What You Will Learn
vThis course will show you the most effective steps to prevent attacks and detect adversaries with actionable techniques that can be used as soon as you get back to work. You'll learn tips and tricks designed to help you win the battle against the wide range of cyber adversaries that want to harm your environment.
Is SEC401: Security Essentials Bootcamp Style the right course for you?
STOP and ask yourself the following questions:
- Do you fully understand why some organizations become compromised and others do not?
- If there were compromised systems on your network, are you confident that you would be able to find them?
- Do you know the effectiveness of each security device and are you certain that they are all configured correctly?
- Are proper security metrics set up and communicated to your executives to drive security decisions?
SEC401 provides you with the information security knowledge needed to help you answer these questions for your environment, delivered in a bootcamp-style format reinforced with hands-on labs.
Test your security knowledge with our free SANS Security Essentials Assessment Test.
You will learn:
- To develop effective security metrics that provide a focused playbook that the IT department can implement, auditors can validate, and executives can understand
- To analyze the risk to your environment in order to drive the creation of a security roadmap that focuses on the right areas of security
- Practical tips and tricks that focus on addressing high-priority security problems within your organization and doing the right things that lead to security solutions that work
- Why some organizations win and why some lose when it comes to security and, most importantly, how to be on the winning side
- The core areas of security and how to create a security program that is built on a foundation of Detection, Response, and Prevention
LEARN TO BUILD A SECURITY ROADMAP THAT CAN SCALE TODAY AND INTO THE FUTURE
SEC401: Security Essentials Bootcamp Style is focused on providing you the essential information security skills and techniques you need to protect and secure your organization's critical information and technology assets. SEC401 will show you how to apply the knowledge you gain, forming it into a winning defensive strategy in the terms of the modern adversary. This is how we fight; this is how we win!
PREVENTION IS IDEAL BUT DETECTION AND RESPONSE IS A MUST
With the rise in advanced persistent threats, it is inevitable that organizations will be targeted. Defending against attacks is an ongoing challenge, with new threats emerging all the time, including the next generation of threats. In order to be successful in defending an environment, organizations need to understand what really works in cybersecurity. What has worked ... and will always work ... is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time to anything in the name of cybersecurity, three questions must be answered:
- What is the risk?
- Is it the highest priority risk?
- What is the most cost-effective way to reduce the risk?
All in all, however, organizations are going to be targeted AND broken into. Today, more than ever before, TIMELY detection and TIMELY response is critical. Once an adversary is inside the environment, damage will occur. In the near future, the key question in information security will become, "How quickly can we detect, respond, and remediate an adversary?" As counterintuitive as it may seem, it needs to be stated that you CANNOT secure what you don't know you have. Security is all about making sure you focus on the right areas of defense (especially as applied to the uniqueness of YOUR organization). In SEC401 you will learn the language and underlying workings of computer and information security, and how best to apply it to your unique needs. You will gain the essential and effective security knowledge you will need if you are given the responsibility to secure systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will learn up-to-the-minute skills that you can put into practice immediately upon returning to work; and (2) You will be taught by the best security professionals in the industry.
You Will Be Able To
- Apply what you learn directly to your job when you go back to work
- Design and build a network architecture using VLANs, NAC, and 802.1x based on advanced persistent threat indicators of compromise
- Run Windows command line tools to analyze a system looking for high-risk items
- Utilize Linux command line tools and basic scripting to automate the running of programs to perform continuous monitoring of systems
- Create an effective policy that can be enforced within an organization and design a checklist to validate security and create metrics to tie into training and awareness
- Identify visible weaknesses of a system using various tools and, once vulnerabilities are discovered, configure the system to be more secure
- Build a network visibility map that can be used for hardening of a network - validating the attack surface and determining the best methodology to reduce the attack surface through hardening and patching
- Sniff network communication protocols to determine the content of network communication (including unprotected access credentials), using tools such as tcpdump and Wireshark.
