Cybera Partnership SEC401 - Hybrid

Hybrid Event Mon, May 01 - Sat, May 06, 2023

Welcome to SEC401: Security Essentials: Network, Endpoint, and Cloud

Instructor: Kevin Ripa | 46 CPEs
Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401 will provide the essential information security skills and techniques you need to protect and secure your critical information and technology assets, whether on-premise or in the cloud. SEC401 will also show you how to directly apply the concept learned into a winning defensive strategy, all in the terms of the modern adversary. This is how we fight; this is how we win! 18 Hands-On Labs

What You Will Learn

This course will teach you the most effective steps to prevent attacks and detect adversaries with actionable techniques that can be used as soon as you get back to work. You will learn tips and tricks designed to help you win the battle against the wide range of cyber adversaries that want to harm your environment.

Organizations are going to be targeted, so they must be prepared for eventual compromise. Today more than ever before, TIMELY detection and response is critical. The longer an adversary is present in your environment, the more devastating and damaging the impact becomes. The most important question in information security may well be, "How quickly can we detect, respond, and REMEDIATE an adversary?"

Information security is all about making sure you focus on the right areas of defense, especially as applied to the uniqueness of YOUR organization. In SEC401, you will learn the language and underlying workings of computer and information security, and how best to apply them to your unique needs. You will gain the essential and effective security knowledge you will need if you are given the responsibility to secure systems or organizations.

Whether you are new to information security or a seasoned practitioner with a specialized focus, SEC401 will provide the essential information security skills and techniques you need to protect and secure your critical information and technology assets, whether on-premise or in the cloud. SEC401 will also show you how to directly apply the concepts learned into a winning defensive strategy, all in the terms of the modern adversary. This is how we fight; this is how we win!


This course will help your organization:

  • Address high-priority security problems
  • Leverage the strengths and differences among the top three cloud providers (AWS, Microsoft Azure, and Google Cloud Platform)
  • Build a network visibility map to validate the attack surface
  • Reduce your organization's attack surface through hardening and configuration management

You will learn (applied to on-premise and in the Cloud)

  • The core areas of cybersecurity and how to create a security program that is built on a foundation of Detection, Response, and Prevention
  • Practical tips and tricks that focus on addressing high-priority security problems within your organization and doing the right things that lead to security solutions that work
  • How adversaries adapt tactics and techniques, and importantly how to adapt your defense accordingly
  • What ransomware is and how to better defend against it
  • How to leverage a defensible network architecture (VLANs, NAC, and 802.1x) based on advanced persistent threat indicators of compromise
  • The Identity and Access Management (IAM) methodology, including aspects of strong authentication (Multi-Factor Authentication)
  • How to leverage the strengths and differences among the top three cloud providers (Amazon, Microsoft, and Google), including the concepts of multi-cloud
  • How to identify visible weaknesses of a system using various tools and, once vulnerabilities are discovered, configure the system to be more secure (realistic and practical application of a capable vulnerability management program)
  • How to sniff network communication protocols to determine the content of network communication (including access credentials) using tools such as tcpdump and Wireshark
  • How to use Windows, Linux, and macOS command line tools to analyze a system looking for high-risk indicators of compromise, as well as the concepts of basic scripting for the automation of continuous monitoring
  • How to build a network visibility map that can be used to validate the attack surface and determine the best methodology to reduce the attack surface through hardening and configuration management
  • Why some organizations win and why some lose when it comes to security, and most importantly, how to be on the winning side

With the rise in advanced persistent threats, it is inevitable that organizations will be targeted. Defending against attacks is an ongoing challenge, with new threats emerging all the time, including a next generation of threats. In order to be successful in defending an environment, organizations need to understand what really works in cybersecurity. What has worked - and will always work - is taking a risk-based approach to cyber defense.

Hands-On Training

Our hands-on labs help students master the content and gain a deeper understanding of the concepts they are learning. We've built these labs to further develop skills in a controlled environment.

  • Section 1: tcpdump; Wireshark; Aircrack-ng
  • Section 2: hashcat; Cain and Abel; Application Control (Whitelisting)
  • Section 3: Nmap; Malicious Software; Command Injection; hping3
  • Section 4: Image Steganography; GNU Privacy Guard (GPG); Snort; Hashing
  • Section 5: Process Hacker; NTFS Permissions Reporter; SECEDIT.EXE; PowerShell Scripting

"SEC401 covered a very wide range of security technologies, processes, and tools that will really open your eyes. I liked how the course shows that not everything is magic, and packets of data can be interpreted even without fancy tools. The labs were great for demonstrating the concepts, with flawless instruction and seamless packet capture." - Fei Ma, DESE

What You Will Receive

Course books and labs

TCP IP reference guides

MP3 audio files of the complete course lecture


This course prepares you for the GSEC certification that meets the requirements of the DoD8140 IAT Level 2.

