Overview

Section one provides the "on-ramp" for the highly technical audit tools and techniques used later in the course. After laying the foundation for the role and function of an auditor in the information security field, this section's material provides practical, repeatable and useful risk assessment methods that are particularly effective for measuring the security of enterprise systems, identifying control gaps and risks, and enabling us to recommend additional controls to address the risk. We finish off the section with coverage of the security risks and associated audit techniques for virtualization hosts, cloud services and container systems.

The first part of this section is dedicated to defining the terms used in the class and setting the stage for performing highly effective technology security audits. We follow this with demonstrations of practical risk assessments using consequence/cause analysis and time-based security. We discuss what defense-in-depth really means and how to apply the results of our risk assessments to providing a well-reasoned deep defense of our enterprise systems and business processes. We apply these risk assessment and defense concepts to realistic case studies involving the controls commonly used by enterprises.

We present a proven six-step audit process and the qualities required of a technical auditor. We discuss how to plan for and manage audit engagements, how to gather useful audit evidence, and how to best present findings to management in both written reports and in-person presentations.

The last part of this section is spent covering the tools that will make your life much easier as an IT auditor. The first is NMAP, which can be used for host and service discovery, service and OS version identification, and even configuration checking. We present the "auditor's view" of NMAP, including the settings to use for more reliable audit results and the scripts which might speed up your evidence gathering. Then we move on to a discussion of vulnerability scanners and their use in audit, assurance and operations in the enterprise.

Overview

Section two focuses on securing the enterprise network. The days are gone when a good firewall at the edge of the network is all we really need. In fact, in many enterprises, the network has no real "edge". Auditors should encourage their organizations to focus on security within the network with the same diligence as they use at the perimeter.

We begin the section with a discussion of private and public cloud technologies used in the modern enterprise. First, we look at the security issues related to virtualization hosts and present a list of controls which auditors should examine for the most commonly used hypervisors. Next, we examine how enterprises integrate cloud technologies into their portfolios and look at how cloud providers and their customers should share security responsibilities. We examine guidance from the Cloud Security Alliance and major cloud vendors to develop a list of items to review when auditing an organization's use of cloud services.

The next part of the section is dedicated to understanding containers and container orchestration tools and how they should be deployed and configured. Using the Center for Internet Security's (CIS) Docker Benchmark as a guide, we take a deep look at how our container deployments should be secured and the important items to audit in those deployments. We continue with a discussion of container orchestration tools, like Kubernetes, and how to secure those tools for production use. We wrap up this section with a discussion of serverless functions and their use in the enterprise.

We continue the section with a discussion of Ethernet networks and then work our way up the networking stack. Students will learn how to identify insecurely configured VLANs, how to determine perimeter firewall requirements, how to examine enterprise routers and much more. We continue with a study of wireless networking and the best practices for defending it.

This section ends with an analysis of common security requirements for public services, focusing on the domain name system (DNS) and the simple mail transfer protocol (SMTP). Finally, students are guided through best practices for using network mapping tools like Nmap and vulnerability scanners to assist the organization in securing and continuously monitoring the network.

Many auditors confess that networking is one of their weakest topics. Therefore, each technology is fully explained using simple, everyday illustrations. Each topic is a component of a risk-driven framework for securing a network long-term and discussed in the context of a real security organization. How do we reconcile security concerns with operational requirements? What questions should a security auditor be asking? What should the answers to those questions be? How does continuous monitoring fit in and how do you architect those processes?

Students regularly describe section two in two ways. First, they say it's the most difficult section of the course; then they add that it filled in the gaps they had in understanding how networks really work and how they should be secured.

Overview

Web applications seem to stay at the top of the list of security challenges faced by enterprises today. The organization needs an engaging and cutting-edge web presence, but the very technologies which allow the creation of compelling and data-rich websites also make it very challenging to provide proper security for the enterprise and its customers. Unlike other enterprise systems, our web applications are freely shared with the world and exposed to the potential for constant attack.

