University of California SEC401 | August 2021

Online, Virtual Event Mon, Aug 23 - Sat, Aug 28, 2021

Welcome to SEC401 - Security Essentials Bootcamp Style

Instructor: Chris Christianson | 46 CPEs
Associated Certification: GIAC Security Essentials (GSEC)

SEC401: Security Essentials Bootcamp Style is focused on providing you the essential information security skills and techniques you need to protect and secure your organization's critical information and technology assets. SEC401 will show you how to apply the knowledge you gain, forming it into a winning defensive strategy in the terms of the modern adversary. This is how we fight; this is how we win!

What You Will Learn

This course will show you the most effective steps to prevent attacks and detect adversaries with actionable techniques that can be used as soon as you get back to work. You'll learn tips and tricks designed to help you win the battle against the wide range of cyber adversaries that want to harm your environment.

Is SEC401: Security Essentials Bootcamp Style the right course for you?

STOP and ask yourself the following questions:

  • Do you fully understand why some organizations become compromised and others do not?
  • If there were compromised systems on your network, are you confident that you would be able to find them?
  • Do you know the effectiveness of each security device and are you certain that they are all configured correctly?
  • Are proper security metrics set up and communicated to your executives to drive security decisions?

SEC401 provides you with the information security knowledge needed to help you answer these questions for your environment, delivered in a bootcamp-style format reinforced with hands-on labs.

Test your security knowledge with our free SANS Security Essentials Assessment Test.

You will learn:

  • To develop effective security metrics that provide a focused playbook that the IT department can implement, auditors can validate, and executives can understand
  • To analyze the risk to your environment in order to drive the creation of a security roadmap that focuses on the right areas of security
  • Practical tips and tricks that focus on addressing high-priority security problems within your organization and doing the right things that lead to security solutions that work
  • Why some organizations win and why some lose when it comes to security and, most importantly, how to be on the winning side
  • The core areas of security and how to create a security program that is built on a foundation of Detection, Response, and Prevention


SEC401: Security Essentials Bootcamp Style is focused on providing you the essential information security skills and techniques you need to protect and secure your organization's critical information and technology assets. SEC401 will show you how to apply the knowledge you gain, forming it into a winning defensive strategy in the terms of the modern adversary. This is how we fight; this is how we win!


With the rise in advanced persistent threats, it is inevitable that organizations will be targeted. Defending against attacks is an ongoing challenge, with new threats emerging all the time, including the next generation of threats. In order to be successful in defending an environment, organizations need to understand what really works in cybersecurity. What has worked ... and will always work ... is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time to anything in the name of cybersecurity, three questions must be answered:

  1. What is the risk?
  2. Is it the highest priority risk?
  3. What is the most cost-effective way to reduce the risk?

All in all, however, organizations are going to be targeted AND broken into. Today, more than ever before, TIMELY detection and TIMELY response is critical. Once an adversary is inside the environment, damage will occur. In the near future, the key question in information security will become, "How quickly can we detect, respond, and remediate an adversary?" As counterintuitive as it may seem, it needs to be stated that you CANNOT secure what you don't know you have. Security is all about making sure you focus on the right areas of defense (especially as applied to the uniqueness of YOUR organization). In SEC401 you will learn the language and underlying workings of computer and information security, and how best to apply it to your unique needs. You will gain the essential and effective security knowledge you will need if you are given the responsibility to secure systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will learn up-to-the-minute skills that you can put into practice immediately upon returning to work; and (2) You will be taught by the best security professionals in the industry.

You Will Be Able To

  • Apply what you learn directly to your job when you go back to work
  • Design and build a network architecture using VLANs, NAC, and 802.1x based on advanced persistent threat indicators of compromise
  • Run Windows command line tools to analyze a system looking for high-risk items
  • Utilize Linux command line tools and basic scripting to automate the running of programs to perform continuous monitoring of systems
  • Create an effective policy that can be enforced within an organization and design a checklist to validate security and create metrics to tie into training and awareness
  • Identify visible weaknesses of a system using various tools and, once vulnerabilities are discovered, configure the system to be more secure
  • Build a network visibility map that can be used for hardening of a network - validating the attack surface and determining the best methodology to reduce the attack surface through hardening and patching
  • Sniff network communication protocols to determine the content of network communication (including unprotected access credentials), using tools such as tcpdump and Wireshark.

