Consulting & Training - Nethemba

Security Services

Consulting & Training

01

Consulting & Training – we offer the following courses:

Basics of encryption technologies and their implementation

TRAINING DESCRIPTION

The “Basics of encryption technologies and their implementation” course is suitable for the technical staff of a company. The main goal is to become familiar with the basic understanding for the proper deployment of technologies utilizing cryptography. In the world of digital communications and the need for privacy, it is necessary to have available experts controlling interactions and context. By using incorrect method, security will be weakened – It allows for reading or modification of transmitted data and could reduce the speed. This would cause infrastructure investments to be squandered. It is necessary to realize that your data or your customers’ data are transmitted over a public space, so the only real protection is suitably selected cryptography. This course also provides appropriate training for engineers and the requirements imposed by law for cyber-security.

Training language: English or Czech
Suitable for: technical staff of a company
Time range: 1-2 days

MAIN TOPICS

* Basic terminology
* Relationship between open text, encrypted text, hashes, compressed text, used combinations and random text, mistakes in implementation and leakage in previous categories
* Random number generators, symmetric and asymmetric algorithms, hash function, use and errors in implementation
* Main standards and their importance
* Implementation of cryptography (ASIC, FPGA, specialized chipsets…), throughput and normalization
* Cryptography in SSL/TLS – server/client, browser and platform support
* Results for testing SSL/TLS
* Analysis of different VPN technologies
* Hardening – examples, performance, recommendation
* Technology in real life

Digital Privacy Protection, Security Basics for Managers and Company Owners

TRAINING DESCRIPTION

Digital privacy protection course is suitable for all managers and company
owners who care about digital privacy and do not want to rely on easily
exploitable communication, e.g. unencrypted email communication or vulnerable
GSM calls.

Course participants learn how they can easily protect their private or
business sensitive informations against third parties using strong
encryption of their devices (PC, smartphones, tablets) and their communication
(encrypted emails, instant messaging, voice).

The inevitable part of this training is also a practical demonstration
how to deploy all mentioned privacy technologies and start to use them
immediately.

MAIN TOPICS

Hardening of operating system (Windows / Linux)
* full disk encryption
* security updates
* firewall, antivirus, antispam configuration

Data encryption
* filesystem / file encryption, using hidden volumes
* how to delete files / format disk in secure way

Hardening of mobile platforms (iOS / Android )
* full disk encryption
* installation of privacy-aware and verified applications
* security updates
* firewall, antivirus configuration

Communication encryption
* email encryption using PGP a S/MIME
* instant communication encryption using Jabber / OTR
* voice encryption using SRTP/ZRTP a SIP/TLS
* encryption of all traffic using VPN

Secure and privacy-aware browsing
* using various security plugins (https everywhere, adblocks etc)
* validation and interpretation of HTTPS signatures
* alternatives search engine to Google
* privacy protection on social networks

Secure privacy-aware webmails
* using secure privacy aware email servers

Anonymization techniques
* anonymous access to Internet using Tor and I2P
* pseudo-anonymous payments using cryptocurrencies (like Bitcoin or Litecoin)

1-day MobileAppSec Training

This training is primarily targeted at security of iOS and Android applications and web services.

Main Topics
* introduction to iOS and Android platforms, platform security model
* anatomy of applications
* setting up a test environment, jailbreak, root, emulator
* tools and applications
* decompilation, class-dump, sensitive information in the source code and application archive
* file system, data storage, used file types, SQLite
* Keychain – problems, data dumping
* runtime analysis and modifying of iOS applications using cycript
* detection of jailbreak and root and evasion techniques
* runtime analysis using tools such as Snoop-it, Introspy, iNalyzer, DroidBox, Drozer
* analysis of network traffic, proxy settings, certificate pinning
* web services, architecture and data formats (REST, SOAP, XML, JSON)
* vulnerabilities specific for a web services (parser attacks, replay attacks, injection attacks)
* problems with cryptography
* problems with URI schemas
* using GDB
* demo: Damm Vulnerable iOS Application, GoatDroid

1-day Network Security Training (IPS, Firewalls, Honeypots)

Firewall and ISP is now standard equipment for perimeter of network infrastructure protection. The goal of the course is describe the types of firewalls and their use, IDS / IPS technology of used systems, methods of detection and their options. Furthermore a variety of ways of circumventing and tunneling, such as fragmentation attack, tear drop, SSL encryption, IPv6, Teredo IPv6, TCP cheksum forgery, but also obfuscation and also skype and DNS tunnel are discussed. Another related issue is IPsec VPN, IKE phase and use of weaknesses of aggressive VPN mode negotiation to obtain the encrypted key. In the chapter on honeypots their role in detecting intrusion attempts is mentioned. Possible measures are outlined at the end.

