SEC401: Security Essentials - Network, Endpoint, and Cloud

GIAC Security Essentials (GSEC)
GIAC Security Essentials (GSEC)
  • In Person (6 days)
  • Online
46 CPEs

Whether you're new to information security or a seasoned expert with a specialized focus, SEC401 provides the essential skills and techniques needed to secure critical information and technology assets, whether on-premises or in the cloud. The course teaches you how to apply these concepts directly into a winning defensive strategy, all framed in terms of combating today's adversaries. This is how we fight, and this is how we win! With 20 hands-on labs, SEC401 empowers you to implement these skills effectively in real-world scenarios.

What You Will Learn

Master the Essentials of Cybersecurity

Organizations are under constant threat, and it is critical to be prepared for eventual compromise. Now, more than ever, timely detection and response are essential. The longer an adversary remains in your environment, the greater the damage becomes. Perhaps the most vital question in information security today is: "How quickly can we detect, respond to, and remediate an adversary?"

Information security is about focusing your defenses on the areas that matter most, particularly as they relate to the unique needs of your organization. In SEC401, you will learn the foundational language and inner workings of computer and information security, and how to apply them effectively to your specific challenges. You'll acquire the critical knowledge needed to secure systems and organizations with confidence.

SEC401 teaches you the most effective steps to prevent attacks and detect adversaries, equipping you with actionable techniques you can immediately apply in your workplace. Through practical tips and insights, you'll be better prepared to win the ongoing battle against a broad range of cyber adversaries who seek to infiltrate your environment.

New and Enhanced Labs Overview

Unlock the critical skills needed to defend systems and networks with the latest additions to SEC401, now featuring 20 state-of-the-art labs. These labs have been carefully designed to offer hands-on experience, providing practical skills essential for addressing today's complex cybersecurity challenges.

New Lab Highlights:

  • Network Analysis: Dive deep into network traffic with labs on tcpdump and Wireshark and explore network flow information that is vital for detection and response, such as AWS VPC Flow Logs.
  • Advanced Threat Detection: Develop skills in SIEM Log Analysis and employ tools like Snort3 and Zeek for robust Intrusion Detection and Network Security Monitoring.
  • System Security: Sharpen your skills in Linux Logging and Auditing, Windows Process Exploration, and Windows Filesystem Permissions, ensuring comprehensive system oversight.
  • Audit and Compliance: Master Password Auditing, Binary File Analysis, and Data Loss Prevention to safeguard sensitive data against emerging threats.
  • Cryptography and Recovery: Get hands-on with Hashing and Cryptographic Validation, Encryption and Decryption, and Mobile Device Backup Recovery to secure and recover data.
  • Windows and Linux Security: Apply Windows System Security Policies, manage Linux Permissions, and explore Linux Containers for enhanced security posture.
  • Automation and Discovery: Utilize PowerShell for Speed and Scale and conduct Network Discovery to efficiently manage security tasks.
  • Exploitation and Protection: Learn to identify and exploit vulnerabilities in Web App Exploitation, and apply security best practices.

Each lab is crafted to build proficiency in using real-world tools and techniques, preparing you to effectively respond to a variety of security incidents. Whether you are new to cybersecurity or seeking to update your skills, these labs offer a practical, immersive learning experience in the critical aspects of security fundamentals.

"SEC401 covered a very wide range of security technologies, processes, and tools that will really open your eyes. I liked how the course shows that not everything is magic, and packets of data can be interpreted even without fancy tools. The labs were great for demonstrating the concepts, with flawless instruction and seamless packet capture." - Fei Ma, DESEI

Business Takeaways

  • How to address high-priority security concerns
  • Leverage security strengths and differences among the top cloud providers
  • Build a network visibility map to help validate attack surface
  • Reduce an organization's attack surface through hardening and configuration management

Skills Learned

  • How to create a security program that is built on a foundation of Detection, Response, and Prevention
  • Practical tips and tricks that focus on addressing high-priority security concerns within one's organization and doing the right things that lead to effective security solutions
  • How adversaries adapt their tactics, techniques, and procedures and how to adapt your defense accordingly
  • What ransomware is and how to better defend against it
  • How to leverage a defensible network architecture (VLANs, NAC, 802.1x, Zero Trust) based on indicators of compromise
  • Identity and Access Management (IAM) methodology and related aspects of strong authentication (MFA)
  • How to leverage the security strengths and differences among various cloud providers (including multi-cloud)
  • Realistic and practical applications of a capable vulnerability management program
  • How to sniff network communication protocols to determine the content of network communication (including access credentials) using tools such as tcpdump and Wireshark
  • How to use Windows, Linux, and macOS command line tools to analyze a system looking for high-risk indicators of compromise, as well as the concepts of basic scripting for the automation of continuous monitoring
  • How to build a network visibility map that can be used to validate attack surfaces and determine the best methodology to effectively reduce risk through hardening and configuration management
  • Why some organizations win and why some lose when it comes to cybersecurity

