New

AUD507: Auditing Systems, Applications, and the Cloud

GIAC Systems and Network Auditor (GSNA)
GIAC Systems and Network Auditor (GSNA)
  • In Person (6 days)
  • Online
36 CPEs

Performing IT security audits at the enterprise level can be an overwhelming task. It is difficult to know where to start and which controls should be audited first. Audits often focus on things that are not as important, wasting precious time and resources. Management is left in the dark about the real risk to the organization's mission. Operations staff can't use the audit report to reproduce or remediate findings. AUD507 gives the student the tools, techniques and thought processes required to perform meaningful risk assessments and audits. Learn to use risk assessments to recommend which controls should be used and where they should be placed. Know which tools will help you focus your efforts and learn how to automate those tools for maximum effectiveness. 20 Hands-On Exercises

What You Will Learn

Controls That Matter - Controls That Work

This course is organized specifically to provide a risk-driven method for tackling the enormous task of designing an enterprise security validation program, covering systems, applications, and the cloud. After covering a variety of high-level audit issues and general audit best practices, students will have the opportunity to delve into the technical "how-to" for determining the key controls that can be used to provide a high level of assurance to an organization. Real-world examples provide students with tips on how to verify these controls in a repeatable way, as well as many techniques for continuous monitoring and automatic compliance validation. These same real-world examples help the students learn how to be most effective in communicating risk to management and operations staff.

Students will leave the course with the know-how to perform effective tests of enterprise security in a variety of areas including systems, applications, and the cloud. The combination of high-quality course content, provided audit checklists, in-depth discussion of common audit challenges and solutions, and ample opportunities to hone their skills in the lab provides a unique setting for students to learn how to be an effective enterprise auditor.

"AUD507 has obvious practical applications, and it's great to see some of the most infamous hacking methods explained and executed in real time. In the labs, I'm getting hands-on experience with the tools. The opportunity to learn how to interpret the results taught me more in one afternoon than I've picked up here-and-there over an entire career." - Tyler Messa, AWS

BUSINESS TAKEAWAYS:

  • Gain confidence that you have the correct security controls and they are working well
  • Lower your audit costs with effective, efficient security audits
  • Improve relevance of IT audit reporting, allowing the organization to focus on what really matters
  • Improve security compliance while reducing compliance and security risks, protecting your reputation and bottom line

SKILLS LEARNED:

  • Apply risk-based decision making to the task of auditing enterprise security
  • Understand the different types of controls (e.g., technical vs. non-technical) essential to performing a successful audit
  • Conduct a proper risk assessment of an enterprise to identify vulnerabilities and develop audit priorities
  • Establish a well-secured baseline for computers and networks as a standard to conduct audit against
  • Perform cloud environment audits using automated tools and a repeatable process
  • Audit virtualization hosts and container environments to ensure properly deployment and configuration
  • Utilize vulnerability assessment tools effectively to provide management with the continuous remediation information necessary to make informed decisions about risk and resources
  • Audit a web application's configuration, authentication, and session management to identify vulnerabilities attackers can exploit
  • Utilize automated tools to audit Windows and Linux systems
  • Audit Active Directory Domains

HANDS-ON TRAINING:

This course goes beyond simply discussing the tools students could use; we give them the experience to use the tools and techniques effectively to measure and report on the risk in their organizations. AUD507 uses hands-on labs to reinforce the material discussed in class and develop the "muscle memory" needed to perform the required technical tasks during audits. In sections 1-5, students will spend about 25% of their time in lab exercises. The final section of the course is a full-day lab that lets students challenge themselves by solving realistic audit problems using and refining what they have learned in class.

Students learn how to use technical tests to develop the evidence needed to support their findings and recommendations. Each section affords students opportunities to use the tools and techniques discussed in class, with labs designed to simulate real-world enterprise auditing challenges and to allow the students to use appropriate tools and techniques to solve these problems.

