Last Day to Save $400 on SANS Cyber Defense Initiative 2014, Wash DC

Mentor SEC401 Session

Seattle, WA | Mon Jun 9 - Mon Aug 11, 2014

Security Essentials Bootcamp Style

It seems wherever you turn organizations are being broken into and the fundamental question that everyone wants to know is Why? Why do some organizations get broken into and others do not. SEC401 Security Essentials is focused on teaching you the right things that need to be done to keep an organization secure. Organizations are spending millions of dollars on security and are still compromised. The problem is they are doing good things but not the right things. Good things will lay a solid foundation but the right things will stop your organization from being headline news in the Wall Street Journal. SEC401's focus is to teach individuals the essential skills and techniques needed to protect and secure an organization's critical information assets and business systems. We also understand that security is a journey and not a destination. Therefore we will teach you how to build a security roadmap that can scale today and into the future. When you leave our training we promise that you will be given techniques that you can implement today and tomorrow to keep your organization at the cutting edge of cyber security. Most importantly, your organization will be secure.

With the APT (advanced persistent threat) organizations are going to be targeted. Whether the attacker is successful penetrating an organization's network depends on how well they are at the defense. While defending against attacks is an ongoing challenge with new threats emerging all of the time, including the next generation of threats, organizations need to understand what works in cyber security. What has worked and will always work is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time on anything in the name of cyber security, three questions must be answered:

1. What is the risk?

2. Is it the highest priority risk?

3. Is it the most cost-effective way of reducing the risk?

Security is all about making sure you are focusing on the right areas of defense. By attending SEC401 you will learn the language and underlying theory of computer security. Since all jobs today require an understanding of security, this course will help you understand why security is important and how it applies to your job. In addition, you will gain the essential, up-to-the-minute knowledge and skills required for effective security if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will gain up-to-the-minute knowledge you can put into practice immediately upon returning to work; and, (2) You will be taught by the best security instructors in the industry.

View Dr. Cole's security videos

Learn even more about security in the SANS Reading Room. Over 1600 free White Papers authored by real industry professionals.

Sampling of Topics:

  • Network fundamentals
  • Core security design principles for networks
  • Protocol behavior
  • Analysis and decoding of packets
  • Physical Security
  • Information assurance foundations
  • Computer security policies
  • Contingency and continuity planning
  • Password management and access control
  • Incident handling
  • Offensive and defensive information warfare
  • Host-based intrusion detection and prevention
  • Network-based intrusion detection and prevention
  • Offensive methods of attack
  • Firewall and perimeters
  • Risk assessment and auditing
  • Cryptography
  • Steganography
  • Wireless security
  • Operations security
  • Windows and Unix security

Assessment Available

Test your security knowledge with our free SANS Security Essentials Assessment Test here.

Course Content Overlap Notice:

Please note that some course material for SEC 401 and MGT 512 may overlap. We recommend SEC 401 for those interested in a more technical course of study, and MGT 512 for those primarily interested in a leadership-oriented but less technical learning experience.

This course prepares you for the GSEC certification which meets the requirement of the DoD 8570 IAT Level 2.

Course Syllabus
Course Contents
  SEC401.1: Networking Concepts
Overview

A key way attackers gain access to a company's resources is through a network connected to the Internet. A company wants to try to prevent as many attacks as possible; but in cases where it cannot prevent an attack, it must detect it in a timely manner. Therefore, an understanding of how networks and the related protocols like TCP/IP work is critical to being able to analyze network traffic and determine hostile traffic. It is just as important to know how to protect against these attacks using devices such as routers and firewalls. These essentials, and more, will be covered to provide a firm foundation for the consecutive days training.

