Introduction to HISF

Dates coming soon

Duration: ½ day

Delivery: Live Online Course, Instructor led with supervised activities

Introduction

Cyber and information security is increasingly important for all organisations. Health organisations are prime targets for cyber attacks as they hold important, valuable personal information. Cyber Toa’s Introduction to the Health Information Security Framework (HISF) covers important information security standards set out by the Health Information Security Organisation (HISO), specifically HISO10029:2015 Health Information Security Framework. The course explains the areas that HISF covers, shows how to understand the structure of HISF requirements, and explains some of the baseline procedures that can be easily implemented in order to bring your organization up to standard. We also discuss recent news stories from New Zealand and worldwide throughout the course as learning examples.

With a range of interactive scenarios, case studies, videos and activities using real life tools and solutions, this course will teach learners about making informed cybersecurity decisions for any NZ health organization.

Course Content

Module 1: What is HISF?

  • Who has to comply with HISF, and at what levels?
  • What areas does HISF cover?
  • Why does my organisation need to comply and what are the risks of non-compliance?

Module 2: Understanding HISF Requirements

  • How is HISF laid out?
  • Understanding specific HISF requirements
  • Other standards related to HISF (including privacy standards)
  • Who is responsible for meeting these requirements?

Module 3: Quick Tips for HISF Compliance

  • Understanding of some ‘baseline’ requirements
  • Some quick wins across multiple standards
  • Navigating the balance between compliance and security

Target Audience and Course Prerequisites

Cyber Toa’s Intro to HISF is aimed at management, administrators, technical staff or anyone who has responsibility for security or IT within New Zealand health organisations. It is helpful to understand the HISF level that the organisation you are involved in sits at (baseline, intermediate or advanced), however this is not required.

Specifically, it is recommended that you have the following skills and knowledge before starting this course:

  • Have experience with organization-specific IT infrastructure and practices

Course Outcomes

This course will explain the fundamentals of the Health Information Security Framework requirements, why it is important and which sections are most relevant for your organisation. Specifically, this course focuses on the ‘baseline’ requirements that all health organisations are required to comply with.

On course completion, you will be able to:

  • Determine what requirements are relevant to your organization
  • Understand who is responsible for requirements
  • Understand how HISF fits in with other security documentation such as the NZISM and the NZ Privacy Act and other standards such as ISO27001 and NIST CSF.
  • Evaluate if there are other requirements which your organization could or should implement.

Hands-On Web Application Testing

Course Description

Cyber security affects everyone in an organization. Cyber Toa’s Hands-On Web Application Testing course is intended for those wishing to learn the fundamentals of testing websites, APIs and web-apps against commonly-exploited vulnerabilities, following OWASP methodology. The course uses a range of interactive scenarios, case studies, videos and activities based on real life situations so students can reflect on their own behaviour and make informed security choices.

Next Scheduled Date: 6th October 9am-5pm (Proudly presented through ITP)

Duration: 1 day

Delivery: Live Online Course, Instructor led, Supervised Activities, and Practical labs

Target audience and course prerequisites

The Cyber Toa Hands-On Web Application Testing course is aimed at IT professionals with (or seeking) job roles such as IT security analysts, software developers, software testers, application managers or web developers.

Specifically, it is recommended that you have the following skills and knowledge before starting this course:

  • Know basic network terminology and functions (such as OSI Model, Topology etc).
  • Know the fundamentals of modern web technologies (such as HTML5, CSS, SQL etc).
  • Understand the basics of server-client interactions.

Course Outcomes

This course will teach you the fundamental principles of assessing web systems for commonly-exploited vulnerabilities. The course explains, in detail, the most common web vulnerabilities as reported in the 2017 OWASP (Open Web Application Security Project) Top 10 vulnerabilities report. It also covers a variety of manual and automated web vulnerability testing tools – such as ZAP (Zed Attack Proxy) and Arachni. Study of the course can also help to build the prerequisites to study more advanced IT security courses.

