AUD507: Auditing & Monitoring Networks, Perimeters & Systems
The course is excellent as it covers most of the technical auditing techniques and tools used for auditing.
This course not only prepares you to perform a comprehensive audit but also provides excellent information to operations for improve network security posture.
One of the most significant obstacles facing many auditors today is how exactly to go about auditing the security of an enterprise. What systems really matter? How should the firewall and routers be configured? What settings should be checked on the various systems under scrutiny? Is there a set of processes that can be put into place to allow an auditor to focus on the business processes rather than the security settings? How do we turn this into a continuous monitoring process? All of these questions and more will be answered by the material covered in this course.
This track is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high level audit issues and general audit best practice, the students will have the opportunity to dive deep into the technical "how to" for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatably verify these controls and techniques for continuous monitoring and automatic compliance validation will be given from real world examples.
One of the struggles that IT auditors face today is assisting management to understand the relationship between the technical controls and the risks to the business that these affect. In this course these threats and vulnerabilities are explained based on validated information from real world situations. The instructor will take the time to explain how this can be used to raise the awareness of management and others within the organization to build an understanding of why these controls specifically and auditing in general is important. From these threats and vulnerabilities, we will explain how to build the ongoing compliance monitoring systems and how to automatically validate defenses through instrumentation and automation of audit checklists.
A Sampling of Topics
- Audit planning and techniques
- Effective risk assessment for control specification
- Firewall and perimeter auditing
- A proven six-step audit process
- Time based auditing
- Effective network population auditing
- How to perform useful vulnerability assessments
- Uncovering "Back Doors"
- Building an audit toolkit
- Detailed router auditing
- Technical validation of network controls
- Web application auditing
- Audit Tools
You'll be able to use what you learn the day you get home. Five of the six days in the track will either produce or provide you directly with continuous monitoring scripts and a general checklist that can be customized for your audit practice. Each of these days includes hands-on exercises with a variety of tools discussed during the lecture sections so that you will leave knowing how to verify each and every control described in the class and know what to expect as audit evidence. Each of the five hands on days gives you the chance to perform a thorough technical audit of the technology being considered by applying the checklists provided in class to sample audit problems in a virtualized environment. Each student is invited to bring her own Windows 7 Professional 64 bit or higher laptop for use during class. The ideal laptop will have at least 4 gigabytes of RAM. Laptops with less memory will function for the majority of the exercises, though one or two may be impossible to accomplish with less memory. Macintosh computers running OS X may also be used with VMWare Fusion.
A great audit is more than marks on a checklist; it is the understanding of the what the underlying controls are, what the best practices are and why. Sign up for this course and experience the mix of theory, hands-on, and practical knowledge.
Course Syllabus
AUD507.1: Effective Auditing, Risk Assessment, Reporting
Overview
After laying the foundation for the role and function of an auditor in the information security field, this day's material will give you two extremely useful risk assessment methods that are particularly effective for measuring the security of enterprise systems, identifying control gaps and risks, and assisting you to recommend additional compensating controls to address the risk. Nearly a third of the day is spent covering important audit considerations and questions when dealing with virtualization and with Cloud Computing.
In today's information security world, most enterprises are either already moving toward or seriously considering moving toward compliance with any number of a variety of security standards that represent best practice. Is your organization doing this today? Are you running up against any road blocks? Despite implementing controls, are you still dealing with significant compliance problems? The risk assessment discussions covered in this material is for you. One of the key topics covered in this material is an effective risk based method for the specification or selection of controls. Following this discussion, you will be able to analyze an existing set of controls, a business process, an audit exception or a security incident, identifying any missing or ineffective controls. More importantly, perhaps, you will be able to easily identify what corrective actions will eliminate the problem in the future. Included in this material is a tried and true method for conducting audits and presenting findings that will assist the organization to move toward compliance effectively.
