School of Information Security. Yandex experience and practice


    Security is not only about theory, but also about practice. That is why we opened the School of Information Security, which will be devoted primarily to practical issues based on the experience of Yandex. Today we will tell Habr readers what exactly we will teach at the School.

    Imagine the system administrator of a small IT company, such as a regional provider. This is a person who is used to doing a lot by hand and solving any problem, and who is even responsible for the information security of the company. Or a developer who is responsible for the security of their own code. Or someone at a research institute who has to look after a local network and close the holes in it. Or just an undergraduate student, or even a graduate, who is interested in information security. All of them have security theory from a university or books behind them, and all of them can learn independently, but they sorely lack systematized knowledge and practice in the field of information security. Practice that later gives self-confidence.

    Practical cases are exactly what we are going to show and analyze at the new Yandex school. We will show in practice how we do security at Yandex, what tasks life throws at us and how we solve them.

    The program and other details are below the cut. There you will also find a link to the test tasks of the entrance selection, which can be solved just for fun.

    What will it be?

    In April, the Yandex School of Information Security will open its doors in Moscow. To enter, you need to complete any 5 out of 10 test tasks here. We will check the solutions and choose the best. Of course, the more tasks you complete and the more fully you describe the solutions, the greater your chance of getting into the course. The application deadline is February 28.

    To enter the School you need to know at least one programming language (JS, Python, C++, Java), understand at a basic level how web applications are built and how they work, understand the principles of operation of operating systems and network infrastructure, and know the main types of attacks and vulnerabilities.

    The course covers only applied security, the kind we ourselves practice every day. The program is designed for those who already work in IT or information security, for senior students, and for those who graduated from university with an IT specialty but feel that they want to develop further towards information security.

    Three times a week there are face-to-face lectures with homework. For example, a lecture on forensics (investigation of an attack) and, as homework, log dumps and disk images from which you need to figure out exactly what happened. And so on for all topics of the program, from web vulnerabilities to network security. Tuition is free, as in other Yandex schools. For out-of-town participants from the regions of Russia and the CIS countries, travel and accommodation are paid for.

    The program is designed for one month and will be held in the evenings on weekdays from April 2 to April 27, 2018. At the end of the school there will be a final project. The best students will be offered the opportunity to complete an internship in our information security department and, possibly, to join our security team. Classes are held in the Moscow office of Yandex.

    Program

    Network Security

    We will cover attacks on data link, network and application layer protocols, as well as DDoS attacks. Let's talk about packet filters, VPN and IPSec, as well as intrusion detection systems (IDS).

    Web application security

    Let's talk about how the modern web is structured: microservice architecture, technological and architectural vulnerabilities, and how to prevent them. We will analyze vulnerabilities on the client side. Let's talk about exploitation methods.

    Cryptography

    Let's talk about PKI and its shortcomings, about the different versions of TLS, attacks on them and protocol acceleration methods. Let's discuss blockchain and its application in PKI, in Certificate Transparency technology. We will also talk about dependence on accurate time and discuss approaches to solving this problem.

    Mobile Security

    Let's talk about typical vulnerabilities of mobile applications and how to prevent them on iOS and Android.

    OS security

    Let's talk about the classic UNIX security model and the POSIX ACL extensions, and about the syslog and journald logging systems. We will discuss mandatory access control models (SELinux, AppArmor), how netfilter and iptables work, as well as procfs, sysctl and OS hardening. Let's talk about the layout of the stack frame, the vulnerabilities associated with buffer overflows on the stack, and the protection mechanisms against such attacks: ASLR, NX-Bit, DEP.

    Virtualization and Containerization

    To increase the efficiency of servers, we use containers at Yandex. In this security lecture, we will look at the core technologies that provide virtualization and containerization. We will focus on containerization as the most popular way to deploy applications. Let's talk about capabilities, namespaces, cgroups and other technologies, and see how they work in modern Linux systems, using Ubuntu as an example.

    Security of binary applications

    Let's talk about the security of compiled applications. In particular, we will consider vulnerabilities associated with memory corruption (out-of-bounds access, use-after-free, type confusion), as well as the compensating technical measures that are used in modern compilers to reduce the likelihood of their exploitation.

    Incident investigation

    Let's talk about approaches to detecting and investigating incidents and the main problems that we have to face. We will also look at some tools that help investigate incidents and try them out in practice.

    In short: you may have heard all this theory at university (or read something on these topics), and we are going to show how it works in practice.

    Homework will take about another 6-7 hours a week. We will give small tasks on weekdays and harder, longer ones for the weekend. Cases are waiting for you, and by analyzing them you will find yourself in conditions close to real ones. And, most importantly, you will get the opportunity to ask the people on our team all the questions that came up while solving them.

    Where to click?
    - Here is a short video about security (a couple of lectures from the course on infrastructure).
    - Here are the introductory assignments. Please note: they require knowledge of different technologies, so it is enough to solve 5 out of 10.
    - The site of the School of Information Security with a more detailed program.
