
SEC401: Security Essentials: Network, Endpoint, and Cloud

GIAC Security Essentials (GSEC)
  • In Person (6 days)
  • Online
46 CPEs

Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401 will provide the essential information security skills and techniques you need to protect and secure your critical information and technology assets, whether on-premise or in the cloud. SEC401 will also show you how to directly apply the concepts learned into a winning defensive strategy, all in the terms of the modern adversary. This is how we fight; this is how we win!

What You Will Learn

This course will teach you the most effective steps to prevent attacks and detect adversaries with actionable techniques that can be used as soon as you get back to work. You will learn tips and tricks designed to help you win the battle against the wide range of cyber adversaries that want to harm your environment.

Organizations are going to be targeted, so they must be prepared for eventual compromise. Today more than ever before, TIMELY detection and response is critical. The longer an adversary is present in your environment, the more devastating and damaging the impact becomes. The most important question in information security may well be, "How quickly can we detect, respond, and REMEDIATE an adversary?"

Information security is all about making sure you focus on the right areas of defense, especially as applied to the uniqueness of YOUR organization. In SEC401, you will learn the language and underlying workings of computer and information security, and how best to apply them to your unique needs. You will gain the essential and effective security knowledge you will need if you are given the responsibility to secure systems or organizations.

You will learn (applied to on-premise and in the Cloud)

  • The core areas of cybersecurity and how to create a security program that is built on a foundation of Detection, Response, and Prevention
  • Practical tips and tricks that focus on addressing high-priority security problems within your organization and doing the right things that lead to security solutions that work
  • How adversaries adapt tactics and techniques, and importantly how to adapt your defense accordingly
  • What ransomware is and how to better defend against it
  • How to leverage a defensible network architecture (VLANs, NAC, and 802.1x) based on advanced persistent threat indicators of compromise
  • The Identity and Access Management (IAM) methodology, including aspects of strong authentication (Multi-Factor Authentication)
  • How to leverage the strengths and differences among the top three cloud providers (Amazon, Microsoft, and Google), including the concepts of multi-cloud
  • How to identify visible weaknesses of a system using various tools and, once vulnerabilities are discovered, configure the system to be more secure (realistic and practical application of a capable vulnerability management program)
  • How to sniff network communication protocols to determine the content of network communication (including access credentials) using tools such as tcpdump and Wireshark
  • How to use Windows, Linux, and macOS command line tools to analyze a system looking for high-risk indicators of compromise, as well as the concepts of basic scripting for the automation of continuous monitoring
  • How to build a network visibility map that can be used to validate the attack surface and determine the best methodology to reduce the attack surface through hardening and configuration management
  • Why some organizations win and why some lose when it comes to security, and most importantly, how to be on the winning side

With the rise in advanced persistent threats, it is inevitable that organizations will be targeted. Defending against attacks is an ongoing challenge, with new threats emerging all the time, including a next generation of threats. In order to be successful in defending an environment, organizations need to understand what really works in cybersecurity. What has worked - and will always work - is taking a risk-based approach to cyber defense.

Hands-On Training

Our hands-on labs help students master the content and gain a deeper understanding of the concepts they are learning. We've built these labs to further develop skills in a controlled environment.

  • Lab 1.2 tcpdump
  • Lab 1.3 Wireshark
  • Lab 1.4 Aircrack-ng
  • Lab 2.1 hashcat
  • Lab 2.2 Cain and Abel
  • Lab 2.3 Application Control (Whitelisting)
  • Lab 3.1 Nmap
  • Lab 3.2 Malicious Software
  • Lab 3.3 Command Injection
  • Lab 3.4 hping3
  • Lab 4.1 Image Steganography
  • Lab 4.2 GNU Privacy Guard (GPG)
  • Lab 4.3 Snort
  • Lab 4.4 Hashing
  • Lab 5.1 Process Hacker
  • Lab 5.2 NTFS Permissions Reporter
  • Lab 5.3 SECEDIT.EXE
  • Lab 5.4 PowerShell Scripting

"SEC401 covered a very wide range of security technologies, processes, and tools that will really open your eyes. I liked how the course shows that not everything is magic, and packets of data can be interpreted even without fancy tools. The labs were great for demonstrating the concepts, with flawless instruction and seamless packet capture." - Fei Ma, DESE

What You Will Receive

Course books and labs

TCP/IP reference guides

MP3 audio files of the complete course lecture

Notice:

This course prepares you for the GSEC certification, which meets the requirements of DoD 8140 IAT Level 2.

Syllabus (46 CPEs)

  • Overview

    A typical way attackers can access companies' resources is through a network connected to the internet. Organizations try to prevent as many attacks as possible, but since not all attacks will ultimately be prevented, they must be detected in a timely manner. It is therefore critical to understand how to build a defensible network architecture, including the types of network designs and the relational communication flows.

    In any organization large or small, all data is not created equal. Some data is routine and incidental, while other data can be vastly sensitive and critical, and its loss can cause irreparable harm to an organization. It is essential to understand how network-based attacks bring risk to critical data and how an organization is vulnerable to such attacks. To achieve this, we need to become familiar with communication protocols of modern networks.

    Cloud computing becomes an obvious topic of discussion in relation to our modern public and private networks. A conversation on defensible networking would not be complete without an in-depth discussion of what the cloud is, and most importantly, the security abilities (and related concerns) of the cloud that must also be taken into account.

    Adversaries need our networks just as much as we do. Adversaries live off the land, mercilessly pivoting from system to system on our network until they achieve their long-term goals. Said differently, adversaries need to use OUR network to achieve THEIR goals. By understanding how our networks function (relative to our unique needs), we can more easily uncover the activities of adversaries.

    By the end of this section, you will understand Defensible Network Architecture, Protocols and Packet Analysis, Virtualization and Cloud Essentials, and Wireless Network Security.

    Exercises
    • Virtualized environment setup
    • Sniffing and analysis of network traffic including tcpdump
    • Sniffing, protocol decoding, and extraction of network traffic using Wireshark
    • Wireshark network communication attacks

    Topics

    Module 1: An Introduction to SEC401

    This course is unique in its coverage of more than 30 topics of information security. This introductory module reviews the structure of the course and the logistics of the class in concert with the "bootcamp" hours and provides an overall thematic view of the course topics.

    Module 2: Defensible Network Architecture

    To properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of network architecture. Above and beyond an understanding of network architecture, however, properly securing and defending a network will further require an understanding of how adversaries abuse the information systems of our network to achieve their goals.

    • Network Architecture
    • Attacks Against Network Devices
    • Network Topologies
    • Network Design

    Module 3: Protocols and Packet Analysis

    A solid understanding of the interworking of networks enables you to more effectively recognize, analyze, and respond to the latest (perhaps unpublished) attacks. This module introduces the core areas of computer networks and protocols.

    • Network Protocols Overview
    • Layer 3 Protocols
      • Internet Protocol
      • Internet Control Message Protocol
    • Layer 4 Protocols
      • Transmission Control Protocol
      • User Datagram Protocol
    • Tcpdump
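
    The following is an added example written for this page (it is not course material) showing what the tcpdump module builds toward: reading the IPv4 and TCP header fields that tcpdump prints, directly from the raw bytes, using Python's struct module. The packet is a constructed SYN from 192.168.1.10:40000 to 10.0.0.5:443 with zeroed checksums; those values and the one-line summary format are assumptions of the example.

```python
"""Decode an IPv4 packet carrying a TCP segment, header field by header field.

Added example for this page; it is not course material. SAMPLE_PACKET is a
constructed SYN (192.168.1.10:40000 -> 10.0.0.5:443) with zeroed checksums.
"""
import socket
import struct

# Constructed sample: 20-byte IPv4 header followed by a 20-byte TCP header,
# no IP options, no TCP options, no payload. Checksums are left as 0000.
SAMPLE_PACKET = bytes.fromhex(
    "4500 0028 1c46 4000 4006 0000 c0a8 010a 0a00 0005"  # IPv4 header
    "9c40 01bb 0000 0001 0000 0000 5002 7210 0000 0000"  # TCP header
)

IPPROTO_TCP = 6
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def parse_ipv4(data):
    """Return the IPv4 header fields and the encapsulated payload."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", data[:12])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4          # IHL counts 32-bit words
    if version != 4 or header_len < 20 or len(data) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    if total_len < header_len or total_len > len(data):
        raise ValueError("IPv4 total length disagrees with captured bytes")
    return {
        "header_len": header_len,
        "total_len": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,
        "src": socket.inet_ntoa(data[12:16]),
        "dst": socket.inet_ntoa(data[16:20]),
        "payload": data[header_len:total_len],
    }


def parse_tcp(segment):
    """Return the TCP header fields and the application payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4        # data offset counts 32-bit words
    if data_offset < 20 or len(segment) < data_offset:
        raise ValueError("TCP data offset disagrees with captured bytes")
    flag_bits = off_flags & 0x01FF
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "flags": [name for bit, name in TCP_FLAG_BITS if flag_bits & bit],
        "window": window,
        "payload": segment[data_offset:],
    }


def decode(packet):
    """Decode IPv4 and, when present, the TCP layer above it."""
    ip = parse_ipv4(packet)
    result = {"ip": ip}
    if ip["protocol"] == IPPROTO_TCP:
        result["tcp"] = parse_tcp(ip["payload"])
    return result


def summarize(packet):
    """One-line summary in the spirit of tcpdump's default output."""
    d = decode(packet)
    ip = d["ip"]
    if "tcp" not in d:
        return f"IP {ip['src']} > {ip['dst']}: proto {ip['protocol']}, length {ip['total_len']}"
    tcp = d["tcp"]
    flags = "".join(n[0] for n in tcp["flags"]) or "none"
    return (f"IP {ip['src']}.{tcp['src_port']} > {ip['dst']}.{tcp['dst_port']}: "
            f"Flags [{flags}], seq {tcp['seq']}, win {tcp['window']}, "
            f"length {len(tcp['payload'])}")


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKET))
```

    Run stand-alone, the script prints a tcpdump-style line for the sample packet. The length checks matter in practice: captures are often truncated by a snaplen, and a decoder that trusts the IHL or data-offset fields without comparing them to the bytes actually captured will read past the buffer.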

    Module 4: Virtualization and Cloud Essentials

    This module will examine what virtualization is, the security benefits and the risks of a virtualized environment, and the differences in virtualization architecture. Because cloud computing is architected on virtualization, the module concludes with an extensive discussion of what the public and private cloud is, how it works, the services made available by the public cloud (including security offerings), and related security concepts.

    • Virtualization Overview
    • Virtualization Security
    • Cloud Overview
    • Cloud Security

    Module 5: Securing Wireless Networks

    This module will explain the differences between the various types of wireless communication technologies available today, the insecurities present in those communications, and approaches to reduce the risk of those insecurities to a more acceptable level.

    • The Pervasiveness of Wireless Communications
    • Traditional Wireless: IEEE 802.11 and its Continual Evolution
    • Personal Area Networks
    • 5G Cellular (Mobile) Communications
    • The Internet of Things
  • Overview

    This section of the course looks at the big picture threats to our systems and how to defend against them. We will learn that protections need to be layered, leveraging a principle called defense in depth.

    The section starts with information assurance foundations. We look at security threats and how they impact confidentiality, integrity, and availability. The most common aspect of defense in depth is predicated on access controls, and so we move into a discussion on the aspects of identity and access management (IAM). We will see that while passwords (the most common factor of authentication) were expected to be deprecated and moved away from, this has not been the case, and we still struggle today with compromises that result from credential theft. What we can leverage for modern authentication becomes the focus of the discussion on authentication and password security, especially as it applies to cloud computing. Many consider IAM to be the new security perimeter for cloud-based functionality, so the importance of its strong application cannot be overstated.

    Toward the end of this section, we will shift the focus toward modern security controls that work in the presence of the modern adversary. This is done by leveraging Center for Internet Security (CIS) Controls, the NIST Cybersecurity Framework, and the MITRE ATT&CK knowledge base. In circling back to earlier course content on network architecture, we might naturally be curious as to what else can be done using an overall environmental focus to best secure our data in transit and at rest. This leads to a larger discussion on data loss protection techniques.

    Last but certainly not least, a discussion of defense in depth would not be complete without touching on one of the most important technologies that is more heavily relied upon than ever before - mobile devices. The course section will conclude with a thorough discussion of the benefits (and security risks) of mobile devices ranging from Bring Your Own Device (BYOD) to Mobile Device Management (MDM).

    Exercises
    • Linux and bitcoin wallet password hash cracking with Hashcat
    • Windows password hash cracking with Cain and Abel
    • Application control with AppLocker by Microsoft
    Topics

    Module 6: Defense in Depth

    This module examines threats to our systems and takes a big picture look at how to defend against them. We will learn that protections need to be layered, a principle called defense in depth, and explain some principles that will serve you well in protecting your systems.

    • Defense in Depth Overview
      • Risk = Threat x Vulnerability
      • Confidentiality, Integrity and Availability
    • Strategies for Defense in Depth
    • Core Security Strategies
    • Defense in Depth in the Cloud
    • Zero Trust Methodology
    • Variable Trust

    Module 7: Identity and Access Management

    This module discusses the principles of identity management and access control. Access control models vary in their approaches to security. We will explore their underlying principles, strengths, and weaknesses. The module includes a brief discussion on authentication and authorization protocols and control.

    • Digital Identity
      • Authentication
      • Authorization
      • Accountability
    • Identity Access Management
    • Single Sign-On (SSO): On-Premise and Cloud
      • Traditional SSO
      • SAML 2.0
      • OAuth 2.0
    • Access Control
      • Controlling Access
      • Managing Access
      • Monitoring Access
    • Privileged Access Management: On-Premise and Cloud

    Module 8: Authentication and Password Security

    A discussion of identity and access management naturally leads to a conversation on authentication and password security. We will spend time discussing the various types of authentication: something you know, something you have, and something you are. We will focus specifically on the most common (and problematic) example of something you know authentication type (the password).

    • Authentication Types
      • Something You Know
      • Something You Have
      • Something You Are
    • Password Management
    • Password Techniques
    • Password (Passphrase) Policies
    • Password Storage
    • Key Derivation Functions
    • How Password Assessment Works
    • Password Attack Tools
      • Hashcat
      • Mimikatz
    • Multi-Factor Authentication
    • Adaptive Authentication
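
    The following is an added example written for this page (it is not course material) that ties together the Password Storage, Key Derivation Functions, and Hashcat items above: it puts the weak way of storing a password (one unsalted, fast hash) beside a salted, iterated PBKDF2 record, and runs the same dictionary attack against both so the cost difference is visible. The wordlist, the sample passwords, and the record format are constructed for the example; the iteration count is an assumption taken from OWASP's published password-storage guidance and should be tuned to your own hardware.

```python
"""Password storage: an unsalted fast hash beside a salted key derivation function.

Added example for this page; it is not course material. The wordlist and the
sample passwords are constructed for illustration.
"""
import hashlib
import hmac
import os

# Assumption: the PBKDF2-HMAC-SHA256 iteration count follows OWASP's published
# Password Storage guidance (600,000 at the time of writing); tune it so that one
# derivation costs a noticeable fraction of a second on your login servers.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_store(password):
    """How NOT to store a password: one unsalted SHA-256 of the password.
    Equal passwords give equal digests, and one precomputed table cracks
    every record that uses the same algorithm."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_weak(stored_digests, wordlist):
    """Offline dictionary attack against unsalted digests: hash each guess once
    and look it up against every stored record at the same time."""
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {d: table[d] for d in stored_digests if d in table}


def kdf_store(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated storage. The record carries everything needed to verify,
    so the iteration count can be raised later without a flag day."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(password, record):
    """Recompute the derivation with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_kdf(records, wordlist):
    """The same dictionary attack against salted KDF records: every guess must be
    re-derived per record, so cost scales with records x guesses x iterations."""
    recovered = {}
    for record in records:
        for word in wordlist:
            if kdf_verify(word, record):
                recovered[record] = word
                break
    return recovered
```

    The point a password-assessment exercise makes concrete: against the weak store, a cracker pays one hash per guess for the whole user database; against the salted KDF, it pays the full iteration count per guess per user, which is exactly the knob a defender controls.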

    Module 9: Security Frameworks

    In implementing security, it is important to have a framework that includes proper metrics. As is often said, you cannot manage what you cannot measure. This module focuses on three frameworks: the Center for Internet Security (CIS) Controls (created to help organizations prioritize the most critical risks they face); the NIST Cybersecurity Framework (standards, guidelines, and best practices that can assist in managing overall cybersecurity risk); and the MITRE ATT&CK knowledge base (adversary tactics and techniques). Combining the prioritized actions of the CIS Controls with the understanding of overall risk from the NIST Cybersecurity Framework, all in consideration of adversarial tactics and techniques, will put us on solid footing in defending against the modern adversary.

    • Introduction to the CIS Controls
      • Guiding Principles
      • Case Study: Sample CIS Control
      • Case Study: SolarWinds
    • NIST Cybersecurity Framework
      • Framework Core
      • Implementation Tiers
      • Framework Profiles
    • MITRE ATT&CK
      • Techniques
      • Mapping to Known Adversaries

    Module 10: Data Loss Prevention

    Loss or leakage?

    In essence, data loss is any condition that results in data being corrupted, deleted, or made unreadable in any way by a user and/or software (application). A data breach is, in most cases, an intentional or unintentional security incident. Such incidents can lead to, among other things, unintentional information disclosure, data leakage, and data spill. This module covers exactly what constitutes data loss or leakage, and the methodologies that can be leveraged to implement an appropriate data-loss prevention capability.

    • Loss or Leakage
      • Data Loss
      • Data Leakage
      • Ransomware
    • Preventative Strategies
      • Redundancy (On-Premise and Cloud)
      • Data Recovery
    • Related Regulatory Requirements
      • GDPR
      • CCPA
    • Data Loss Prevention Tools
    • Defending Against Data Exfiltration
      • Honeypots
      • User Activity Monitoring

    Module 11: Mobile Device Security

    This module starts with a quick comparison of the Android and iOS mobile operating systems and what makes them so different. The module concludes with a brief discussion of the security features of both systems.

    • Android versus iOS
    • Android Security
      • Android Security Features
      • What You Need to Know About Android
      • Android Fragmentation
      • Android Security Fix Process
    • Apple iOS Security
      • Apple iOS Security Features
      • What to Know About iOS
      • iOS Updates
    • Mobile Problems and Opportunities
    • Mobile Device Management
    • Unlocking, Rooting, and Jailbreaking
    • Mitigating Mobile Malware
      • Android Malware
      • iOS Malware
  • Overview

    In this section the focus shifts to various areas of our environment where vulnerabilities arise. We will begin with an overall discussion of exactly what constitutes a vulnerability, and how to best implement a proper vulnerability assessment program.

    Penetration testing is often discussed in concert with vulnerability assessment, even though vulnerability assessment and penetration testing are quite distinct from each other. So, in concluding our discussion of vulnerability assessments, we move on to a proper and distinct discussion on what penetration testing is and how best to leverage its benefits.

    Because vulnerabilities represent weaknesses that adversaries exploit, a discussion of vulnerabilities would not be complete without a serious discussion of modern attack methodologies based on real-world examples of compromise. Of all the potential areas for vulnerabilities in our environment, web applications represent one of the most substantial, with the most consequential risk. The extensive nature of vulnerabilities that can arise from web applications dictates that we focus the attention of an entire module on web application security concepts.

    While it is true that vulnerabilities allow adversaries to penetrate our systems, sometimes with great ease, it is impossible for those adversaries to remain entirely hidden post-compromise. In leveraging the logging capabilities of our hardware and software, we might detect the adversary in a timely manner. How we achieve such a capacity is the subject of our penultimate module: Security Operations and Log Management.

    Last but not least, we will need to have a plan of action for a proper response to the compromise of our environment. The methodology for an appropriate incident response is the subject of the final module of this section.

    Exercises
    • System, port, and vulnerability discovery with Nmap
    • Trojan software
    • Leveraging application vulnerabilities for command injection
    • Malicious network packet crafting
    Topics

    Module 12: Vulnerability Assessments

    This module covers the tools, technology, and techniques used for reconnaissance (including gathering information), the mapping of networks, and scanning of vulnerabilities, all within the scope of a proper vulnerability framework.

    • Introduction to Vulnerability Assessments
    • Steps to Perform a Vulnerability Assessment
    • Criticality and Risks

    Module 13: Penetration Testing

    The role of penetration testing, which is well understood by most organizations, gave rise to newer testing techniques such as red and purple teaming and adversary emulation. Often, penetration testing is limited in scope to where the testers are not truly able to emulate and mimic the behaviors of adversaries. This is where the red teaming and adversary emulation come into play. A methodical and meticulous approach to penetration testing is needed to provide business value to your organization.

    • The What and Why of Penetration Testing
      • Red Team
      • Adversary Emulation
      • Purple Team
    • Types of Penetration Testing
      • External
      • Internal
      • Web Application
      • Social Engineering
      • Mobile Device Testing
      • Internet of Things Testing
    • Penetration Testing Process
    • Penetration Testing Tools
      • Nmap
      • Metasploit
      • Meterpreter
      • C2 Frameworks and Implants
    • Password Compromise, Reuse, Stuffing, and Spraying

    Module 14: Attacks and Malicious Software

    This module will examine the Marriott breach, which compromised millions of records globally, as well as ransomware attacks that continue to cripple hundreds or thousands of systems at a time across different industries. We will describe the attacks in detail, discussing not only the conditions that made them possible, but also some strategies that can be used to help manage the risks associated with such attacks.

    • High-Profile Breaches and Ransomware
    • Ransomware as a Service
    • Common Attack Techniques
    • Malware and Analysis

    Module 15: Web Application Security

    This module looks at some of the most important things to know about designing and deploying secure web applications. We start with an examination of the basics of web communications, then move on to cover HTTP, HTTPS, HTML, cookies, authentication, and maintaining state. We conclude by looking at how to identify and fix vulnerabilities in web applications.

    • Web Communication Fundamentals
      • Cookies
      • HTTPS
    • Developing Secure Web Apps
      • OWASP Top Ten
      • Basics of Secure Coding
    • Web Application Vulnerabilities
      • Authentication
      • Access Control
      • Session Tracking/Maintaining State
    • Web Application Monitoring
      • Web Application Firewall (WAF)
      • Monolithic Architecture and Security Controls
      • Microservice Architecture and Related Attack Surface
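
    The following is an added example written for this page (it is not course material) for the "Basics of Secure Coding" item above and the command-injection exercise in this section: a "ping a host" feature written the vulnerable way, with user input spliced into a shell string, beside the hardened version that validates the input against an allow-list and passes it as a single argv element with no shell involved. The feature, the hostname pattern, and the injected payload are constructed for the example.

```python
"""Command injection: a vulnerable "ping a host" feature beside its hardened form.

Added example for this page; it is not course material. The feature, the
hostnames and the injected payload are constructed for illustration.
"""
import re
import subprocess


def vulnerable_command(host):
    """VULNERABLE: attacker-controlled text is spliced into a shell command string.
    Shell metacharacters (; | && $( ) and backticks) are interpreted by /bin/sh."""
    return f"ping -c 1 {host}"


def run_vulnerable(host):
    # shell=True hands the whole string to the shell, so "8.8.8.8; id" runs two
    # commands with the web server's privileges.
    return subprocess.run(vulnerable_command(host), shell=True,
                          capture_output=True, text=True)


# Allow-list for what the feature actually needs: an RFC 1123 hostname or a
# dotted IPv4 address. Anything else (spaces, metacharacters, a leading "-" that
# ping would parse as an option) is rejected before any process is started.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def hardened_argv(host):
    """Hardened: validate against the allow-list, then build an argv list. The
    host is a single argument and no shell ever sees it."""
    if not _HOST_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host):
    # shell=False (the default) executes the binary directly with argv; even a
    # value that slipped past validation could only ever be one argument.
    return subprocess.run(hardened_argv(host), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", run_vulnerable(payload).stdout.strip().splitlines()[-1:])
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

    Run stand-alone, the vulnerable path prints INJECTED because the shell executes the second command; the hardened path never reaches a process. Both layers matter: the allow-list keeps option injection such as a leading "-c 100000" out, and the argv form means that even a validation bug cannot turn one argument into two commands.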

    Module 16: Security Operations and Log Management

    This module covers the essential components of logging, how to properly manage logging, and the considerations that factor into leveraging logging to its fullest potential.

    • Logging Overview
      • Log Collection Architecture
      • Log Filtering
      • Lack of Accepted Log Standards
    • Setting Up and Configuring Log Standards
      • Log Analysis Tools
      • Phased Approach
      • Log Aggregation, Security Information, and Event Management
    • Key Logging Activity
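
    The following is an added example written for this page (it is not course material) of the kind of "key logging activity" a log-management program looks for, using the password spraying and brute-force behaviours named in Module 13: it parses constructed sshd-style authentication lines and raises a finding when one source fails against many accounts, when one source hammers one account, or when a source that has been failing suddenly succeeds. The log lines, hostnames, thresholds, and RFC 5737 documentation addresses are constructed for the example.

```python
"""Detecting password spraying and brute force in authentication logs.

Added example for this page; it is not course material. The log lines are
constructed in the syslog/sshd format and the addresses come from the
documentation ranges (RFC 5737).
"""
import re
from collections import Counter, defaultdict

_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def _line(ts, result, user, ip, port, invalid=False):
    """Build one constructed sshd log line."""
    who = f"invalid user {user}" if invalid else user
    return f"Jan 14 {ts} bastion sshd[2231]: {result} password for {who} from {ip} port {port} ssh2"


SAMPLE_AUTH_LOG = (
    # One source tries one password against many accounts (spraying)...
    [_line(f"09:12:{s:02d}", "Failed", u, "203.0.113.7", 51000 + s, invalid=(u == "admin"))
     for s, u in enumerate(["admin", "alice", "bob", "carol", "dave", "eve"])]
    # ...and then one of the guesses works.
    + [_line("09:12:09", "Accepted", "bob", "203.0.113.7", 51010)]
    # A second source hammers a single account (brute force).
    + [_line(f"09:13:{s:02d}", "Failed", "root", "198.51.100.22", 40000 + s) for s in range(12)]
    # Background noise: one mistyped password and an unrelated PAM line.
    + [_line("09:14:30", "Failed", "alice", "192.0.2.9", 33001),
       "Jan 14 09:14:31 bastion sshd[2290]: pam_unix(sshd:session): session opened for user alice"]
)


def parse_auth_line(line):
    """Return the structured event for a password-auth line, or None for other lines."""
    m = _AUTH_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, spray_min_users=5, brute_min_failures=10):
    """Walk the log in order and raise three kinds of findings:
    password_spray: one source, many distinct usernames failing;
    brute_force: one source, one username, many failures;
    success_after_failures: a success from a source that was already failing."""
    failures = defaultdict(Counter)   # source ip -> Counter(username -> failed attempts)
    findings = []
    for event in filter(None, map(parse_auth_line, lines)):
        ip, user = event["ip"], event["user"]
        if event["result"] == "Failed":
            failures[ip][user] += 1
            continue
        prior = sum(failures[ip].values()) if ip in failures else 0
        if prior:
            findings.append({"type": "success_after_failures", "src": ip,
                             "user": user, "prior_failures": prior})
    for ip, per_user in failures.items():
        if len(per_user) >= spray_min_users:
            findings.append({"type": "password_spray", "src": ip,
                             "users": sorted(per_user), "failures": sum(per_user.values())})
        for user, n in per_user.items():
            if n >= brute_min_failures:
                findings.append({"type": "brute_force", "src": ip, "user": user, "failures": n})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUTH_LOG):
        print(f)
```

    The distinction between the two failure patterns is the reason per-account lockout alone does not catch spraying: six accounts with one failure each never trip a lockout threshold, so the detection has to pivot on the source rather than the username. The "success after failures" finding is the one to page on; it is the spray that worked.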

    Module 17: Digital Forensics and Incident Response

    This module explores the fundamentals of incident handling and why it is important to an organization. We will outline a multi-step process to create our own incident handling procedures and response plans. Being able to leverage digital forensic methodologies to ensure that processes are repeatable and verifiable will also be a key focus of the material.

    • Introduction to Digital Forensics
      • What is Digital Forensics?
      • Digital Forensics in Practice
      • The Investigative Process
      • Remaining Forensically Sound
      • Examples of Examining Forensics Artifacts
      • DFIR Subdisciplines
      • Digital Forensics Tools
    • Incident Handling Fundamentals
    • Multi-Step Process for Handling an Incident
    • Incident Response: Threat Hunting
  • Overview

    There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues, though few companies deploy it correctly. This technology is cryptography. During the first half of this section, we will look at various aspects of cryptographic concepts and how they can be used to help secure an organization's assets. A related discipline, steganography (information hiding), will also be covered. During the second half of the section, we shift our focus to the various types of prevention technologies that can be used to stop an adversary from gaining access to our organization (firewalls, intrusion prevention systems). We will also look at the different detection technologies that can detect the presence of an adversary (intrusion detection systems). These prevention and detection techniques can be deployed from a network and/or endpoint perspective, and we will explore their similarities and differences.

    Exercises
    • Hiding communication and data using steganographic tools
    • Practical application of cryptographic capability with GPG
    • Triggering and analysis of detection alerts with the Snort IDS
    • Automated detection of adversarial activity with hashing

    Topics

    Module 18: Cryptography

    Cryptography can provide the functional capabilities needed to achieve confidentiality, integrity, authentication, and non-repudiation. There are three general types of cryptographic systems: symmetric, asymmetric, and hashing. These systems are usually distinguished from one another by the number of keys employed, as well as the security goals they achieve. This module discusses these different types of cryptographic systems and how each type is used to provide a specific security function. The module also introduces steganography, which is a means of hiding data in a carrier medium. Steganography can be used for a variety of purposes but is most often used to conceal the fact that information is being sent or stored.

    • Cryptosystem Fundamentals
      • Cryptography
      • Cryptanalysis
    • General Types of Cryptosystems
      • Symmetric
      • Asymmetric
      • Hashing
    • Digital Signatures
    • Steganography

    Module 19: Cryptography Algorithms and Deployment

    The content of this module will help us gain a high-level understanding of the mathematical concepts that contribute to modern cryptography. We'll also identify common attacks used to subvert cryptographic defenses.

    • Cryptography Concepts
    • Symmetric, Asymmetric, and Hashing Cryptosystems
      • AES
      • RSA
      • ECC
    • Cryptography Attacks (Cryptanalysis)

    Module 20: Applying Cryptography

    This module will discuss the practical applications of cryptography in terms of protection of data in transit and protection of data at rest. We conclude with an important discussion on the management of public keys (and the related concepts of certificates), all in terms of a Public Key Infrastructure.

    • Data in Transit

      • Virtual Private Networks (VPN)
        • IPsec
        • SSL/TLS-based
        • Security Implications
    • Data at Rest
      • File/Folder Level Encryption
      • Full Disk Encryption
      • GNU Privacy Guard (GPG)
    • Key Management
      • Public Key Infrastructure
      • Digital Certificates
      • Certificate Authorities

    Module 21: Network Security Devices

    Three main categories of network security devices will be discussed in this module: Firewalls, Network Intrusion Detection Systems (NIDS), and Network Intrusion Prevention Systems (NIPS). Together, they provide a complement of prevention and detection capabilities.

    • Firewalls
      • Overview
      • Types of Firewalls
      • Configuration and Deployment
    • NIDS
      • Types of NIDS
      • Snort as a NIDS
    • NIPS
      • Methods of Deployment
      • Security and Productivity Risk Considerations

    Module 22: Endpoint Security

    In this final module of the section, we examine some of the key components, strategies, and solutions for implementing security from an endpoint perspective. This includes general approaches to endpoint security, strategies for baselining activity, and solutions like Host-based IDS (HIDS) and Host-based IPS (HIPS).

    • Endpoint Security Overview
      • Core Components of Endpoint Security
      • Enhancing Endpoint Security
    • Endpoint Security Solutions
      • Anti-malware
      • Endpoint Firewalls
      • Integrity Checking
    • HIDS and HIPS
      • Overview
      • Practical Considerations
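
    The following is an added example written for this page (it is not course material) for the "Integrity Checking" item above and for this section's exercise on automated detection of adversarial activity with hashing: it builds a baseline of SHA-256 digests for a directory tree, seals the baseline with an HMAC so that an intruder who can edit files cannot also quietly edit the baseline, then rescans and reports modified, added, and removed files. The directory contents, the simulated compromise, and the signing key are constructed for the example.

```python
"""File-integrity checking with hashes: build a baseline of file digests, seal
it with an HMAC so it cannot be silently edited, then diff the live tree.

Added example for this page; it is not course material. demo() builds a
constructed directory tree in a temporary location and simulates a compromise.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Stream the file through the hash so large binaries do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def seal_baseline(baseline, key):
    """HMAC over the canonical JSON form. Whoever can write to the monitored files
    can usually write to a baseline stored next to them; the key (or the sealed
    baseline itself) must live somewhere the monitored host cannot alter."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, "sha256").hexdigest()


def verify_seal(baseline, key, seal):
    return hmac.compare_digest(seal_baseline(baseline, key), seal)


def compare(baseline, current):
    """Classify every difference between a trusted baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a small tree, then trojan a binary, drop a
    persistence file and delete a config, and report what the comparison catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original listing binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "ssh_config").write_text("PasswordAuthentication no\n")
        baseline = build_baseline(root)
        key = b"baseline-signing-key-kept-off-host"   # constructed; in practice from a secret store
        seal = seal_baseline(baseline, key)

        # Simulated adversary activity after the baseline was taken.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned listing binary")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        (root / "etc" / "ssh_config").unlink()

        assert verify_seal(baseline, key, seal), "baseline itself was tampered with"
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Two practical caveats follow from the code. Hashes only detect change, not intent, so the file list has to be scoped to what should be static (binaries, configuration, scheduled tasks) or the alerts drown in log rotation. And the baseline is only as trustworthy as its storage: the HMAC shown here is the minimum, and a host-based IDS product does the same job by shipping the baseline to a server the endpoint cannot write to.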

  • Overview

    Remember when Windows was simple? Windows XP desktops in a little workgroup... what could be easier? A lot has changed over time. Now we have Windows tablets, Azure, Active Directory, PowerShell, Microsoft 365 (Office 365), Hyper-V, Virtual Desktop Infrastructure and so on. Microsoft is battling Google, Apple, Amazon and other cloud giants for cloud supremacy. The trick, of course, is to do cloud securely.

    Windows is the most widely used and targeted operating system on the planet. At the same time, the complexities of Active Directory, Public Key Infrastructure, BitLocker, AppLocker, and User Account Control represent both challenges and opportunities. This course section will help you quickly master the world of Windows security while showing you the tools that can simplify and automate your work - both on-premise and in the cloud (Microsoft Azure). You will complete the section with a solid grounding in Windows security by looking at automation and auditing capabilities for the Windows ecosystem.

    Exercises
    • Process observation and analysis with Process Hacker
    • NTFS file system practical using NTFS Permissions Reporter
    • Auditing and enforcement of system baseline configurations with security templates
    • PowerShell scripting and automation techniques

    Topics

    Module 23: Windows Security Infrastructure

    This module discusses the infrastructure that supports Windows security. This is a big picture overview of the Windows security model. It provides the background concepts necessary to understand everything else that follows.

    • Windows Family of Products
    • Windows Workgroups and Accounts
    • Windows Active Directory and Group Policy

    Module 24: Windows as a Service

    This module discusses techniques for managing Windows systems as it applies to updates (patches) as well as new cloud-based deployment methodology (Windows Autopilot and Windows Virtual Desktop).

    • End of Support
    • Servicing Channels
    • Windows Update
    • Windows Server Update Services
    • Windows Autopilot
    • Windows Virtual Desktop
    • Third-Party Patch Management

    Module 25: Windows Access Controls

    This module focuses on understanding how permissions are applied in the Windows NT File System (NTFS), Shared Folders, Registry Keys, Active Directory, and Privileges. BitLocker is discussed as another form of access control (for encrypted information), and as a tool to help maintain the integrity of the boot-up process if you have a Trusted Platform Module.

    • NTFS Permissions
    • Shared Folder Permissions
    • Registry Key Permissions
    • Active Directory Permissions
    • Privileges
    • BitLocker Drive Encryption
    • Secure Boot

    Module 26: Enforcing Security Policy

    This module discusses one of the best tools for automating security configuration changes, SECEDIT.EXE, which is the command-line version of Microsoft's Security Configuration and Analysis snap-in. We'll look at some of the most important changes that can be made through the use of this tool, such as password policy, lockout policy, and null user session restrictions. We'll also briefly discuss Group Policy Objects (GPOs) and the many best practice security configuration changes that they can help enforce throughout the domain.

    • Applying Security Templates
    • Employing the Security Configuration and Analysis Snap-in
    • Understanding Local Group Policy Objects
    • Understanding Domain Group Policy Objects
    • Administrative Users
      • Privileged Account Management
      • Reduction of Administrative Privileges
    • AppLocker
    • User Account Control
    • Windows Firewall
    • IPsec Authentication and Encryption
    • Remote Desktop Services
    • Recommended GPO Settings

    Module 27: Microsoft Cloud Computing

    Inside your LAN as well as in the cloud, you will likely have a mixture of servers. Microsoft's cloud is known as Azure. On top of Azure, Microsoft has implemented services such as Microsoft 365, Exchange Online, OneDrive, Intune, and many others. Microsoft has designed Windows 10 and later versions for integration with Azure, so Windows security includes not just Windows alone, but also Azure. It's important for your career as a security professional to understand the essential concepts of Microsoft Azure.

    • Microsoft's All-In Bet on Cloud Computing
    • Microsoft Cloud Types: IaaS, PaaS, SaaS, and DaaS
    • Microsoft Azure
    • Azure Active Directory (Azure AD)
    • Azure AD Single Sign-On
    • Multi-Factor Authentication
    • Administrative Role Reduction
    • Endpoint Security Enforcement
    • Microsoft Intune
    • Azure Conditional Access
    • Azure Key Vault
    • Azure Monitor
    • Azure Sentinel (SIEM and SOAR)
    • Azure Policy
    • Azure Security Center

    Module 28: Automation, Logging, and Auditing

    Automation, logging, and auditing go together because if we can't automate our work, the auditing work doesn't get done at all (or is done only sporadically). Also, if we can't automate our work, we can't make our work scale beyond the small number of machines that we can physically touch. Thankfully, modern Windows systems come with a very powerful automation capability: PowerShell. We will learn what PowerShell is and how to leverage it in our pursuit of deployment consistency, detection of change, remediation of systems, and even threat hunting!

    • What Is Windows PowerShell?
    • Windows PowerShell versus PowerShell Core
    • Windows Subsystem for Linux (WSL)
    • Automation and Command-Line Capability in Azure
      • PowerShell Az Module
      • Azure CLI
      • Azure Cloud Shell
      • Azure Resource Manager Templates
      • Runbooks
    • Gathering Ongoing Operational Data
    • Employing Change Detection and Analysis
  • Overview

    While organizations may not have many Linux systems, the Linux systems that they do have are often the most critical systems that need to be protected. This course section focuses on the practical guidance necessary to improve the security of any Linux system. The day provides practical how-to instructions with background information for Linux beginners as well as security advice and best practices for administrators with various levels of expertise.

    Since Linux is perceived as a free operating system, it is not a surprise that many advanced security concepts are first developed for Linux. One example is containers, which provide powerful and flexible building blocks for cloud computing deployments. While not specifically designed for information security purposes, containers are built on the principle of minimization, and that is something we can leverage in an overall information security methodology (as part of defense in depth). In this section we will discuss what containers do and do not represent for information security, as well as best practices for their management.

    A discussion of Linux and UNIX concepts would not be complete without a comparison of AWS with the Microsoft Azure material covered in section five of this course. We will examine the fundamentals of AWS and discuss the impressive security controls available. Last, but not least, we conclude the section with a review of Apple's macOS (which is based on UNIX). Apple's venerable macOS provides extensive opportunities for hardware and software security, but is often misunderstood in terms of what can and cannot actually be achieved.

    Topics

    Module 29: Linux Fundamentals

    This module discusses the foundational items that are needed to understand how to configure and secure a Linux system.

    • Operating System Comparison
    • Linux Vulnerabilities
    • Linux Operating System
      • Shell
      • Kernel
      • Filesystem
      • Linux Unified Key Setup
    • Linux Security Permissions
    • Linux User Accounts
    • Pluggable Authentication Modules
    • Built-in Command-Line Capability
    • Service Hardening
    • Package Management

    Module 30: Linux Security Enhancements and Infrastructure

    This module discusses security enhancement utilities that provide additional security and lockdown capabilities for modern Linux systems. As discussed earlier in the course, taking advantage of logging capabilities is an incredibly important aspect of modern cyber defense. Linux supports the well-known Syslog logging standard (and its related features), which will be discussed in this module. As Syslog continues to age, it may end up being unable to provide the logging features that modern-day cyber defense demands. Because of this, we will explore additional logging enhancements ranging from Syslog-ng to Auditd.

    • Operating System Enhancements
      • SELinux
      • AppArmor
    • Linux Hardening
      • Address Space Layout Randomization
      • Kernel Module Security
      • SSH Hardening
      • OpenSCAP
      • CIS Hardening Guides and Utilities
    • Log Files
      • Key Log Files
      • Syslog
      • Syslog Security
      • Log Rotation
      • Centralized Logging
      • Auditd
    • Firewalls: Network and Endpoint
    • Rootkit Detection
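The module's point about logging is that Syslog lines are only useful for defense if something reads them. As an added example (not course material), the Python below parses a handful of constructed RFC 3164-style syslog lines of the kind sshd writes to auth.log on a Linux host and flags any source address that exceeds a failure threshold inside a sliding time window. The hostname, PIDs, usernames and the 203.0.113.0/24 addresses (a documentation range) are all invented for the sample.

```python
"""Detecting SSH password guessing from syslog-format auth lines.

Added example, not course material. SAMPLE_LOG is constructed; the regexes
match the traditional (RFC 3164) syslog line shape that rsyslog and syslog-ng
emit by default, which carries no year, so one is supplied at parse time.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one noisy guessing source, one legitimate user who failed once.
SAMPLE_LOG = """\
Jan 14 03:21:07 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51432 ssh2
Jan 14 03:21:09 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51433 ssh2
Jan 14 03:21:10 web01 sshd[2238]: Failed password for root from 203.0.113.45 port 51434 ssh2
Jan 14 03:21:12 web01 sshd[2240]: Failed password for root from 203.0.113.45 port 51435 ssh2
Jan 14 03:21:15 web01 sshd[2241]: Failed password for root from 203.0.113.45 port 51436 ssh2
Jan 14 03:25:40 web01 sshd[2302]: Failed password for alice from 203.0.113.9 port 40022 ssh2
Jan 14 03:25:48 web01 sshd[2302]: Accepted publickey for alice from 203.0.113.9 port 40022 ssh2
Jan 14 03:40:01 web01 CRON[2411]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line, year=2024):
    """Split one syslog line into fields, or return None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: peak_count} for sources with >= threshold failures in any window."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        fm = FAIL_RE.match(rec["msg"])
        if not fm:
            continue
        src, t = fm["src"], rec["time"]
        q = recent[src]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:   # age out old failures
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

Two caveats a practitioner would add: the missing year in RFC 3164 timestamps makes year-boundary windows ambiguous unless the collector is configured for RFC 5424 (ISO) timestamps, and because any local process that can write to the socket can forge a "sshd[...]" line, this kind of detection should run on a central collector fed over an authenticated, encrypted transport rather than trusting the host's own log file.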

    Module 31: Containerized Security

    The importance of segmentation and isolation techniques cannot be overstated. Isolation techniques can help limit the initial damage caused by an adversary, giving us more time for detection. In this module, we will discuss various types of isolation techniques, including chroot, virtualization, and containers. Containers are a relatively new concept (as applied to information security). There can be a lot of misunderstanding as to what security benefits are truly afforded by containers, and the potential security issues that may arise within containers themselves. We will discuss what containers are, best practices to deploy them, and how to secure them.

    • Chroot
      • Virtualization
      • Containers versus Virtual Machines
    • Containers and Orchestration
      • LXC
      • Cgroups and Namespaces
      • Docker
      • Docker Images
      • Kubernetes
    • Container Security
      • Docker Best Practices
      • Vulnerability Management
      • Secure Configuration Baselines
      • Terraform

    Module 32: AWS Fundamentals

    This module discusses the foundational concepts of Amazon Web Services (AWS) necessary for a better understanding of the interaction between AWS and its more commonly used services. This provides a strong foundation in anticipation of a discussion on AWS Security Controls.

    • Identity and Access Management in AWS
      • AWS IAM Key Concepts
      • Identity Federations and External Access
      • Amazon Cognito
    • Management Tools Within AWS
      • AWS Console
      • AWS CLI
    • AWS Commonly Used Services and Functionality
      • High-Availability
      • EC2
      • S3
      • Lambda
      • CloudFront
      • AWS Config
      • Amazon RDS

    Module 33: AWS Security Controls

    This module provides an overview of some of the specific security capabilities and services made available through AWS.

    • Network Protection
      • NACLs versus Security Groups
    • AWS Network Firewall
    • AWS Shield and AWS Web Application Firewall
    • Amazon Macie
    • Key Management Service
      • Amazon Managed
      • Customer Managed
      • HSM
    • Amazon CloudWatch
    • Amazon CloudTrail
    • Amazon GuardDuty
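The "NACLs versus Security Groups" item is where most AWS network-protection mistakes happen, so here is an added example (not course material) that models the two controls in Python to make the difference concrete. A network ACL is stateless and evaluates numbered rules in ascending order with first match winning and an implicit deny at the end, so the reply to an allowed inbound connection must be permitted explicitly on the client's ephemeral port range; a security group is allow-only and stateful, so the reply to an admitted connection is allowed automatically. The rule numbers, the 203.0.113.0/24 client address (a documentation range) and the ports are constructed for the scenario.

```python
"""Stateless NACL versus stateful security-group evaluation (added model, not course material).

Simplified on purpose: real NACL rules also carry a protocol and ICMP codes,
and a real security group's default egress rule is allow-all. The model keeps
only what is needed to show statelessness, rule ordering and implicit deny.
"""
import ipaddress


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def _port_in(port, port_range):
    lo, hi = port_range
    return lo <= port <= hi


def nacl_allows(rules, ip, port):
    """NACL: lowest rule number first, first match decides; no match means deny."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _in_cidr(ip, rule["cidr"]) and _port_in(port, rule["ports"]):
            return rule["action"] == "allow"
    return False


class StatefulSecurityGroup:
    """Security group: allow rules only; remembers admitted flows so replies pass."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()   # (peer_ip, peer_port, local_port) admitted earlier

    @staticmethod
    def _match(rules, ip, port):
        return any(_in_cidr(ip, r["cidr"]) and _port_in(port, r["ports"]) for r in rules)

    def inbound_allows(self, src_ip, src_port, dst_port):
        if (src_ip, src_port, dst_port) in self._flows:   # reply to an outbound connection
            return True
        if self._match(self.inbound, src_ip, dst_port):
            self._flows.add((src_ip, src_port, dst_port))
            return True
        return False

    def outbound_allows(self, dst_ip, dst_port, src_port):
        if (dst_ip, dst_port, src_port) in self._flows:   # reply to an inbound connection
            return True
        if self._match(self.outbound, dst_ip, dst_port):
            self._flows.add((dst_ip, dst_port, src_port))
            return True
        return False


# Constructed scenario: a client at 203.0.113.10:51000 connects to the instance on 443.
CLIENT, CLIENT_PORT, HTTPS = "203.0.113.10", 51000, 443

NACL_INBOUND = [{"rule": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}]
# Weak: only 443 outbound, so the reply to the client's ephemeral port is dropped.
NACL_OUTBOUND_WEAK = [{"rule": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}]
# Fixed: an explicit ephemeral-range allow for the return traffic.
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_WEAK + [
    {"rule": 110, "cidr": "0.0.0.0/0", "ports": (1024, 65535), "action": "allow"},
]
# Ordering trap: a lower-numbered deny shadows a later allow for the same traffic.
NACL_INBOUND_SHADOWED = [
    {"rule": 90, "cidr": "203.0.113.0/24", "ports": (0, 65535), "action": "deny"}
] + NACL_INBOUND


def https_roundtrip_nacl(outbound_rules, inbound_rules=NACL_INBOUND):
    """True only if the request (inbound) and the reply (outbound, ephemeral port) both pass."""
    request_ok = nacl_allows(inbound_rules, CLIENT, HTTPS)
    reply_ok = nacl_allows(outbound_rules, CLIENT, CLIENT_PORT)
    return request_ok and reply_ok


def https_roundtrip_sg():
    """Same exchange through a security group that has no outbound rule at all."""
    sg = StatefulSecurityGroup(inbound=[{"cidr": "0.0.0.0/0", "ports": (443, 443)}], outbound=[])
    return sg.inbound_allows(CLIENT, CLIENT_PORT, HTTPS) and sg.outbound_allows(CLIENT, CLIENT_PORT, HTTPS)


if __name__ == "__main__":
    print("NACL without ephemeral return rule:", https_roundtrip_nacl(NACL_OUTBOUND_WEAK))
    print("NACL with ephemeral return rule:   ", https_roundtrip_nacl(NACL_OUTBOUND_FIXED))
    print("NACL with lower-numbered deny:     ", https_roundtrip_nacl(NACL_OUTBOUND_FIXED, NACL_INBOUND_SHADOWED))
    print("Security group, no outbound rules: ", https_roundtrip_sg())
```

The practical consequences: NACLs are the right place for explicit deny rules (blocklisting a source range at the subnet edge), security groups are the right place for least-privilege allow rules per workload, and any NACL that allows a service port inbound needs a matching ephemeral-range allow outbound or the connection will appear to hang rather than fail cleanly.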

    Module 34: AWS Hardening

    The AWS Well-Architected Framework provides best-practice guidance and recommendations for the design, delivery, and maintenance of secure AWS workloads. It helps customers design and operate reliable, secure, efficient, and cost-effective workloads in the cloud. The framework is divided into six pillars (Sustainability was added as the sixth in late 2021), one of which is focused on security. This security pillar is the focus of the module.

    • AWS Well-Architected Framework (Security Pillar)
    • Implement a Strong Identity Model
    • Enable Traceability
    • Apply Security at All Layers
      • Network
      • Compute
    • Automate Security Best Practices
    • Protect Data at Rest and in Transit
    • Keep People Away from Data
    • Collect, Prepare, and Respond

    Module 35: macOS Security

    This module focuses on the security features that are built into macOS systems. Although macOS is a relatively secure system that provides many different features, it can also be flawed just like any other operating system.

    • What is macOS?
    • Privacy Controls
      • Keychain
      • Strong Passwords
    • Gatekeeper
    • Anti-Phishing and Download Protection
    • XProtect
    • Firewall
    • FileVault
    • Sandboxing and Runtime Protection
    • Secure Enclave
    • macOS Vulnerabilities and Malware

GIAC Security Essentials

The GIAC Security Essentials (GSEC) certification validates a practitioner’s knowledge of information security beyond simple terminology and concepts. GSEC certification holders are demonstrating that they are qualified for hands-on IT systems roles with respect to security tasks. 

  • Active defense, defense in depth, access control & password management

  • Cryptography: basic concepts, algorithms and deployment, and application

  • Defensible network architecture, networking & protocols, and network security

  • Incident handling & response, vulnerability scanning and penetration testing

  • Linux security: structure, permissions, & access; hardening & securing; monitoring & attack detection; & security utilities

  • Security policy, contingency plans, critical controls and IT risk management

  • Web communication security, virtualization and cloud security, and endpoint security

  • Windows: access controls, automation, auditing, forensics, security infrastructure, & securing network services

Prerequisites

SEC401 covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, SEC275: Foundations - Computers, Technology and Security or SEC301: Introduction to Cyber Security would be the recommended starting point. While these courses are not a prerequisite for SEC401, they do provide the introductory knowledge to help maximize the experience with SEC401.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

Operating System

  • Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
  • Windows Credential Guard must be DISABLED (if running Windows as your host OS)
  • Apple computers with the M1 processor (Apple Silicon) are NOT supported for use in class. Apple does not provide support for x86-based virtual machines under its Rosetta 2 x86 translation capability. Apple computers that use Intel processors are not affected by this issue and are still supported for use in-class.

CPU

  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

BIOS

  • Enabled "Intel-VT"
  • Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.

RAM

  • 8 GB RAM (or more) is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

Hard Drive Free Space

  • 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Additional Requirements

The requirements below are in addition to the baseline requirements provided above. Prior to the start of class, you must install VMware virtualization software and meet the additional software requirements as described below.

  • VMware Player Install
    • VMware Workstation Player 15.5+, VMware Workstation Pro 15.5+, or VMware Fusion 11.5+.
    • If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation Pro. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
  • You must have administrator access to the host OS and to all installed security software.
  • You must have the ability to reboot the laptop and log in (i.e., you must have valid credentials for any drive encryption or other security software installed).

Your course media will be delivered via download. The media files for class can be large, some in the 20 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads when you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using electronic workbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Author Statement

"From all observations of the world around us, it would appear that we might be living in a world of never-ending compromise. At first glance, an increase in compromise might be attributed to having more systems than ever before connected to more and more computer networks. On second glance, an increase in compromise might be attributed to poor security practices. If having more systems connected to more networks results in more compromise, we are in serious trouble. An ever-increasing number of systems will continue to be connected in an increasingly connected world.

Surely today, with more security available to us than at any other time in the history of computing, an ever-continuing increase in worldwide compromise can't be attributed to poor security practices. Or can it? The truth is always complicated. It might be that we now live simultaneously in a world of ever-increasing security capability AND ever-increasing compromise. As distressing as that might be, the answer might be as simple as the notion that 'Offense informs Defense.'

In the spirit of that notion, SEC401 will provide you with real-world, immediately actionable knowledge and information that will put you and your organization on the best footing possible to better counter the modern adversary. Join us to learn how to fight, and how to win."

Bryan Simon, Lead Course Author, SEC401

"Bryan Simon's knowledge and personal experience continue to astound me. SEC401 course content has been incredibly useful and will be directly applicable to my job, and the labs have practical use and are great demonstrations of the concepts presented in lectures." - Thomas Wilson, Agile Systems

Reviews

Excellent material for security professionals wanting a deeper level of knowledge on how to implement security policies, procedures, and defensive mechanisms in an organization.
Brandon Smit
Dynetics
SEC401 gives you a fantastic knowledge base to build on, and I would say it's essential for anyone working in cybersecurity.
Thomas Wilson
Agile Systems
SEC401 provides an excellent overview of security fundamentals delivered by experienced industry professionals.
Jason W.
US Federal Agency
Very well rounded training. Great that he (the instructor) was able to bring real world examples to class. Made the class flow smoothly.
Robin Mahon
Kapstone Paper

    Register for SEC401

    • In Person

    Training events and topical summits feature presentations and courses in classrooms around the world.

    Learn more
    • Live Online

    Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

    Learn more
    • OnDemand

    Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

    Learn more