Hands-On Training

SEC401 is an interactive hands-on training course. The following is only a few of the lab activities that students will carry out:

  • Set up a virtual lab environment
  • Carry out tcpdump network analysis
  • Use Wireshark to decode network traffic
  • Crack passwords
  • Use hashing to preserve digital evidence
  • Analyze networks with hping3 and Nmap
  • Use steganography tools
  • Secure and audit a Windows system against a template

Pricing & Registration

This course is part of the SANS Partnership Program. Students affiliated with an eligible institution* may enroll in this course at a discounted rate of $2810. To receive this rate, enter the appropriate discount code when registering. All registrations using a code will be audited to confirm that they are eligible to receive the discounted rate. GSEC Certification 849 USD | OnDemand 849 USD This class is LIVE ONLINE, please click on the blue "Register Now" button below. If you are affiliated with a Partnership-eligible institution enter discount code 70030-OL to receive your Partnership pricing! *Eligible institutions include US and Canada-based educational Institutions (any accredited educational institution, including colleges, universities, technical training institutes and K-12 schools) and any US state or local government agency.

What You Will Receive

  • Course books with labs
  • USB
  • TCP/IP and tcpdump Reference Guide
  • IPv6 Pocket Guide
  • MP3 audio files of the complete course lecture


This course prepares you for the GSEC certification that meets the requirement of the DoD 8570 IAT Level 2.

Course Syllabus

SEC401.1: Network Security Essentials


A key way that attackers gain access to a company's resources is through a network connected to the internet. Organizations try to prevent as many attacks as possible. Unfortunately, not all attacks will be prevented, and as such, they must be detected it in a timely manner. Therefore, it is critical to be able to understand the goals of building a defensible network architecture. It is critically important to understand the architecture of the system, types of network designs, relational communication flows, and how to protect against attacks using devices such as routers and switches. These essentials and more will be covered during the first section of this course in order to provide a firm foundation for the remaining sections of this training.

In any organization large or small, all data are not created equal. Some data are routine and incidental while other data can be very sensitive, and loss of those data can cause irreparable harm to an organization. It is essential to understand attacks, the vulnerability behind those attacks, and how to prioritize the information and steps to secure the systems. To achieve this, you need to gain familiarity with the communication protocols of modern networks. Adversaries need our networks just as much as we do. Adversaries live off the land, mercilessly pivoting from system to system, on our network, until they can achieve the long-term goal for which they came. Being able to apply the concepts of 'knowing' our network, and how network operations are performed, will allow us to baseline 'normal'. Knowing normal allows 'abnormal' (the adversary) to stand out.

Cloud computing becomes an obvious topic of discussion in relation to our modern networks - public and private networks alike. A conversation on defensible networking would not be complete without an in-depth discussion of what cloud is, and more importantly, the important security considerations that must be taken into account.

By the end of this section, you will understand Defensible Network Architecture, Protocols and Packet Analysis, Network Device Security, Virtualization and Cloud, and Wireless Network Security.

Last, but certainly not least, all of the above wouldn't be as useful without applying the knowledge in our extensive hands-on lab-based environment. Each day of SEC401 is built on a foundation of how to apply key topics and concepts in real-world application.

By the end of Day 1, the adversary's game will be up. Adversaries need to use OUR network to achieve THEIR goals. By understanding how our networks function (relative to our unique needs), the adversary's activity will be revealed. Discovery of the adversary is only a small part of the overall battle; the remainder of SEC401 will show you how not only to defend, but better prevent (and remediate) the adversary.


SEC401.1: Outline: Network Security Essentials

  • SEC401: An Introduction
  • Defensible Network Architecture
  • Protocols and Packet Analysis
  • Network Device Security
  • Virtualization and Cloud
  • Securing Wireless Networks

Module 1: SEC401 - An Introduction

SEC401 is unique in its coverage of more than 30 topical areas of information security. In this introductory module we review the structure of the course, the logistics of the class schedule in concert with 'bootcamp' hours, and the overall thematic view of the course topics.

Module 2: Defensible Network Architecture

In order to properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of network architecture. Above and beyond an understanding of network architecture, however, properly securing and defending a network will further require an understanding of how the adversary abuses the information systems of our network to achieve their goals.