The last two sections of the day are spent digging into virtualization solutions. After first examining some of the huge issues and the biggest questions facing us when it comes to Cloud Computing, we dig into significant audit considerations when dealing with the market leader in private cloud implementations and enterprise virtualization solutions: VMWare.
CPE/CMU Credits: 6
Topics
Auditor's Role in Relation to
- Policy Creation
- Policy Conformance
- Incident Handling
Basic Auditing and Assessing Strategies
- Baselines
- Time Based Security
- Thinking like an Auditor
- Developing Auditing Checklists from Policies and Procedures
- Effective risk assessment
Risk Assessment
- Standards Adoption
- Identifying Existing Controls
- Determining Root Failure Causes
- Using Risk Assessment to Specify New Controls
The Six-Step Audit Process
- How the Steps Interrelate
- How to Effectively Conduct an Audit
- How to Effectively Report the Findings
Virtualization & Cloud Computing
- Definitions
- Challenges
- Important contractual requirements
- Technical testing of deployments
AUD507.2: Effective Network & Perimeter Auditing / Monitoring
Overview
Enterprise networks are under constant assault. A key foundation in the security of our enterprise is created by ensuring that we have a validated secure perimeter. As easy as this is to say, organizations struggle with this constantly. Forces such as wireless technologies, enterprise VPNs, business partner connections, BYOD policies and more can all erode the security of our perimeter networks.
In this day we will build from the ground up, dealing with security controls, proper deployment, effective auditing continuous monitoring of configuration from Layer 2 all the way up the stack. Students will learn how to identify insecurely configured VLANs, how to determine perimeter firewall requirements, how to examine enterprise routers and much more.
Each topic is placed into a risk driven framework for securing a network long term and discussed in the context of a real security organization. What role does the security officer play? How do we reconcile security concerns with operational requirements? What questions should a security auditor be asking? What should the answers to those questions be? How does continuous monitoring fit in and how do you architect those processes?
Many students describe this as the most difficult day of the entire course but the day that fills in all of the gaps that they have in networking technology, whether fundamentals, routers, switches, wireless or firewalls.
CPE/CMU Credits: 6
Topics
Specific topics covered include:
Secure Layer 2 Configurations
- VLANs
- Spanning Tree
- Network Trunking
- Switching Fiber Security
Router & Switch Configuration Security
- Remote Administration
- Logging Concerns and Practice
- ACL Configuration & Validation
- User Management
- Evolving Technologies
Firewall Auditing, Validation & Monitoring
- Information Flow Diagramming
- Converting Requirements to ACLs
- Understanding Firewall Design
- Network Architecture Validation
- Rules Review& Analysis
- Technical Validation of the Firewall Rules
- Next Generation Firewalls
Wireless
- Secure Deployments Today
- Identification of Wireless Security Issues
Network Population Monitoring
- Robust Process for Node Identification
- Network Population Change Management & Monitoring
- Automated Notification Processes
Vulnerability Scanning
- Effective Scanning
- Effective, Business Aligned, Reporting
AUD507.3: Web Application Auditing
Overview
Web Applications have consistently rated one of the top five vulnerabilities that enterprises face for the past several years. Unlike the other top vulnerabilities, however, our businesses continue to accept this risk since most modern corporations need an effective web presence to do business today. One of the most important lessons that we are learning as an industry is that installing an application firewall is not enough!
A portion of the morning will cover all of the underlying principles of web technology and introduce a set of tools that can be used to validate the security of these applications. Throughout the day, all of the OWASP Top Ten issues will be addressed, abstracted into five practical principles of web application design and deployment. The majority of the day will be spent building and working through a checklist for validating the existence and proper implementation of controls to mitigate the primary threats found in web applications through the use of cutting edge techniques and advanced testing methods. Throughout the material time is spent identifying key development requirements, allowing you to provide meaningful feedback into your organization's coding standards.
Several discrete web applications will be examined using these tools and the audit program developed. By the end of the day each student will use the provided high level checklist and detailed instructions throughout the day to perform a comprehensive validation of security controls in at least one full web application.