Pricing & Registration

This course is part of the SANS Partnership Program. Students affiliated with an eligible institution* may enroll in this course at a discounted rate of $3450 USD. To receive this rate, enter the appropriate discount code when registering. **All registrations using a code will be audited to confirm that they are eligible to receive the discounted rate. On Demand 949 USD | GSEC 949 USD This class is a HYBRID event. Please click on the appropriate "Register" button below. If you are affiliated with a Partnership-eligible institution enter the following discount codes to receive your Partnership pricing! Discount code: 77935-IP (if you plan to attend In-Person) Discount code: 78380-LO (if you plan to attend Virtually-Live Online) *Eligible institutions include US and Canada-based educational Institutions (any accredited educational institution, including colleges, universities, technical training institutes and K-12 schools) and any North American State, Province, Municipal or Local Government agency.

Course Syllabus

SEC401.1: Network Security and Cloud Essentials


A typical way attackers can access companies' resources is through a network connected to the internet. Organizations try to prevent as many attacks as possible, but since not all attacks will ultimately be prevented, they must be detected in a timely manner. It is therefore critical to understand how to build a defensible network architecture, including the types of network designs and the relational communication flows.

In any organization large or small, all data is not created equal. Some data is routine and incidental, while other data can be vastly sensitive and critical, and its loss can cause irreparable harm to an organization. It is essential to understand how network-based attacks bring risk to critical data and how an organization is vulnerable to such attacks. To achieve this, we need to become familiar with communication protocols of modern networks.

Cloud computing becomes an obvious topic of discussion in relation to our modern public and private networks. A conversation on defensible networking would not be complete without an in-depth discussion of what the cloud is, and most importantly, the security abilities (and related concerns) of the cloud that must also be taken into account.

Adversaries need our networks just as much as we do. Adversaries live off the land, mercilessly pivoting from system to system on our network until they achieve their long-term goals. Said differently, adversaries need to use OUR network to achieve THEIR goals. By understanding how our networks function (relative to our unique needs), we can more easily uncover the activities of adversaries.

By the end of this section, you will understand Defensible Network Architecture, Protocols and Packet Analysis, Virtualization and Cloud Essentials, and Wireless Network Security.

  • Virtualized environment setup
  • Sniffing and analysis of network traffic including tcpdump
  • Sniffing, protocol decoding, and extraction of network traffic using Wireshark
  • Wireshark network communication attacks


Module 1: An Introduction to SE401

This course is unique in its coverage of more than 30 topics of information security. This introductory module reviews the structure of the course and the logistics of the class in concert with the "bootcamp" hours and provides an overall thematic view of the course topics.

Module 2: Defensible Network Architecture

To properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of network architecture. Above and beyond an understanding of network architecture, however, properly securing and defending a network will further require an understanding of how adversaries abuse the information systems of our network to achieve their goals.

  • Network Architecture
  • Attacks Against Network Devices
  • Network Topologies
  • Network Design

Module 3: Protocols and Packet Analysis

A solid understanding of the interworking of networks enables you to more effectively recognize, analyze, and respond to the latest (perhaps unpublished) attacks. This module introduces the core areas of computer networks and protocols.

  • Network Protocols Overview
  • Layer 3 Protocols
    • Internet Protocol
    • Internet Control Message Protocol
  • Layer 4 Protocols
    • Transmission Control Protocol
    • User Datagram Protocol
  • Tcpdump

Module 4: Virtualization and Cloud Essentials

This module will examine what virtualization is, the security benefits and the risks of a virtualized environment, and the differences in virtualization architecture. Because cloud computing is architected on virtualization, the module concludes with an extensive discussion of what the public and private cloud is, how it works, the services made available by the public cloud (including security offerings), and related security concepts.

  • Virtualization Overview
  • Virtualization Security
  • Cloud Overview
  • Cloud Security

Module 5: Securing Wireless Networks

This module will explain the differences between the various types of wireless communication technologies available today, the insecurities present in those communications, and approaches to reduce the risk of those insecurities to a more acceptable level.

  • The Pervasiveness of Wireless Communications
  • Traditional Wireless: IEEE 802.11 and its Continual Evolution
  • Personal Area Networks
  • 5G Cellular (Mobile) Communications
  • The Internet of Things

SEC401.2: Defense in Depth


This section of the course looks at the big picture threats to our systems and how to defend against them. We will learn that protections need to be layered, leveraging a principle called defense in depth.