  • Network Architecture
  • Attacks Against Network Devices
  • Network Topologies
  • Network Design

Module 3: Protocols and Packet Analysis

A solid understanding of the interworking of networks enables you to more effectively recognize, analyze, and respond to the latest (perhaps unpublished) attacks. This module introduces the core areas of computer networks and protocols.

Network Protocols Overview

Layer 3 Protocols

  • Internet Protocol
  • Internet Control Message Protocol

Layer 4 Protocols

  • Transmission Control Protocol
  • User Datagram Protocol


Module 4: Network Device Security

In order to implement proper network security, you have to understand the various components of modern networks. In this module, we will look at the core components of network infrastructure, how they work, and the methods needed to leverage them for modern cyber defense. Unfortunately everything on the network, including the network itself, is a target for the adversary. Our conversation on network device security would be incomplete without discussing how to properly secure our networking infrastructure itself.

  • Network Devices
  • Network Device Security

Module 5: Virtualization and Cloud

In this module, we will examine what virtualization is, the security benefits and risks of a virtualized environment, and the differences in virtualization architecture. Because cloud computing is architected on virtualization, the module concludes with an extensive discussion of what cloud is (public and private cloud), how it works, the services made available by public cloud, and related security concepts.

  • Virtualization Overview
  • Virtualization Security
  • Cloud Overview
  • Cloud Security

Module 6: Securing Wireless Networks

In this module, we will explain the differences between the various types of wireless communication technologies available today, the insecurities present in those communications, and approaches to mitigation to reduce the risk of those insecurities to a more acceptable level of risk.

  • The Pervasiveness of "Wireless" Communications
  • Traditional Wireless: IEEE 802.11 and Its Continual Evolution
  • Personal Area Networks
  • 5G Cellular (Mobile) Communication
  • The Internet of Things

SEC401.2: Defense-in-Depth


To secure an enterprise network, you must understand the general principles of network security. On Day 2, we look at the "big picture" threats to our systems and how to defend against them. We will learn that protections need to be layered leveraging a principle called defense-in-depth, and then explain the principles that will serve us well in protecting our systems.

The section starts with information assurance foundations. We look at security threats and how they have impacted confidentiality, integrity, and availability. The most commonly discussed aspect of defense-in-depth is predicated on access controls. As such, with a solid foundation on the aspects of information assurance in place, we move onto the aspects of identity and access management. Even though, for more than 30 years, passwords (the most commonly used form of authentication for access control) were to be deprecated and moved away from, we still struggle today with the compromises that result from credential theft. What we can do for modern authentication is the focus of our discussion on authentication and password security. Toward the end of the book we shift our focus to modern security controls that will work in the presence of the modern adversary. We do so by leveraging the Center for Internet Security (CIS) controls to help prioritize our risk reduction activities and gather metrics as we construct our security roadmap. While realizing that our networks are the foundation for both our (and the adversaries) activities, we might be naturally curious as to what else we can do from an overall environmental focus on how best to secure our data. This naturally leads to a discussion on Data Loss Prevention techniques. Last, but certainly not least, a discussion of defense-in-depth would not be complete without a discussion of, perhaps, the most important aspect of any security program - Security Plans and Risk Management. Cyber security is really just a different form of risk management. A modern-day defender will not be a capable defender without understanding the constitution of risk, how information security risk must tie back to organizational risk, and the methods used to appropriately address gaps in risk.


SEC401.2: Outline: Defense-in-Depth

  • Defense-in-Depth
  • Identity and Access Management
  • Authentication and Password Security
  • CIS Controls
  • Data Loss Prevention
  • Security Plans and Risk Management

Module 7: Defense-in-Depth

In this module, we look at threats to our systems and take a "big picture" look at how to defend against them. We will learn that protections need to be layered, a principle called defense-in-depth, and explain some principles that will serve you well in protecting your systems.

Defense-in-Depth Overview

  • Risk = Threats x Vulnerabilities
  • Confidentiality, Integrity, and Availability

Strategies for Defense-in-Depth

Core Security Strategies

Module 8: Identity and Access Management

This module discusses the principles of identity management and access control. Access control models vary in their approaches to security. We will explore their underlying principles, strengths, and weaknesses. The module includes a brief discussion on authentication and authorization protocols and control.