  • Section 1: Audit Tool Setup, Network scanning and Continuous Monitoring with Nmap, Network Discovery Scanning with Nessus, Configuring and Using Cloud Provider Tools, Cloud Provider Inventory
  • Section 2: Introduction to PowerShell, Windows System Measurements, Auditing Users, Permissions and Logging, Compliance and Testing at Scale
  • Section 3: Linux System Information and Permissions, File Integrity, Kernel Settings and Services, Linux Logging, Linux System Audits
  • Section 4: VMWare and Kubernetes, Cloud Identity and Access Management, Cloud Infrastructure, Cloud Benchmarks
  • Section 5: Web Auditing with Burp, Server Configuration and Static Analysis, Fuzzing with Burp, Injection Flaws
  • Section 6: Capture the Flag: Audit Essentials, Windows Systems, Windows Domains, Kubernetes, Linux, OSQuery and Fleet, Cloud Services, Web Applications

"The labs or exercises were Excellent because provides knowledge, information and experience." - Amjad Awdhah Saeed Alshahrani, Site

"Today's netwars was definitely a challenge and for me I needed the team so we could all use our strengths. Excellent coverage of everything we've learned without repeating exact exercises we had done in the week. Good way to know I did understand what we've been learning all week. The workbook was a good reference to return to." - Carmen Parrish, US Government

"The hands-on labs reinforce the learning from the book. I learn best when I can touch and feel the material being taught." - Rodney Newton, SAP

SYLLABUS SUMMARY:

  • Section 1: How to be an IT auditor; How to gain visibility for hybrid cloud environments
  • Section 2: Using PowerShell and native tools to measure security of Windows systems and domains
  • Section 3: Understanding Unix security and how to use built-in tools and scripting to measure it
  • Section 4: Auditing security of hybrid cloud environments and enterprise networks
  • Section 5: Understanding and auditing the OWASP proactive controls for web applications
  • Section 6: Full-day hands-on lab exercise using all the skills and tools learned during the course

ADDITIONAL FREE RESOURCES:

WHAT YOU WILL RECEIVE:

  • Printed and Electronic Courseware
  • MP3 audio file of the complete course lecture
  • Audit checklists

WHAT COMES NEXT:

Depending on your current role or future plans, one of these courses is a great next step in your leadership journey:

Compliance or Audit Professional

Technical Security Manager or InfoSec Technician:

Syllabus (36 CPEs)

Download PDF
  • Overview

    This section provides the "on-ramp" for the highly technical audit tools and techniques used later in the course. After laying the foundation for the role and function of an auditor in the information security field, this section's material provides practical, repeatable and useful risk assessment methods that are particularly effective for measuring the security of enterprise systems, identifying control gaps and risks, and enabling us to recommend additional controls to address the risk. We finish off the section with an introduction to the risks and audit techniques that are important in cloud environments.

    The first part of this section is dedicated to defining the terms used in the class and setting the stage for performing highly effective technology security audits. We follow this with demonstrations of practical risk assessments using consequence/cause analysis and time-based security. We discuss what defense-in-depth really means and how to apply the results of our risk assessments to providing a well-reasoned deep defense of our enterprise systems and business processes. We apply these risk assessment and defense concepts to realistic case studies involving the controls commonly used by enterprises.

    We present a proven audit process and the qualities required of a technical auditor. We discuss how to plan for and manage audit engagements, how to gather useful audit evidence, and how to best present findings to management in both written reports and in-person presentations.

    During the audit planning discussion, we focus on the importance of audit planning and inventory gathering for both private and public clouds. and how shared responsibility models affect our work as auditors for cloud customers. We also cover some of the tools that will make your life much easier as an IT auditor. The first is NMAP, which can be used for host and service discovery, service and OS version identification, and even configuration checking. We present the "auditor's view" of NMAP, including the settings to use for more reliable audit results and the scripts which might speed up your evidence gathering. Then we move on to a discussion of vulnerability scanners and their use in audit, assurance and operations in the enterprise.

    We finish the section with coverage of audit fieldwork and reporting, giving tips that you will use during the class exercises and in your job.