The section starts with information assurance foundations. We look at security threats and how they impact confidentiality, integrity, and availability. The most common aspect of defense in depth is predicated on access controls, and so we move into a discussion on the aspects of identity and access management (IAM). We will see that while passwords (the most common factor of authentication) were to be deprecated and moved away from, this has not been the case and we still struggle today with compromises that result from credential theft. What we can leverage for modern authentication becomes the focus of the discussion on authentication and password security, especially as it applies to cloud computing. Many consider that IAM is the new security perimeter for cloud-based functionality, so the importance of its strong application cannot be understated.

Toward the end of this section, we will shift the focus toward modern security controls that work in the presence of the modern adversary. This is done by leveraging Center for Internet Security (CIS) Controls, the NIST Cybersecurity Framework, and the MITRE ATT&CK knowledge base. In circling back to earlier course content on network architecture, we might naturally be curious as to what else can be done using an overall environmental focus to best secure our data in transit and at rest. This leads to a larger discussion on data loss protection techniques.

Last but certainly not least, a discussion of defense in depth would not be complete without touching on perhaps one of the most important techniques that is more heavily relied upon than ever before - mobile devices. The course section will conclude with a thorough discussion of the benefits (and security risks) of mobile devices ranging from Bring Your Own Device (BYOD) to Mobile Device Management (MDM).

  • Linux and bitcoin wallet password hash cracking with Hashcat
  • Windows password hash cracking with Cain and Abel
  • Application control with AppLocker by Microsoft

Module 6: Defense in Depth

This module examines threats to our systems and takes a big picture look at how to defend against them. We will learn that protections need to be layered, a principle called defense in depth, and explain some principles that will serve you well in protecting your systems.

  • Defense in Depth Overview
    • Risk = Threat x Vulnerability
    • Confidentiality, Integrity and Availability
  • Strategies for Defense in Depth
  • Core Security Strategies
  • Defense in Depth in the Cloud
  • Zero Trust Methodology
  • Variable Trust

Module 7: Identity and Access Management

This module discusses the principles of identity management and access control. Access control models vary in their approaches to security. We will explore their underlying principles, strengths, and weaknesses. The module includes a brief discussion on authentication and authorization protocols and control.

  • Digital Identity
    • Authentication
    • Authorization
    • Accountability
  • Identity Access Management
  • Single Sign On (SOS): On-Premise and Cloud
    • Traditional SSO
    • SAML 2.0
    • 0Auth 2.0
  • Access Control
    • Controlling Access
    • Managing Access
    • Monitoring Access
  • Privileged Access Management: On-Premise and Cloud

Module 8: Authentication and Password Security

A discussion of identity and access management naturally leads to a conversation on authentication and password security. We will spend time discussing the various types of authentication: something you know, something you have, and something you are. We will focus specifically on the most common (and problematic) example of something you know authentication type (the password).

  • Authentication Types
    • Something You Know
    • Something You Have
    • Something You Are
  • Password Management
  • Password Techniques
  • Password (Passphrase) Policies
  • Password Storage
  • Key Derivation Functions
  • How Password Assessment Works
  • Password Attack Tools
    • Hashcat
    • Mimikatz
  • Multi-Factor Authentication
  • Adaptive Authentication

Module 9: Security Frameworks

In implementing security, it is important to have a framework that includes proper metrics. As is often said, you cannot manage what you cannot measure. This module focuses on three frameworks: The Center for Internet Security (CIS) Controls (created to help organizations prioritize the most critical risks they face); the NIST Cybersecurity Framework (standards, guidelines, and best practices that can assist in managing overall cybersecurity risk); and the MITRE ATT&CK knowledge base (adversary tactics and techniques). Combining the prioritized actions of the CIS Controls with the understanding of overall risk from the NIST Cybersecurity Framework, all in consideration of adversarial tactics and techniques, will help put us in solid footing in defending against the modern adversary.

  • Introduction to the CIS Controls
    • Guiding Principles
    • Case Study: Sample CIS Control
    • Case Study: SolarWinds
  • NIST Cybersecurity Framework
    • Framework Core
    • Implementation Tiers
    • Framework Profiles
    • Techniques
    • Mapping to Known Adversaries

Module 10: Data Loss Prevention

Loss or leakage?