Digital Identity

  • Authentication
  • Authorization
  • Accountability

Identity Access Management

Access Control

  • Controlling Access
  • Managing Access
  • Monitoring Access

Module 9: Authentication and Password Security

A discussion of identity and access management naturally leads to a conversation on authentication and password security. We will spend time discussing the various types of authentication: Something you know, something you have, some place you are, and something you are. We will also spend considerable time discussing the most common (and problematic) example of the "something you know" authentication type: the password. We will spend time delving into password files, storage, and protection.

Authentication Types

Password Management

  • Password Techniques
  • Password (Passphrase) Policies
  • Password Storage
  • How Password Assessment Works

Password Cracking Tools

  • John the Ripper
  • Hashcat
  • Mimikatz

Multi-Factor Authentication

Adaptive Authentication

Module 10: Center for Internet Security (CIS) Controls

In implementing security, it is important to have a framework with proper metrics. As is often said, you cannot manage what you cannot measure. The CIS controls were created to help organizations prioritize the most critical risks they face. In addition to a framework, the CIS controls also provide details to help organizations put together an effective plan for implementation of the controls they need.

  • Introduction to the CIS Controls
  • The CIS Controls
  • Case Study: Sample CIS Control

Module 11: Data Loss Prevention

Loss or leakage?

In essence, data loss will be any condition that results in data being corrupted, deleted, or made unreadable in any way by a user and/or software (application). A data breach is, in most cases, a security incident that can be intentional or unintentional. Security incidents can lead to (among other things) unintentional information disclosure, data leakage, information leakage and data spill. In this module we cover exactly what constitutes data loss or leakage, the various ways to properly categorize different types of data loss and leakage, and the methodologies that can be leveraged to implement an appropriate data loss prevention capability.

Loss or Leakage

  • Data Loss
  • Data Leakage
  • Ransomware

Preventative Strategies

Redundancy (On-Premise and Cloud)

Data Recovery

Related Regulatory Requirements

  • GDPR
  • CCPA

Data Loss Prevention Tools

Defending Against Data Exfiltration

Module 12: Security Plans and Risk Management

In this module, we discuss the key elements of managing and governing risk within an organization. A key part of managing and governing risk is the formation of security plans built on a solid understanding of the "security risk' of the organization. We will learn how to identify a risk, quantify and assess the probability of the risk, and leverage the classification of an asset to determine impact.

Security Plans

Risk Management

Security Governance

How Do I Identify a Risk?

  • Quantifying Risk
  • Probability
  • Impact Types
  • Asset Classification

Risk-Level Matrices

Risk Treatment Actions

Security Policies

Security Standards

SEC401.3: Vulnerability Management and Response


On Day 3, our focus shifts to the various areas of our environment where vulnerabilities manifest. We will begin with an overall discussion of exactly what constitutes a vulnerability, and how to best implement a proper vulnerability assessment program. Penetration testing is often discussed in concert with vulnerability assessment, even though vulnerability assessment and penetration testing are quite distinct from each other.

In concluding our discussion of vulnerability assessments, we next move on to a proper and distinct discussion on what penetration testing is, and how best to leverage its benefits. Because vulnerabilities represent weaknesses that allow adversaries to manifest, a discussion of vulnerabilities would be incomplete without a serious discussion of modern attack methodologies based on real-world examples of real-world compromise. Of all the potential areas for vulnerabilities to manifest in our environment, web applications represent, perhaps, one of the most substantial areas of potential vulnerability and consequential risk. The extensive nature of the vulnerabilities that can manifest with ease from web applications dictate that we focus the attention of an entire module on web application security concepts. While it is true that vulnerabilities allow adversaries to manifest (perhaps with great ease), it is impossible for adversaries to remain entirely hidden - post-compromise. By leveraging the logging capacity of our hardware and software, we can more easily detect the adversary in a reduced period of time. How we achieve such a capacity is the subject of our penultimate module: Security Operations and Log Management. Last, and not least, we will need to have a plan of action for a proper response to the compromise of our environment. The methodology of an appropriate incident response is the subject of our final module of Day 3.


SEC401.3: Outline: Vulnerability Management and Response

  • Vulnerability Assessments
  • Penetration Testing
  • Attacks and Malicious Software
  • Web Application Security
  • Security Operations and Log Management
  • Digital Forensics and Incident Response

Module 13: Vulnerability Assessments

This module covers the tools, technology, and techniques used for reconnaissance (including gathering information, mapping networks, scanning for vulnerabilities, and applying mapping and scanning technology).