SEC401 is an interactive hands-on training course. The following is only a few of the lab activities that students will carry out:
- Set up a virtual lab environment
- Carry out tcpdump network analysis
- Use Wireshark to decode network traffic
- Crack passwords
- Use hashing to preserve digital evidence
- Analyze networks with hping3 and Nmap
- Use steganography tools
- Secure and audit a Windows system against a template
What You Will Receive
- Course books with labs
- TCP/IP and tcpdump Reference Guide
- IPv6 Pocket Guide
- MP3 audio files of the complete course lecture
This course prepares you for the GSEC certification that meets the requirement of the DoD 8570 IAT Level 2.
Syllabus (46 CPEs)Download PDF
A key way that attackers gain access to a company's resources is through a network connected to the internet. Organizations try to prevent as many attacks as possible. Unfortunately, not all attacks will be prevented, and as such, they must be detected it in a timely manner. Therefore, it is critical to be able to understand the goals of building a defensible network architecture. It is critically important to understand the architecture of the system, types of network designs, relational communication flows, and how to protect against attacks using devices such as routers and switches. These essentials and more will be covered during the first section of this course in order to provide a firm foundation for the remaining sections of this training.
In any organization large or small, all data are not created equal. Some data are routine and incidental while other data can be very sensitive, and loss of those data can cause irreparable harm to an organization. It is essential to understand attacks, the vulnerability behind those attacks, and how to prioritize the information and steps to secure the systems. To achieve this, you need to gain familiarity with the communication protocols of modern networks. Adversaries need our networks just as much as we do. Adversaries live off the land, mercilessly pivoting from system to system, on our network, until they can achieve the long-term goal for which they came. Being able to apply the concepts of 'knowing' our network, and how network operations are performed, will allow us to baseline 'normal'. Knowing normal allows 'abnormal' (the adversary) to stand out.
Cloud computing becomes an obvious topic of discussion in relation to our modern networks - public and private networks alike. A conversation on defensible networking would not be complete without an in-depth discussion of what cloud is, and more importantly, the important security considerations that must be taken into account.
By the end of this section, you will understand Defensible Network Architecture, Protocols and Packet Analysis, Network Device Security, Virtualization and Cloud, and Wireless Network Security.
Last, but certainly not least, all of the above wouldn't be as useful without applying the knowledge in our extensive hands-on lab-based environment. Each day of SEC401 is built on a foundation of how to apply key topics and concepts in real-world application.
By the end of Day 1, the adversary's game will be up. Adversaries need to use OUR network to achieve THEIR goals. By understanding how our networks function (relative to our unique needs), the adversary's activity will be revealed. Discovery of the adversary is only a small part of the overall battle; the remainder of SEC401 will show you how not only to defend, but better prevent (and remediate) the adversary.
SEC401.1: Outline: Network Security Essentials
- SEC401: An Introduction
- Defensible Network Architecture
- Protocols and Packet Analysis
- Network Device Security
- Virtualization and Cloud
- Securing Wireless Networks
Module 1: SEC401 - An Introduction
SEC401 is unique in its coverage of more than 30 topical areas of information security. In this introductory module we review the structure of the course, the logistics of the class schedule in concert with 'bootcamp' hours, and the overall thematic view of the course topics.
Module 2: Defensible Network Architecture
In order to properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of network architecture. Above and beyond an understanding of network architecture, however, properly securing and defending a network will further require an understanding of how the adversary abuses the information systems of our network to achieve their goals.
- Network Architecture
- Attacks Against Network Devices
- Network Topologies
- Network Design
Module 3: Protocols and Packet Analysis
A solid understanding of the interworking of networks enables you to more effectively recognize, analyze, and respond to the latest (perhaps unpublished) attacks. This module introduces the core areas of computer networks and protocols.
Network Protocols Overview
Layer 3 Protocols
- Internet Protocol
- Internet Control Message Protocol
Layer 4 Protocols
- Transmission Control Protocol
- User Datagram Protocol
Module 4: Network Device Security
In order to implement proper network security, you have to understand the various components of modern networks. In this module, we will look at the core components of network infrastructure, how they work, and the methods needed to leverage them for modern cyber defense. Unfortunately everything on the network, including the network itself, is a target for the adversary. Our conversation on network device security would be incomplete without discussing how to properly secure our networking infrastructure itself.