In essence, data loss is any condition that results in data being corrupted, deleted, or made unreadable in any way by a user and or software (application). A data breach is, in most cases, an intentional or unintentional security incident. Such incidents can lead to, among other things, unintentional information disclosure, data leakage, and data spill. This module covers exactly what constitutes data loss or leakage, and the methodologies that can be leveraged to implement an appropriate data-loss prevention capability.

  • Loss or Leakage
    • Data Loss
    • Data Leakage
    • Ransomware
  • Preventative Strategies
    • Redundancy (On-Premise and Cloud)
    • Data Recovery
  • Related Regulatory Requirements
    • GDPR
    • CCPA
  • Data Loss Prevention Tools
  • Defending Against Data Exfiltration
    • Honeypots
    • User Activity Monitoring

Module 11: Mobile Device Security

This module starts with a quick comparison of the Android and iOS mobile operating systems and what makes them so different. The module concludes with a brief discussion of the security features of both systems.

  • Android versus iOS
  • Android Security
    • Android Security Features
    • What You Need to Know About Android
    • Android Fragmentation
    • Android Security Fix Process
  • Apple iOS Security
    • Apple iOS Security Features
    • What to Know About iOS
    • iOS Updates
  • Mobile Problems and Opportunities
  • Mobile Device Management
  • Unlocking, Rooting, and Jailbreaking
  • Mitigating Mobile Malware
    • Android Malware
    • iOS Malware

SEC401.3: Vulnerability Management and Response


In this section the focus shifts to various areas of our environment where vulnerabilities arise. We will begin with an overall discussion of exactly what constitutes a vulnerability, and how to best implement a proper vulnerability assessment program.

Penetration testing is often discussed in concert with vulnerability assessment, even though vulnerability assessment and penetration testing are quite distinct from each other. So, in concluding our discussion of vulnerability assessments, we move on to a proper and distinct discussion on what penetration testing is and how best to leverage its benefits.

Because vulnerabilities represent weaknesses that adversaries exploit, a discussion of vulnerabilities would not be incomplete without a serious discussion of modern attack methodologies based on real-world examples of compromise. Of all the potential areas for vulnerabilities in our environment, web applications represent one of the most substantial, with the most consequential risk. The extensive nature of vulnerabilities that can arise from web applications dictate that we focus the attention of this entire module on web application security concepts.

While it is true that vulnerabilities allow adversaries to penetrate our systems, sometimes with great ease, it is impossible for those adversaries to remain entirely hidden post-compromise. In leveraging the logging capabilities of our hardware and software, we might detect the adversary in a timely manner. How we achieve such a capacity is the subject of our penultimate module: Security Operations and Log Management.

Last but not least, we will need to have a plan of action for a proper response to the compromise of our environment. The methodology for an appropriate incident response is the subject of the final module of this section.

  • System, port, and vulnerability discovery with Nmap
  • Trojan software
  • Leveraging application vulnerabilities for command injection
  • Malicious network packet crafting

Module 12: Vulnerability Assessments

This module covers the tools, technology, and techniques used for reconnaissance (including gathering information), the mapping of networks, and scanning of vulnerabilities, all within the scope of a proper vulnerability framework.

  • Introduction to Vulnerability Assessments
  • Steps to Perform a Vulnerability Assessment
  • Criticality and Risks

Module 13: Penetration Testing

The role of penetration testing, which is well understood by most organizations, gave rise to newer testing techniques such as red and purple teaming and adversary emulation. Often, penetration testing is limited in scope to where the testers are not truly able to emulate and mimic the behaviors of adversaries. This is where the red teaming and adversary emulation come into play. A methodical and meticulous approach to penetration testing is needed to provide business value to your organization.

  • The What and Why of Penetration Testing
    • Red Team
    • Adversary Emulation
    • Purple Team
  • Types of Penetration Testing
    • External
    • Internal
    • Web Application
    • Social Engineering
    • Mobile Device Testing
    • Internet of Things Testing
  • Penetration Testing Process
  • Penetration Testing Tools
    • Nmap
    • Metasploit
    • Meterpreter
    • C2 Frameworks and Implants
  • Password Compromise, Reuse, Stuffing, and Spraying

Module 14: Attacks and Malicious Software

This module will examine the Marriott breach, which compromised millions of records globally, as well as ransomware attacks that continue to cripple hundreds and thousands of systems across different industries. We will describe the attacks in detail, discussing not only the conditions that made them possible, but also some strategies that can be used to help manage the risks associated with such attacks.

