Major Update

SEC401: Security Essentials - Network, Endpoint, and Cloud

GIAC Security Essentials (GSEC)
GIAC Security Essentials (GSEC)
  • In Person (6 days)
  • Online
46 CPEs

Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401 will provide the essential information security skills and techniques you need to protect and secure your critical information and technology assets, whether on-premise or in the cloud. SEC401 will also show you how to directly apply the concept learned into a winning defensive strategy, all in the terms of the modern adversary. This is how we fight; this is how we win! 20 Hands-On Labs

What You Will Learn

Organizations are continually targeted and as such they must be prepared for eventual compromise. Today, more than ever before, TIMELY detection and TIMELY response is critical. The longer an adversary is present in your environment, the more devastating and damaging the impact becomes. It could well be that the most important question in information security is: "How quickly can we detect, respond, and REMEDIATE an adversary?"

Information security is all about making sure you focus on the right areas of defense, especially as applied to the uniqueness of YOUR organization. In SEC401, you will learn the language and underlying workings of computer and information security, and how best to apply them to your unique needs. You will gain the essential and effective security knowledge you will need if you are given the responsibility to secure systems or organizations.

SEC401 will teach you the most effective steps to prevent attacks and detect adversaries with actionable techniques that can be used as soon as you get back to work. You will learn tips and tricks designed to help you win the battle against the wide range of cyber adversaries that want to harm your environment.

"SEC401 covered a very wide range of security technologies, processes, and tools that will really open your eyes. I liked how the course shows that not everything is magic, and packets of data can be interpreted even without fancy tools. The labs were great for demonstrating the concepts, with flawless instruction and seamless packet capture." - Fei Ma, DESEI

Business Takeaways

  • How to address high-priority security concerns
  • Leverage security strengths and differences among the top cloud providers
  • Build a network visibility map to help validate attack surface
  • Reduce an organization's attack surface through hardening and configuration management

Skills Learned

  • How to create a security program that is built on a foundation of Detection, Response, and Prevention
  • Practical tips and tricks that focus on addressing high-priority security concerns within one's organization and doing the right things that lead to effective security solutions
  • How adversaries adapt their tactics, techniques, and procedures and how to adapt your defense accordingly
  • What ransomware is and how to better defend against it
  • How to leverage a defensible network architecture (VLANs, NAC, 802.1x, Zero Trust) based on indicators of compromise
  • Identity and Access Management (IAM) methodology and related aspects of strong authentication (MFA)
  • How to leverage the security strengths and differences among various cloud providers (including multi-cloud)
  • Realistic and practical applications of a capable vulnerability management program
  • How to sniff network communication protocols to determine the content of network communication (including access credentials) using tools such as tcpdump and Wireshark
  • How to use Windows, Linux, and macOS command line tools to analyze a system looking for high-risk indicators of compromise, as well as the concepts of basic scripting for the automation of continuous monitoring
  • How to build a network visibility map that can be used to validate attack surfaces and determine the best methodology to effectively reduce risk through hardening and configuration management
  • Why some organizations win and why some lose when it comes to cybersecurity

With the rise in advanced persistent threats, it is inevitable that organizations will be targeted. Defending against attacks is an ongoing challenge with next generation threats emerging all the time. In order to be successful in defending an environment, organizations need to understand what really works in cybersecurity. What has worked - and will always work - is taking a risk-based approach to cyber defense.

Hands-On Cybersecurity Training

The lab-based hands-on portion of the course allows students to apply and master course concepts. The labs follow the adventures of the security team at Alpha Incorporated, a fictitious organization that has suffered from a series of compromises. With the labs based upon four real-world scenarios that many organizations face in today's modern world, students walk away with a keen understanding of the real-world challenges they will face throughout their career. Mastering the course concepts by way of hands-on exercise facilitates the spirit of fulfilling the SANS promise: what is learned in the course is immediately applicable at work.

