Penetration Testing Lecture 2 (Practice Environment 2 provided)

Voice phishing, URL, mobile, accounts, card usage, internet banking, ARS authentication, and other various financial fraud incidents are causing an increase in victims. Recently, hacking and fraud techniques utilizing various vulnerabilities such as open banking, simple payment (pay), strengthened fraud methods, hackers utilizing leaked personal information, and taking control of personal PCs and mobile devices are being reinforced. Financial authorities and various financial companies do not specifically disclose accident procedures and hacking methods related to financial consumers, which has led to growing misunderstandings among people who have never experienced hacking. We have recognized the seriousness of this issue through reports from our surroundings and have produced educational materials. Please, we hope you will recognize accurate hacking methods, and also understand related laws and policies to appropriately establish preventive systems and strengthen response measures in advance. (In case of incidents, it is your own responsibility under current law.)

- Strengthening understanding of inspections based on Privacy Impact Assessment checklist items - Finding and improving errors in personal information flow charts - Identifying and improving personal information breach factors - Understanding Privacy Impact Assessments and finding errors - Understanding Personal Information Protection Act and finding errors

- Public and private sector top-tier information security and personal information protection management system certification audit training in Korea - Preparation for ISMS-P certification strengthening due to comprehensive information security measures establishment - Management system GAP assessment and improvement plan development training - Individual training for ISMS-P initial audit, follow-up audit, and renewal audit - Professional information security training for acquiring excellent information security level enterprise certification

- Specialized training in preparation for Financial Security Institute ISMS-P certification audits - Identifying information security workflows and establishing improvement plans for fintech and electronic financial companies - ISMS-P certification application process following vulnerability analysis and evaluation of electronic financial infrastructure in accordance with the Electronic Financial Supervisory Regulations - Improving incident response and data breach response manuals for financial institutions - Know-how on creating personal information flowcharts and establishing personal credit information management systems, as well as submitting operational performance reports in accordance with the Credit Information Act

The recent Coupang personal information leak has been recorded as the largest personal information breach in domestic history, marking a case where the personal information of all South Korean citizens was leaked. However, the issue of ISMS-P's effectiveness was concluded with meaningless improvement measures such as penetration testing and certification revocation, and as of December 11, 2025, Coupang and others that were subject to the Personal Information Processing Policy Evaluation System conducted by the Personal Information Protection Commission in 2024 continue to operate incorrectly in more than 10 areas of the evaluation system's standards. The reason is clearly the human factor of Coupang's personal information team, who are the best personal information experts domestically and internationally, and ISMS-P auditors, who hold the best personal information expert qualifications domestically and internationally. All of these personal information leaks, including this incident and those at G-Market, Netmarble, SKT, KT, LG U+, etc., could have been prevented with even basic common sense knowledge of the Personal Information Protection Act. However, the reality is that accidents continue to occur due to human factors, insufficient preliminary inspections, and differences in legal interpretation, resulting in customers' personal information not being protected or appropriate protective measures not being established and operated. Through this course, you can develop the ability to transparently and objectively evaluate personal information through proper personal information inspection methods and professional training to eliminate blind spots, with the hope that personal information protection for customers will be achieved.

As personal information breach incidents expand, customer anxiety grows. During this time, companies have been operating management systems that cannot properly identify personal information and implement safety measures through ISMS-P/ISO27701-based business system operations (lawyers, etc.) and penetration testing (RED TEAM composition, e.g., Coupang) consisting of domestic and international hacking competition winners. Even companies that haven't experienced incidents yet are in a situation where breaches could occur at any time. -The reason is that personal information managers themselves create unmanaged blind spots, such as insufficient methods for obtaining customer consent and inadequate identification of personal information processing status. ->Therefore, there is a need to improve work processes by sharing fines/penalties for domestic companies' consent forms and processing policies (as of December 8, 2025) to transparently disclose to customers the expertise of personal information managers and proper personal information protection safety measures.

Most large corporations and financial institutions are conducting penetration testing in addition to simulated hacking, so recently there is a need to establish new positions and secure capabilities to perform penetration operations using the RED TEAM terminology as is. Therefore, in addition to simple WEB and APP simulated hacking, we are opening an educational course that can provide practical training on large-scale personal information leakage after discovering scenarios that can penetrate servers. +Providing server and website environments where penetration testing can be performed +Sharing hacking tools and hacking methods

This is a project where you install an actual app on your phone and practice penetration testing using hacking tools in accordance with the Electronic Financial Infrastructure Inspection Standards and Public Service Inspection Standards for mobile apps. This course helps you understand mobile app penetration testing, overcome any fears, and learn inspection know-how, result report writing, and communication methods.