  • Introduction to Vulnerability Assessments
  • Steps to Perform a Vulnerability Assessment
  • Criticality and Risks

Module 14: Penetration Testing

The role of penetration testing is well-understood by the majority of organizations and gave birth to newer testing techniques such as Red Teaming, Adversary Emulation, and Purple Teaming. Each have their own unique approaches and benefits. Often, penetration testing is limited in scope to where the testers are not truly able to emulate and mimic the behavior of adversaries. This is where activities such as Red Teaming and Adversary Emulation come into play. A methodical and meticulous approach must be taken regarding penetration testing in order to provide the biggest business value to your organization.

  • What and Why of Penetration Testing
  • Types of Penetration Testing
  • Penetration Testing Process
  • Penetration Testing Tools

Module 15: Attacks and Malicious Software

In this module we will take a look at the Marriott breach (a breach that compromised millions of people globally), as well as ransomware attacks that continue to cripple hundreds of thousands of systems across different industries. We'll describe these attacks in detail, discussing not only the conditions that made them possible, but also some strategies that can be used to help manage the risks associated with such attacks.

  • High-Profile Breaches and Ransomware
  • Common Attack Techniques
  • Malware and Analysis

Module 16: Web Application Security

In this module, we look at some of the most important things to know on designing and deploying secure web applications. We start with an explanation of the basics of web communications. We then move on to cover HTTP, HTTPS, HTML, cookies, authentication, and maintaining state. We conclude by looking at how to identify and fix vulnerabilities in web applications.

Web Application Basics

  • Cookies

Developing Secure Web Apps

  • OWASP Top Ten
  • Basics of Secure Coding
  • Web Application Vulnerabilities
  • Authentication
  • Access Control
  • Session Tracking / Maintaining State

Web Application Monitoring

  • Web Application Firewall (WAF)

Monolithic Architecture and Security Controls

Microservice Architecture

  • Attack Surface

Module 17: Security Operations and Log Management

In this module, we cover the essential components of logging, how to properly manage logging, and the considerations that must be understood in order to use the power of logging to its full potential.

  • Logging Overview
  • Setting Up and Configuring Logging
  • Logging Management Basics
  • Key Logging Activity

Module 18: Digital Forensics and Incident Response

In this module, we explore the fundamentals of incident handling and why it is important to our organization. We outline a multi-step process to help create our own incident-handling procedures. The module also covers how to leverage digital forensics methodologies to ensure our processes are repeatable and verifiable.

Introduction to Digital Forensics

  • What is Digital Forensics?
  • Digital Forensics in Practice
  • The Investigative Process
  • Remaining Forensically Sound
  • Examples of Digital Forensics Artifacts
  • DFIR Subdisciplines
  • Digital Forensics Tools

Incident Handling Fundamentals

Multi-Step Process for Handling an Incident

Incident Response: Threat Hunting

SEC401.4: Data Security Technologies


There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues - although few companies deploy it correctly. This technology is cryptography. Concealing the meaning of a message can prevent unauthorized parties from reading sensitive information. During the first half of Day 4 we'll look at various aspects of cryptographic concepts and how they can be used in securing an organization's assets. A related discipline called steganography, or information hiding, is also covered. During the second half of the day, we shift our focus to the various types of prevention technologies that can be used to stop an adversary from gaining access to our organization (firewalls, intrusion prevention systems) and the various types of detection technologies that can detect the presence of an adversary on our networks (intrusion detection systems). These preventative and detective techniques can be deployed from a network and/or endpoint perspective; the similarities and differences in the application of these techniques will be explored.


SEC401.4: Outline: Data Security Technologies

  • Cryptography
  • Cryptography Algorithms and Deployment
  • Applying Cryptography
  • Network Security Devices
  • Endpoint Security

Module 19: Cryptography

Cryptography can provide the functional capabilities needed to achieve confidentiality, integrity, authentication, and non-repudiation purposes. There are three general types of cryptographic systems: Symmetric, Asymmetric, and Hashing. These systems are usually distinguished from one another by the number of keys employed, and the security goals they achieve. This module discusses these different types of cryptographic systems and how each type is used to provide a specific security function. The module also introduces steganography, a means of hiding data in a carrier medium. Steganography can be used for a variety of reasons but is most often is used to conceal the fact that sensitive information is being sent or stored.