  • Section 1: Tcpdump; Wireshark; AWS VPC Flow Logs
  • Section 2: Password Auditing; Data Loss Prevention; Mobile Device Backup Recovery
  • Section 3: Network Discovery; Binary File Analysis and Characterization; Web App Exploitation; SIEM Log Analysis
  • Section 4: Hashing and Cryptographic Validation; Encryption and Decryption; Intrusion Detection and Network Security Monitoring with Snort3 and Zeek
  • Section 5: Windows Process Exploration; Windows Filesystem Permissions; Applying Windows System Security Policies; Using PowerShell for Speed and Scale
  • Section 6: Linux Permissions; Linux Containers; Linux Logging and Auditing

What You Will Receive

  • Course books, lab workbook (more than 500 pages of hands-on exercises), virtual machines with tools pre-installed
  • TCP/IP reference guides
  • MP3 audio files of the complete course lecture

Syllabus (46 CPEs)

Download PDF
  • Overview

    In this first section we learn that while organizations try to prevent as many attacks as possible, not all attacks will ultimately be prevented, and therefore must be detected in a timely manner. As such it is critical to understand how to build a defensible network architecture, including the types of network designs and the relational communication flows.

    We then move onto how in any organization, large or small, all data is not created equal. Some data is routine and incidental, while other data can be vastly sensitive and critical, and its loss can cause irreparable harm to an organization. It becomes essential to understand how network-based attacks bring risk to critical data and how an organization is vulnerable to such attacks. To achieve this, we need to become familiar with communication protocols of modern networks.

    Cloud computing becomes an obvious topic of discussion in relation to our modern public and private networks. A conversation on defensible networking would not be complete without an in-depth discussion of what the cloud is, and most importantly, its security capabilities and related concerns.

    Perhaps best stated, adversaries need our networks just as much as we do. Adversaries live off the land, mercilessly pivoting from system to system on our network until they achieve their long-term goals. Because adversaries need to use OUR network to achieve THEIR goals, by understanding how our networks function (relative to our unique needs), we can more easily uncover the activities of adversaries.

    By the end of this section, you will understand Defensible Network Architecture, Protocols and Packet Analysis, Virtualization and Cloud Essentials, and Wireless Network Security.

    • Sniffing and analysis of network traffic including tcpdump
    • Sniffing, protocol decoding, and extraction of network traffic using Wireshark
    • Examination and interpretation of Amazon Web Services (AWS) VPC Flow Logs


    Module: Defensible Network Architecture

    To properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of network architecture. Above and beyond an understanding of network architecture, however, properly securing and defending a network will further require an understanding of how adversaries abuse the information systems of our network to achieve their goals.

    • Network Architecture
    • Attacks Against Network Devices
    • Network Topologies
    • Network Design

    Module: Protocols and Packet Analysis

    A solid understanding of the interworking of networks enables you to more effectively recognize, analyze, and respond to the latest (perhaps unpublished) attacks. This module introduces the core concepts of computer networks and protocols.

    • Network Protocols Overview
    • Internet Protocol (IP)
    • Internet Control Message Protocol (ICMP)
    • Transmission Control Protocol (TCP)
    • User Datagram Protocol (UDP)
    • Tcpdump

    Module: Virtualization and Cloud Essentials

    The module begins with an examination of what virtualization is, the security benefits and the risks of a virtualized environment, and the differences found in different types of virtualization architecture. Because cloud computing is architected on virtualization, the module concludes with an extensive discussion of what the public and private cloud is, how it works, the services made available by the public cloud (including security offerings), and related security concepts.

    • Virtualization Overview
    • Virtualization Security
    • Cloud Overview
    • Cloud Security

    Module: Securing Wireless Networks

    This module helps the student to understand the differences of the various types of wireless communication technologies available today, the insecurities present in those communications, and approaches to reduce the risk of those insecurities to a more acceptable level.

    • The Pervasiveness of Wireless Communications
    • Traditional Wireless: IEEE 802.11 and its Continual Evolution
    • Personal Area Networks
    • 5G Cellular (Mobile) Communications
    • The Internet of Things
  • Overview

    This section of the course looks at the big picture threats to our systems and how to defend against them. We will learn that protections need to be layered, leveraging a principle called defense in depth.