CPE/CMU Credits: 6
Topics
In addition to designing an audit testing program, time will be spent discussing process remediation for project managers and coding teams.
- Identify controls against information gathering attacks
- Process controls to prevent hidden information disclosures
- Control validation of the user sign-on process
- Examining controls against user name harvesting
- Validating protections against password harvesting
- Best practices for OS and web server configuration
- How to verify session tracking and management controls
- Identification of controls to handle unexpected user input
- Server-side Techniques for Protecting Your Customers and Their Sensitive Data
AUD507.4: Advanced Windows Auditing & Monitoring
Overview
Microsoft's business class system make up a large part of the typical IT infrastructure. Quite often, these systems are also the most difficult to effectively secure and control because of the enormous number of controls and settings within the operating system. This class gives you the keys, techniques and tools to build an effective long term audit program for your Microsoft Windows environment. More importantly, during the course a continuous monitoring and reporting system is built out, allowing you to easily and effectively scale the testing discussed within your enterprise when you return home.
During the course of this day, attendees will have the opportunity to perform a thorough hands on audit of Active Directory servers in class, in addition to the laptop that they bring to class. In addition to covering all of the major audit points in a stand alone Windows system, the course will scale these methods for use within a domain. One of the primary goals of the material presented is to allow the auditor to get away from checking registry settings, helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally helps us to be far more effective.
Finally, the course will spend a significant amount of time discussing the more important aspects of Active Directory from an auditor's perspective. We will cover and give you the opportunity to try your hand at querying useful data out of the Active Directory. Throughout the day we will work to build a comprehensive baseline auditing script to automatically audit all of the systems within a domain.
CPE/CMU Credits: 6
Topics
- Progressive construction of a comprehensive audit program
- Basic system information
- Patch levels
- Network based services
- Local services
- Installed software
- Security configuration
- Identifying & mitigating system specific vulnerabilities
- Group policy management
- Log aggregation, management and analysis
- Automating the audit process
- Windows security tips and tricks
- Maintaining a secure enterprise
AUD507.5: Advanced Unix Auditing & Monitoring
Overview
Students will gain a deeper understanding of the inner workings and fundamentals of the Unix operating system as applied to the major Unix environments in use in business today. Students will have the opportunity to explore, assess and audit Unix systems hands-on. Lectures describe the different audit controls that are available on standard Unix systems, as well as, access controls and security models.
The majority of the day will be spent working hands on with the instructor to create a comprehensive set of auditing scripts that can be used on virtually any Unix system. This set of scripts can be used to either check the security of a system, report on the compliance of the system to a baseline or be used in a change control process to validate a system before patching and subsequently re-generate the system baseline.
Neither Unix nor scripting experience is required for this day's course. The course book and hands on exercises present an easy to follow method with the assistance of the instructor that will allow you to cover scripting and more advanced topics like regular expressions.
CPE/CMU Credits: 6
Topics
Auditing to Create a Secure Configuration
- Building Your Own Auditing Toolkit
- File Integrity Assessment
- Fine Points of 'find'
- Regex Basics
Auditing to Maintain a Secure Configuration
- Reading Logfiles
- Password Assessment Tools
- Risk Assessment
- What Tools to Use
- How to Go About It
- Building a Baseline
- Building an Audit Script
- Auditing with Accreditation Systems
Auditing to Determine What Went Wrong
- Finding Hidden Disk Space
- Event Reconstruction
- Identifying Back Doors
- Anatomy of a Rootkit
- Creating a Unix Tools CD
AUD507.6: Audit the Flag: A NetWars Experience
Overview
This final day of the course presents a capstone experience with additional learning opportunities. Leveraging the well known NetWars engine, students have the opportunity to connect to a simulated enterprise network environment. Building on the tools and techniques learned throughout the week, each student is challenged to answer a series of questions about the enterprise network, working through various technologies explored during the course.