Cryptosystem Fundamentals

General Types of Cryptosystems

  • Symmetric
  • Asymmetric
  • Hashing


Module 20: Cryptography Algorithms and Deployment

In this module, we'll acquire a high-level understanding of the mathematical concepts that contribute to modern cryptography and a basic understanding of commonly used symmetric, asymmetric, and hashing algorithms. We'll also identify common attacks used to subvert cryptographic defenses.

  • Cryptography Concepts
  • Symmetric, Asymmetric, and Hashing Cryptosystems
  • Cryptography Attacks

Module 21: Applying Cryptography

In this module, we'll discuss solutions for achieving our primary goals for using cryptography: protection of data in transit and protection of data at rest. We conclude with an important discussion on the management of public keys (and their related certificates) in terms of a Public Key Infrastructure (PKI).

Data in Transit

  • Virtual Private Networks

Data at Rest

  • Data Encryption
  • Full Disk Encryption
  • GNU Privacy Guard (GPG)

Key Management

  • Public Key Infrastructure (PKI)
  • Digital Certificates
  • Certificate Authorities

Module 22: Network Security Devices

This module will look at the three main categories of network security devices: Firewalls, Network Intrusion Detection Systems (NIDS), and Network Intrusion Prevention Systems (NIPS). Together, they provide a complement of prevention and detection capabilities.


  • Overview
  • Types of Firewalls
  • Configuration and Deployment


  • Types of NIDS
  • Snort as a NIDS


  • Methods of Deployment

Module 23: Endpoint Security

In this module, we will examine some of the key components, strategies, and solutions for implementing security from an endpoint perspective. This includes general approaches to endpoint security, strategies for baselining activity, and solutions like Host-based IDS (HIDS) and Host-based IPS (HIPS).

  • Endpoint Security Overview
  • Endpoint Security Solutions
  • HIDS Overview
  • HIPS Overview

SEC401.5: Windows Security


Remember when Windows was simple? Windows XP desktops in a little workgroup...what could be easier? A lot has changed over time. Now, we have Windows tablets, Azure, Active Directory, PowerShell, Microsoft 365 (Office 365), Hyper-V, Virtual Desktop Infrastructure, and so on. Microsoft is battling Google, Apple, Amazon, and other cloud giants for cloud supremacy. The trick is to do cloud securely, of course.

Windows is the most widely used and targeted operating system on the planet. At the same time, the complexities of Active Directory, Public Key Infrastructure, BitLocker, AppLocker, and User Account Control represent both challenges and opportunities. Day 5 will help you quickly master the world of Windows security while showing you the tools that can simplify and automate your work. You will complete the section with a solid grounding in Windows security by looking at automation, auditing, and forensics.


SEC401.5: Outline: Windows Security

  • Windows Security Infrastructure
  • Windows as a Service
  • Windows Access Controls
  • Enforcing Security Policy
  • Network Services and Cloud Computing
  • Automation, Auditing, and Forensics

Module 24: Windows Security Infrastructure

This module discusses the infrastructure that supports Windows security. This is a big picture overview of the Windows security model. It provides the background concepts necessary to understand everything else that follows.

  • Windows Family of Products
  • Windows Workgroups and Accounts
  • Windows Active Directory and Group Policy

Module 25: Windows as a Service

This module discusses techniques for managing updates to Windows.

  • End of Support
  • Servicing Channels
  • Windows Update
  • Windows Server Update Services
  • Third Party Patch Management

Module 26: Windows Access Controls

This module focuses on understanding how permissions are applied in the Windows NT File System (NTFS), Shared Folders, Registry Keys, Active Directory, and Privileges. BitLocker Drive Encryption is discussed as another form of access control (for encrypted information), and as a tool to help maintain the integrity of the boot-up process if you have a Trusted Platform Module.

  • NTFS Permissions
  • Shared Folder Permissions
  • Registry Key Permissions
  • Active Directory Permissions
  • Privileges
  • BitLocker Drive Encryption

Module 27: Enforcing Security Policy

This module discusses one of the best tools for automating security configuration changes, SECEDIT.EXE, the command-line version of Microsoft's Security Configuration and Analysis snap-in. We'll look at some of the most important changes to make through the use of this tool, such as password policy, lockout policy, and null user session restrictions. We'll also briefly discuss Group Policy Objects (GPOs) and the many security configuration changes that they can help to enforce throughout the domain.