  • High-Profile Breaches and Ransomware
  • Ransomware as a Service
  • Common Attack Techniques
  • Malware and Analysis

Module 15: Web Application Security

This module looks at some of the most important things to know about designing and deploying secure web applications. We start with an examination of the basics of web communications, then move on to cover HTTP, HTTPS, HTML, cookies, authentication, and maintaining state. We conclude by looking at how to identify and fix vulnerabilities in web applications.

  • Web Communication Fundamentals
    • Cookies
    • HTTPS
  • Developing Secure Web Apps
    • OWASP Top Ten
    • Basics of Secure Coding
  • Web Application Vulnerabilities
    • Authentication
    • Access Control
    • Session Tracking/Maintaining State
  • Web Application Monitoring
    • Web Application Firewall (WAF)
    • Monolithic Architecture and Security Controls
    • Microservice Architecture and Related Attack Surface

Module 16: Security Operations and Log Management

This module covers the essential components of logging, how to properly manage logging, and the considerations that factor into leveraging logging to its fullest potential.

  • Logging Overview
    • Log Collection Architecture
    • Log Filtering
    • Lack of Accepted Log Standards
  • Setting Up and Configuring Log Standards
    • Log Analysis Tools
    • Phased Approach
    • Log Aggregation, Security Information, and Event Management
  • Key Logging Activity

Module 17: Digital Forensics and Incident Response

This module explores the fundamentals of incident handling and why it is important to an organization. We will outline a multi-step process to create our own incident handling procedures and response plans. Being able to leverage digital forensic methodologies to ensure that processes are repeatable and verifiable will also be a key focus of the material.

  • Introduction to Digital Forensics
    • What is Digital Forensics?
    • Digital Forensics in Practice
    • The Investigative Process
    • Remaining Forensically Sound
    • Examples of Examining Forensics Artifacts
    • DFIR Subdisciplines
    • Digital Forensics Tools
  • Incident Handling Fundamentals
  • Multi-Step Process for Handling an Incident
  • Incident Response: Threat Hunting

SEC401.4: Data Security Technologies


There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues, though few companies deploy it correctly. This technology is cryptography. During the first half of this section, we will look at various aspects of cryptographic concepts and how they can be used to help secure an organization's assets. A related discipline, steganography (information hiding), will also be covered. During the second half of the section, we shift our focus to the various types of prevention technologies that can be used to stop an adversary from gaining access to our organization (firewalls, intrusion prevention systems). We will also look at the different detection technologies that can detect the presence of an adversary (intrusion detection systems). These prevention and detection techniques can be deployed from a network and/or endpoint perspective, and we will explore their similarities and differences.

  • Hiding communication and data using steganographic tools
  • Practical application of cryptographic capability with GPG
  • Triggering and analysis of detection alerts with the Snort IDS
  • Automated detection of adversarial activity with hashing


Module 18: Cryptography

Cryptography can provide the functional capabilities needed to achieve confidentiality, integrity, authentication, and non-repudiation. There are three general types of cryptographic systems: symmetric, asymmetric, and hashing. These systems are usually distinguished from one another by the number of keys employed, as well as the security goals they achieve. This module discusses these different types of cryptographic systems and how each type is used to provide a specific security function. The module also introduces steganography, which is a means of hiding data in a carrier medium. Steganography can be used for a variety of purposes but is most often used to conceal the fact that information is being sent or stored.

  • Cryptosystem Fundamentals
    • Cryptography
    • Cryptanalysis
  • General Types of Cryptosystems
    • Symmetric
    • Asymmetric
    • Hashing
  • Digital Signatures
  • Steganography

Module 19: Cryptography Algorithms and Deployment

The content of this module will help us gain a high-level understanding of the mathematical concepts that contribute to modern cryptography. We'll also identify common attacks used to subvert cryptographic defenses.

  • Cryptography Concepts
  • Symmetric, Asymmetric, and Hashing Cryptosystems
    • AES
    • RSA
    • ECC
  • Cryptography Attacks (Cryptanalysis)

Module 20: Applying Cryptography

This module will discuss the practical applications of cryptography in terms of protection of data in transit and protection of data at rest. We conclude with an important discussion on the management of public keys (and the related concepts of certificates), all in terms of a Public Key Infrastructure.

  • Data in Transit
      • IPsec
      • SSL-based
      • Security Implications
  • Data at Rest
    • File/Folder Level Encryption
    • Full Disk Encryption
    • GNU Privacy Guard (GPG)
  • Key Management
    • Public Key Infrastructure
    • Digital Certificates
    • Certificate Authorities

Module 21: Network Security Devices

Three main categories of network security devices will be discussed in this module: Firewalls, Network Intrusion Detection Systems (NIDS), and Network Intrusion Prevention Systems (NIPS). Together, they provide a complement of prevention and detection capabilities.