On course completion, you will be able to:

  • Explain the top 10 most common web exploits and evaluate the risk they present to your application and organization.
  • Use ZAP, Arachni and other testing tools to assess the security of an existing web.
  • Use the OWASP Application Security Verification Standard (ASVSv3) and the Security Knowledge Framework (SKF) to manually assess the security of a web application.
  • Create a prioritized list of remediation recommendations based on the results of a web vulnerability assessment.
  • Use the WebGoat learning resource to understand an application with known vulnerabilities.
  • Understand the comparative risk to business that web vulnerabilities pose as compared to other common cybersecurity risks.

Course Materials

The course consists of a study volume, containing indexed notes and review questions, a series of supervised practical lab exercises and a comprehensive glossary.

Pathway to Zero Trust with ESDN

Course Description

Internationally, many organisations are attempting to future-proof their IT infrastructure by embracing non-traditional network and organizational structures such as Zero Trust Networks. Unfortunately, many Zero-Trust approaches require organizations to migrate their entire organization at once, creating significant business disruption and incurring significant costs. As a result, many organizations delay or even decide to stick with their existing flat network structures.

Cyber Toa’s ‘Pathway to Zero Trust’ course introduces what Zero-Trust networks are and how they aid in securing an organization whilst still enabling IT flexibility. We discuss some problematic Zero Trust solutions (such as BeyondCorp), and then present an alternative: Enterprise Software Defined Networks (ESDN). The course focuses on how ESDN on even a small section of an enterprise network can be used to comply with more than half of the NZCERT Critical Controls, for a fraction of the cost of replacing a traditional firewall appliance. We also discuss how ESDN can be used to administer complex networks easily, allowing for both an internal and an external security operations centre (SOC), whilst providing real-time information on all traffic and devices on the SDN network. The ESDN solution we present (Faucet, Poseidon and OpenFlow) is highly scalable and extensible, and allows for the adoption of various Zero Trust policies incrementally.

This course includes a range of interactive scenarios, case studies, videos and activities using real life examples so learners can obtain experience with the principles and technologies that are taught.

Scheduled Dates: 19th October 1-5pm

Duration: ½ day

Delivery: Live Online Course, Instructor led, and Supervised Activities

Course Content

Module 1: Zero Trust

  • Zero Trust Networks
    • What are Zero Trust networks
    • How do organisations achieve and administer Zero Trust?
    • What is Software Defined Networking?
    • What are the NZCERT Critical Controls?

Module 2: ESDN

  • ESDN
    • OpenFlow, Faucet and Switches
    • Network structures
    • Network monitoring and visibility
    • Poseidon
    • ESDN for BYOD/IOT management

Module 3: Using ESDN for Zero Trust

  • ESDN for Security
    • Deny by Default
    • Data Loss Prevention
    • Network Segregation
    • Layer 2 security features
    • Network visibility
    • NZISM compliance with ESDN

Target audience and course prerequisites

The Cyber Toa ‘Pathway to Zero Trust with ESDN’ course is aimed at professionals from organizations with existing technical teams. Previous networking and IT knowledge is useful for this course, however this course is also suitable for a non-technical audience.

Specifically, it is helpful if you have the following knowledge and experience before starting this course:

  • Are familiar with the basics of networking and client-server interactions.
  • Are familiar with one or all of Docker, GitHub, Python and Linux.

Course Outcomes

This course will teach you the fundamentals of using an enterprise software defined networking solution. Specifically, the course discusses several use cases of ESDN, the most obvious being protecting a legacy or high-value asset. It focuses on ‘core’ technologies necessary for an ESDN or Zero Trust network including: monitoring, visualization, logging, authorization and authentication. Study of the course can also help to build the prerequisites to study other cybersecurity courses, including the “Security Operations Centre on a Budget” course and the Cyber Toa Defensive Network Security Fundamentals course for students wishing to pursue more technical cybersecurity careers.

On course completion, you will be able to:

  • Discuss various different approaches to migrating networks to Zero Trust
  • Understand what is necessary to use ESDN in an organisation
  • Understand the security and compliance implications of using ESDN
  • Understand what realistic expectations are for information generated from a network that you own, control or administer.

Course Materials

The course consists of a study volume, containing indexed notes and review questions, a series of supervised practical lab exercises and a comprehensive glossary.