    The section starts with the foundations of information assurance. We look at security threats and how they impact confidentiality, integrity, and availability. Because the most common aspect of defense in depth is predicated on access controls, we move into a discussion on the aspects of identity and access management (IAM). We will see that while passwords (the most common factor of authentication) were to be deprecated and moved away from, this has not been the case and we still struggle today with compromises that result from credential theft. What we can leverage for modern authentication becomes the focus of a discussion on authentication and password security, especially as it applies to cloud computing. Many consider that IAM is the new security perimeter for cloud-based functionality, so the importance of its strong application cannot be understated.

    Toward the mid-part of the section, we shift the focus toward modern security controls that work in the presence of the modern adversary. This is done by leveraging Center for Internet Security (CIS) Controls, the NIST Cybersecurity Framework, and the MITRE ATT&CK knowledge base.

    In circling back to earlier course content on network architecture, we might naturally be curious as to what else can be done for network defensibility. This leads us to consider an overall environmental focus on how to best secure our data in transit (and correspondingly) at rest. A larger discussion on data loss protection techniques ensues.

    Last, but certainly not least, a discussion of defense in depth would not be complete without touching on perhaps one of the most important technologies that is more heavily relied upon than ever before - mobile devices. A dedicated module to mobile devices concludes with a thorough discussion of the benefits (and security risks) of mobile devices, including concepts such as Bring Your Own Device (BYOD) and Mobile Device Management (MDM).

    • Password Auditing
    • Investigative techniques using Data Loss Prevention capabilities
    • Investigation of artifacts found in mobile device backups

    Module: Defense in Depth

    This module examines threats to our systems and takes a big picture look at how to defend against them. We will learn that protections need to be layered, a principle called defense in depth. We will also evaluate related principles (such as Zero Trust) that will further serve you well in protecting your systems.

    • Defense in Depth Overview
    • Constituents of Risk: Confidentiality, Integrity and Availability
    • Strategies for Defense in Depth
    • Core Security Strategies
    • Defense in Depth in the Cloud
    • Zero Trust Methodology
    • Variable Trust

    Module: IAM, Authentication, and Password Security

    This module discusses the principles of identity management and access control. As access control models vary in their approaches to security, we will explore their underlying principles, strengths, and weaknesses. The module also includes a brief discussion on authentication and authorization protocols and control. A discussion of identity and access management naturally leads to a conversation on authentication and password security. We will spend time discussing the various factors of authentication: something you know, something you have, and something you are. We conclude the module by focusing specifically on the most common (and problematic) example of something you know: the password.

    • IAAA: Identification, Authentication, Authorization, Accountability
    • Single Sign On (SSO): Traditional On-Premise and Cloud (SAML and OATH)
    • Password Management
    • Password Techniques
    • Password (Passphrase) Policies
    • Password Storage
    • Key Derivation Functions
    • How Password Assessment Works
    • Password Attack Tools (Hashcat and Mimikatz)
    • Multi-Factor Authentication
    • Adaptive Authentication
    • Privileged Access Management: On-Premise and Cloud

    Module: Security Frameworks

    In implementing security, it is important to have a framework that includes proper metrics. As is often said, you cannot manage what you cannot measure. This module focuses on three frameworks: The Center for Internet Security (CIS) Controls (created to help organizations prioritize the most critical risks they face); the NIST Cybersecurity Framework (standards, guidelines, and best practices that can assist in managing overall cybersecurity risk); and the MITRE ATT&CK knowledge base (adversary tactics and techniques). Combining the prioritized actions of the CIS Controls with the understanding of overall risk from the NIST Cybersecurity Framework, all in consideration of adversarial tactics and techniques, will help put us on solid footing in defending against the modern adversary.

    • Introduction to the CIS Controls
    • CIS Controls Guiding Principles
    • Case Study: Sample CIS Control
    • NIST Cybersecurity Framework
    • MITRE ATT&CK (TTP and Mapping to Known Adversaries)

    Module: Data Loss Prevention

    Loss or leakage?

    In essence, data loss is any condition that results in data being corrupted, deleted, or made unreadable in any way. A data breach is an incident that can lead to, among other things, unintentional information disclosure and data leakage. This module covers exactly what constitutes data loss or leakage, and the methodologies that can be leveraged to implement an appropriate data-loss prevention capability.