  • Firewalls
    • Overview
    • Types of Firewalls
    • Configuration and Deployment
  • NIDS
    • Types of NIDS
    • Snort as a NIDS
  • NIPS
    • Methods of Deployment
    • Security and Productivity Risk Considerations

Module 22: Endpoint Security

In this final module of the section, we examine some of the key components, strategies, and solutions for implementing security from an endpoint perspective. This includes general approaches to endpoint security, strategies for baselining activity, and solutions like Host-based IDS (HIDS) and Host-based IPS (HIPS).

  • Endpoint Security Overview
    • Core Components of Endpoint Security
    • Enhancing Endpoint Security
  • Endpoint Security Solutions
    • Anti-malware
    • Endpoint Firewalls
    • Integrity Checking
  • HIDS and HIPS
    • Overview
    • Practical Considerations

SEC401.5: Windows and Azure Security


Remember when Windows was simple? Windows XP desktops in a little workgroup... what could be easier? A lot has changed over time. Now, we are Windows tablets, Azure, Active Directory, PowerShell, Microsoft 365 (Office 365), Hyper-V, Virtual Desktop Infrastructure and so on. Microsoft is battling Google, Apple, Amazon and other cloud giants for cloud supremacy. The trick, of course, is to do cloud securely.

Windows is the most widely used and targeted operating system on the planet. At the same time, the complexities of Active Directory, Public Key Infrastructure, BitLocker, AppLocker, and User Account Control represent both challenges and opportunities. This course section will help you quickly master the world of Windows security while showing you the tools that can simplify and automate your work - both on-premise and in the cloud (Microsoft Azure). You will complete the section with a good solid grounding in Windows security by looking at automation and auditing capabilities for the Windows ecosystem.

  • Process observation and analysis with Process Hacker
  • NTFS file system practical using NTFS Permissions Reporter
  • Auditing and enforcement of system baseline configurations with security templates
  • PowerShell scripting and automation techniques


Module 23: Windows Security Infrastructure

This module discusses the infrastructure that supports Windows security. This is a big picture overview of the Windows security model. It provides the background concepts necessary to understand everything else that follows.

  • Windows Family of Products
  • Windows Workgroups and Accounts
  • Windows Active Directory and Group Policy

Module 24: Windows as a Service

This module discusses techniques for managing Windows systems as it applies to updates (patches) as well as new cloud-based deployment methodology (Windows Autopilot and Windows Virtual Desktop).

  • End of Support
  • Servicing Channels
  • Windows Update
  • Windows Server Update Services
  • Windows Autopilot
  • Windows Virtual Desktop
  • Third-Party Patch Management

Module 25: Windows Access Controls

This module focuses on understanding how permissions are applied in the Windows NT File System (NTFS), Shared Folders, Registry Keys, Active Directory, and Privileges. BitLocker is discussed as another form of access control (for encrypted information), and as a tool to help maintain the integrity of the boot-up process if you have a Trusted Platform Module.

  • NTFS Permissions
  • Shared Folder Permissions
  • Registry Key Permissions
  • Active Directory Permissions
  • Privileges
  • BitLocker Drive Encryption
  • Secure Boot

Module 26: Enforcing Security Policy

This module discusses one of the best tools for automating security configuration changes, SECEDIT.EXE, which is the command-line version of Microsoft's Security Configuration and Analysis snap-in. We'll look at some of the most important changes that can be made through the use of this tool, such as password policy, lockout policy, and null user session restrictions. We'll also briefly discuss Group Policy Objects (GPOs) and the many best practice security configuration changes that they can help enforce throughout the domain.

  • Applying Security Templates
  • Employing the Security Configuration and Analysis Snap-in
  • Understanding Local Group Policy Objects
  • Understanding Domain Group Policy Objects
  • Administrative Users
    • Privileged Account Management
    • Reduction of Administrative Privileges
  • AppLocker
  • User Account Control
  • Windows Firewall
  • IPsec Authentication and Encryption
  • Remote Desktop Services
  • Recommended GPO Settings

Module 27: Microsoft Cloud Computing

Inside your LAN as well as in the cloud, you will likely have a mixture of servers. Microsoft's cloud is known as Azure. On top of Azure, Microsoft has implemented services such as Microsoft 365, Exchange Online, OneDrive, Intune, and many others. Microsoft has designed Windows 10 and later versions for integration with Azure, so Windows security includes not just Windows alone, but also Azure. It's important for your career as a security professional to understand the essential concepts of Microsoft Azure.