CPE/CMU Credits: 8

Topics

Network fundamentals

  • Network types (LANs, WANs)
  • Network topologies
  • Ethernet, token ring
  • ATM, ISDN, X.25
  • Wiring
  • Network devices
  • Voice Over IP (VOIP)

IP concepts

  • Packets and addresses
  • IP service ports
  • IP protocols
  • TCP
  • UDP
  • ICMP
  • DNS

IP behavior

  • TCPdump
  • Recognizing and understanding
  • UDP
  • ICMP
  • UDP Behavior

IOS and router filters

  • Routers
  • IOS
  • Routing
  • Routing protocols
  • Access control lists

Physical security

  • Facility requirements
  • Technical controls
  • Environmental issues
  • Personal safety
  • Physical security threats
  • Elements of physical security

 
  SEC401.2: Defense In-Depth
Overview

In order to secure an enterprise network, you must have an understanding of the general principles of network security. In this course, you will learn about six key areas of network security. The day starts with information assurance foundations, where students look at both current and historical computer security threats, and how they have impacted confidentiality, integrity and availability. The first half of the day also covers the instruction for creating sound security policies and password management, including tools for password strengths on both Unix and Windows platforms. The second half of the day is spent on understanding the information warfare threat and the six steps of incident handling. The day draws to a close by looking at what can be done to test and protect a web server in your company.

CPE/CMU Credits: 8

Topics

Information assurance foundations

  • Risk model
  • Authentication vs. Authorization
  • Data classification
  • Vulnerabilities
  • Defense in-depth

Computer security policies

  • Elements when well written
  • How policies serve as insurance
  • Roles and responsibilities

Contingency and continuity planning

  • Legal and regulatory requirements
  • Disaster recovery strategy and plan

Business impact analysis

  • Emergency assessment
  • Business success factors
  • Critical business functions

Password management

  • Password cracking for Windows and Unix
  • Alternate forms of Authentication (Tokens, Biometrics)
  • Single sign on and RADIUS

Incident handling

  • Preparation, identification, and containment
  • Eradication, recovery, and lessons learned
  • Investigation techniques and computer crime
  • Ethics

Offensive and defensive information warfare

  • Web security
  • Web communication
  • Web security protocols
  • Active content
  • Cracking web applications
  • Web application defenses

 
  SEC401.3: Internet Security Technologies
Overview

Military agencies, banks and retailers offering electronic commerce programs, and dozens of other types of organizations are demanding to know what threats they are facing and what they can do to alleviate those threats. In this course, you will obtain a roadmap that will help you understand the paths available to organizations that are considering or planning to deploy various security devices and tools such as intrusion detection systems and firewalls. The course goes beyond the narrow technical view and offers a full context for the deployment of these promising new technologies. When it comes to securing your enterprise, there is no single technology that is going to solve all of a company's security issues. However, by implementing an in-depth defense strategy that includes multiple defensive measures, you can go a long way in securing your enterprise. Each section in this course covers one tool that will play a part in a company's overall information assurance program.

CPE/CMU Credits: 8

Topics

Host-based intrusion detection and prevention

  • TCP wrappers, Tripwire
  • Intrusion detection
  • What they are and how to deploy them

Network-based intrusion detection and prevention

  • Syslog
  • Commercial tools
  • Denial of service
  • Deception toolkit
  • Calculation of acceptable loss
  • Automated response

Honeypots

  • Forensics
  • Honeypots
  • Honeynets
  • Honey tokens
  • Effect of firewalls on IDS sensors

Methods of attacks

  • Buffer overflows
  • Default accounts
  • Spamming
  • Browsing
  • Race conditions

Firewalls and perimeters

  • Types of firewalls
  • Pros and cons of firewalls
  • Firewall placement

Risk assessment and auditing

  • Risk assessment methodology
  • Risk approaches
  • Calculating risk
  • SLE
  • ALE
  • How all these capabilities work together
  • Where these technologies are heading

 
  SEC401.4: Secure Communications
Overview

There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues, though few companies use it. This technology is encryption. Concealing the meaning of a message can prevent unauthorized parties from reading sensitive information. Day 4 looks at various aspects of encryption and how it can be used to secure a company's assets. A related area called steganography, or information hiding, is also covered. Wireless is becoming a part of most modern networks but they are often implemented in a non-secure manner. Security issues associated with wireless and what can be done to protect these networks will also be discussed. This section finishes by tying all of the other pieces together by looking at Operations Security.