    • Loss or Leakage
    • Data Loss
    • Data Leakage
    • Ransomware
    • Preventative Strategies
    • Redundancy (On-Premise and Cloud)
    • Data Recovery
    • Related Regulatory Requirements (GDPR and CCPA)
    • Data Loss Prevention Tools
    • Defending Against Data Exfiltration
    • User Activity Monitoring

    Module: Mobile Device Security

    The first part of the module gives a comparison of the Android and iOS mobile operating systems and what makes them so different. The module concludes with a brief discussion of the security features of both mobile operating systems, along with the potential of damaging attacks from malware.

    • Android versus iOS
    • Android Security
    • Android Security Features
    • What You Need to Know About Android
    • Android Fragmentation
    • Android Security Fix Process
    • Apple iOS Security
    • Apple iOS Security Features
    • What to Know About iOS
    • iOS Updates
    • Mobile Problems and Opportunities
    • Mobile Device Management
    • Unlocking, Rooting, and Jailbreaking
    • Mitigating Mobile Malware
    • Android Malware
    • iOS Malware
  • Overview

    In this section the focus shifts to the various areas of our environment where vulnerabilities arise. We will begin with an overall discussion of exactly what constitutes a vulnerability, and how to best implement a proper vulnerability assessment program.

    Because vulnerabilities represent weaknesses that adversaries exploit, a discussion of vulnerabilities would not be complete without a serious discussion of modern attack methodologies based on real-world examples of compromise. Of all the potential areas for vulnerabilities in our environment, web applications represent one of the most substantial, with the most consequential risk. The extensive nature of vulnerabilities that can arise from web applications dictate that we focus the attention of an entire module on web application security concepts.

    While it is true that vulnerabilities allow adversaries to penetrate our systems, sometimes with great ease, it is impossible for those adversaries to remain entirely hidden post-compromise. In leveraging the logging capabilities of our hardware and software, we might detect the adversary in a more timely manner. How we achieve such a capacity is the subject of our penultimate module: Security Operations and Log Management.

    Last, but not least, we will need to have a plan of action for a proper response to the compromise of our environment. The methodology for an appropriate incident response is the subject of the final module of this section.

    • System, Port, and Vulnerability Discovery with Nmap
    • Malware Analysis
    • Abusing Web Application Vulnerabilities for Exploitation
    • Leveraging SIEM Logs for Incident Response and Investigation

    Module: Vulnerability Assessments

    This module covers the tools, technology, and techniques used for the mapping of networks and scanning of vulnerabilities, all within the scope of a proper vulnerability framework.

    • Introduction to Vulnerability Assessments
    • Steps to Perform a Vulnerability Assessment
    • Criticality and Risks

    Module: Penetration Testing

    The role of penetration testing, which is well understood by most organizations, gave rise to newer testing techniques such as red and purple teaming and adversary emulation. Often, penetration testing is limited in scope to where the testers are not truly able to emulate and mimic the behaviors of adversaries. This is where the red teaming and adversary emulation functions come into play. Furthermore, a methodical and meticulous approach to penetration testing is needed to provide value to your organization.

    • The What and Why of Penetration Testing
    • Red Team
    • Adversary Emulation
    • Purple Team
    • External and Internal Penetration Testing
    • Web Application Penetration Testing
    • Social Engineering
    • Mobile Device Testing
    • Internet of Things Testing
    • Penetration Testing Process
    • Penetration Testing Tools (Nmap, Metasploit, Meterpreter)
    • Password Compromise, Reuse, Stuffing, and Spraying

    Module: Attacks and Malicious Software

    This module will examine commonalities of well-known breaches as well as ransomware attacks that continue to cripple hundreds of thousands of systems across different industries. We will describe the attacks in detail, discussing not only the conditions that made them possible, but also strategies that can be used to help manage the risks associated with such attacks.

    • High-Profile Breaches and Ransomware
    • Ransomware as a Service
    • Common Attack Techniques
    • Malware and Analysis

    Module: Web Application Security

    This module looks at some of the most important things to know about designing and deploying secure web applications. We start with an examination of the basics of web communications, then move on to cover HTTP, HTTPS, HTML, cookies, authentication, and maintaining state. We conclude by looking at how to identify and fix vulnerabilities in web applications.