With the rise in advanced persistent threats, it is inevitable that organizations will be targeted. Defending against attacks is an ongoing challenge with next generation threats regularly emerging. In order to be successful in defending an environment, organizations need to understand what really works in cybersecurity. What has worked - and will always work - is taking a risk-based approach to cyber defense.

Hands-On Cybersecurity Training

The lab-based hands-on portion of the course allows students to apply and master course concepts. The labs follow the adventures of the security team at Alpha Incorporated, a fictitious organization that has suffered from a series of compromises. With the labs based upon four real-world scenarios that many organizations face in today's modern world, students walk away with a keen understanding of the real-world challenges they will face throughout their career. Mastering the course concepts by way of hands-on exercise facilitates the spirit of fulfilling the SANS promise: what is learned in the course is immediately applicable at work.

  • Section 1: Tcpdump; Wireshark; AWS VPC Flow Logs
  • Section 2: Password Auditing; Data Loss Prevention; Mobile Device Backup Recovery
  • Section 3: Network Discovery; Binary File Analysis and Characterization; Web App Exploitation; SIEM Log Analysis
  • Section 4: Hashing and Cryptographic Validation; Encryption and Decryption; Intrusion Detection and Network Security Monitoring with Snort3 and Zeek
  • Section 5: Windows Process Exploration; Windows Filesystem Permissions; Applying Windows System Security Policies; Using PowerShell for Speed and Scale
  • Section 6: Linux Permissions; Linux Containers; Linux Logging and Auditing

What You Will Receive

  • Course books, lab workbook (more than 500 pages of hands-on exercises), virtual machines with tools pre-installed
  • TCP/IP reference guides
  • MP3 audio files of the complete course lecture

What Comes Next?

Depending on your current role or future plans, one of these courses is a great next step in your cybersecurity journey:

Syllabus (46 CPEs)

Download PDF
  • Overview

    In the first section, we explore the reality that while organizations strive to prevent as many attacks as possible, not all threats will be stopped. Therefore, timely detection becomes critical. Understanding how to construct a defensible network architecture—along with the various network designs and communication flows—is essential to responding effectively.

    Next, we examine how, within any organization, not all data holds equal value. Some information may be routine, while other data is highly sensitive and critical, with its loss potentially causing irreparable damage. It’s crucial to understand how network-based attacks introduce risk to this critical data and where vulnerabilities lie within an organization’s infrastructure. This requires a thorough understanding of modern network communication protocols.

    Cloud computing naturally comes into focus as part of modern public and private network discussions. No conversation about defensible networking would be complete without addressing the cloud—its security features, capabilities, and associated concerns. Additionally, we explore artificial intelligence (AI) in this context, discussing its fundamentals and what AI truly means versus common misconceptions. Understanding AI’s role in the cloud is essential, as many AI-driven solutions operate within cloud environments, further intertwining these two critical topics in modern cybersecurity.

    As we delve deeper, it becomes clear that adversaries rely on our networks as much as we do. They pivot relentlessly from system to system, exploiting our infrastructure to reach their objectives. By learning how our networks function in relation to our unique needs, we can better detect and mitigate adversarial activity.

    By the end of this section, you will have a solid understanding of defensible network architecture, protocols and packet analysis, virtualization and cloud fundamentals (including AI), and wireless network security.

    Exercises
    • Sniffing and analysis of network traffic including tcpdump
    • Sniffing, protocol decoding, and extraction of network traffic using Wireshark
    • Examination and interpretation of Amazon Web Services (AWS) VPC Flow Logs
    Topics

    Module: Defensible Network Architecture

    To properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of network architecture. Above and beyond an understanding of network architecture, however, properly securing and defending a network will further require an understanding of how adversaries abuse the information systems of our network to achieve their goals.

    • Network Architecture
    • Attacks Against Network Devices
    • Network Topologies
    • Network Design

    Module: Protocols and Packet Analysis

    A solid understanding of the interworking of networks enables you to more effectively recognize, analyze, and respond to the latest (perhaps unpublished) attacks. This module introduces the core concepts of computer networks and protocols.