    Exercises
    • Audit Tool Setup
    • Network Discovery and Inventory
    • Cloud Service Provider Tools
    • Cloud Service Provider Inventory

    Topics

    Auditor's Role as it Relates to:

    • Policy Creation
    • Policy Conformance
    • Incident Handling

    Basic Auditing and Assessing Strategies

    • Baselines
    • Time-Based Security
    • Thinking Like an Auditor
    • Developing Auditing Checklists from Policies and Procedures
    • Performing Effective Risk Assessments

    Risk Assessment

    • Identifying Existing Controls
    • Determining Root Failure Causes
    • Using Risk Assessment to Specify New Controls

    The Audit Process

    • How the Steps Interrelate
    • How to Effectively Conduct an Audit
    • How to Effectively Report the Findings

    Local Network Population Monitoring

    • Robust Process for Node Identification
    • Service and Version Detection
    • Network Population Change Management and Monitoring

    Gaining Visibility in the Cloud

    • Using Cloud Provider Tools
    • Gathering Cloud Inventory
    • Understanding Shared Responsibility

    Vulnerability Scanning

    • Effective Scanning
    • Effective, Business Aligned, Reporting

  • Overview

    The majority of systems encountered on most enterprise audits are running Microsoft Windows in some version or another. The centralized management available to administrators has made Windows a popular enterprise operating system. The sheer volume of settings and configurable controls, coupled with the large number of systems often in use, makes auditing Windows servers and workstations a huge undertaking.

    In this section, we teach students how to audit Windows systems and Active Directory domains at scale. We begin with an introduction to Windows PowerShell, covering how to use the shell and moving on to writing and editing scripts which allow the auditor to perform repetitive tasks quickly and reliably.

    Most of this course section is spent examining operating system security in general, and Windows security in particular. We demonstrate how to use PowerShell, Windows Management Instrumentation (WMI), command-line and graphical tools to obtain audit evidence from Windows systems. We move from there to auditing Microsoft Active Directory using PowerShell and command-line tools which access the Lightweight Directory Access Protocol (LDAP).

    We continue with discussions of user management, user rights management, file, registry, and share permissions. Finally, we wrap up the section by exploring Windows logging options and how to use the tools and scripts developed during the day to perform meaningful continuous monitoring of the Windows domain and systems. One of the primary goals of the material presented is to allow the auditor to move from checking registry settings to helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally help us to be far more effective.

    Exercises
    • Intro to PowerShell
    • Windows System Measurements
    • Users, Permissions and Logging
    • Compliance and Testing at Scale

    Topics

    Windows Support and End of Life

    PowerShell Command Essentials

    PowerShell Scripting

    Windows Management Instrumentation (WMI)

    Windows System Measurements

    • Operating System Information
    • Hardware Information
    • Patches Installed
    • Software Installed
    • Services

    Users and Groups

    • Local Users and Groups
    • Active Directory
    • Password Security

    Rights and Permissions

    Group Policy and Logging

    Auditing at Scale

  • Overview

    While many enterprises today use Microsoft Windows for their endpoint systems, Linux and other Unix variants are well-established as servers, security appliances and in many other roles. Given the nature of the work these Unix variants do, it is critical to ensure their security. Add to that the fact that mass centralized administration is less likely to occur with these systems, and auditing at scale becomes even more important.

    This section uses Ubuntu (Debian-based) and Alma (Redhat-based) Linux as the example operating systems. We assume that students may have little or no Linux experience and build skill during the day accordingly. We begin with a discussion of system accreditation in a field where many servers are "snowflakes" - uniquely designed and different from our other enterprise systems. Then, we move on to discuss the fundamentals of Linux/Unix operating systems and the tools available to auditors for system testing and for developing audit scripts.

    The bulk of the section concentrates on understanding Linix/Unix operating systems and using native tools and scripts to gather system information, enumerate running services, determine software patch levels, audit user access and privilege management, examine system logs and examine configuration and hardening. Emphasis is placed throughout the day on developing reusable tools and scripts which can be used to gather audit evidence on a variety of Linux/Unix systems.

    Neither Unix nor scripting experience is required for this section. The course book and hands-on exercises present an easy-to-follow method, and the instructor is prepared to help with any difficulty students have in this sometimes unfamiliar environment.

