AUD507: Auditing & Monitoring Networks, Perimeters & Systems
The entire course has been fantastic it far exceeded my expectations. I think SANS training is far superior to other training programs.
Paul Petrasko, Bemis Company
The course is excellent as it covers most of the technical auditing techniques and tools used for auditing.
One of the most significant obstacles facing many auditors today is how exactly to go about auditing the security of an enterprise. What systems really matter? How should the firewall and routers be configured? What settings should be checked on the various systems under scrutiny? Is there a set of processes that can be put into place to allow an auditor to focus on the business processes rather than the security settings? How do we turn this into a continuous monitoring process? All of these questions and more will be answered by the material covered in this course.
This track is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high level audit issues and general audit best practice, the students will have the opportunity to dive deep into the technical "how to" for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatably verify these controls and techniques for continuous monitoring and automatic compliance validation will be given from real world examples.
One of the struggles that IT auditors face today is assisting management to understand the relationship between the technical controls and the risks to the business that these affect. In this course these threats and vulnerabilities are explained based on validated information from real world situations. The instructor will take the time to explain how this can be used to raise the awareness of management and others within the organization to build an understanding of why these controls specifically and auditing in general is important. From these threats and vulnerabilities, we will explain how to build the ongoing compliance monitoring systems and how to automatically validate defenses through instrumentation and automation of audit checklists.
A Sampling of Topics
- Audit planning and techniques
- Effective risk assessment for control specification
- Firewall and perimeter auditing
- A proven six-step audit process
- Time based auditing
- Effective network population auditing
- How to perform useful vulnerability assessments
- Uncovering "Back Doors"
- Building an audit toolkit
- Detailed router auditing
- Technical validation of network controls
- Web application auditing
- Audit Tools
You'll be able to use what you learn the day you get home. Five of the six days in the track will either produce or provide you directly with continuous monitoring scripts and a general checklist that can be customized for your audit practice. Each of these days includes hands-on exercises with a variety of tools discussed during the lecture sections so that you will leave knowing how to verify each and every control described in the class and know what to expect as audit evidence. Each of the five hands on days gives you the chance to perform a thorough technical audit of the technology being considered by applying the checklists provided in class to sample audit problems in a virtualized environment. Each student is invited to bring her own Windows 7 Professional 64 bit or higher laptop for use during class. The ideal laptop will have at least 4 gigabytes of RAM. Laptops with less memory will function for the majority of the exercises, though one or two may be impossible to accomplish with less memory. Macintosh computers running OS X may also be used with VMWare Fusion.
A great audit is more than marks on a checklist; it is the understanding of the what the underlying controls are, what the best practices are and why. Sign up for this course and experience the mix of theory, hands-on, and practical knowledge.
|AUD507.1: Effective Auditing, Risk Assessment, Reporting|
After laying the foundation for the role and function of an auditor in the information security field, this day's material will give you two extremely useful risk assessment methods that are particularly effective for measuring the security of enterprise systems, identifying control gaps and risks, and assisting you to recommend additional compensating controls to address the risk. Nearly a third of the day is spent covering important audit considerations and questions when dealing with virtualization and with Cloud Computing.
In today's information security world, most enterprises are either already moving toward or seriously considering moving toward compliance with any number of a variety of security standards that represent best practice. Is your organization doing this today? Are you running up against any road blocks? Despite implementing controls, are you still dealing with significant compliance problems? The risk assessment discussions covered in this material is for you. One of the key topics covered in this material is an effective risk based method for the specification or selection of controls. Following this discussion, you will be able to analyze an existing set of controls, a business process, an audit exception or a security incident, identifying any missing or ineffective controls. More importantly, perhaps, you will be able to easily identify what corrective actions will eliminate the problem in the future. Included in this material is a tried and true method for conducting audits and presenting findings that will assist the organization to move toward compliance effectively.
The last two sections of the day are spent digging into virtualization solutions. After first examining some of the huge issues and the biggest questions facing us when it comes to Cloud Computing, we dig into significant audit considerations when dealing with the market leader in private cloud implementations and enterprise virtualization solutions: VMWare.
CPE/CMU Credits: 6
Auditor's Role in Relation to
Basic Auditing and Assessing Strategies
The Six-Step Audit Process
Virtualization & Cloud Computing
|AUD507.2: Effective Network & Perimeter Auditing / Monitoring|
Enterprise networks are under constant assault. A key foundation in the security of our enterprise is created by ensuring that we have a validated secure perimeter. As easy as this is to say, organizations struggle with this constantly. Forces such as wireless technologies, enterprise VPNs, business partner connections, BYOD policies and more can all erode the security of our perimeter networks.
In this day we will build from the ground up, dealing with security controls, proper deployment, effective auditing continuous monitoring of configuration from Layer 2 all the way up the stack. Students will learn how to identify insecurely configured VLANs, how to determine perimeter firewall requirements, how to examine enterprise routers and much more.
Each topic is placed into a risk driven framework for securing a network long term and discussed in the context of a real security organization. What role does the security officer play? How do we reconcile security concerns with operational requirements? What questions should a security auditor be asking? What should the answers to those questions be? How does continuous monitoring fit in and how do you architect those processes?
Many students describe this as the most difficult day of the entire course but the day that fills in all of the gaps that they have in networking technology, whether fundamentals, routers, switches, wireless or firewalls.