- Network Devices
- Network Device Security
Module 5: Virtualization and Cloud
In this module, we will examine what virtualization is, the security benefits and risks of a virtualized environment, and the differences in virtualization architecture. Because cloud computing is architected on virtualization, the module concludes with an extensive discussion of what cloud is (public and private cloud), how it works, the services made available by public cloud, and related security concepts.
- Virtualization Overview
- Virtualization Security
- Cloud Overview
- Cloud Security
Module 6: Securing Wireless Networks
In this module, we will explain the differences between the various types of wireless communication technologies available today, the insecurities present in those communications, and approaches to mitigation to reduce the risk of those insecurities to a more acceptable level of risk.
- The Pervasiveness of "Wireless" Communications
- Traditional Wireless: IEEE 802.11 and Its Continual Evolution
- Personal Area Networks
- 5G Cellular (Mobile) Communication
- The Internet of Things
To secure an enterprise network, you must understand the general principles of network security. On Day 2, we look at the "big picture" threats to our systems and how to defend against them. We will learn that protections need to be layered leveraging a principle called defense-in-depth, and then explain the principles that will serve us well in protecting our systems.
The section starts with information assurance foundations. We look at security threats and how they have impacted confidentiality, integrity, and availability. The most commonly discussed aspect of defense-in-depth is predicated on access controls. As such, with a solid foundation on the aspects of information assurance in place, we move onto the aspects of identity and access management. Even though, for more than 30 years, passwords (the most commonly used form of authentication for access control) were to be deprecated and moved away from, we still struggle today with the compromises that result from credential theft. What we can do for modern authentication is the focus of our discussion on authentication and password security. Toward the end of the book we shift our focus to modern security controls that will work in the presence of the modern adversary. We do so by leveraging the Center for Internet Security (CIS) controls to help prioritize our risk reduction activities and gather metrics as we construct our security roadmap. While realizing that our networks are the foundation for both our (and the adversaries) activities, we might be naturally curious as to what else we can do from an overall environmental focus on how best to secure our data. This naturally leads to a discussion on Data Loss Prevention techniques. Last, but certainly not least, a discussion of defense-in-depth would not be complete without a discussion of, perhaps, the most important aspect of any security program - Security Plans and Risk Management. Cyber security is really just a different form of risk management. A modern-day defender will not be a capable defender without understanding the constitution of risk, how information security risk must tie back to organizational risk, and the methods used to appropriately address gaps in risk.
SEC401.2: Outline: Defense-in-Depth
- Identity and Access Management
- Authentication and Password Security
- CIS Controls
- Data Loss Prevention
- Security Plans and Risk Management
Module 7: Defense-in-Depth
In this module, we look at threats to our systems and take a "big picture" look at how to defend against them. We will learn that protections need to be layered, a principle called defense-in-depth, and explain some principles that will serve you well in protecting your systems.
- Risk = Threats x Vulnerabilities
- Confidentiality, Integrity, and Availability
Strategies for Defense-in-Depth
Core Security Strategies
Module 8: Identity and Access Management
This module discusses the principles of identity management and access control. Access control models vary in their approaches to security. We will explore their underlying principles, strengths, and weaknesses. The module includes a brief discussion on authentication and authorization protocols and control.
Identity Access Management
- Controlling Access
- Managing Access
- Monitoring Access
Module 9: Authentication and Password Security
A discussion of identity and access management naturally leads to a conversation on authentication and password security. We will spend time discussing the various types of authentication: Something you know, something you have, some place you are, and something you are. We will also spend considerable time discussing the most common (and problematic) example of the "something you know" authentication type: the password. We will spend time delving into password files, storage, and protection.
- Password Techniques
- Password (Passphrase) Policies
- Password Storage
- How Password Assessment Works
Password Cracking Tools
- John the Ripper
Module 10: Center for Internet Security (CIS) Controls
In implementing security, it is important to have a framework with proper metrics. As is often said, you cannot manage what you cannot measure. The CIS controls were created to help organizations prioritize the most critical risks they face. In addition to a framework, the CIS controls also provide details to help organizations put together an effective plan for implementation of the controls they need.
- Introduction to the CIS Controls
- The CIS Controls
- Case Study: Sample CIS Control
Module 11: Data Loss Prevention
Loss or leakage?
