Skokie, IL - October 26 - November 2, 2009

The fire hose strikes again! My brain hurts!
-Dean Farrington, Wells Fargo

SECURITY 440

20 Critical Security Controls: Planning, Implementing and Auditing

Monday, October 26, 2009 - Tuesday, October 27, 2009
Day 1: 8:00am - 7:00pm | Day 2: 8:00am - 5:00pm
Eric Cole, PhD, SANS Faculty Fellow
Day 1: 9 CPE Credits | Day 2: 8 CPE Credits

This course helps you master specific, proven techniques and tools needed to implement and audit the Top Twenty Most Critical Security Controls. These Top 20 Security Controls, listed below, are rapidly becoming accepted as the highest-priority list of what must be done and proven before anything else at nearly all serious and sensitive organizations. These controls were selected and defined by the US military and other government and private organizations (including NSA, DHS, GAO, and many others) who are the most respected experts on how attacks actually work and what can be done to stop them. They defined these controls as their consensus on the best way to block the known attacks and the best way to help find and mitigate damage from the attacks that get through. For security professionals, the course shows you how to put the controls in place in your existing network through effective and widespread use of cost-effective automation. For auditors, CIOs, and risk officers, the course is the best way to understand how you will measure whether the Top 20 controls are effectively implemented. It closely reflects the Top 20 Critical Security Controls found at http://www.sans.org/cag/.

The Top 20 are listed below. You will find the full document describing the Top 20 Most Critical Security Controls posted at the Center for Strategic and International Studies at http://csis.org/publication/twenty-important-controls-effective-cyber-defense-and-fisma-compliance.

One of the best features of the course is that it uses offense to inform defense. In other words, you will learn about the actual attacks that you'll be stopping or mitigating. That makes the defenses very real, and it makes you a better security person.

As a student of the 20 Critical Security Controls two-day course, you'll learn important skills that you can take back to your workplace and use your first day back on the job in implementing and auditing each of the following controls:

Critical Controls Subject to Automated Collection, Measurement, and Validation:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance and Analysis of Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Penetration Tests and Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Training to Fill Gaps

Why this might be the most important course you'll take to boost your career in cyber security

What are the most important things we have to do to protect our systems? That is the question the defense industrial base CIOs asked the DoD when they learned their systems were leaking and losing some of America's most important military secrets to nation-state hackers. It is also the question that CIOs throughout government are asking when they learn from Government Accountability Office Congressional testimony that FISMA audits are not measuring security effectively. It is exactly the same question that is being asked in power companies and banks and oil and gas organizations and health care organizations. If you are the person who can not only answer the question, but also implement and/or audit the controls, you will be the game changer. It might not happen immediately, but it will happen.

People who have taken training from Dr. Cole have this to say:

Great teacher; very knowledgeable, passionate, entertaining, and informative.
-Mike Mayers, RIM

Expertise of the instructor lets me concentrate on learning, rather than interpreting!
-Leo Lavender, McDonald Observatory, University of Texas

This is my first formal security class. Eric's energy and presentation definitely make me want to sign right up for the next class.
-Minyon L. Ridley, ENSR/AECOM

Dr. Cole is an incredible teacher. He is one of the only teachers that I have experienced in my many years of classes that can keep your attention 100% of the time.
-Blake Sharin, Florida Dept of Health

People who have taken training from James Tarala have said this:

James is quite a talented and captivating speaker. He seems to never miss a beat and has an immense knowledge base.
-Charles Bolte, U.S. Army

James Tarala is a great instructor! Enjoyable to listen to, easy to follow and helpful in the labs. I would not hesitate to register for another class that Mr. Tarala is teaching.
-Sarah Rosman, Sterling Savings Bank

James conveys the technical subject matter in an easily understandable manner that is easy to visualize and comprehend.
-Idris Fofana, TREX

Who Should Attend

  • Information assurance managers/auditors
  • System implementers/administrators
  • Network security engineers
  • IT administrators
  • Auditors/auditees
  • DoD personnel/contractors
  • Federal agencies/clients
  • Security vendors and consulting groups looking to stay current with frameworks for information assurance
  • Alumni of SEC401, SEC501, SANS Audit classes, and MGT512

There's nothing that compares to the detail and real world content in this course
-John Daskal, Lockheed Martin

Author Statement

As we've had the opportunity to talk with information assurance engineers, auditors, and managers over the past ten years, we've seen frustration in the eyes of these hardworking individuals trying to make a difference in their organizations by better defending their data systems. It's even come to the point where some organizations have decided that it's simply too hard to protect their information, and many have started to wonder: is the fight really worth it? Will we ever succeed? We see companies and agencies making headway, but the offense keeps pushing. The goal of this course is to give direction and a realistic hope to organizations attempting to secure their systems.

The 20 Critical Security Controls: Planning, Implementing and Auditing offers direction and guidance as to which security controls will make the most impact, from those in the industry who think through the eyes of the attacker. What better way to play defense than by understanding the mindset of the offense? By implementing our defense methodically and with the mindset of a hacker, we think organizations have a chance to succeed in this fight. We hope this course helps turn the tide.

- James Tarala and Dr. Eric Cole, Ph.D.