  • Applying Security Templates
  • Employing the Security Configuration and Analysis Snap-in
  • Understanding Local Group Policy Objects
  • Understanding Domain Group Policy Objects
  • Administrative Users
  • AppLocker
  • User Account Control
  • Recommended GPO settings

Module 28: Network Services and Cloud Computing

It is important that we properly secure a system before we connect it to a network. Applying the latest updates isn't good enough: We want a machine that has been hardened specifically in anticipation of vulnerabilities that have not yet been discovered.

  • Server Core and Server Nano
  • Best Way to Secure a Service
  • Packet Filtering
  • IPsec Authentication and Encryption
  • Internet Information Server (IIS)
  • Remote Desktop Services
  • Windows Firewall
  • Microsoft Azure and Microsoft 365 (Office 365)

Module 29: Automation, Auditing, and Forensics

Automation, auditing, and forensics go together because, if we can't automate our work, the auditing and forensics work doesn't get done at all (or is done only sporadically), or we can't make it scale beyond the small number of machines that we can physically touch. Thankfully, modern Windows systems come with a very powerful automation capability: PowerShell. We will learn what PowerShell is and how to leverage it in our pursuit of deployment consistency, detection of change, remediation of systems, and even threat hunting!

  • Verifying Policy Compliance
  • Creating Baseline System Snapshots
  • Gathering Ongoing Operational Data
  • Employing Change Detection and Analysis (Threat Hunting)

SEC401.6: Linux, Mac and Smartphone Security


While organizations do not have as many Linux systems, the Linux systems that they do have are often some of the most critical systems that need to be protected. Day 6 provides guidance to improve the security of any Linux system. The day combines practical "how to" instructions with background information for Linux beginners, as well as security advice and best practices for administrators with various levels of expertise. With the idea of Linux being a 'free' operating system, it isn't a surprise that many advanced security concepts are first developed for Linux. Containers is one example of such. Containers provide powerful and flexible concepts for cloud computing deployments. Containers, while not specifically designed for information security purposes, are built on elements of minimization and that is something we can leverage in an overall information security methodology (as a part of defense-in-depth). Containers, what they do and do not represent for information security, and the best practice for their management will be fully discussed. A discussion of Linux and UNIX concepts would not be complete without a discussion of the macOS (which is based on UNIX). Apple's venerable macOS provides extensive opportunity for hardware and software security but is often misunderstood from what can and cannot be achieved. Because the majority of our modern-day mobile operating systems have a Linux and/or UNIX background, we end our Day 6 with a discussion on mobile device security.


SEC401.6: Outline: Linux, Mac and Smartphone Security

  • Linux Fundamentals: Structure, Permissions, and Access Controls
  • Linux Security Enhancements and Infrastructure
  • Containerized Security
  • macOS Security
  • Mobile Device Security

Module 30: Linux Fundamentals

This module discusses the foundational items that are needed to understand how to configure and secure a Linux system.

Operating System Comparison

Linux Vulnerabilities

Linux Operating System

  • Shell
  • Kernel
  • Filesystem
  • Linux Unified Key Setup

Linux Security Permissions

Linux User Accounts

Pluggable Authentication Modules

Built-in Commands

  • Windows / *NIX Comparison
  • Leveraging Built-in Commands for Threat Hunting

Service Hardening

Package Management

Module 31: Linux Security Enhancements and Infrastructure

This module discusses security-enhancement utilities that provide additional security and lockdown capabilities for modern Linux systems. As discussed earlier in the course, taking advantage of logging capabilities is an incredibly important aspect of our modern cyber defense. Linux's support for the well-known Syslog logging standard (and its related features) will discussed. As Syslog continues to age it may end up being unable to provide the logging features that modern-day cyber defense might demand. As such, additional logging enhancements - from syslog-ng to auditd - will be explored.