    • Web Communication Fundamentals
    • Cookies
    • HTTPS
    • Developing Secure Web Apps
    • OWASP Top Ten
    • Basics of Secure Coding
    • Web Application Vulnerabilities
    • Web Application Monitoring
    • Web Application Firewall (WAF)

    Module: Security Operations and Log Management

    This module covers the essential components of logging, how to properly manage logging, and the considerations that factor into leveraging logging to its fullest potential during incident response.

    • Logging Overview
    • Log Collection Architecture
    • Log Filtering
    • Problems with Logging Standards
    • Setting Up and Configuring Logging
    • Log Analysis Tools
    • Log Aggregation and SIEM
    • Key Logging Activities

    Module: Digital Forensics and Incident Response

    This module explores the fundamentals of incident handling and why it is important to an organization. We will outline a multi-step process to create our own incident handling procedures and response plans. Being able to leverage digital forensic methodologies to ensure that processes are repeatable and verifiable will also be a key focus of the material.

    • Introduction to Digital Forensics
    • What is Digital Forensics?
    • Digital Forensics in Practice
    • The Investigative Process
    • Remaining Forensically Sound
    • Examples of Examining Forensics Artifacts
    • DFIR (Digital Forensics and Incident Response) Subdisciplines
    • Digital Forensics Tools
    • Incident Handling Fundamentals
    • Multi-Step Process for Handling an Incident
    • Threat Hunting
  • Overview

    There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues, though few companies deploy it correctly. This technology is cryptography. During the first half of this section, we will look at various aspects of cryptographic concepts and how they can be used to help secure an organization's assets. During the second half of the section, we shift our focus to the various types of prevention technologies that can be used to stop an adversary from gaining access to our organization (firewalls and intrusion prevention systems). We will also look at the different detection technologies that can detect the presence of an adversary (intrusion detection systems). These prevention and detection techniques can be deployed from a network and/or endpoint perspective, and we will explore the similarities and differences of each.

    • Hashing and Cryptographic Validation
    • Encryption, Decryption, and Digital Signature Techniques
    • Incident Detection Leveraging the Snort and Zeek Intrusion Detection Systems

    Module: Cryptography

    Cryptography can provide the functional capabilities needed to achieve confidentiality, integrity, authentication, and non-repudiation. There are three general types of cryptographic systems: symmetric, asymmetric, and hashing. These systems are usually distinguished from one another by the number of keys employed, as well as the security goals they achieve. This module discusses these different types of cryptographic systems and how each type is used to provide a specific security function.

    • Cryptosystem Fundamentals
    • Cryptography
    • Cryptanalysis
    • General Types of Cryptosystems (Symmetric, Asymmetric, Hashing)
    • Digital Signatures

    Module: Cryptography Algorithms and Deployment

    The content of this module will help us gain a high-level understanding of the mathematical concepts that contribute to modern cryptography. We'll also identify common attacks used to subvert cryptographic defenses.

    • Mathematical Features of Strong Cryptography
    • AES
    • RSA
    • ECC
    • Cryptography Attacks (Cryptanalysis)

    Module: Applying Cryptography

    This module will discuss the practical applications of cryptography in terms of protection of data in transit and protection of data at rest. We conclude with an important discussion on the management of public keys (and the related concepts of certificates), all in terms of a Public Key Infrastructure.

    • Data in Transit
    • Virtual Private Networks (VPN), IPsec and SSL-based
    • Data at Rest
    • File/Folder Level Encryption
    • Full Disk Encryption
    • GNU Privacy Guard (GPG)
    • Key Management
    • Public Key Infrastructure (PKI)
    • Digital Certificates
    • Certificate Authorities

    Module: Network Security Devices

    Three main categories of network security devices will be discussed in this module: Firewalls, Network Intrusion Detection Systems (NIDS), and Network Intrusion Prevention Systems (NIPS). Together, they provide a complement of prevention and detection capabilities.

    • Overview of Firewalls
    • Types of Firewalls
    • Firewall Configuration and Deployment Considerations
    • NIDS
    • Types of NIDS
    • Snort as a NIDS
    • NIPS
    • Methods for NIPS Deployment
    • NIPS Security and Productivity Risk Considerations

    Module: Endpoint Security

    In this final module of the section, we examine some of the key components, strategies, and solutions for implementing security from an endpoint perspective. This includes general approaches to endpoint security, strategies for baselining activity, and solutions like Host-based IDS (HIDS) and Host-based IPS (HIPS).