1-day “Wifi” Security Training

The course describes the most widely used wireless technology, a description of all the common mistakes and attacks, as well as practical demonstrations of the most used applications and recommendations ensuring wireless networks.
The training consists of two parts – the first is theoretical, the other is mostly practical, which includes the description of attacks and practical demonstrations.
The course covers most of the known vulnerabilities and attacks they describe.

TRAINING DESCRIPTION

Wireless connectivity and communications are an integral part of communication. Wireless networks are becoming a challenge for hackers who use bugs and vulnerabilities to gain access to the wireless network infrastructure. Wireless Hacking helps IT professionals to test, develop and implement a secure network to understand the current security vulnerabilities and understand the planning and execution of attacks by hackers in their favor. This course will help participants understand how to improve the security of WLAN referencing attack methodology and also to understand the importance of penetration testing as a first defense. The course focuses on the description of the standard and its essential elements and in terms of safety, security vulnerabilities 802.11 description, methods of abuse and hardware and tools to be used in Windows and Linux environments. The fly in the post options are passed to the VPN option attack, attack option for the management of AP itself and the possibility of tunneling. Finally, the possibility of detection, recommendations and countermeasures are discussed.

MAIN TOPICS

802.11 a / b / g / n – Description of specific layers, physical, line, the task description frameworks. The overlap of other technologies.

SSID – Its purpose, parameters, options in the security.

Authentication and its species. Open network authentication architecture, PSK, 802.1X authentication (Cisco LEAP, PEAP, EAP-TLS, EAP-FAST) and 802.11i

Encryption – Description of open networks and WEP, WPA, WPA2. Description VPN.

Filtering – MAC filtering, its role and capabilities.

Attacks

Passive attacks – network monitoring, interception and analysis tools for data transfer

Attacks on authentication-attacks on encryption, DoS attacks, false wireless network

Principle MITM fake AP, attack on authentication (LEAP), Assault (WEP IV and PTW), WPA (2), WPS, Tools for breaking ciphers

Testing security management used AP

Tunneling Connection

PRACTICAL PART

This section will cover all known attacks and a practical demonstration of the use of vulnerabilities will be made.

Aircrack http://www.aircrack-ng.org/

Kismet http://www.kismetwireless.net/

Cain http://www.oxid.it/

coWPAtty http://wirelessdefence.org/Contents/coWPAttyMain.htm

BurpSuite http://portswigger.net/burp/

EWSA http://www.elcomsoft.com/ewsa.html

OCLHASHCAT http://hashcat.net/oclhashcat-plus/

Penetration testing course using Metasploit Framework

Very unique penetration testing course that demonstrates advanced features of the Metasploit Framework

Material: Metasploit exploitation

SELinux course

Advanced SELinux training from SELinux basics to advanced administration, SELinux policy creation, practical demonstration on RH EL

Material: SELinux course slides for download

Training time: 2 days

Web Application Vulnerabilities and Attacks

Theoretical presentation of new web application attacks, vulnerabilities in new web application, rules of secure web application programming, securing PHP.

Material: How the Common Real Application Attack Looks Like

New Web Application Attacks

Vulnerabilities in New Web Applications

Securing PHP (in Slovak language)

Training time: 1-3 days

Practical Web Attacks

Practical demonstration of most common web application vulnerabilities.

Material:Practical Web Attacks

Training time: 1 day

Others

In addition to the above trainings, we are able to prepare any training in security technology according to the customer wishes in the following areas:

  • Footprinting
  • Scanning
  • Enumeration
  • System Hacking
  • Trojans and Backdoors
  • Sniffers
  • Denial of Service
  • Social Engineering
  • Session Hijacking
  • Hacking Web Servers
  • Web Application Vulnerabilities
  • Web-based Password Cracking Techniques
  • SQL Injection
  • Hacking Wireless Networks
  • Virus and Worms
  • Linux Hacking
  • Evading IDS, Firewalls, and Honeypots
  • Buffer Overflows
  • Cryptography
  • Penetration Testing