- Provision of penetration testing environment and assessment tools - WEB penetration testing practice according to the 2025 revised edition of Critical Information and Communications Infrastructure - WEB penetration testing practice according to the 2025 revised edition of Electronic Financial Infrastructure - Review and sharing of vulnerabilities existing on websites - Education on penetration testing report writing methods and improvement measures

- Training on inspection methods aligned with cloud management system checkpoints in the Electronic Financial Infrastructure Vulnerability Analysis and Assessment Standards - Inspection of protective measures required by Electronic Financial Supervisory Regulations tailored to cloud and virtualization environments respectively - Organization of matters that must be included in establishing cloud security regulations and procedures - Securing evidence materials for evaluation and certification-related tasks in cloud environments

-Learn about the information security continuous assessment items conducted annually for financial companies, and strengthen preparation and response capabilities as a financial security officer -Learn based on the highest-grade information security continuous assessment cases, and receive education on know-how to achieve and maintain the highest grade in information security continuous assessment

-Understand best practices for each inspection item in the electronic financial infrastructure management system inspection that targets financial companies reviewed annually, and apply them to derive management system improvement tasks in preparation for appropriate breach incidents and leakage accidents -Present management system establishment cases for financial security personnel that can be established together with management system setup and ISMS-P/ISO27001 certification -Provide excellent materials for security personnel working at companies to utilize management system cases and prepare for electronic financial infrastructure management system inspection freelancers -Specialized education for consultants and R&D personnel in industry, academia, and legal sectors who need additional education on electronic financial infrastructure management systems according to the Financial Transaction Act and Electronic Financial Supervision Regulations

- Based on the 2025 Personal Information Protection Level Assessment Manual standards - Proposing measures for applying best practices from top 1% public institutions in personal information protection - Analysis of deduction factors for each quantitative and qualitative indicator - Presenting application cases of synthetic data (PETs Personal Information Enhancement Technology) to secure scores for new technology (bonus points) indicators - Providing cases of securing safe zones for personal information utilization, manual production, disclosure records, CEO reporting cases, etc.

- Establishment of incident response manual and training plans - Introduction of training cases including penetration testing, DDoS, and APT - Sharing of mid-to-long-term information security strategies (~2027 or ~2030) of leading domestic companies - Introduction of information security activities of leading domestic companies - Education on Risk Management Framework (RMF) and Zero Trust implementation cases for electronic financial companies

- Understanding the establishment and inspection of personal information management systems in accordance with the Personal Information Protection Act - Inspection and status assessment of personal information processing systems - Creation of personal information flow charts and flow diagrams - Identification of personal information breach factors - Publication of personal information impact assessment summaries

- Policy revision for establishing cloud management systems (CSP/MSP contracts and SaaS contracts) - Vulnerability assessment for ISMS-P/ISO27001 certification or major information communication/electronic financial infrastructure response in cloud environments (public/private asset identification and vulnerability remediation) - Security operations and incident response in cloud environments - ISO27017&ISO27018 certification response

Developed to submit annual performance records, including the establishment of information security regulations and the preparation of various activity evidence, by applying domestic and international certification standards for Information Security Management Systems (ISMS) and internal/external audit criteria to the revised Risk Assessment standards for the Management and Physical sectors of Critical Information and Communication Infrastructure in the second half of 2025. The plan is designed to prepare for changes in the external environment (AI, etc.), internal environment (new systems and changes in employees/external staff), and new evaluation indicators and legal amendments. It aims to establish activity plans to advance information security levels compared to the previous year. Specifically, it involves objectively and meticulously inspecting various activities to strengthen accident prevention systems—such as personal information leaks caused by hacking—and establishing plans for the headquarters to supervise all departments and ensure the secure management of contractors. This includes operating DevSecOps systems following the introduction of AI systems and implementing Privacy by Design (PbD) adequacy review frameworks. The execution is based on expanding monitoring and periodic inspection report areas, external disclosure areas, data linkage system inspections (API, MyData, etc.), establishing network separation improvement plans according to N2SF, and advancing Zero Trust implementation. *Possessing over 150 references for establishing and applying the world's first and highest-level information security and personal information protection activities and system enhancement plans.