In essence, data loss will be any condition that results in data being corrupted, deleted, or made unreadable in any way by a user and/or software (application). A data breach is, in most cases, a security incident that can be intentional or unintentional. Security incidents can lead to (among other things) unintentional information disclosure, data leakage, information leakage and data spill. In this module we cover exactly what constitutes data loss or leakage, the various ways to properly categorize different types of data loss and leakage, and the methodologies that can be leveraged to implement an appropriate data loss prevention capability.
Loss or Leakage
- Data Loss
- Data Leakage
Redundancy (On-Premise and Cloud)
Related Regulatory Requirements
Data Loss Prevention Tools
Defending Against Data Exfiltration
Module 12: Security Plans and Risk Management
In this module, we discuss the key elements of managing and governing risk within an organization. A key part of managing and governing risk is the formation of security plans built on a solid understanding of the "security risk' of the organization. We will learn how to identify a risk, quantify and assess the probability of the risk, and leverage the classification of an asset to determine impact.
How Do I Identify a Risk?
- Quantifying Risk
- Impact Types
- Asset Classification
Risk Treatment Actions
On Day 3, our focus shifts to the various areas of our environment where vulnerabilities manifest. We will begin with an overall discussion of exactly what constitutes a vulnerability, and how to best implement a proper vulnerability assessment program. Penetration testing is often discussed in concert with vulnerability assessment, even though vulnerability assessment and penetration testing are quite distinct from each other.
In concluding our discussion of vulnerability assessments, we next move on to a proper and distinct discussion on what penetration testing is, and how best to leverage its benefits. Because vulnerabilities represent weaknesses that allow adversaries to manifest, a discussion of vulnerabilities would be incomplete without a serious discussion of modern attack methodologies based on real-world examples of real-world compromise. Of all the potential areas for vulnerabilities to manifest in our environment, web applications represent, perhaps, one of the most substantial areas of potential vulnerability and consequential risk. The extensive nature of the vulnerabilities that can manifest with ease from web applications dictate that we focus the attention of an entire module on web application security concepts. While it is true that vulnerabilities allow adversaries to manifest (perhaps with great ease), it is impossible for adversaries to remain entirely hidden - post-compromise. By leveraging the logging capacity of our hardware and software, we can more easily detect the adversary in a reduced period of time. How we achieve such a capacity is the subject of our penultimate module: Security Operations and Log Management. Last, and not least, we will need to have a plan of action for a proper response to the compromise of our environment. The methodology of an appropriate incident response is the subject of our final module of Day 3.
SEC401.3: Outline: Vulnerability Management and Response
- Vulnerability Assessments
- Penetration Testing
- Attacks and Malicious Software
- Web Application Security
- Security Operations and Log Management
- Digital Forensics and Incident Response
Module 13: Vulnerability Assessments
This module covers the tools, technology, and techniques used for reconnaissance (including gathering information, mapping networks, scanning for vulnerabilities, and applying mapping and scanning technology).
- Introduction to Vulnerability Assessments
- Steps to Perform a Vulnerability Assessment
- Criticality and Risks
Module 14: Penetration Testing
The role of penetration testing is well-understood by the majority of organizations and gave birth to newer testing techniques such as Red Teaming, Adversary Emulation, and Purple Teaming. Each have their own unique approaches and benefits. Often, penetration testing is limited in scope to where the testers are not truly able to emulate and mimic the behavior of adversaries. This is where activities such as Red Teaming and Adversary Emulation come into play. A methodical and meticulous approach must be taken regarding penetration testing in order to provide the biggest business value to your organization.
- What and Why of Penetration Testing
- Types of Penetration Testing
- Penetration Testing Process
- Penetration Testing Tools
Module 15: Attacks and Malicious Software
In this module we will take a look at the Marriott breach (a breach that compromised millions of people globally), as well as ransomware attacks that continue to cripple hundreds of thousands of systems across different industries. We'll describe these attacks in detail, discussing not only the conditions that made them possible, but also some strategies that can be used to help manage the risks associated with such attacks.