    • Network Protocols Overview
    • Internet Protocol (IP)
    • Internet Control Message Protocol (ICMP)
    • Transmission Control Protocol (TCP)
    • User Datagram Protocol (UDP)
    • tcpdump

    Module: Virtualization, Cloud, and AI Essentials

    The module begins with an examination of what virtualization is, the security benefits and the risks of a virtualized environment, and the differences found in different types of virtualization architecture. Because cloud computing is architected on virtualization, the module contains an extensive discussion of what the public and private cloud is, how it works, the services made available by the public cloud (including security offerings), and related security concepts. Last, but not least, because much of our current AI functionality operates in the cloud, it makes sense to discuss in this module exactly what AI is, whether the hype is warranted (or not), and what AI currently means versus what it might mean in the future.

    • Virtualization Overview
    • Virtualization Security
    • Cloud Overview
    • Cloud Security
    • AI Overview
    • AI Security

    Module: Securing Wireless Networks

    This module helps the student to understand the differences of the various types of wireless communication technologies available today, the insecurities present in those communications, and approaches to reduce the risk of those insecurities to a more acceptable level.

    • The Pervasiveness of Wireless Communications
    • Traditional Wireless: IEEE 802.11 and its Continual Evolution
    • Personal Area Networks
    • 5G Cellular (Mobile) Communications
    • The Internet of Things
  • Overview

    This section of the course explores large-scale threats to our systems and the strategies for defending against them, emphasizing the need for layered protection, known as defense-in-depth. We begin by laying the groundwork for information assurance, examining how security threats impact the confidentiality, integrity, and availability of our systems.

    Since access controls are a fundamental component of defense-in-depth, we dive into the core aspects of identity and access management (IAM). Despite efforts to deprecate passwords as the primary authentication factor, they remain prevalent today, and many security breaches still stem from credential theft. This leads to an in-depth discussion on modern authentication methods and password security, particularly in the context of cloud computing. IAM is increasingly considered the new security perimeter for cloud-based systems, and its proper implementation is crucial for strong defense.

    Midway through this section, we shift focus to contemporary security controls that are effective against today's adversaries. We do this by examining frameworks such as the Center for Internet Security (CIS) Controls, the NIST Cybersecurity Framework, and the MITRE ATT&CK knowledge base.

    As we revisit earlier discussions on network architecture, we naturally explore additional ways to bolster network defensibility. This brings us to a broader environmental approach, emphasizing how best to secure data both in transit and at rest, leading to an in-depth conversation on data loss prevention (DLP) techniques.

    Finally, no discussion on defense-in-depth would be complete without addressing one of the most critical technologies in use today--mobile devices. We conclude this section with a dedicated module on mobile devices, examining both the benefits and the security risks they present. Topics such as Bring Your Own Device (BYOD) and Mobile Device Management (MDM) are explored in detail to round out the discussion.

    Exercises
    • Password Auditing
    • Investigative techniques using Data Loss Prevention capabilities
    • Investigation of artifacts found in mobile device backups
    Topics

    Module: Defense-in-Depth

    This module examines threats to our systems and takes a big picture look at how to defend against them. We will learn that protections need to be layered, a principle called defense-in-depth. We will also evaluate related principles (such as Zero Trust) that will further serve you well in protecting your systems.

    • Defense-in-Depth Overview
    • Constituents of Risk: Confidentiality, Integrity and Availability
    • Strategies for Defense-in-Depth
    • Core Security Strategies
    • Defense-in-Depth in the Cloud
    • Zero Trust Methodology
    • Variable Trust

    Module: IAM, Authentication, and Password Security

    This module discusses the principles of identity management and access control. As access control models vary in their approaches to security, we will explore their underlying principles, strengths, and weaknesses. The module also includes a brief discussion on authentication and authorization protocols and control. A discussion of identity and access management naturally leads to a conversation on authentication and password security. We will spend time discussing the various factors of authentication: something you know, something you have, and something you are. We conclude the module by focusing specifically on the most common (and problematic) example of something you know: the password.

