
Security is a matter not only of theory but also of practice. That is why we have opened the School of Information Security, which will focus primarily on practical issues drawn from Yandex's experience. Today we will tell Habr readers what exactly will be taught at the School.
Imagine a system administrator at a small IT company, such as a regional provider. This is a person who is used to doing a lot by hand, solves any problem that comes up and is even responsible for the company's information security. Or a developer who is responsible for the security of his own code. Or someone at a research institute who has to monitor the local network and close the holes in it. Or simply an undergraduate, or even a graduate, interested in information security. All of them have security theory from university or books behind them and all of them know how to learn on their own, but they lack systematized knowledge and practice in information security: the kind of practice that later gives confidence in one's abilities.
It is exactly such practical cases that we are going to show and analyze at Yandex's new school. We will show in practice how we do security at Yandex, what tasks life throws at us and how we solve them.
The program and other details are under the cut. There you will also find a link to the entrance test tasks, which can also be solved just for fun.
What will it be?
As early as April, the Yandex School of Information Security will open its doors in Moscow. To get in, you need to complete any 5 of the 10 test tasks here. We will check the solutions and choose the best. Of course, the more tasks you complete and the more fully you describe your solutions, the greater your chance of getting onto the course. The call for applications closes on February 28.
To enter the School, you need to know at least one programming language (JS, Python, C++, Java), understand at a basic level how web applications are built and run and how operating systems and network infrastructure work, and know the main types of attacks and vulnerabilities.
The course contains only applied security, the kind we ourselves use every day. The program is designed for those who already work in IT or information security, for senior students and for university graduates with an IT degree who feel they want to develop further in information security.
Three times a week there are full-time lectures with homework. For example, a lecture on forensics (attack investigation) comes with log dumps and disk images as homework, from which you need to figure out exactly what happened. The same goes for all topics of the program, from web vulnerabilities to network security. Education is free, as in other Yandex schools. For out-of-town participants from the regions of Russia and the CIS countries, travel and accommodation are paid for.
The program runs for one month and will be held on weekday evenings from April 2 to April 27, 2018. A final project awaits you at the end of the School. The best students will be offered an internship in our information security department and, possibly, a place on our security team. Classes are held at Yandex's Moscow office.
Program

Network security
Attacks on link-layer, network-layer and application-layer protocols, and DDoS attacks. We will talk about packet filters, VPN and IPSec, as well as intrusion detection systems (IDS).

Web application security
We will explain how the modern web is built: microservice architecture, technological and architectural vulnerabilities, and how to prevent them. We will analyze client-side vulnerabilities and talk about exploitation methods.

Cryptography
We will cover PKI and its shortcomings, the different versions of TLS, attacks on them and ways of speeding up the protocol. We will discuss blockchain and its use in PKI, in Certificate Transparency technology. We will also talk about dependence on accurate time and discuss approaches to solving this problem.

Mobile application security
We will talk about typical vulnerabilities in mobile applications and how to prevent them on iOS and Android.

OS security
We will cover the classic UNIX security model and the POSIX ACL extensions, and the syslog and journald logging systems. We will discuss mandatory access control models (SELinux, AppArmor), how netfilter and iptables work, as well as procfs, sysctl and OS hardening. We will talk about the layout of the stack frame, the vulnerabilities associated with buffer overflows on the stack, and the mechanisms that protect against such attacks: ASLR, NX-Bit, DEP.

Virtualization and containerization
To increase server efficiency, we use containers at Yandex. In this lecture on security, we will look at the main technologies that provide virtualization and containerization. We will focus on containerization as the most popular way to deploy applications. We will talk about capabilities, namespaces, cgroups and other technologies, and see how they work in modern Linux systems, using Ubuntu as the example.

Binary security
We will talk about the security of compiled applications. In particular, we will consider vulnerabilities associated with memory corruption (out-of-bounds access, use after free, type confusion), as well as the compensating technical measures that modern compilers use to reduce the likelihood of their exploitation.

Incident investigation
We will talk about approaches to detecting and investigating incidents and the main problems encountered. We will also look at some tools that help investigate incidents and try them out in practice.
In short, you may have heard all this theory at university (or read something on the topic), and we are going to show how it works in practice.
Homework will take about another 6-7 hours a week. We will give small tasks on weekdays and heavier, longer ones for the weekend. Cases await you that will put you in conditions close to real ones. And, most importantly, you will be able to ask the people on our team all the questions that come up as you work out your solutions.
Where to click?
- Here is a short video about security (a couple of lectures from the course on infrastructure).
- Here are the entrance tasks. Note: they test knowledge of different technologies, so it is enough to solve 5 out of 10.
- The website of the School of Information Security, with a more detailed program.