- High-Profile Breaches and Ransomware
- Common Attack Techniques
- Malware and Analysis
Module 16: Web Application Security
In this module, we look at some of the most important things to know on designing and deploying secure web applications. We start with an explanation of the basics of web communications. We then move on to cover HTTP, HTTPS, HTML, cookies, authentication, and maintaining state. We conclude by looking at how to identify and fix vulnerabilities in web applications.
Web Application Basics
Developing Secure Web Apps
- OWASP Top Ten
- Basics of Secure Coding
- Web Application Vulnerabilities
- Access Control
- Session Tracking / Maintaining State
Web Application Monitoring
- Web Application Firewall (WAF)
Monolithic Architecture and Security Controls
- Attack Surface
Module 17: Security Operations and Log Management
In this module, we cover the essential components of logging, how to properly manage logging, and the considerations that must be understood in order to use the power of logging to its full potential.
- Logging Overview
- Setting Up and Configuring Logging
- Logging Management Basics
- Key Logging Activity
Module 18: Digital Forensics and Incident Response
In this module, we explore the fundamentals of incident handling and why it is important to our organization. We outline a multi-step process to help create our own incident-handling procedures. The module also covers how to leverage digital forensics methodologies to ensure our processes are repeatable and verifiable.
Introduction to Digital Forensics
- What is Digital Forensics?
- Digital Forensics in Practice
- The Investigative Process
- Remaining Forensically Sound
- Examples of Digital Forensics Artifacts
- DFIR Subdisciplines
- Digital Forensics Tools
Incident Handling Fundamentals
Multi-Step Process for Handling an Incident
Incident Response: Threat Hunting
There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues - although few companies deploy it correctly. This technology is cryptography. Concealing the meaning of a message can prevent unauthorized parties from reading sensitive information. During the first half of Day 4 we'll look at various aspects of cryptographic concepts and how they can be used in securing an organization's assets. A related discipline called steganography, or information hiding, is also covered. During the second half of the day, we shift our focus to the various types of prevention technologies that can be used to stop an adversary from gaining access to our organization (firewalls, intrusion prevention systems) and the various types of detection technologies that can detect the presence of an adversary on our networks (intrusion detection systems). These preventative and detective techniques can be deployed from a network and/or endpoint perspective; the similarities and differences in the application of these techniques will be explored.
SEC401.4: Outline: Data Security Technologies
- Cryptography Algorithms and Deployment
- Applying Cryptography
- Network Security Devices
- Endpoint Security
Module 19: Cryptography
Cryptography can provide the functional capabilities needed to achieve confidentiality, integrity, authentication, and non-repudiation purposes. There are three general types of cryptographic systems: Symmetric, Asymmetric, and Hashing. These systems are usually distinguished from one another by the number of keys employed, and the security goals they achieve. This module discusses these different types of cryptographic systems and how each type is used to provide a specific security function. The module also introduces steganography, a means of hiding data in a carrier medium. Steganography can be used for a variety of reasons but is most often is used to conceal the fact that sensitive information is being sent or stored.
General Types of Cryptosystems
Module 20: Cryptography Algorithms and Deployment
In this module, we'll acquire a high-level understanding of the mathematical concepts that contribute to modern cryptography and a basic understanding of commonly used symmetric, asymmetric, and hashing algorithms. We'll also identify common attacks used to subvert cryptographic defenses.
- Cryptography Concepts
- Symmetric, Asymmetric, and Hashing Cryptosystems
- Cryptography Attacks
Module 21: Applying Cryptography
In this module, we'll discuss solutions for achieving our primary goals for using cryptography: protection of data in transit and protection of data at rest. We conclude with an important discussion on the management of public keys (and their related certificates) in terms of a Public Key Infrastructure (PKI).
Data in Transit
- Virtual Private Networks
Data at Rest
- Data Encryption
- Full Disk Encryption
- GNU Privacy Guard (GPG)
- Public Key Infrastructure (PKI)
- Digital Certificates
- Certificate Authorities
Module 22: Network Security Devices
This module will look at the three main categories of network security devices: Firewalls, Network Intrusion Detection Systems (NIDS), and Network Intrusion Prevention Systems (NIPS). Together, they provide a complement of prevention and detection capabilities.