    • IAAA: Identification, Authentication, Authorization, Accountability
    • Single Sign On (SSO): Traditional On-Premise and Cloud (SAML and OAuth)
    • Password Management
    • Password Techniques
    • Password (Passphrase) Policies
    • Password Storage
    • Key Derivation Functions
    • How Password Assessment Works
    • Password Attack Tools (Hashcat and Mimikatz)
    • Multi-Factor Authentication
    • Adaptive Authentication
    • Privileged Access Management: On-Premise and Cloud

    Module: Security Frameworks

    In implementing security, it is important to have a framework that includes proper metrics. As is often said, you cannot manage what you cannot measure. This module focuses on three frameworks: The Center for Internet Security (CIS) Controls (created to help organizations prioritize the most critical risks they face); the NIST Cybersecurity Framework (standards, guidelines, and best practices that can assist in managing overall cybersecurity risk); and the MITRE ATT&CK knowledge base (adversary tactics and techniques). Combining the prioritized actions of the CIS Controls with the understanding of overall risk from the NIST Cybersecurity Framework, all in consideration of adversarial tactics and techniques, will help put us on solid footing in defending against the modern adversary.

    • Introduction to the CIS Controls
    • CIS Controls Guiding Principles
    • Case Study: Sample CIS Control
    • NIST Cybersecurity Framework
    • MITRE ATT&CK (TTP and Mapping to Known Adversaries)

    Module: Data Loss Prevention

    Loss or leakage?

    In essence, data loss is any condition that results in data being corrupted, deleted, or made unreadable in any way. A data breach is an incident that can lead to, among other things, unintentional information disclosure and data leakage. This module covers exactly what constitutes data loss or leakage, and the methodologies that can be leveraged to implement an appropriate data-loss prevention capability.

    • Loss or Leakage
    • Data Loss
    • Data Leakage
    • Ransomware
    • Preventative Strategies
    • Redundancy (On-Premise and Cloud)
    • Data Recovery
    • Related Regulatory Requirements (GDPR and CCPA)
    • Data Loss Prevention Tools
    • Defending Against Data Exfiltration
    • User Activity Monitoring

    Module: Mobile Device Security

    The first part of the module gives a comparison of the Android and iOS mobile operating systems and what makes them so different. The module concludes with a brief discussion of the security features of both mobile operating systems, along with the potential of damaging attacks from malware.

    • Android versus iOS
    • Android Security
    • Android Security Features
    • What You Need to Know About Android
    • Android Fragmentation
    • Android Security Fix Process
    • Apple iOS Security
    • Apple iOS Security Features
    • What to Know About iOS
    • iOS Updates
    • Mobile Problems and Opportunities
    • Mobile Device Management
    • Unlocking, Rooting, and Jailbreaking
    • Mitigating Mobile Malware
    • Android Malware
    • iOS Malware
  • Overview

    In this section, we turn our attention to the various areas within our environment where vulnerabilities can emerge. We begin by defining what constitutes a vulnerability and how to establish an effective vulnerability assessment program.

    Since vulnerabilities represent the weaknesses that adversaries exploit, a discussion on this topic must also include an in-depth examination of modern attack methodologies, with real-world examples of compromises. Among the potential areas for vulnerabilities, web applications pose some of the greatest risks, often leading to the most severe consequences. Due to the extensive vulnerabilities associated with web applications, an entire module is dedicated to exploring web application security concepts.

    While vulnerabilities may provide adversaries with easy access to systems, it's important to remember that their actions post-compromise can often be detected. By effectively leveraging the logging capabilities of hardware and software, we can detect adversarial activity more quickly. This capability is covered in our penultimate module, which focuses on Security Operations and Log Management.

    Finally, it's crucial to have a well-structured response plan for handling any compromises. The methodology for an appropriate incident response is the focus of the final module in this section.

    Exercises
    • System, Port, and Vulnerability Discovery with Nmap
    • Malware Analysis
    • Abusing Web Application Vulnerabilities for Exploitation
    • Leveraging SIEM Logs for Incident Response and Investigation
    Topics

    Module: Vulnerability Assessments

    This module covers the tools, technology, and techniques used for the mapping of networks and scanning of vulnerabilities, all within the scope of a proper vulnerability framework.

    • Introduction to Vulnerability Assessments
    • Steps to Perform a Vulnerability Assessment
    • Criticality and Risks

    Module: Penetration Testing

    The role of penetration testing, which is well understood by most organizations, gave rise to newer testing techniques such as red and purple teaming and adversary emulation. Often, penetration testing is limited in scope to where the testers are not truly able to emulate and mimic the behaviors of adversaries. This is where the red teaming and adversary emulation functions come into play. Furthermore, a methodical and meticulous approach to penetration testing is needed to provide value to your organization.

