Advanced cyber-attacks against hardware and software supply chains are growing in frequency and complexity.  Today’s cyber threats use counterfeits, advanced tampering, organizational influence, manipulation of software repositories, attacks against trusted third-party relationships, and other strategies to manipulate legitimate technology products prior to use by the final customer.  To avert these attacks, special attention to detail and security due diligence is needed throughout each phase of the technology supply chain lifecycle. 

CSCM 101 is designed to educate management, cyber security, and IT professionals on the growing risk of hardware and software supply chain attacks.  The course offers technical and programmatic recommendations for threat detection and risk mitigation to improve the integrity of software and hardware products and services.

Hardware supply chain attacks are growing in popularity with advanced cyber threats who seek to manipulate hardware components and products prior to receipt and use by the final customer.  By modifying hardware and introducing counterfeit components, cyber threats can insert a backdoor into customer networks and establish a high degree of control over the system that can go undetected without additional due diligence.

CSCRM 102 is designed for cyber security managers and hardware asset managers who are responsible for fulfilling hardware orders and introducing secure hardware into the production environment.  This course explores cyber threat techniques for compromising hardware supply chains, provides guidance for how to reduce the likelihood of hardware manipulation throughout the hardware supply chain lifecycle, and provides practical training on tools and processes used to detect counterfeits and manipulated hardware components.  

Effective Cyber Security Management begins with a solid understanding of hardware and software inventories and the active oversight and management of hardware and software integrity and provenance.  Unless an organization knows what hardware and software is present within its environment, and that the hardware and software can be validated genuine and not altered by a given cyber threat, the cyber security program will be ineffective toward reducing risk exposure.

CSCRM 103 is designed to provide asset managers, security managers, and other IT staff with instruction for how to discover and maintain accurate hardware and software inventories, how to validate inventories as genuine and unaltered, how to track and trace critical system components throughout the supply chain, and how to evaluate the internal composition and origin of system components. 

Effective cybersecurity is much more than a just a technical challenge and should never be done in a technical vacuum without senior leadership involvement.  Behind the scenes, businesses have financial and operational objectives that must be met for long-term success.  A good cybersecurity program is compliant, cost-effective, and aligns to the organization’s overall business objectives, risk tolerance levels, budget constraints, and other corporate priorities. 

CSRL 101 is designed for both technical and non-technical senior and mid-level organizational leaders who influence decisions associated with cyber risk management.  This course demystifies the complex world of cybersecurity and equips organizational leaders to make informed risk-based decisions, evaluate the cost-benefit of cyber risk controls, and gain confidence in overseeing cybersecurity programs.

Managers who determine and control spending have a very strong influence on the ability to control and manage cyber risk.  Effective cybersecurity is much more than just a technical challenge.  Unless cybersecurity costs are properly analyzed and resources allocated, the organization may experience unacceptable and prolonged risk exposure.  Cybersecurity programs require appropriate levels of funding to recruit and retain a qualified security staff, afford cyber insurance, implement security processes and policies, implement security risk controls, afford security training, and afford the life-cycle management costs of technologies needed to maintain acceptable levels of risk. 

CSRL 102 is designed for resource managers and organizational leaders who are responsible for ensuring sufficient personnel, equipment, funds, and information technology are available to implement the cyber risk management program.  This course provides practical guidance for how to budget for IT spending, how to budget for cybersecurity risk controls, how to offset costs associated with data breaches, how to recruit and maintain a qualified cybersecurity staff, and how to analyze the cost-effectiveness of the cybersecurity program for long term resource planning.

The dynamic field of cyber risk management requires security managers to implement risk management strategies that reduce cyber risk exposure throughout the entire system lifecycle, including system design, development, acquisition, deployment, operation, sustainment, and disposal. 

CSRL 103 is designed for all security and leaders who have a responsibility in protecting company systems and resources from cyber-attacks.  This course provides practical guidance for how to identify and reduce organizational risk exposures associated with cyber vulnerabilities, threats, and impacts.  A multi-tiered risk management approach is also presented to manage cyber risk at enterprise, business, and system levels throughout the organization.

What would you do if your organization fell victim to a ransomware attack?  Do you have a plan?  How would you contain the threat and protect critical data from becoming inaccessible?  Cybercriminals will attack any customer, any business, any industry, and any organization.  Many organizations that have fallen victim to this malicious and costly form of cyber-attack quickly realize that the time for planning for this type of event is before the attack, not afterwards.

CSRL 104 is designed for all IT staff and management who are responsible for protecting the organization’s assets, operations, data, and reputation.  This course will analyze the Ransomware cyber kill chain and tactics used by cyber threats, provide mitigation strategies for how to reduce the significance and duration of risk, and provide a planning framework for how to protect, detect, respond, and recover from Ransomware attacks.  Practical exercises will be used to develop a Ransomware Survival Plan as part of the course.

The best security is “baked in, not bolted on”.  When proper security engineering principles are used during system design, the likelihood of cyber risk exposure is significantly reduced since due diligence is applied to understand and mitigate likely threat courses of action.

CENG 101 is designed for software, system and other engineers who are responsible for implementing security and privacy engineering principles within new systems under development as well as older systems in need of upgrades.   The course explores comprehensive threat modeling, use cases, threat agents, attack vectors and patters, design patterns, and compensating controls needed to mitigate risk.

Cyber resilience is an effective and alternative approach toward achieving cybersecurity objectives.  With cyber resilience planning, the organization assumes the failure of all “protection” related controls and seeks to engineer systems to anticipate, withstand, recover, and adapt to adverse conditions, attacks, or compromises. 

CENG 102 is designed for software, system and other engineers who are responsible for implementing disaster recovery and business continuity controls to ensure the organization can meet high availability requirements to avert service interruptions resulting from a cyber-attack. 

The concept of “Zero Trust” security is growing in popularity and moves defenses from static and networked based to focus on end users, assets, and resources.  Within a Zero Trust Architecture (ZTA), the network segment is a secondary component to the actual security posture of the resource itself.  All data sources and computing services are considered resources and access controls to such resources are strictly enforced, granted on a per-session basis, and are based upon the concept of least privilege instead of automatically available due to network access. 

CENG 103 is designed for security engineers, privacy engineers, and managers responsible for Identity, Credential, and Access Management (ICAM).  This course will explore the tenets of zero trust, how to incorporate zero trust tenets within an existing network, how to engineer logical components within a ZTA, how to use micro-segmentation and software defined parameters to achieve security, and how to mitigate threats that have the potential to subvert ZTA processes.