- Types of Firewalls
- Configuration and Deployment
- Types of NIDS
- Snort as a NIDS
- Methods of Deployment
Module 23: Endpoint Security
In this module, we will examine some of the key components, strategies, and solutions for implementing security from an endpoint perspective. This includes general approaches to endpoint security, strategies for baselining activity, and solutions like Host-based IDS (HIDS) and Host-based IPS (HIPS).
- Endpoint Security Overview
- Endpoint Security Solutions
- HIDS Overview
- HIPS Overview
Remember when Windows was simple? Windows XP desktops in a little workgroup...what could be easier? A lot has changed over time. Now, we have Windows tablets, Azure, Active Directory, PowerShell, Microsoft 365 (Office 365), Hyper-V, Virtual Desktop Infrastructure, and so on. Microsoft is battling Google, Apple, Amazon, and other cloud giants for cloud supremacy. The trick is to do cloud securely, of course.
Windows is the most widely used and targeted operating system on the planet. At the same time, the complexities of Active Directory, Public Key Infrastructure, BitLocker, AppLocker, and User Account Control represent both challenges and opportunities. Day 5 will help you quickly master the world of Windows security while showing you the tools that can simplify and automate your work. You will complete the section with a solid grounding in Windows security by looking at automation, auditing, and forensics.
SEC401.5: Outline: Windows Security
- Windows Security Infrastructure
- Windows as a Service
- Windows Access Controls
- Enforcing Security Policy
- Network Services and Cloud Computing
- Automation, Auditing, and Forensics
Module 24: Windows Security Infrastructure
This module discusses the infrastructure that supports Windows security. This is a big picture overview of the Windows security model. It provides the background concepts necessary to understand everything else that follows.
- Windows Family of Products
- Windows Workgroups and Accounts
- Windows Active Directory and Group Policy
Module 25: Windows as a Service
This module discusses techniques for managing updates to Windows.
- End of Support
- Servicing Channels
- Windows Update
- Windows Server Update Services
- Third Party Patch Management
Module 26: Windows Access Controls
This module focuses on understanding how permissions are applied in the Windows NT File System (NTFS), Shared Folders, Registry Keys, Active Directory, and Privileges. BitLocker Drive Encryption is discussed as another form of access control (for encrypted information), and as a tool to help maintain the integrity of the boot-up process if you have a Trusted Platform Module.
- NTFS Permissions
- Shared Folder Permissions
- Registry Key Permissions
- Active Directory Permissions
- BitLocker Drive Encryption
Module 27: Enforcing Security Policy
This module discusses one of the best tools for automating security configuration changes, SECEDIT.EXE, the command-line version of Microsoft's Security Configuration and Analysis snap-in. We'll look at some of the most important changes to make through the use of this tool, such as password policy, lockout policy, and null user session restrictions. We'll also briefly discuss Group Policy Objects (GPOs) and the many security configuration changes that they can help to enforce throughout the domain.
- Applying Security Templates
- Employing the Security Configuration and Analysis Snap-in
- Understanding Local Group Policy Objects
- Understanding Domain Group Policy Objects
- Administrative Users
- User Account Control
- Recommended GPO settings
Module 28: Network Services and Cloud Computing
It is important that we properly secure a system before we connect it to a network. Applying the latest updates isn't good enough: We want a machine that has been hardened specifically in anticipation of vulnerabilities that have not yet been discovered.
- Server Core and Server Nano
- Best Way to Secure a Service
- Packet Filtering
- IPsec Authentication and Encryption
- Internet Information Server (IIS)
- Remote Desktop Services
- Windows Firewall
- Microsoft Azure and Microsoft 365 (Office 365)
Module 29: Automation, Auditing, and Forensics
Automation, auditing, and forensics go together because, if we can't automate our work, the auditing and forensics work doesn't get done at all (or is done only sporadically), or we can't make it scale beyond the small number of machines that we can physically touch. Thankfully, modern Windows systems come with a very powerful automation capability: PowerShell. We will learn what PowerShell is and how to leverage it in our pursuit of deployment consistency, detection of change, remediation of systems, and even threat hunting!
