|About | Courses | Seminars | Self-study tools | Related sites | Contact us|
- June 18 - June 22, 2012
(FRB Chicago) Apply Now >>>
Information Systems Vulnerability ManagementS.T.R.E.A.M/Technology Lab Courses - The Federal Reserve Bank of Chicago
Type of Participant Targeted
The Information Systems Vulnerability Management course is a one-week course intended for examiners with IT examination responsibilities but who may not have had university training in information technology. At least one year of field examination experience is preferred.
This course provides participants with a technical grounding in networking concepts and technologies that are critical to IT operations in financial institutions, including TCP/IP networking protocols and common network infrastructures and configurations. The course examines key network perimeter security tools, including firewalls and intrusion detection systems.
After completing the course, the participant, at a minimum, will be able to
- Recognize where and how vulnerability management fits in with the bank's overall information security program and IT operations
- Identify the role a vulnerability management program has in safeguarding information and assets
- Assess the adequacy of a patch management, vulnerability scanning and assessment, and penetration testing tools and their limitations
- Evaluate the adequacy of an organization's testing program
- Recognize key elements of an incident response program
- Discuss key technology terms related to information systems vulnerability management
- Assess the key risks, controls and processes in a supervisory context, including regulatory compliance issues
- Identify what the financial institution must do to respond to new threats
Participants will learn the essential components of a sound vulnerability management program. The bank must position vulnerability management as an integral part of the enterprise-wide information security program, network engineering and IT operations. Other key elements include asset inventory, risk assessment, monitoring for vulnerabilities, patch management, vulnerability testing, security intelligence, incident response, forensics, and the relationship of vulnerability management to regulatory compliance.
|Topic/Activity||Approximate Class Hours|
|General Information Security concepts||1.00|
|SQL Injection-Case Study||3.00|
|Network mapping and vulnerability scanning-Exercise||1.00|
|Sources of Security Intelligence (review of CVE and Bugtraq)||0.50|
|Assessing the Patch Status of the Bank-Case Study||1.00|
|Patch Management Operations-Demonstration||1.00|
|Testing-Validating the Effectiveness of Patch Management||1.00|
|Inventory and Asset Identification-Demonstration||0.50|
|Update on the Latest Threat Vectors (e.g. ZeuS)||0.50|
|Penetration Testing Vulnerability Assessment-Case Study||1.50|
|Penetration Testing Vulnerability Assessment-Demonstration||0.50|
|Monitoring of Network Traffic and Password Capture-Exercise||1.00|
|Other Monitoring and Enumeration Tools-Exercise||1.00|
|When Banks Must Notify Customers-Case Study||1.00|
|Incident Response Resources and Regulatory Guidance||2.00|
|Security Information and Event Management-Demonstration||2.00|
|Responding to New Threats-Capstone Exercise||1.00|
Examiners should be able to articulate the key elements associated with operating and managing a vulnerability management program. This starts with having an accurate inventory of all assets (servers and applications) that communicate over the network. Accuracy in this case means that consideration should be given to potential risks for each system (internal and external) and that all systems should be inventoried. It includes having an accurate risk assessment and relies on configuration management. Configuration management is critical as this requires operational discipline regardless of institution size. Finally, the financial institution must be able to articulate a risk-mitigation strategy; this should be reviewed to ensure that new applications and/or systems are treated from a holistic perspective, and that controls for all systems are re-evaluated for effectiveness periodically.
Accomplishments By Module
|General Information Security Concepts||
|SQL Injection-Case Study||
|Penetration Testing and Vulnerability Assessment (Case Study and Demonstration)||
The optimum class size is approximately 25 participants. To provide sufficient variety of interaction among class participants, the minimum class size is 10 participants.
Information Systems Vulnerability Management courses include one or more instructor(s) from the FRS and may also include instructors from an external agency.