2025 Electronic Financial Infrastructure (OS Virtualization, Container Virtualization) Inspection Know-how Transfer and 2025 Second Half Revised Major Information and Communication Infrastructure (CA,HV) Inspection Know-how Transfer In particular, providing Risk assessment for core hypervisors (ESXi, Xenserver) with the latest versions Additionally providing Risk assessment for K8S(Kubernetes_master), Docker, etc. Finally, providing vulnerability analysis and assessment results that meet CSAP (Cloud Management System Certification) standards **Providing installation methods for ESXi, Kubernetes master, Docker, Xencenter

Training for establishing risk assessment methods for network equipment, security devices, and control systems based on the revised Critical Information and Communication Infrastructure standards for the second half of 2025, and eliminating vulnerabilities through the integration of years of know-how and fast, accurate inspections and remedial actions. In particular, we expect efforts to secure inspection speed and improvement plans in accordance with the designation of ISMS-P and ISO27001 certification scopes. Gain experience with network equipment, security devices, and control systems—which are relatively less accessible and more difficult to set up environments for compared to Servers, DBs, WEB, WAS, PCs, and Cloud (Public, Private).

Electronic Financial Infrastructure Vulnerability Analysis and Assessment based on 2025 standards, DBMS, WAS(PaaS), PC explained based on the Major Information and Communication Infrastructure standards revised in the second half of 2025 And penetration testing explained based on the standards revised in the second half of 2025 Additionally, mobile penetration testing as well Expected skill improvement through know-how transfer and fast and accurate inspection methods and remediation measures

- Strengthening understanding of inspections based on Privacy Impact Assessment checklist items - Finding and improving errors in personal information flow charts - Identifying and improving personal information breach factors - Understanding Privacy Impact Assessments and finding errors - Understanding Personal Information Protection Act and finding errors

- Provision of penetration testing environment and assessment tools - WEB penetration testing practice according to the 2025 revised edition of Critical Information and Communications Infrastructure - WEB penetration testing practice according to the 2025 revised edition of Electronic Financial Infrastructure - Review and sharing of vulnerabilities existing on websites - Education on penetration testing report writing methods and improvement measures

This lecture is designed to prepare for the Information Security Engineer written exam, and it will help you concisely summarize the core theories and strengthen your practical skills through problem solving. Take a step closer to obtaining the Information Security Engineer certification with analysis of past questions and practical preparation strategies.

This lecture is designed to prepare for the Information Security Engineer written exam, and it will help you concisely summarize the core theories and strengthen your practical skills through problem solving. Take a step closer to obtaining the Information Security Engineer certification with analysis of past questions and practical preparation strategies.

This is a theoretical/practical training course to prepare for the certification exam for those who dream of becoming an ISMS-P certification auditor in 2025. It is an extended version that includes general ISMS-P and financial ISMS-P.

Nationally Certified Industrial Security Manager: "Final update of the newly renewed version is complete"!! The 2026 exam schedule is expected to be announced between February and March on the following site (https://license.kaits.or.kr/license/web/board/brdList.do?menu_cd=000021). This course is designed to help you obtain the Nationally Certified Industrial Security Manager certification by providing a systematic understanding of industrial security from a management perspective. Rather than focusing on rote memorization, the content systematically organizes the concepts, structures, and flows of industrial security so that even non-security majors can understand it, preparing you for the exam while also supporting practical work and career expansion.

This course carefully selects the core systems that beginners must know in the vast field of information security. Instead of rigid theory, it's structured to help you intuitively understand system principles through clear analogies and practical examples. With this single course, you can grasp the big picture of information security systems as a whole and develop practical skills.

This is an online course where you can learn essential content for certification, from basic concepts of information security to the latest security issues. With theory reflecting the latest exam trends and practical mock tests, you can efficiently prepare for the exam, and it's structured so that even those new to information security can easily follow along.

This course systematically teaches practical Docker skills (installation→operation→automation→security) and comprehensively covers the latest security threats and countermeasures in each section. It features a hands-on approach where you learn by following along with practical exercises. This curriculum is highly recommended for DevOps engineers, infrastructure engineers, and security practitioners who want to experience the latest container/cloud environments in real-world scenarios.

This course puts an end to Linux server operational vulnerabilities caused by incorrect permissions. Master file and directory permission control based on real-world industry standards.

You can understand the concept and technology of blockchain and conduct ISMS-P certification audits specialized for virtual asset exchanges.