
SEC464: Cyber Security Training for IT Administrators

There are not enough well-trained IT administrators and operations staff to meet the daily onslaught of cyber criminal and cyber terrorist activity. Sandia National Labs, NASA, and the State of Texas have recently demonstrated that this gap can be addressed by leveraging the large number of IT admins already within an organization to act as a hacker guard that helps thwart many of these attacks. The goal is to have IT administrators serve as the first line of defense, acting as human intrusion detectors.

This matters because perimeters are routinely breached, and attackers often roam through networks for weeks or months without being discovered. This approach, pioneered by organizations such as Sandia Labs, NASA, and the State of Texas, is a training program for IT operations and admins that:

  • Teaches them to discover evidence of intruder activity
  • Shows them how to work effectively with their organization's security professionals
  • Provides tools that they can put to work immediately

It's the first security program that is tuned directly to the interests of IT administrators and establishes a clear entry career path from a system admin to security professional.

  • Why bad things happen to good IT admins: five common misconfigurations and mistakes that lead to a system being compromised
  • Security methodology and thought process in daily systems administration activities
  • An IT administrator's view of what matters in systems architectures
  • Security monitoring: Not knowing makes the auditors and hackers happy
  • The hard part - knowing what is normal for Windows and Unix systems
  • The harder part - knowing what is abnormal for Windows and Unix systems
  • Hardening Windows and Unix systems is easier than you thought
  • Command line kung fu for Unix and Windows
  • Understanding network traffic for systems administrators
  • Malware: Why it is still effective in your environment

Here is what other IT administrators and operations staff have to say about the Hacker Guard Training:

"I've been waiting for this type of course to come from SANS so I could get task-specific security training for sysadmins." - Tom Siu, Case Western Reserve University

"This course fills the gap that all other server administrative courses lack; not only how to set it up securely, but the anomalies related to the insecurities." - Richard Spanfelner, CA Franchise Tax Board

"This is an excellent course and should be a requirement for all our IT admins - not to mention at least some of our business partners and higher members of the IT food chain to influence the importance of this work." - Bob Timberlake, University of Kansas

This educational program gives IT admins the tools and techniques to illuminate evidence of potentially malicious activity on their systems and to look deeper to determine whether the problems they see are real. It allows them to become the hacker guards for malicious activity in their organization. It uses hands-on exercises to ensure they are comfortable using the tools.

Hacker Guard: Security Baseline Training for IT Administrators and Operations - Introductory Two-Day Class

IT operations and administrators are at the front line of any security architecture. They also know the systems that they manage on a daily basis better than anyone else. However, most systems administrators are NOT security professionals. Making the assumption that they are often leads to many of the security related issues organizations face today.

This course is not designed to turn an admin into a security geek. But rather, it will help administrators better understand what security teams and auditors require and turn them into the hacker guards for malicious activity.

The course also focuses strongly on developing the tools and techniques that an IT administrator would need to meet audit and security requirements in as efficient a manner as possible. In summary, this class provides the tools and techniques to bridge the gap and help systems administrator teams meet the needs of security and audit teams - and still do their day jobs.

Course Syllabus
Course Contents
  SEC464.1: Why are we losing

CPE/CMU Credits: 6


Day 1.1 Class Goal:

  • Know our systems better by baselining
  • Know when we have deviations from the baselines
  • Understand how to communicate your findings with the Security team
  • Prepare you to survive an audit/pen test
  • Teach some cool tricks that will help you in your regular job
  • Scare you

Day 1.2 Security Architecture

  • Security Team and Operations Team

Day 1.3 Risk and the 20 Critical Controls

  • #1 Attack vector is your browser

Day 1.4 Know Your Network

Day 1.5 Malware

  • Day 1.5.1 Malware exploits that bypass traditional defenses
  • Day 1, Lab 1 Malware Lab: msfpayload

Day 1.6 Incident Response

  • Policies and procedures prior to incidents occurring
  • Knowing What is Normal - Baselining
  • Secure Configurations
  • Open Source Resources
  • Windows Cheat Sheet for securing the Browser
  • Checking Tasks
  • Day 1, Lab 2 Building a Baseline Script

Day 1.7 Windows Management with SMS and SCCM

  • Discussion of powerful functionality from Microsoft

Day 1.8 The 20 Critical Controls: Inventory of Authorized and Unauthorized Software

  • The 20 Critical Controls: Inventory of Authorized and Unauthorized Devices
  • Day 1, Lab 3 Evil - Not Evil

Day 1.9 Windows Logging

  • The 20 Critical Controls: Maintenance, Monitoring and Analysis of Audit Logs
  • Critical Logs

Day 1.10 Controlled Access Based on "Need to Know"

Day 1.11 The 20 Critical Controls: Data Loss Prevention

  • Day 1.11.1 Unauthorized Changes to User Groups and Services

Day 1.12 Windows Log Management

Day 1.13 Command Line in Depth - WMIC

Day 1.13.1 Importance of the Windows Command Line Interface (CLI)

Day 1, Lab 4 WMIC and netsh Lab

Summary of Day 1 Your Turn to Think Like a Hacker

Day 1, Lab 5

  • Conclusions for Day 1

  SEC464.2: Security for System Administrators

CPE/CMU Credits: 6


Day 2.1 System Monitoring

  • Nagios
  • Why are these tools valuable to System Administrators
  • Day 2, Lab 1 Monitoring Lab

Day 2.2 Linux

  • Day 2.2.1 Establish what is Normal, Just like Day 1 Windows
  • Day 2.2.2 DISA Security Readiness Review
  • Day 2.2.3 Linux Cheat Sheet
  • Day 2.2.4 Looking for the unusual
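The baseline idea runs through both days of the syllabus: Day 1, Lab 2 builds a Windows baseline script, and Day 2.2 asks for the same on Linux ("establish what is normal", then "look for the unusual"). As an added illustration of that technique, and not course material or a SANS-provided tool, the following POSIX shell script snapshots a few things an admin already owns (accounts that can log in, listening sockets, system cron entries, SUID binaries) and diffs a fresh snapshot against a saved one. The snapshot format (one `category<TAB>value` line, sorted in the C locale) and the choice of collectors are assumptions of this example; the demo at the bottom runs on two constructed snapshot files rather than live host data.

```shell
#!/bin/sh
# Added example (not course material): a minimal "know what is normal" baseline
# for a Linux host. Snapshot a handful of security-relevant facts, save the
# snapshot once when the box is known-good, and later diff a fresh snapshot
# against it. Snapshot format (an assumption of this example): one
# "category<TAB>value" line per item, sorted in the C locale so comm(1) works.
export LC_ALL=C

# Collect the current state. Every collector is guarded so the script still
# runs on a minimal box; a missing tool simply contributes no lines.
take_snapshot() {
    {
        # Accounts with UID 0 or an interactive shell: a new one deserves a question
        getent passwd 2>/dev/null \
            | awk -F: '$3 == 0 || $7 ~ /sh$/ { print "user\t" $1 ":" $3 ":" $7 }'
        # Listening TCP/UDP sockets (skip the ss header line)
        if command -v ss >/dev/null 2>&1; then
            ss -tuln 2>/dev/null | awk 'NR > 1 { print "listen\t" $1 " " $5 }'
        fi
        # System-wide cron entries, minus comments and blank lines
        cat /etc/crontab /etc/cron.d/* 2>/dev/null \
            | awk '!/^[[:space:]]*(#|$)/ { print "cron\t" $0 }'
        # SUID binaries in the standard paths: a new one is a classic persistence trick
        find /usr/bin /usr/sbin /bin /sbin -xdev -type f -perm -4000 2>/dev/null \
            | awk '{ print "suid\t" $0 }'
    } | sort -u
}

# Diff a saved baseline against a current snapshot (both in the format above).
# Prints "+ <item>" for things that appeared and "- <item>" for things that
# vanished. Returns 0 when nothing changed and 1 when there are deviations,
# so it can drive a cron job or a monitoring check.
compare_snapshots() {
    baseline="$1"
    current="$2"
    added=$(comm -13 "$baseline" "$current")    # only in current
    removed=$(comm -23 "$baseline" "$current")  # only in baseline
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
    fi
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    else
        return 1
    fi
}

# Stand-alone demo with two constructed snapshots (not real host data): in the
# "current" state a new listener and a new SUID binary appeared and an account
# disappeared. Real use would be:
#   take_snapshot > /var/lib/baseline.txt                 # once, when known-good
#   take_snapshot > /tmp/now.txt
#   compare_snapshots /var/lib/baseline.txt /tmp/now.txt  # on a schedule
demo_dir=$(mktemp -d)
printf 'listen\ttcp 0.0.0.0:22\nsuid\t/usr/bin/passwd\nuser\tdeploy:1001:/bin/bash\nuser\troot:0:/bin/bash\n' \
    > "$demo_dir/baseline.txt"
printf 'listen\ttcp 0.0.0.0:22\nlisten\ttcp 0.0.0.0:4444\nsuid\t/usr/bin/find\nsuid\t/usr/bin/passwd\nuser\troot:0:/bin/bash\n' \
    > "$demo_dir/current.txt"
if compare_snapshots "$demo_dir/baseline.txt" "$demo_dir/current.txt"; then
    echo "no deviations from baseline"
else
    echo "deviations found: review the lines above with the security team"
fi
rm -rf "$demo_dir"
```

The non-zero exit status is what makes this useful beyond the classroom: schedule `compare_snapshots` from cron and alert on failure, and re-baseline deliberately after every approved change so that the diff stays short enough to read. The point is not the particular collectors, which you should extend with whatever your environment treats as normal, but that a deviation becomes something an admin notices and can hand to the security team with evidence attached.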

Day 2.3 The 20 Critical Controls: Unauthorized Changes to Users, Groups and Services

  • Day 2.3.1 Splunk

Day 2, Lab 2: Linux Cheat Sheet and Logs

Day 2.4 What is a Honeypot?

  • Day 2.4.1 Why do we use Honeypots?
  • Day 2.4.2 Open Source Tools for setting up Honeypots
  • Day 2, Lab 3 LAB: HoneyPorts

Day 2.5 Network Traffic

  • Day 2.5.1 Special Note re: Permission to use these tools on your network
  • Day 2.5.2 Network Monitoring tools: Snort, Ntop, Wireshark
  • Day 2, Lab 4: LAB: Network Baseline

Day 2.6 Understanding what is normal network traffic behavior

  • Day 2.6.1 Knowing what is Abnormal
  • Day 2: Lab 5 The Not_Normal Lab

Day 2.7 Communicate with the Incident Response Team

Day 2.8 Scenario: Kobayashi Maru -- A Starfleet exercise

Day 2: Lab 6 Kobayashi Maru Team Lab

Day 2 Conclusions

Additional Information

"Very useful for me as a systems administrator. Some of the information I have seen in another SANS class (SEC504), but this is more focused on what I encounter day-to-day." - Dustin Odya, Indiana University

  Laptop Required



To get the most value out of the course, students are required to bring their own laptop so that they can connect directly to the workshop network that we will create. It is the students' responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network.

Some of the course exercises are based on Windows, while others focus on Linux. VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion, along with a Windows guest virtual machine.


You are required to bring Windows 7 (Professional or Ultimate), Windows Vista (Business or Ultimate), Windows XP Pro, or Windows 2003 or 2008 Server, either a real system or a virtual machine. Windows 7 Home, Windows Vista Home, Windows XP Home, and Windows 2000 (all versions) will NOT work for the class as they do not include all of the built-in capabilities we need for comprehensive analysis of the system.

The course includes a VMware image file of a guest Linux system that is larger than 2 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run Windows and Linux operating systems simultaneously when performing exercises in class. You must have either the free VMware Player 3 or later or the commercial VMware Workstation 6 or later installed on your system prior to coming to class. You can download VMware Player for free at

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from VMware will send you a time- limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.

We will give you a DVD full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible 1.5 GHz CPU minimum or higher
  • DVD drive (not a CD drive)
  • 2 GB RAM minimum, with 4 GB or higher recommended
  • Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring an Ethernet adapter with you)
  • 10 GB available hard drive space
  • Any Service Pack level is acceptable for Windows XP Pro, 2003, Vista, or Win7.

By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.

If you have additional questions about the laptop specifications, please contact

  Who Should Attend
  • IT administrators who interact on a regular basis with their security team or with an auditor.
  • Any IT operations staff or administrators who are curious about the things security teams require.

Author Statement

Throughout the course of my career I have worked with many organizations where systems administrators feel that they are forced to take action on behalf of security or a compliance requirement. They have expressed concerns to me that they don't understand why they have to do certain security hardening activities. Worse, they feel like their own security team doesn't have a full understanding of why they do what they do on behalf of security.

This class is designed to help the systems and network administrators of an environment understand what it is that they need to do to meet security and audit requirements so they can get back to doing their job of keeping the environment running.

- John Strand

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method


*Course contents may vary depending upon location, see specific event description for details.