CPE/CMU Credits: 8

Topics

Cryptography

  • Need for cryptography
  • Types of encryption
  • Symmetric
  • Asymmetric
  • Hash
  • Ciphers
  • Digital substitution
  • Algorithms
  • Real-world cryptosystems
  • Crypto attacks
  • VPNs
  • Types of remote access
  • PKI
  • Digital certificates
  • Key escrow

Steganography

  • Types
  • Applications
  • Detection

PGP

  • Installing and using PGP
  • Signing data and what it means
  • Key management
  • Key servers

Wireless

  • Common protocols
  • Common topologies
  • Misconceptions
  • Security issues
  • Securing wireless

Operations security

  • Legal requirements
  • Administrative management
  • Individual accountability
  • Need to know
  • Privileged operations
  • Control types
  • Operation controls
  • Reporting

 
  SEC401.5: Windows Security
Overview

Windows is the most widely-used and hacked operating system on the planet. At the same time, the complexities of Active Directory, PKI, BitLocker, AppLocker and User Account Control represent both challenges and opportunities. This section will help you to quickly master the world of Windows security while showing you the tools you can use to simplify and automate your work. You will complete the day with a solid grounding in Windows security, including the important new features in Windows 8 and Server 2012.

CPE/CMU Credits: 8

Topics

The Security Infrastructure

  • The Windows family of Operating Systems
  • Workgroups and local accounts
  • What is Active Directory?
  • Domain users and groups
  • Kerberos, NTLMv2, smart cards
  • Forests and trusts
  • What is group policy?

Permissions and User Rights

  • User rights
  • NTFS permissions
  • File and print sharing service
  • Shared folders
  • Encrypting file system
  • BitLocker drive encryption

Security policies and templates

  • Group policy objects
  • Password policy
  • Lockout policy
  • Anonymous access
  • Software restriction policies
  • NTLMv2 authentication
  • Protecting critical accounts

Service Packs, patches, and backups

  • Service packs
  • E-Mail security bulletins
  • Patch installation
  • Automatic updates
  • Windows server update services
  • Windows backup
  • System restore
  • Device driver rollback

Securing network services

  • Firewalls and packet filtering
  • IPSec and VPNs
  • Wireless networking
  • The security configuration wizard
  • IIS URLSCAN
  • Terminal services

Auditing and automation

  • Microsoft baseline security analyzer
  • SECEDIT.EXE
  • Windows event logs
  • NTFS and registry auditing
  • IIS logging
  • Creating system baselines
  • Scripting tools
  • Scheduling jobs

 
  SEC401.6: Linux Security
Overview

Based on industry consensus standards, this course provides step-by-step guidance on improving the security of any Linux system. The course combines practical "how to" instructions with background information for Linux beginners and security advice and "best practices" for administrators of all levels of expertise.

CPE/CMU Credits: 6

Topics

Linux Landscape

  • Different variants of and uses for Linux
  • Ways processes are started
  • Network interface information
  • Process information
  • Directory hierarchy
  • Mounting the file systems

Linux Command Line

  • Command line essentials
  • Logging in
  • File system commands
  • Critical OS tools
  • Getting help with man
  • Basic shell scripting
  • Regular expressions

Virtual Machines

  • Types of virtual machines
  • What are virtual machines and how they work
  • Controlling virtual machines
  • Installing VMWare tools
  • Configuration & networking options
  • Problems with virtual machine networking

Linux OS Security

  • Dangerous services
  • Helpful services
  • Running & stopping programs
  • Configuration changes and restarting services
  • File system permissions, ownership, and systems
  • Mounting drives

Linux security tools

  • File integrity verifications
  • Chkrootkit
  • CIS hardening guides
  • Bastille linux
  • Sniffers
  • Snort

Maintenance, monitoring, and auditing Linux

  • Common causes of compromise
  • Patching
  • Backing up data
  • Syslog
  • Analyzing log files
  • Other logging

 
Schedule Instructor
 
Mon Jun 9th, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Mon Jun 16th, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Mon Jun 23rd, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Mon Jun 30th, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Mon Jul 7th, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Mon Jul 14th, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Mon Jul 21st, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Mon Jul 28th, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Mon Aug 4th, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Mon Aug 11th, 2014
6:30 PM - 8:30 PM
Sundar Krishnamurthy
Additional Information
 
  Laptop Required

Security 401: SANS Security Essentials courses consist of instruction and hands-on sessions. The lab sessions are designed to allow students to utilize the knowledge gained throughout the course in an instructor-led environment. Students will have the opportunity to install, configure, and use the tools and techniques that they have learned.