- Verifying Policy Compliance
- Creating Baseline System Snapshots
- Gathering Ongoing Operational Data
- Employing Change Detection and Analysis (Threat Hunting)
While organizations do not have as many Linux systems, the Linux systems that they do have are often some of the most critical systems that need to be protected. Day 6 provides guidance to improve the security of any Linux system. The day combines practical "how to" instructions with background information for Linux beginners, as well as security advice and best practices for administrators with various levels of expertise. With the idea of Linux being a 'free' operating system, it isn't a surprise that many advanced security concepts are first developed for Linux. Containers is one example of such. Containers provide powerful and flexible concepts for cloud computing deployments. Containers, while not specifically designed for information security purposes, are built on elements of minimization and that is something we can leverage in an overall information security methodology (as a part of defense-in-depth). Containers, what they do and do not represent for information security, and the best practice for their management will be fully discussed. A discussion of Linux and UNIX concepts would not be complete without a discussion of the macOS (which is based on UNIX). Apple's venerable macOS provides extensive opportunity for hardware and software security but is often misunderstood from what can and cannot be achieved. Because the majority of our modern-day mobile operating systems have a Linux and/or UNIX background, we end our Day 6 with a discussion on mobile device security.
SEC401.6: Outline: Linux, Mac and Smartphone Security
- Linux Fundamentals: Structure, Permissions, and Access Controls
- Linux Security Enhancements and Infrastructure
- Containerized Security
- macOS Security
- Mobile Device Security
Module 30: Linux Fundamentals
This module discusses the foundational items that are needed to understand how to configure and secure a Linux system.
Operating System Comparison
Linux Operating System
- Linux Unified Key Setup
Linux Security Permissions
Linux User Accounts
Pluggable Authentication Modules
- Windows / *NIX Comparison
- Leveraging Built-in Commands for Threat Hunting
Module 31: Linux Security Enhancements and Infrastructure
This module discusses security-enhancement utilities that provide additional security and lockdown capabilities for modern Linux systems. As discussed earlier in the course, taking advantage of logging capabilities is an incredibly important aspect of our modern cyber defense. Linux's support for the well-known Syslog logging standard (and its related features) will discussed. As Syslog continues to age it may end up being unable to provide the logging features that modern-day cyber defense might demand. As such, additional logging enhancements - from syslog-ng to auditd - will be explored.
Operating System Enhancements
- Source Routing
- Address Space Layout Randomization (ASLR)
- Kernel Module Security
- SSH Hardening
- CIS Hardening Guides and Utilities
- Key Log Files
- Syslog Security
- Log Rotation
- Centralized Logging
Firewalls: Network and Endpoint
Module 32: Containerized Security
The importance of segmentation and isolation techniques cannot be understated. Isolation techniques can help to mitigate the initial damage caused by an adversary giving us more time for detection. In this module we discuss the various types of isolation techniques: Chroot, virtualization, and containers. Containers are a relatively new concept (as applied to information security perspectives). There can be a lot of misunderstanding as to what security benefits are truly afforded by the use of containers, and the potential security issues that might manifest within containers themselves. Containers, what they are, deployment best practice, and how to secure them will be explored.
- Containers vs. Virtual Machines
- Cgroups and Namespaces
- Docker Images
- Docker Best Practices
- Vulnerability Scanning Tools
- Secure Configuration Baselines
Module 33: macOS Security
This module focuses on an overview of the security features which are built into macOS systems. Although macOS is a relatively secure system and has different security features, it can also be flawed just like any other software.
macOS Security Features
- What is macOS?
- Privacy Controls
- Strong Passwords
- Anti-Phishing and Download Protection
- Sandboxing and Runtime Protection
- Security enclaves
macOS Vulnerabilities and Malware
- GateKeeper Bypass
Module 34: Mobile Device Security
This module starts with a quick comparison of the Android and iOS mobile operating systems and what makes them so different. The module concludes with a brief discussion of the security features of both systems.