    • The What and Why of Penetration Testing
    • Red Team
    • Adversary Emulation
    • Purple Team
    • External and Internal Penetration Testing
    • Web Application Penetration Testing
    • Social Engineering
    • Mobile Device Testing
    • Internet of Things Testing
    • Penetration Testing Process
    • Penetration Testing Tools (Nmap, Metasploit, Meterpreter)
    • Password Compromise, Reuse, Stuffing, and Spraying

    Module: Attacks and Malicious Software

    This module will examine commonalities of well-known breaches as well as ransomware attacks that continue to cripple hundreds of thousands of systems across different industries. We will describe the attacks in detail, discussing not only the conditions that made them possible, but also strategies that can be used to help manage the risks associated with such attacks.

    • High-Profile Breaches and Ransomware
    • Ransomware as a Service
    • Common Attack Techniques
    • Malware and Analysis

    Module: Web Application Security

    This module looks at some of the most important things to know about designing and deploying secure web applications. We start with an examination of the basics of web communications, then move on to cover HTTP, HTTPS, HTML, cookies, authentication, and maintaining state. We conclude by looking at how to identify and fix vulnerabilities in web applications.

    • Web Communication Fundamentals
    • Cookies
    • HTTPS
    • Developing Secure Web Apps
    • OWASP Top Ten
    • Basics of Secure Coding
    • Web Application Vulnerabilities
    • Web Application Monitoring
    • Web Application Firewall (WAF)

    Module: Security Operations and Log Management

    This module covers the essential components of logging, how to properly manage logging, and the considerations that factor into leveraging logging to its fullest potential during incident response.

    • Logging Overview
    • Log Collection Architecture
    • Log Filtering
    • Problems with Logging Standards
    • Setting Up and Configuring Logging
    • Log Analysis Tools
    • Log Aggregation and SIEM
    • Key Logging Activities

    Module: Digital Forensics and Incident Response

    This module explores the fundamentals of incident handling and why it is important to an organization. We will outline a multi-step process to create our own incident handling procedures and response plans. Being able to leverage digital forensic methodologies to ensure that processes are repeatable and verifiable will also be a key focus of the material.

    • Introduction to Digital Forensics
    • What is Digital Forensics?
    • Digital Forensics in Practice
    • The Investigative Process
    • Remaining Forensically Sound
    • Examples of Examining Forensics Artifacts
    • DFIR (Digital Forensics and Incident Response) Subdisciplines
    • Digital Forensics Tools
    • Incident Handling Fundamentals
    • Multi-Step Process for Handling an Incident
    • Threat Hunting
  • Overview

    There is no single solution that guarantees complete security, but one technology that can address many security challenges--though often improperly deployed--is cryptography. In the first half of this section, we will delve into various cryptographic concepts and explore how they can be effectively used to safeguard an organization's assets.

    In the second half, our focus shifts to prevention technologies that can stop adversaries from gaining access to your organization. This includes the use of firewalls and intrusion prevention systems. We will also examine detection technologies, such as intrusion detection systems, which can identify the presence of an adversary. These prevention and detection methods can be deployed at both the network and endpoint levels, and we will discuss the similarities and differences in their implementation.

    Exercises
    • Hashing and Cryptographic Validation
    • Encryption, Decryption, and Digital Signature Techniques
    • Incident Detection Leveraging the Snort and Zeek Intrusion Detection Systems
    Topics

    Module: Cryptography

    Cryptography can provide the functional capabilities needed to achieve confidentiality, integrity, authentication, and non-repudiation. There are three general types of cryptographic systems: symmetric, asymmetric, and hashing. These systems are usually distinguished from one another by the number of keys employed, as well as the security goals they achieve. This module discusses these different types of cryptographic systems and how each type is used to provide a specific security function.

    • Cryptosystem Fundamentals
    • Cryptography
    • Cryptanalysis
    • General Types of Cryptosystems (Symmetric, Asymmetric, Hashing)
    • Digital Signatures

    Module: Cryptography Algorithms and Deployment

    The content of this module will help us gain a high-level understanding of the mathematical concepts that contribute to modern cryptography. We'll also identify common attacks used to subvert cryptographic defenses.

    • Mathematical Features of Strong Cryptography
    • AES
    • RSA
    • ECC
    • Cryptography Attacks (Cryptanalysis)

    Module: Applying Cryptography

    This module will discuss the practical applications of cryptography in terms of protection of data in transit and protection of data at rest. We conclude with an important discussion on the management of public keys (and the related concepts of certificates), all in terms of a Public Key Infrastructure.