    • Endpoint Security Overview
    • Core Components of Endpoint Security
    • Enhancing Endpoint Security
    • Endpoint Security Solutions
    • Anti-malware
    • Endpoint Firewalls
    • Integrity Checking
    • HIDS, HIPS, and EDR
  • Overview

    Remember when Windows was simple? Windows XP desktops in a little workgroup... what could be easier? A lot has changed over time. Now, we have Windows tablets, Azure, Active Directory, PowerShell, Microsoft 365 (Office 365), Hyper-V, Virtual Desktop Infrastructure and so on. Microsoft is battling Google, Amazon, and other cloud giants for cloud supremacy. The trick, of course, is to do cloud securely.

    Windows is the most widely used and targeted operating system on the planet. At the same time, the complexities of Active Directory, Public Key Infrastructure, BitLocker, endpoint security, and User Account Control represent both challenges and opportunities. This course section will help you quickly master the world of Windows security while showing you the tools that can simplify and automate your work, both on-premise and in the cloud (Microsoft Azure). You will complete the section with a good solid grounding in Windows security by looking at automation and auditing capabilities for the Windows ecosystem.

    • Process Observation and Analysis
    • NTFS File System Permissions Analysis as Part of Incident Response
    • Auditing and Enforcement of System Baseline Configurations with Security Templates
    • PowerShell Scripting and Automation Techniques for Speed and Scale

    Module: Windows Security Infrastructure

    This module discusses the infrastructure that supports Windows security. This is a big picture overview of the Windows security model. It provides the background concepts necessary to understand everything else that follows.

    • Windows Family of Products
    • Windows Workgroups and Accounts
    • Windows Active Directory and Group Policy

    Module: Windows as a Service

    This module discusses techniques for managing Windows systems as it applies to updates (patches) as well as new cloud-based deployment methodology (Windows Autopilot and Windows Virtual Desktop).

    • End of Support
    • Servicing Channels
    • Windows Update
    • Windows Server Update Services
    • Windows Autopilot
    • Windows Virtual Desktop

    Module: Windows Access Controls

    This module focuses on understanding how permissions are applied in the Windows NT File System (NTFS), Shared Folders, Active Directory, and Privileges. BitLocker is discussed as another form of access control (encryption), and as a tool to help maintain the integrity of the boot-up process if you have a Trusted Platform Module (TPM).

    • NTFS Permissions
    • Shared Folder Permissions
    • Active Directory
    • Permissions
    • Privileges
    • BitLocker Drive Encryption

    Module: Enforcing Security Policy

    This module discusses one of the best tools for automating security configuration changes, SECEDIT.EXE, which is the command-line version of Microsoft's Security Configuration and Analysis snap-in. We'll look at some of the most important changes that can be made by this tool, such as password and auditing policies. We'll also briefly discuss Group Policy Objects (GPOs) and the many best practice security configuration changes that they can help enforce throughout the domain.

    • Applying Security Templates
    • Employing the Security Configuration and Analysis Snap-in
    • Understanding Local Group Policy Objects
    • Understanding Domain Group Policy Objects
    • Administrative Users
    • Privileged Account Management
    • Reduction of Administrative Privileges
    • AppLocker
    • User Account Control
    • Windows Firewall
    • IPsec Authentication and Encryption
    • Remote Desktop Services
    • Recommended GPO Settings

    Module: Microsoft Cloud Computing

    Inside your LAN as well as in the cloud, you will likely have a mixture of servers. Microsoft's cloud is known as Azure. On top of Azure, Microsoft has implemented services such as Microsoft 365, Exchange Online, OneDrive, Intune, and many others. Microsoft has designed Windows 10 and later versions for integration with Azure, so Windows security includes not just Windows alone, but also Azure. It's important for your career as a security professional to understand the essential concepts of Microsoft Azure.