NOTE: Do not bring a regular production laptop for this class! When installing software, there is always a chance of breaking something else on the system. Students should assume that all data could be lost.

NOTE: It is critical that students have administrator access to the operating system and all security software installed. Changes need to be made to personal firewalls and other host-based software in order for the labs to work.

NOTE: Anti-virus software will need to be disabled in order to install some of the tools.

NOTE: A DVD player is required to install the tools that will be provided in class.

Students attending this course are required to bring their own laptops that are properly configured. There is not enough time in class to help you install your laptop. Please note that your laptop must be properly installed and configured before you come to class. Students are also required to test their systems (as described below) prior to coming to class.

The students must bring a laptop with Windows 7 installed (the specific version does not matter). The recommended configuration is Windows 7 as the host operating system running BackTrack 5 (or Kali Linux) as a virtual machine with VMWare Player. The student can use a Mac or Linux system with a different virtual machine product running both Windows and BackTrack 5 (or Kali Linux) in virtual machines, but the specific details for setting it up are left to the student.

The student MUST also download/install VMWare Player and BackTrack 5 (or Kali Linux) prior to coming to class. In addition, the DVD's provided to students contain BackTrack 5 and can be installed by the student on the first day of class.

In summary, before you arrive at the conference you should:

  • Confirm that Windows 7 is installed and working
  • Download and install VMWare Player and BackTrack 5 (or Kali Linux)
  • Confirm that you can start up Back Track (or Kali Linux) and run a program

By properly preparing, we know that you will have a knowledge rich and enjoyable lab experience.

If you have any questions, feel free to contact us.

Dr. Eric Cole

Track Lead/Course Author

eric@sans.org

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Security professionals who want to fill the gaps in their understanding of technical information security
  • Managers who want to understand information security beyond simple terminology and concepts
  • Operations personnel that do not have security as their primary job function but need an understanding of security to be effective
  • IT engineers and supervisors that need to know how to build a defensible network against attacks
  • Administrators responsible for building and maintaining systems that are being targeted by attackers
  • Forensic analysts, penetration testers, auditors who need a solid foundational of security principles so they can be as effective as possible at their jobs
  • Anyone new to information security with some background in information systems and networking

 
  Prerequisites

SEC401 Security Essentials covers all of the core areas of security and assumes a basic understanding of technology, networks and security. For those that are brand new to the field with no background knowledge, SEC301 Intro to Information Security would be the recommended starting point. While SEC301 is not a prerequisite, it will provide introductory knowledge for those that are new to the field to help maximize their experience with SEC401.

 
  You Will Be Able To
  • Design and build a network architecture using VLAN's, NAC and 802.1x based on APT indicator of compromise
  • Run Windows command line tools to analyze the system looking for high-risk items
  • Run Linux command line tools (ps, ls, netstat, ect) and basic scripting to automate the running of programs to perform continuous monitoring of various tools
  • Install VMWare and create virtual machines to create a virtual lab to test and evaluate tools/security of systems
  • Create an effective policy that can be enforced within an organization and determine a checklist that can be used to validate the security, creating metrics to tie into training and awareness
  • Identify visible weaknesses of a system utilizing various tools to include dumpsec and OpenVAS and once vulnerabilities are discovered cover ways to configure the system to be more secure
  • Determine overall scores for systems utilizing CIS Scoring Tools and create a system baseline across the organization
  • Build a network visibility map that can be used for hardening of a network - validating the attack sur- face and covering ways to reduce the attack surface through hardening and patching
  • Sniff open protocols like telnet and ftp and determine the content, passwords and vulnerabilities utilizing WireShark

 
  What To Take Next?

 

Author Statement

One of the things I love to hear from students after teaching Security 401 is "I have worked in security for many years and after taking this course I realized how much I did not know." With the latest version of Security Essentials and the Bootcamp, we have really captured the critical aspects of security and enhanced those topics with examples to drive home the key points. After attending Security 401, I am confident you will walk away with solutions to problems you have had for a while plus solutions to problems you did not even know you had.

- Eric Cole

Venue Information

  • IMS Appature Inc
  • 1633, Westlake Ave N,
    Suite 400,
    Seattle, WA 98109