    Exercises
    • Linux System Information and Permissions
    • File Integrity, Kernel Settings and Services
    • Linux Logging
    • Linux System Audits

    Topics

    Accreditation and Snowflakes

    Linux Audit Introduction

    • System Accreditation
    • Bash and Linux Tools
    • System Information
    • Filesystems

    Bash Scripting

    System Hardening

    • Hardening Settings
    • File Integrity Assessment

    Services, Network Configuration and Logging

    • Services
    • Patching
    • Network Settings
    • Linux Logging

    User and Privilege Management

    • Local Passwords
    • Pluggable Authentication Modules
    • SSH and Sudo Configuration

    Full System Audits

  • Overview

    This section focuses on securing the enterprise network. The days are gone when a good firewall at the edge of the network is all we really need. In fact, in many enterprises, the network has no real "edge". Auditors should encourage their organizations to focus on security within the network with the same diligence as they use at the perimeter.

    We begin the section with a discussion of private cloud technologies used in the modern enterprise. First, we look at the security issues related to virtualization hosts and present a list of controls which auditors should examine for the most commonly used hypervisors, with an emphasis on VMware products.

    The next part of the section is dedicated to understanding containers and container orchestration tools and how they should be deployed and configured. Using the Center for Internet Security's (CIS) Benchmarks as guides, we take a look at how our container deployments should be secured and the important items to audit in those deployments. We wrap up this section with a discussion of serverless functions and their use in the enterprise.

    Then, we examine how enterprises integrate cloud technologies into their portfolios and look at how cloud providers and their customers should share security responsibilities. We examine guidance from the Cloud Security Alliance and major cloud vendors to develop a list of items to review when auditing an organization's use of cloud services. We cover audit and security concerns with identity and access management, logging and monitoring, networking, infrastructure, compute resources, infrastructure as code, storage and databases. We examine the CIS benchmarks for the three largest cloud providers and review data gathering techniques to audit all three.

    Exercises
    • VMware and Kubernetes
    • Cloud Identity and Access Management
    • Cloud Infrastructure
    • Cloud Benchmarks
    Topics

    Private Clouds and Hypervisor Security

    • Common Hypervisors
    • Useful Hypervisor Audit Tools

    Public Cloud Audit Toolkit

    Auditing the Public Cloud: Part 1

    • Shared Responsibility
    • Identity and Access Management

    Auditing the Public Cloud: Part 2

    • Logging and Monitoring
    • Networking and Infrastructure
    • Compute
    • Infrastructure as Code

    Auditing the Public Cloud: Part 3

    • Storage and Databases
    • Benchmarks and Beyond
  • Overview

    Web applications seem to stay at the top of the list of security challenges faced by enterprises today. The organization needs an engaging and cutting-edge web presence, but the very technologies which allow the creation of compelling and data-rich websites also make it very challenging to provide proper security for the enterprise and its customers. Unlike other enterprise systems, our web applications are freely shared with the world and exposed to the potential for constant attack.

    We begin this section with a discussion of the suite of technologies which make modern web applications work and the tools which auditors can use to identify, analyze, and manipulate these technologies as part of a well-designed and thorough security audit. We cover the technologies which make the web work: including HTML, HTTP, AJAX, web servers and databases. We also introduce the use of proxies in testing web applications by capturing, examining, and sometimes manipulating the traffic between a web client and the server.

    We move on to introduce students to many of the resources available from the Open Web Application Security Project (OWASP), focusing on their Top 10 vulnerabilities list and the Top 10 Proactive Controls for web applications. From this foundation, we build a list of five critically important web development and deployment practices which serve as the basis for performing rigorous testing of web applications in the enterprise.

    We dedicate most of the section to teaching the controls which can be used to secure applications and the skills needed to test and validate these controls. We develop and use a checklist for testing the most common and important security vulnerabilities. Throughout the section, students have the opportunity to use these tools to test sample web applications similar to those commonly deployed in today's enterprises. We also offer advice on how engineers, administrators, and developers can better secure the web technologies they design, implement and maintain. And finally, we discuss the best ways to report on findings and make useful recommendations.