Android vs. iOS
- Android Security Features
- What You Need to Know About Android
- Android Fragmentation
- Android Security Fix Process
Apple iOS Security
- Apple iOS Security Features
- What You Need to Know About iOS
- iOS Updates
Mobile Problems and Opportunities
Mobile Device Management (MDM)
Unlocking, Rooting, and Jailbreaking
Mitigating Mobile Malware
- Android Malware
- iOS Malware
GIAC Security Essentials
The GIAC Security Essentials (GSEC) certification validates a practitioner’s knowledge of information security beyond simple terminology and concepts. GSEC certification holders are demonstrating that they are qualified for hands-on IT systems roles with respect to security tasks.
Active defense, defense in depth, access control & password management
Cryptography: basic concepts, algorithms and deployment, and application
Defensible network architecture, networking & protocols, and network security
Incident handling & response, vulnerability scanning and penetration testing
Linux security: structure, permissions, & access; hardening & securing; monitoring & attack detection; & security utilities
Security policy, contingency plans, critical controls and IT risk management
Web communication security, virtualization and cloud security, and endpoint security
Windows: access controls, automation, auditing, forensics, security infrastructure, & securing network services
SEC401: Security Essentials Bootcamp Style covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, SEC301: Introduction to Cyber Security would be the recommended starting point. While SEC301 is not a prerequisite for SEC401, it will provide the introductory knowledge to help maximize the experience with SEC401.
Important! Bring your own system configured according to these instructions!
We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link: https://sansurl.com/sans-setup-videos.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
SEC401: Security Essentials Bootcamp Style consists of course instruction and integrated hands-on sessions. The labs reinforce the skills covered in class and enable students to use the knowledge and tools learned throughout the course in an instructor-led environment. Students will have the opportunity to install and configure a virtual lab environment and will utilize the tools and techniques that have been presented. During the course students will receive a USB with two virtual machines; it is critical that you have a properly configured system prior to class.
IMPORTANT: Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. You must also have a minimum of 8 GB of RAM or higher for the virtual machines to function properly. Verify that under BIOS, Virtualization Support is ENABLED.
Your CPU and OS MUST be 64-bit so that our 64-bit guest virtual machines will run on your laptop, and so you can access at least 8 GB of memory. This article provides instructions on how to determine if you have both a 64-bit CPU and OS.
Mandatory Laptop Requirements / Checklist
64-bit capable laptop running a 64-bit OS (Windows 10 x64 is recommended) configured as follows:
- 8 GB physical memory (minimum: this requires you to be running a 64-bit OS)
- 50 GB of available disk space (minimum)
- An available/active USB Type-A port (or both a USB Type-C port and a USB Type-A to USB Type-C adapter)
- In BIOS (UEFI), Virtualization Support must be ENABLED
- Windows Credential Guard must be DISABLED (if running Windows as your host OS)
Download and install the latest version of either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to the start of the class.
If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from the VMware website.
You must have administrator access to the host OS and to all security software installed.
You must have the ability to reboot the laptop and login (i.e., you must have valid credentials for any drive encryption or other security software installed)
Your laptop should NOT contain any personal or company data.
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"From all observations of the world around us, it would appear that we might be living in a world of never-ending compromise. It seems to be that a day no longer goes by without hearing of yet another compromise. On initial glance, an increase in compromise might be attributed to having more systems than ever before connected to more and more computer networks. On second glance, an increase in compromise might be attributed to poor security practices.
If having more systems connected to more networks results in more compromise, we are in serious trouble. An ever-increasing number of systems will continue to be connected to more computer networks in an ever-increasingly connected world. And surely today, with more security at our avail than at any other point in the history of computing, an ever-continuing increase in worldwide compromise can't be attributed to poor security practice, can it? The truth is always more complicated.
The truth is that we now live in a world of ever-increasing security capability, AND ever-increasing compromise. However... how can that be? How is it possible to have ever more compromise in the presence of ever more security?
While the truth is often complicated, fortunately for us, the answer is simple. Offense informs the defense.
SEC401 will provide you with real-world, immediately actionable knowledge and information, to put you and your organization on the best footing possible to counter the modern adversary. Join us to learn how to fight, and how to win."
Bryan Simon, Lead Author, SEC401
"Bryan Simon's knowledge and personal experience continue to astound me. SEC401 course content has been incredibly useful and will be directly applicable to my job, and the labs have practical use and are great demonstrations of the concepts presented in lectures." - Thomas Wilson, Agile Systems