    • Data in Transit
    • Virtual Private Networks (VPN), IPsec and SSL-based
    • Data at Rest
    • File/Folder Level Encryption
    • Full Disk Encryption
    • GNU Privacy Guard (GPG)
    • Key Management
    • Public Key Infrastructure (PKI)
    • Digital Certificates
    • Certificate Authorities

    Module: Network Security Devices

    Three main categories of network security devices will be discussed in this module: Firewalls, Network Intrusion Detection Systems (NIDS), and Network Intrusion Prevention Systems (NIPS). Together, they provide a complement of prevention and detection capabilities.

    • Overview of Firewalls
    • Types of Firewalls
    • Firewall Configuration and Deployment Considerations
    • NIDS
    • Types of NIDS
    • Snort as a NIDS
    • NIPS
    • Methods for NIPS Deployment
    • NIPS Security and Productivity Risk Considerations

    Module: Endpoint Security

    In this final module of the section, we examine some of the key components, strategies, and solutions for implementing security from an endpoint perspective. This includes general approaches to endpoint security, strategies for baselining activity, and solutions like Host-based IDS (HIDS) and Host-based IPS (HIPS).

    • Endpoint Security Overview
    • Core Components of Endpoint Security
    • Enhancing Endpoint Security
    • Endpoint Security Solutions
    • Anti-malware
    • Endpoint Firewalls
    • Integrity Checking
    • HIDS, HIPS, and EDR
  • Overview

    Remember when Windows was simple? Back in the days of Windows XP desktops in small workgroups, things seemed straightforward. But much has changed. Today, we manage Windows tablets, Azure, Active Directory, PowerShell, Microsoft 365 (formerly Office 365), Hyper-V, Virtual Desktop Infrastructure, and more. As Microsoft competes with cloud giants like Google and Amazon, securing the cloud has become a critical challenge.

    Windows remains the most widely used and targeted desktop operating system globally. At the same time, the complexities of Active Directory, Public Key Infrastructure (PKI), BitLocker, endpoint security, and user access control present both challenges and opportunities. This course section will guide you through mastering the essentials of Windows security while introducing tools that can streamline and automate your work, whether on-premises or in the cloud with Microsoft Azure. By the end of this section, you'll have a solid foundation in Windows security, including automation and auditing within the Windows ecosystem.

    Exercises
    • Process Observation and Analysis
    • NTFS File System Permissions Analysis as Part of Incident Response
    • Auditing and Enforcement of System Baseline Configurations with Security Templates
    • PowerShell Scripting and Automation Techniques for Speed and Scale
    Topics

    Module: Windows Security Infrastructure

    This module discusses the infrastructure that supports Windows security. This is a big picture overview of the Windows security model. It provides the background concepts necessary to understand everything else that follows.

    • Windows Family of Products
    • Windows Workgroups and Accounts
    • Windows Active Directory and Group Policy

    Module: Windows as a Service

    This module discusses techniques for managing Windows systems as it applies to updates (patches) as well as new cloud-based deployment methodology (Windows Autopilot, Windows Virtual Desktop and Windows 365).

    • End of Support
    • Servicing Channels
    • Windows Update
    • Windows Server Update Services
    • Windows Autopilot
    • Windows Virtual Desktop
    • Windows 365

    Module: Windows Access Controls

    This module focuses on understanding how permissions are applied in the Windows NT File System (NTFS), Shared Folders, Active Directory, and Privileges. BitLocker is discussed as another form of access control (encryption), and as a tool to help maintain the integrity of the boot-up process if you have a Trusted Platform Module (TPM).

    • NTFS Permissions
    • Shared Folder Permissions
    • Active Directory
    • Permissions
    • Privileges
    • BitLocker Drive Encryption
    • Personal Data Encryption (PDE)
    • Hardware-based security (Microsoft Pluton)

    Module: Enforcing Security Configurations

    This module discusses one of the best tools for automating security configuration changes, SecEdit.exe, which is the command-line version of Microsoft's Security Configuration and Analysis snap-in. We'll look at some of the most important changes that can be made by this tool, such as password and auditing policies. We'll also briefly discuss Group Policy Objects (GPOs) and the many best practice security configuration changes that they can help enforce throughout the domain.

    • Applying Security Templates
    • Employing the Security Configuration and Analysis Snap-in
    • Understanding Local Group Policy Objects
    • Understanding Domain Group Policy Objects
    • Administrative Users
    • Privileged Account Management
    • Reduction of Administrative Privileges
    • AppLocker
    • User Account Control
    • Windows Firewall
    • IPsec Authentication and Encryption
    • Remote Desktop Services
    • Recommended GPO Settings

    Module: Microsoft Cloud Computing

    Inside your LAN as well as in the cloud, you will likely have a mixture of servers. Microsoft's cloud is known as Azure. On top of Azure, Microsoft has implemented services such as Microsoft 365, Exchange Online, OneDrive, Intune, and many others. Microsoft has designed Windows 10 and Windows 11 for integration with Azure, so Windows security includes not just Windows alone, but also Azure. It's important for your career as a security professional to understand the essential concepts of Microsoft Azure.