    Exercises
    • Web App Auditing with Burp
    • Server Configuration and Static Analysis
    • Fuzzing with Burp
    • Injection Flaws
    Topics

    Understanding Web Applications

    Server Configuration

    • Information Disclosures
    • HTTPS Settings

    Secure Development Practices

    • Use of Security Frameworks
    • Dev/Test/Prod
    • Multi-Tier Development
    • Error Handling
    • Code Review
    • Static and Dynamic Analysis
    • Scanning Caveats

    Authentication

    • HTTP Basic Authentication
    • Forms Authentication
    • Client Certificates
    • Username Harvesting
    • Brute Forcing
    • Password Security

    Session Tracking

    • Tracking Mechanisms
    • Session Defenses
    • Cross-Site Request Forgery

    Data Handling

    • GET vs. POST for Sensitive Data
    • Input/Output Flaws and Solutions
    • Injection Flaws - Cross-Site Scripting
    • Injection Flaws - SQL Injection
    • Other Injection Flaws
    • Sensitive Output

    Logging and Monitoring

    • Log Everything
    • Don't Log Too Much
    • Auxiliary Logging Techniques
  • Overview

    Audit Wars is a capstone exercise which allows students to test and refine the skills learned throughout the course. Using an online "capture the flag" (CTF) engine, students are challenged to audit a simulated enterprise environment by answering a series of questions about the enterprise network, working through various technologies explored during the course.

    At the conclusion of this section, students are asked to identify the most serious findings within the enterprise environment and to suggest possible root causes and potential mitigations.

    Exercises

    Full-day Capture the Flag

    • Audit Essentials
    • Windows Systems
    • Windows Domains
    • Kubernetes
    • OSQuery and Fleet
    • Web Applications
    • Cloud Services
    • Linux
    Topics

    Technologies included in the capstone exercise include:

    • Cloud Services
    • Kubernetes
    • Windows Active Directory
    • Windows Workstations
    • Web Applications
    • OSQuery
    • Fleet DM
    • Linux

GIAC Systems and Network Auditor

The GIAC Systems and Network Auditor (GSNA) certification validates a practitioner's ability to apply basic risk analysis techniques and to conduct technical audits of essential information systems. GSNA certification holders have demonstrated knowledge of network, perimeter, and application auditing as well as risk assessment and reporting.

  • Auditing, risk assessments, and reporting
  • Network and perimeter auditing and monitoring, web application auditing
  • Auditing and monitoring in windows and Unix environments
More Certification Details

Prerequisites

  • AUD507 assumes that the student is capable of:
  • Navigating the filesystem in Microsoft Windows
  • Launching the command prompt and PowerShell in Windows
  • Running commands from the command line in Windows
  • Navigating the command line and running simple commands in Linux

Deeper Linux experience will be helpful but is not required. The courseware and instruction provide the student with the information necessary to use the Linux systems and tools utilized in class.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY AUD507 SYSTEM HARDWARE REQUIREMENTS
  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 100GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
MANDATORY AUD507 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

"Being an excellent information technology auditor requires a special mix of skills. An effective auditor will know how to assess organizational risk, scope, plan and execute an audit engagement properly. They must have the technical skills to design and perform tests of controls. Then, they must have the business communication skills to report risks to the business in a clear, actionable format. Auditors require the ability to work "in the weeds" when necessary with systems and network engineers and administrators, and then walk into the boardroom and deliver their findings and recommendations in a way that enables business leaders to make well-informed decisions regarding the risk faced by their enterprise.

AUD507 is designed to allow students from diverse backgrounds to learn the skills they need to design and deliver high-quality audits of organizations' IT systems, cloud services, and web applications. From day one, we teach students the thought processes, technical tools, and communications techniques to become a world-class auditor. When they leave the class, they have the technical skills and the mindset required to identify and report on risk in any organization."

- Clay Risenhoover

"Clay did an outstanding job of being able to teach to people with the lowest level of knowledge to those with the technical acumen to know how to utilize all the tools right up front."

- Heather Brewer, NAVSEA

Reviews

Keep up the materials and examples and I will take the course again in a couple of years to capture the newest information and solidify existing information.
Andrew B.
U.S. Federal Agency
I would recommend this to anyone who wants a real-world auditing experience. The closest to a "Live Fire" exercise as possible.
Vic N.
U.S. Federal Agency
The material you learn is practical and the student can use immediately after taking this class.
Peter Kiilu
Niche Assurance LLC
The entire course has been fantastic. It far exceeded my expectations. I think SANS training is far superior to other training programs.
Paul Petrasko
Bemis Company
This course is not only relevant to my current vulnerability management role, but it will also enhance my skills and open up future roles.
Frederick Young, Jr.
BD

    Register for AUD507

    Loading...