic understanding of IT audit controls and terminology is assumed.
Session Duration
On Site: 1 day
CPE Credits: 8