    • Microsoft All-In Bet on Cloud Computing
    • Microsoft Cloud Types: IaaS, PaaS, SaaS, and DaaS
    • Microsoft Azure
    • Entra ID (Azure Active Directory)
    • Entra ID Single Sign-On
    • Multi-Factor Authentication
    • Administrative Role Reduction
    • Endpoint Security Enforcement
    • Microsoft Intune
    • Azure Conditional Access
    • Azure Monitor
    • Azure Sentinel (SIEM and SOAR)
    • Azure Policy
    • Azure Security Center

    Module: Automation, Logging, and Auditing

    Automation, logging, and auditing go together because if we can't automate our work, the auditing work doesn't get done at all (or is done only sporadically). Also, if we can't automate our work, we can't make our work scale beyond the small number of machines that we can physically touch. Thankfully, modern Windows systems come with a very powerful automation capability: PowerShell. We will learn what PowerShell is and how to leverage it in our pursuit of deployment consistency, detection of change, remediation of systems, and even threat hunting!

    • What Is Windows PowerShell?
    • Windows PowerShell versus PowerShell Core
    • Windows Subsystem for Linux (WSL)
    • Automation and Command-Line Capability in Azure (PowerShell Az Module and Azure CLI)
    • Azure Cloud Shell
    • Runbooks
    • Gathering Ongoing Operational Data Employing Change Detection and Analysis
  • Overview

    While organizations may not have a large number of Linux systems, those they do have are often the most critical and require the highest levels of protection. This course section focuses on providing practical guidance to enhance the security of any Linux system. It offers step-by-step instructions with foundational background for Linux beginners, as well as advanced security advice and best practices for administrators of varying expertise levels.

    Given Linux's reputation as a free and open-source operating system, it's no surprise that many advanced security concepts are first developed for Linux. One notable example is containers, which offer powerful and flexible capabilities for cloud computing deployments. Although containers weren't initially designed for security purposes, they are built on the principle of minimization, which can be leveraged as part of a defense-in-depth security strategy. We will explore what containers represent for information security, what they do not, and best practices for their management.

    Finally, we conclude this section with a review of Apple's macOS, which is built on a UNIX foundation. Despite its robust hardware and software security features, macOS is often misunderstood regarding what it can and cannot achieve in terms of security.

    Exercises
    • Linux Permissions
    • Containers and Logging Concepts
    • Linux Logging and Auditing Capabilities
    Topics

    Module: Linux Fundamentals

    This module discusses the foundational items that are needed to understand how to configure and secure a Linux system.

    • Operating System Comparison
    • Linux Vulnerabilities
    • Linux Operating System
    • Shells
    • Linux Kernel
    • Linux Filesystem and Intrinsic Security Capabilities
    • Encryption at Rest
    • Permissions
    • User Accounts
    • PAM Subsystem
    • Command-Line Capabilities
    • Service Hardening
    • Package Management

    Module: Containerized Security

    The importance of segmentation and isolation techniques cannot be understated. Isolation techniques can help mitigate the initial damage caused by an adversary, giving us more time for detection. In this module, we will discuss various types of isolation techniques, including virtualization and containers. Containers are a relatively new concept (as applied to information security perspectives). There can be a lot of misunderstanding as to what security benefits are truly afforded by containers, and the potential security issues that may arise within containers themselves. We will discuss what containers are, best practices to deploy them, and how to secure them.

    • Virtualization
    • Containers versus VMs
    • Containers and Orchestration
    • LXC
    • Cgroups and Namespaces
    • Docker
    • Docker Images
    • Kubernetes
    • Container Security
    • Docker Best Practices
    • Vulnerability Management and Secure Configuration Baselines

    Module: Linux Security Enhancements and Infrastructure

    This module discusses security enhancement utilities that provide additional security and lockdown capabilities for modern Linux systems. As discussed earlier in the course, taking advantage of logging capabilities is an incredibly important aspect of our modern cyber defense. Linux supports the well-known Syslog logging standard (and its related features) and will be discussed in this module. As Syslog continues to age, it may end up being unable to provide the logging features that modern day cyber defense demands. Because of this, we will also explore additional logging enhancements ranging from Syslog-ng to Auditd.