  • Microsofts All-In Bet on Cloud Computing
  • Microsoft Cloud Types: IaaS, PaaS, SaaS, and DaaS
  • Microsoft Azure
  • Azure Active Directory (Azure AD)
  • Azure AD Single Sign-On
  • Multi-Factor Authentication
  • Administrative Role Reduction
  • Endpoint Security Enforcement
  • Microsoft Intune
  • Azure Conditional Access
  • Azure Key Vault
  • Azure Monitor
  • Azure Sentinel (SIEM and SOAR)
  • Azure Policy
  • Azure Security Center

Module 28: Automation, Logging, and Auditing

Automation, logging, and auditing go together because if we can't automate our work, the auditing work doesn't get done at all (or is done only sporadically). Also, if we can't automate our work, we can't make our work scale beyond the small number of machines that we can physically touch. Thankfully, modern Windows systems come with a very powerful automation capability: PowerShell. We will learn what PowerShell is and how to leverage it in our pursuit of deployment consistency, detection of change, remediation of systems, and even threat hunting!

  • What Is Windows PowerShell?
  • Windows PowerShell versus PowerShell Core
  • Windows Subsystem for Linux (WSL)
  • Automation and Command-Line Capability in Azure
    • PowerShell Az Module
    • Azure CLI
    • Azure Cloud Shell
    • Azure Resource Manager Templates
    • Runbooks
  • Gathering Ongoing Operational Data
  • Employing Change Detection and Analysis

SEC401.6: Linux, AWS, and Mac Security


While organizations may not have many Linux systems, the Linux systems that they do have are often the most critical systems that need to be protected. This course section focuses on the practical guidance necessary to improve the security of any Linux system. The day provides practical how-to instructions with background information for Linux beginners as well as security advice and best practices for administrators with various levels of expertise.

Since Linux is a perceived as being a free operating system, it is not a surprise that many advanced security concepts are first developed for Linux. One example is containers, which provide powerful and flexible concepts for cloud computing deployments. While not specifically designed for information security purposes, containers are built on elements of minimizations, and that is something we can leverage in an overall information security methodology (as part of defense in depth). In this section we will discuss what containers do and do not represent for information security, as well as best practices for their management.

A discussion of Linux and UNIX concepts would not be complete without a comparison discussion of AWS in relation to Microsoft Azure discussion in section five of this course. We will examine fundamentals of AWS and discuss the impressive security controls available. Last, but not least, we conclude the section with a review of Apple's macOS (which is based on UNIX). Apple's venerable macOS provides extensive opportunities for hardware and software security, but is often misunderstood in terms of what can and cannot actually be achieved.


Module 29: Linux Fundamentals

This module discusses the foundational items that are needed to understand how to configure and secure a Linux system.

  • Operating System Comparison
  • Linux Vulnerabilities
  • Linux Operating System
    • Shell
    • Kernel
    • Filesystem
    • Linux Unified Key Setup
  • Linux Security Permissions
  • Linux User Accounts
  • Pluggable Authentication Modules
  • Built-in Command-Line Capability
  • Service Hardening
  • Package Management

Module 30: Linux Security Enhancements and Infrastructure

This module discusses security enhancement utilities that provide additional security and lockdown capabilities for modern Linux systems. As discussed earlier in the course, taking advantage of logging capabilities is an incredibly important aspect of our modern cyber defense. Linux supports the well-known Syslog logging standard (and its related features) and will be discussed in this module. As Syslog continues to age, it may end up being unable to provide the logging features that modern day cyber defense demand. Because of this, we will explore additional logging enhancements ranging from Syslog-ng to Auditd.

  • Operating System Enhancements
    • SELinux
    • AppArmor
  • Linux Hardening
    • Address Space Layout Randomization
    • Kernel Module Security
    • SSH Hardening
    • CIS Hardening Guides and Utilities
  • Log Files
    • Key Log Files
    • Syslog
    • Syslog Security
    • Log Rotation
    • Centralized
    • Logging
    • Auditid
    • Firewalls: Network and Endpoint
    • Rootkit Detection

Module 31: Containerized Security

The importance of segmentation and isolated techniques cannot be understated. Isolation techniques can help mitigate the initial damage caused by an adversary, giving us more time for detection. In this module, we will discuss various types of isolation techniques, including virtualization and containers. Containers are a relatively new concept (as applied to information security perspectives). There can be a lot of misunderstanding as to what security benefits are truly afforded by containers, and the potential security issues that may come up within containers themselves. We will discuss what containers are, best practices to deploy them, and how to secure them.