Operating System Enhancements

  • SELinux
  • AppArmor

Linux Hardening

  • Source Routing
  • IPv6
  • Address Space Layout Randomization (ASLR)
  • Kernel Module Security
  • SSH Hardening
  • CIS Hardening Guides and Utilities

Log Files

  • Key Log Files
  • Syslog
  • Syslog Security
  • Log Rotation
  • Centralized Logging
  • Auditd

Firewalls: Network and Endpoint

File-integrity Checking

Rootkit Detectors

Module 32: Containerized Security

The importance of segmentation and isolation techniques cannot be understated. Isolation techniques can help to mitigate the initial damage caused by an adversary giving us more time for detection. In this module we discuss the various types of isolation techniques: Chroot, virtualization, and containers. Containers are a relatively new concept (as applied to information security perspectives). There can be a lot of misunderstanding as to what security benefits are truly afforded by the use of containers, and the potential security issues that might manifest within containers themselves. Containers, what they are, deployment best practice, and how to secure them will be explored.



  • Containers vs. Virtual Machines


  • LXC
  • Cgroups and Namespaces
  • Docker
  • Docker Images

Container Orchestration

  • Kubernetes

Container Security

  • Docker Best Practices
  • Vulnerability Scanning Tools
  • Secure Configuration Baselines
  • Terraform

Module 33: macOS Security

This module focuses on an overview of the security features which are built into macOS systems. Although macOS is a relatively secure system and has different security features, it can also be flawed just like any other software.

macOS Security Features

  • What is macOS?
  • Privacy Controls
  • Keychain
  • Strong Passwords
  • Gatekeeper
  • Anti-Phishing and Download Protection
  • XProtect
  • Firewall
  • FileVault
  • Sandboxing and Runtime Protection
  • Security enclaves

macOS Vulnerabilities and Malware

  • BuggyCow
  • GateKeeper Bypass
  • FlashBack
  • CrescentCore

Module 34: Mobile Device Security

This module starts with a quick comparison of the Android and iOS mobile operating systems and what makes them so different. The module concludes with a brief discussion of the security features of both systems.

Android vs. iOS

Android Security

  • Android Security Features
  • What You Need to Know About Android
  • Android Fragmentation
  • Android Security Fix Process

Apple iOS Security

  • Apple iOS Security Features
  • What You Need to Know About iOS
  • iOS Updates

Mobile Problems and Opportunities

Mobile Device Management (MDM)

Unlocking, Rooting, and Jailbreaking

Mitigating Mobile Malware

  • Android Malware
  • iOS Malware


SEC401: Security Essentials Bootcamp Style covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, SEC301: Introduction to Cyber Security would be the recommended starting point. While SEC301 is not a prerequisite for SEC401, it will provide the introductory knowledge to help maximize the experience with SEC401.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

SEC401: Security Essentials Bootcamp Style consists of course instruction and integrated hands-on sessions. The labs reinforce the skills covered in class and enable students to use the knowledge and tools learned throughout the course in an instructor-led environment. Students will have the opportunity to install and configure a virtual lab environment and will utilize the tools and techniques that have been presented. During the course students will receive a USB with two virtual machines; it is critical that you have a properly configured system prior to class.

IMPORTANT: Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. You must also have a minimum of 8 GB of RAM or higher for the virtual machines to function properly. Verify that under BIOS, Virtualization Support is ENABLED. Note: Apple computers with the M1 processor (Apple Silicon) are NOT supported for use in class. Apple does not support x86-based virtual machines under their Rosetta 2 capability for translation to their new Apple M1 processor. Apple computers that come with Intel processors are not affected by this issue and are still supported for in-class use.

Your CPU and OS MUST be 64-bit so that our 64-bit guest virtual machines will run on your laptop, and so you can access at least 8 GB of memory. This article provides instructions on how to determine if you have both a 64-bit CPU and OS.

Mandatory Laptop Requirements / Checklist

64-bit capable laptop running a 64-bit OS (Windows 10 x64 is recommended) configured as follows:

  • 8 GB physical memory (minimum: this requires you to be running a 64-bit OS)
  • 50 GB of available disk space (minimum)
  • An available/active USB Type-A port (or both a USB Type-C port and a USB Type-A to USB Type-C adapter)
  • In BIOS (UEFI), Virtualization Support must be ENABLED
  • Windows Credential Guard must be DISABLED (if running Windows as your host OS)

Download and install the latest version of either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to the start of the class.

If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from the VMware website.

You must have administrator access to the host OS and to all security software installed.

You must have the ability to reboot the laptop and login (i.e., you must have valid credentials for any drive encryption or other security software installed)

Your laptop should NOT contain any personal or company data.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.