    • Microsoft s All-In Bet on Cloud Computing
    • Microsoft Cloud Types: IaaS, PaaS, SaaS, and DaaS
    • Microsoft Azure
    • Entra ID (Azure Active Directory)
    • Entra ID Single Sign-On
    • Multi-Factor Authentication
    • Administrative Role Reduction
    • Endpoint Security Enforcement
    • Microsoft Intune
    • Azure Conditional Access
    • Azure Monitor
    • Azure Sentinel (SIEM and SOAR)
    • Azure Policy
    • Azure Security Center

    Module: Automation, Logging, and Auditing

    Automation, logging, and auditing go together because if we can't automate our work, the auditing work doesn't get done at all (or is done only sporadically). Also, if we can't automate our work, we can't make our work scale beyond the small number of machines that we can physically touch. Thankfully, modern Windows systems come with a very powerful automation capability: PowerShell. We will learn what PowerShell is and how to leverage it in our pursuit of deployment consistency, detection of change, remediation of systems, and even threat hunting!

    • What Is Windows PowerShell?
    • Windows PowerShell versus PowerShell Core
    • Windows Subsystem for Linux (WSL)
    • Automation and Command-Line Capability in Azure (PowerShell Az Module and Azure CLI)
    • Azure Cloud Shell
    • Runbooks
    • Gathering Ongoing Operational Data Employing Change Detection and Analysis
  • Overview

    While organizations may not have many Linux systems, the Linux systems they do have are often the most critical systems that need to be protected. This course section focuses on the practical guidance necessary to improve the security of any Linux system. The section provides practical how-to instructions with background information for Linux beginners as well as security advice and best practices for administrators with various levels of expertise.

    Since Linux is perceived as being a free operating system, it is not a surprise that many advanced security concepts are first developed for Linux. One example is containers, which provide powerful and flexible concepts for cloud computing deployments. While not specifically designed for information security purposes, containers are built on elements of minimization, and that is something we can leverage in an overall information security methodology (as part of defense in depth). We will discuss what containers do and do not represent for information security, as well as best practices for their management.

    Last, but not least, we conclude the section with a review of Apple's macOS (which is based on UNIX). Apple's venerable macOS provides extensive opportunities for hardware and software security but is often misunderstood in terms of what can and cannot be achieved.

    • Linux Permissions
    • Containers and Logging Concepts
    • Linux Logging and Auditing Capabilities

    Module: Linux Fundamentals

    This module discusses the foundational items that are needed to understand how to configure and secure a Linux system.

    • Operating System Comparison
    • Linux Vulnerabilities
    • Linux Operating System
    • Shells
    • Linux Kernel
    • Linux Filesystem and Intrinsic Security Capabilities
    • Encryption at Rest
    • Permissions
    • User Accounts
    • PAM Subsystem
    • Command-Line Capabilities
    • Service Hardening
    • Package Management

    Module: Containerized Security

    The importance of segmentation and isolation techniques cannot be understated. Isolation techniques can help mitigate the initial damage caused by an adversary, giving us more time for detection. In this module, we will discuss various types of isolation techniques, including virtualization and containers. Containers are a relatively new concept (as applied to information security perspectives). There can be a lot of misunderstanding as to what security benefits are truly afforded by containers, and the potential security issues that may arise within containers themselves. We will discuss what containers are, best practices to deploy them, and how to secure them.

    • Virtualization
    • Containers versus VMs
    • Containers and Orchestration
    • LXC
    • Cgroups and Namespaces
    • Docker
    • Docker Images
    • Kubernetes
    • Container Security
    • Docker Best Practices
    • Vulnerability Management and Secure Configuration Baselines

    Module: Linux Security Enhancements and Infrastructure

    This module discusses security enhancement utilities that provide additional security and lockdown capabilities for modern Linux systems. As discussed earlier in the course, taking advantage of logging capabilities is an incredibly important aspect of our modern cyber defense. Linux supports the well-known Syslog logging standard (and its related features) and will be discussed in this module. As Syslog continues to age, it may end up being unable to provide the logging features that modern day cyber defense demands. Because of this, we will also explore additional logging enhancements ranging from Syslog-ng to Auditd.