  • Virtualization
    • Containers versus Virtual Machines
  • Containers and Orchestration
    • LXC
    • Cgroups and Namespaces
    • Docker
    • Docker Images
    • Kubernetes
  • Container Security
    • Docker Best Practices
    • Vulnerability Management
    • Secure Configuration Baselines
    • Terraform

Module 32: AWS Essentials, Controls, and Best Practices

In this extensive module, we discuss the foundational concepts of Amazon Web Services (AWS) necessary to provide a better understanding of the interaction among AWS and its more commonly used services. These foundational concepts lend themselves to an overview of some of the specific security capabilities and services made through AWS. Furthermore, we discuss these aspects of AWS in the terms of cloud best practice, detailed by Amazon in its Well-Architected Framework.

  • Identity and Access Management in AWS
    • AWS IAM Key Concepts
    • Identity Federations and External Access
    • Amazon Cognito
  • Management Tools Within AWS
    • AWS Console
    • AWS CLI
  • AWS Commonly Used Services and Functionality
    • High-Availability
    • EC2
    • S3
    • Lambda
    • CloudFront
    • AWS Config
    • Amazon RDS
    • AWS Security Controls
    • NACLs versus Security Groups
    • AWS Network Firewall
    • AWS Shield and AWS Web Application Firewall
    • Amazon Macie
    • Key Management Service
      • Amazon Managed
      • Customer Managed
      • HSM
    • Amazon CloudWatch
    • Amazon CloudTrail
    • Amazon GuardDuty
  • AWS Well-Architected Framework (Security Pillar)
    • Implement a Strong Identity Foundation
    • Enable Traceability
    • Apply Security at All Layers
      • Network
      • Compute
    • Automate Security Best Practices
    • Protect Data in Transit and at Rest
    • Keep People Away from Data
    • Prepare for Security Events

Module 33: macOS Security

This module focuses on the security features that are built into macOS systems. Although macOS is a relatively secure system that provides many different features, it can also be flawed just like any other operating system.

  • What is macOS?
  • Privacy Controls
    • Keychain
    • Strong Passwords
  • Gatekeeper
  • Anti-Phishing and Download Protection
  • XProtect
  • Firewall
  • FireVault
  • Sandboxing and Runtime Protection
  • Security Enclaves
  • macOS Vulnerabilities and Malware

GIAC Security Essentials

The GIAC Security Essentials (GSEC) certification validates a practitioner's knowledge of information security beyond simple terminology and concepts. GSEC certification holders are demonstrating that they are qualified for hands-on IT systems roles with respect to security tasks.

  • Defense in depth, access control and password management
  • Cryptography: basic concepts, algorithms and deployment, and application
  • Cloud: AWS fundamentals, Microsoft cloud
  • Defensible network architecture, networking and protocols, and network security
  • Incident handling and response, data loss prevention, mobile device security, vulnerability scanning and penetration testing
  • Linux: Fundamentals, hardening and securing
  • SIEM, critical controls, and exploit mitigation
  • Web communication security, virtualization and cloud security, and endpoint security
  • Windows: access controls, automation, auditing, forensics, security infrastructure, and services
More Certification Details


SEC401 covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, SEC275: Foundations - Computers, Technology and Security or SEC301: Introduction to Cyber Security would be the recommended starting point. While these courses are not a prerequisite for SEC401, they do provide the introductory knowledge to help maximize the experience with SEC401.

Lab Requirements

CRITICAL NOTE: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

Operating System

  • Your system must be running either the latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
  • Windows Credential Guard must be DISABLED (if running Windows as your host OS)
  • CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.


  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".


  • Enabled "Intel-VT"
  • Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.


  • 16 GB RAM (or more) is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

Hard Drive Free Space

  • 100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Additional Requirements

The requirements below are in addition to the baseline requirements provided above. Prior to the start of class, you must install VMware virtualization software and meet the additional software requirements as described below.

  • VMware Player Install
    • VMware Workstation Player 15.5+, VMware Workstation Pro 15.5.+, or VMware Fusion 11.5+.
    • If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation Pro. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
  • You must have administrator access to the host OS and to all installed security software.
  • You must have the ability to reboot the laptop and login (i.e., you must have valid credentials for any drive encryption or other security software installed)

Your course media will be delivered via download. The media files for class can be large, some in the 20 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads when you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using electronic workbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact

In Person Classroom Location:

University of Alberta - Main Campus

ECHA 1-498

Address: TBD

Parking: TBD