This allows students to immediately put the knowledge gained into practice with these guided challenges. At the conclusion of the day, students are asked to identify the most serious findings within the enterprise environment and to suggest possible root causes and potential mitigations.
CPE/CMU Credits: 6
Topics
Technologies included in the capstone challenges include:
Network Devices
- Firewalls
- Cisco Switches & Routers
Servers
- Active Directory domain controllers
- DNS servers
- Mail servers
- Web servers
Applications
- Intranet web applications
- Internet web applications
Workstations
Additional Information
Laptop Required
Audit 507 requires that you bring a fairly modern laptop running a 64 bit business or professional (or better) version of Windows 7 (or higher, including Windows 8 and Windows 10). Your computer should additionally have a minimum of 2 gigabytes of RAM, though 4 gigabytes or more is preferred. A computer not meeting the RAM and operating system requirements will not be able to run all of the hands-on exercises. Your computer will also need the ability to mount a USB stick and a wireless adapter for you to participate in the exercises in class.
Your laptop must be capable of running the most current version of VMware Workstation Player (http://www.vmware.com/products/player/). It is strongly advised that you attempt to download and install VMware Workstation Player before coming to class to verify that your laptop can indeed run it successfully. Additionally, the Virtualization Extensions (VT-x) must be enabled in the BIOS of the computer.
It is absolutely necessary that you have full administrative rights on your computer for this class. We would strongly recommend that you work with your help desk to have a clean laptop built for the purpose of attending this class. Full administrative rights means that you will need the ability to install software, change system settings, manipulate the registry, possibly disable antivirus, etc. Of course, you can meet this requirement by bringing a laptop with VMware Player already installed and a Windows XP or higher virtual machine installed inside of a virtual machine to which you have full and complete access.
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.
Who Should Attend
- Auditors seeking to identify key controls in IT systems
- Audit professionals looking for technical details on auditing
- Managers responsible for overseeing the work of an audit or security team
- Security professionals newly tasked with Audit responsibilities
- System and Network Administrators looking to better understand what an auditor is trying to achieve, how they think and how to better prepare for an audit
- System and Network Administrators seeking to create strong change control management and detection systems for the enterprise
What You Will Receive
In this course, you will receive the following:
- MP3 audio files of the complete course lecture
You Will Be Able To
- Understand the different types of controls (e.g., technical vs. non-technical) essential to performing a successful audit
- Conduct a proper risk assessment of network to identify vulnerabilities and prioritize what will be audited
- Establish a well-secured baseline for computers and networks, a standard to conduct audit against
- Perform a network and perimeter audit using a seven step process
- Audit firewalls to validate that rules/settings are working as designed, blocking traffic as required
- Utilize vulnerability assessment tools effectively to provide management with the continuous remediation information necessary to make informed deci- sions about risk and resources.
- Audit web application's configuration, authentication, and session management identify vulnerabilities attackers can exploit
- Utilize scripting to build a system to baseline and automatically audit Active Directory and all systems in a Windows domain
Author Statement
The SANS Advanced Systems Audit track stands alone in the Information Assurance arena as the only comprehensive source for hands on audit "How To." Past students have included long time auditors and those new to the field, both of whom have found significant benefit from the refresher material. One individual, a vice president with the IIA (Institute of Internal Auditors) said, "I've been auditing systems for a very long time and no one ever actually gave me a formal process that I can apply to conducting technical audits. Thank you!" While we don't require a high level of technical experience as a prerequisite to this course, we have worked hard to make sure that anyone who comes to the course walks away with a wealth of material that they can go back to their office and apply tomorrow. We realistically address the "How do I get there from here?" problem by offering short-term goal solutions which, when combined, will allow you to achieve your goal: identify, report on and reduce risk in your enterprise. - DAVID HOELZER
*CPE/CMU credits not offered for the SelfStudy delivery method