    • Operating System Enhancements
    • SELinux
    • AppArmor
    • Linux Hardening
    • Kernel Module Security
    • SSH Hardening
    • CIS Hardening Guides and Utilities
    • Log Files
    • Syslog
    • Syslog Security
    • Log Rotation
    • Auditd
    • Firewalls: Network and Endpoint

    Module: macOS Security

    This module focuses on the security features that are built into macOS systems. Although macOS is a relatively secure system that provides many different features, it can also be flawed just like any other operating system.

    • What is macOS?
    • Privacy Controls
    • Keychain
    • Strong Passwords
    • Gatekeeper
    • Anti-Phishing and Download Protection
    • XProtect
    • Firewall Capabilities
    • FileVault
    • Sandboxing and Runtime Protection
    • Security Enclaves
    • macOS Vulnerabilities and Malware

GIAC Security Essentials

The GIAC Security Essentials (GSEC) certification validates a practitioner's knowledge of information security beyond simple terminology and concepts. GSEC certification holders are demonstrating that they are qualified for hands-on IT systems roles with respect to security tasks.

  • Defense in depth, access control and password management
  • Cryptography: basic concepts, algorithms and deployment, and application
  • Cloud: AWS and Azure operations
  • Defensible network architecture, networking and protocols, and network security
  • Incident handling and response, data loss prevention, mobile device security, vulnerability scanning and penetration testing
  • Linux: Fundamentals, hardening and securing
  • SIEM, critical controls, and exploit mitigation
  • Web communication security, virtualization and cloud security, and endpoint security
  • Windows: access controls, automation, auditing, forensics, security infrastructure, and services
More Certification Details


SEC401 covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, SEC275: Foundations - Computers, Technology and Security or SEC301: Introduction to Cyber Security would be the recommended starting point. While these courses are not a prerequisite for SEC401, they do provide the introductory knowledge to help maximize the experience with SEC401.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.


  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 100GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"From all observations of the world around us, it would appear that we might be living in a world of never-ending compromise. At first glance, an increase in compromise might be attributed to having more systems than ever before connected to more and more computer networks. On second glance, an increase in compromise might be attributed to poor security practices.

If having more systems connected to more networks results in more compromise, we are in serious trouble. An ever-increasing number of systems will continue to be connected in an increasingly connected world. Surely today, with more security available to us than at any other time in the history of computing, an ever-continuing increase in worldwide compromise can't be attributed to poor security practices. Or can it?

The truth is always complicated. It might be that we now live simultaneously in a world of ever-increasing security capability AND ever-increasing compromise. As distressing as that might be, the answer might be as simple as the notion that 'Offense informs Defense.' In the spirt of that notion, SEC401 will provide you with real-world, immediately actionable, knowledge and information that will put you and your organization on the best footing possible to better counter the modern adversary. Join us to learn how to fight, and how to win."

-Bryan Simon, Course Author, SEC401

"Bryan Simon's knowledge and personal experience continue to astound me. SEC401 course content has been incredibly useful and will be directly applicable to my job, and the labs have practical use and are great demonstrations of the concepts presented in lectures." - Thomas Wilson, Agile Systems


The class, instructor, and organizers were amazing throughout this SEC401 bootcamp! I learned a lot of useful information and look forward to reviewing the recordings soon.
Tamie Wade-Britton
Sutter Health
SEC401 has been excellent experience all around. It is content-heavy and rich, and regardless of your technical ability and experience, you will leave with a far better understanding of many aspects of cyber security.
Paul F
Australian Federal Government
SEC401 gives you a fantastic knowledge base to build on, and I would say it's essential for anyone working in cybersecurity.
Thomas Wilson
Agile Systems
Excellent material for security professionals wanting a deeper level of knowledge on how to implement security policies, procedures, and defensive mechanisms in an organization.
Brandon Smit
SEC401 provides an excellent overview of security fundamentals delivered by experienced industry professionals.
Jason W.
US Federal Agency
I am beyond impressed with SEC401, and this experience far exceeded my expectations. I began this course in having generalist knowledge and finished equipped with new knowledge and distilled prior knowledge.
Paul Farthing
Very well rounded training. Great that he(the instructor) was able to bring real world examples to class. Made the class flow smoothly.
Robin Mahon
Kapstone Paper

    Register for SEC401

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.