CPE/CMU Credits: 6
Specific topics covered include:
Secure Layer 2 Configurations
Router & Switch Configuration Security
Firewall Auditing, Validation & Monitoring
Network Population Monitoring
|AUD507.3: Web Application Auditing|
Web Applications have consistently rated one of the top five vulnerabilities that enterprises face for the past several years. Unlike the other top vulnerabilities, however, our businesses continue to accept this risk since most modern corporations need an effective web presence to do business today. One of the most important lessons that we are learning as an industry is that installing an application firewall is not enough!
A portion of the morning will cover all of the underlying principles of web technology and introduce a set of tools that can be used to validate the security of these applications. Throughout the day, all of the OWASP Top Ten issues will be addressed, abstracted into five practical principles of web application design and deployment. The majority of the day will be spent building and working through a checklist for validating the existence and proper implementation of controls to mitigate the primary threats found in web applications through the use of cutting edge techniques and advanced testing methods. Throughout the material time is spent identifying key development requirements, allowing you to provide meaningful feedback into your organization's coding standards.
Several discrete web applications will be examined using these tools and the audit program developed. By the end of the day each student will use the provided high level checklist and detailed instructions throughout the day to perform a comprehensive validation of security controls in at least one full web application.
CPE/CMU Credits: 6
In addition to designing an audit testing program, time will be spent discussing process remediation for project managers and coding teams.
|AUD507.4: Advanced Windows Auditing & Monitoring|
Microsoft's business class system make up a large part of the typical IT infrastructure. Quite often, these systems are also the most difficult to effectively secure and control because of the enormous number of controls and settings within the operating system. This class gives you the keys, techniques and tools to build an effective long term audit program for your Microsoft Windows environment. More importantly, during the course a continuous monitoring and reporting system is built out, allowing you to easily and effectively scale the testing discussed within your enterprise when you return home.
During the course of this day, attendees will have the opportunity to perform a thorough hands on audit of Active Directory servers in class, in addition to the laptop that they bring to class. In addition to covering all of the major audit points in a stand alone Windows system, the course will scale these methods for use within a domain. One of the primary goals of the material presented is to allow the auditor to get away from checking registry settings, helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally helps us to be far more effective.
Finally, the course will spend a significant amount of time discussing the more important aspects of Active Directory from an auditor's perspective. We will cover and give you the opportunity to try your hand at querying useful data out of the Active Directory. Throughout the day we will work to build a comprehensive baseline auditing script to automatically audit all of the systems within a domain.
CPE/CMU Credits: 6
|AUD507.5: Advanced Unix Auditing & Monitoring|
Students will gain a deeper understanding of the inner workings and fundamentals of the Unix operating system as applied to the major Unix environments in use in business today. Students will have the opportunity to explore, assess and audit Unix systems hands-on. Lectures describe the different audit controls that are available on standard Unix systems, as well as, access controls and security models.
The majority of the day will be spent working hands on with the instructor to create a comprehensive set of auditing scripts that can be used on virtually any Unix system. This set of scripts can be used to either check the security of a system, report on the compliance of the system to a baseline or be used in a change control process to validate a system before patching and subsequently re-generate the system baseline.
Neither Unix nor scripting experience is required for this day's course. The course book and hands on exercises present an easy to follow method with the assistance of the instructor that will allow you to cover scripting and more advanced topics like regular expressions.
CPE/CMU Credits: 6
Auditing to Create a Secure Configuration
Auditing to Maintain a Secure Configuration
Auditing to Determine What Went Wrong
|AUD507.6: Audit the Flag: A NetWars Experience|
This final day of the course presents a capstone experience with additional learning opportunities. Leveraging the well known NetWars engine, students have the opportunity to connect to a simulated enterprise network environment. Building on the tools and techniques learned throughout the week, each student is challenged to answer a series of questions about the enterprise network, working through various technologies explored during the course.
This allows students to immediately put the knowledge gained into practice with these guided challenges. At the conclusion of the day, students are asked to identify the most serious findings within the enterprise environment and to suggest possible root causes and potential mitigations.
CPE/CMU Credits: 6
Technologies included in the capstone challenges include:
Audit 507 requires that you bring a fairly modern laptop running 64 bit Windows 7 Business or Windows 8 Business operating system. Your computer should additionally have a minimum of 2 gigabytes of RAM, though 4 gigabytes or more is preferred. A computer not meeting the RAM and operating system requirements will not be able to run all of the hands-on exercises. Your computer will also need the ability to mount a USB stick and a wireless adapter for you to participate in the exercises in class.
Your laptop must be capable of running the most current version of VMware Player (http://www.vmware.com/products/player/). It is strongly advised that you attempt to download and install VMware Player before coming to class to verify that your laptop can indeed run it successfully. Additionally, the Virtualization Extensions (VT-x) must be enabled in the BIOS of the computer.
It is absolutely necessary that you have full administrative rights on your computer for this class. We would strongly recommend that you work with your help desk to have a clean laptop built for the purpose of attending this class. Full administrative rights means that you will need the ability to install software, change system settings, manipulate the registry, possibly disable antivirus, etc. Of course, you can meet this requirement by bringing a laptop with VMware Player already installed and a Windows XP or higher virtual machine installed inside of a virtual machine to which you have full and complete access.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
|Who Should Attend|
|What You Will Receive|
In this course, you will receive the following:
|You Will Be Able To|
Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.