    • Operating System Enhancements
    • SELinux
    • AppArmor
    • Linux Hardening
    • Kernel Module Security
    • SSH Hardening
    • CIS Hardening Guides and Utilities
    • Log Files
    • Syslog
    • Syslog Security
    • Log Rotation
    • Auditd
    • Firewalls: Network and Endpoint

    Module: macOS Security

    This module focuses on the security features that are built into macOS systems. Although macOS is a relatively secure system that provides many different features, it can also be flawed just like any other operating system.

    • What is macOS?
    • Privacy Controls
    • Keychain
    • Strong Passwords
    • Gatekeeper
    • Anti-Phishing and Download Protection
    • XProtect
    • Firewall Capabilities
    • FileVault
    • Sandboxing and Runtime Protection
    • Security Enclaves
    • macOS Vulnerabilities and Malware

GIAC Security Essentials

The GIAC Security Essentials (GSEC) certification validates a practitioner's knowledge of information security beyond simple terminology and concepts. GSEC certification holders are demonstrating that they are qualified for hands-on IT systems roles with respect to security tasks.

  • Defense in depth, access control and password management
  • Cryptography: basic concepts, algorithms and deployment, and application
  • Cloud: AWS and Azure operations
  • Defensible network architecture, networking and protocols, and network security
  • Incident handling and response, data loss prevention, mobile device security, vulnerability scanning and penetration testing
  • Linux: Fundamentals, hardening and securing
  • SIEM, critical controls, and exploit mitigation
  • Web communication security, virtualization and cloud security, and endpoint security
  • Windows: access controls, automation, auditing, forensics, security infrastructure, and services
More Certification Details

Prerequisites

SEC401 covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, SEC275: Foundations - Computers, Technology and Security or SEC301: Introduction to Cyber Security would be the recommended starting point. While these courses are not a prerequisite for SEC401, they do provide the introductory knowledge to help maximize the experience with SEC401.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

Mandatory SEC401 System Hardware Requirements

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 100GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

Mandatory SEC401 Host Configuration And Software Requirements

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ (for macOS hosts) prior to class beginning.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact customer service.

Author Statement

"From observing the world around us, it seems we may be living in an era of never-ending compromise. At first glance, the rise in compromises could be attributed to the sheer increase in systems being connected to more networks than ever before. Upon deeper reflection, however, poor security practices might also bear much of the blame.

If more systems being connected to more networks directly leads to more compromises, we face a significant problem. The number of interconnected systems will only continue to grow in an increasingly connected world. With more security tools and technologies available today than at any other time in computing history, surely poor security practices alone can't explain the rise in compromises. Or can they?

The reality is complex. It's possible we live in a world of ever-expanding security capabilities and, simultaneously, ever-increasing compromises. As unsettling as this might be, the key takeaway could lie in the simple idea that 'Offense informs Defense.' In that spirit, SEC401 offers real-world, immediately actionable knowledge that will empower you and your organization to better defend against modern adversaries. Join us to learn how to fight--and how to win."

-Bryan Simon, GSE, Course Author, SEC401

"Bryan Simon's knowledge and personal experience continue to astound me. SEC401 course content has been incredibly useful and will be directly applicable to my job, and the labs have practical use and are great demonstrations of the concepts presented in lectures." - Thomas Wilson, Agile Systems

Reviews

The class, instructor, and organizers were amazing throughout this SEC401 bootcamp! I learned a lot of useful information and look forward to reviewing the recordings soon.
Tamie Wade-Britton
Sutter Health
SEC401 gives you a fantastic knowledge base to build on, and I would say it's essential for anyone working in cybersecurity.
Thomas Wilson
Agile Systems
SEC401 provides an excellent overview of security fundamentals delivered by experienced industry professionals.
Jason W.
US Federal Agency
SEC401 has been excellent experience all around. It is content-heavy and rich, and regardless of your technical ability and experience, you will leave with a far better understanding of many aspects of cyber security.
Paul F
Australian Federal Government
Excellent material for security professionals wanting a deeper level of knowledge on how to implement security policies, procedures, and defensive mechanisms in an organization.
Brandon Smit
Dynetics
I am beyond impressed with SEC401, and this experience far exceeded my expectations. I began this course in having generalist knowledge and finished equipped with new knowledge and distilled prior knowledge.
Paul Farthing
Very well rounded training. Great that he(the instructor) was able to bring real world examples to class. Made the class flow smoothly.
Robin Mahon
Kapstone Paper

    Register for SEC401

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...