We begin this section with a discussion of the suite of technologies which make modern web applications work and the tools which auditors can use to identify, analyze and manipulate these technologies as part of a well-designed and thorough security audit. We cover the technologies which make the web work: including HTML, HTTP, AJAX, web servers and databases. We also introduce the use of proxies in testing web applications by capturing, examining, and sometimes manipulating the traffic between a web client and the server.

We move on to introduce students to many of the resources available from the Open Web Application Security Project (OWASP), focusing on their Top 10 vulnerabilities list and the Top 10 Proactive Controls for web applications. From this foundation, we build a list of five critically important web development and deployment practices which serve as the basis for performing rigorous testing of web applications in the enterprise.

We dedicate most of section three to teaching the controls which can be used to secure applications and the skills needed to test and validate these controls. We develop and use a checklist for testing the most common and important security vulnerabilities. Throughout the section, students have the opportunity to use these tools to test sample web applications similar to those commonly deployed in today's enterprises. We also offer advice on how engineers, administrators, and developers can better secure the web technologies they design, implement and maintain. And finally, we discuss the best ways to report on findings and make useful recommendations.

Overview

The majority of systems encountered on most enterprise audits are running Microsoft Windows in some version or another. The centralized management available to administrators has made Windows a popular enterprise operating system. The sheer volume of settings and configurable controls, coupled with the large number of systems often in use, makes auditing Windows servers and workstations a huge undertaking.

In section four, we teach students how to audit Windows systems and Active Directory domains at scale. We begin with an introduction to Windows PowerShell, covering how to use the shell and moving on to writing and editing scripts which allow the auditor to perform repetitive tasks quickly and reliably. Throughout the section we work to build a comprehensive baseline auditing script which can be used to audit all of the systems within a domain.

Most of this course section is spent examining operating system security in general, and Windows security in particular. We demonstrate how to use PowerShell, Windows Management Instrumentation (WMI), command-line and graphical tools to obtain audit evidence from Windows systems. We move from there to auditing Microsoft Active Directory using PowerShell and command-line tools which access the Lightweight Directory Access Protocol (LDAP).

We continue with discussions of user management, user rights management, file, registry, and share permissions. Finally, we wrap up the section by exploring Windows logging options and how to use the tools and scripts developed during the day to perform meaningful continuous monitoring of the Windows domain and systems. One of the primary goals of the material presented is to allow the auditor to move from checking registry settings to helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally help us to be far more effective.

Overview

While many enterprises today use Microsoft Windows for their endpoint systems, Linux and other Unix variants are well-established as servers, security appliances and in many other roles. Given the nature of the work these Unix variants do, it is critical to ensure their security. Add to that the fact that mass centralized administration is less likely to occur with these systems, and auditing at scale becomes even more important.

Section five uses Debian and CentOS Linux as the example operating systems. We assume that students may have little or no Linux experience, and build skill during the day accordingly. We begin with a discussion of system accreditation in a field where many servers are "snowflakes" - uniquely designed and different from our other enterprise systems. Then, we move on to discuss the fundamentals of Linux/Unix operating systems and the tools available to auditors for system testing and for developing audit scripts.

The bulk of section four concentrates on understanding Linix/Unix operating systems and using native tools and scripts to gather system information, enumerate running services, determine software patch levels, audit user access and privilege management, examine system logs and examine configuration and hardening. Emphasis is placed throughout the day on developing reusable tools and scripts which can be used to gather audit evidence on a variety of Linux/Unix systems.

Neither Unix nor scripting experience is required for this section. The course book and hands-on exercises present an easy to follow method, and the instructor is prepared to help with any difficulty students have in this sometimes unfamiliar environment.

Overview

Section six is a capstone exercise which allows students to test and refine the skills learned throughout the course. Using an online "capture the flag" (CTF) engine, students are challenged to audit a simulated enterprise environment by answering a series of questions about the enterprise network, working through various technologies explored during the course.

At the conclusion of this section, students are asked to identify the most serious findings within the enterprise environment and to suggest possible root causes and potential mitigations.