Train at Home with Top Cybersecurity Experts - SANS OnDemand

Cyber Defense Initiative® 2013

Washington, DC | Thu, Dec 12 - Thu, Dec 19, 2013
This event is over,
but there are more training opportunities.

AUD507: Auditing Networks, Perimeters, and Systems

Thu, December 12 - Tue, December 17, 2013

The course is excellent as it covers most of the technical auditing techniques and tools used for auditing.

Saeed, ADNOC Distribution

This course not only prepares you to perform a comprehensive audit but also provides excellent information to operations for improve network security posture.

Rifat Ikram, State Dept. FCU

One of the most significant obstacles facing many auditors today is how exactly to go about auditing the security of an enterprise. What systems really matter? How should the firewall and routers be configured? What settings should be checked on the various systems under scrutiny? Is there a set of processes that can be put into place to allow an auditor to focus on the business processes rather than the security settings? All of these questions and more will be answered by the material covered in this course.

This track is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high level audit issues and general audit best practice, the students will have the opportunity to dive deep into the technical √ʬ¬how to√ʬ¬ for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatably verify these controls and techniques for continuous monitoring and automatic compliance validation will be given from real world examples.

One of the struggles that IT auditors face today is assisting management to understand the relationship between the technical controls and the risks to the business that these affect. In this course these threats and vulnerabilities are explained based on validated information from real world situations. The instructor will take the time to explain how this can be used to raise the awareness of management and others within the organization to build an understanding of why these controls specifically and auditing in general is important. From these threats and vulnerabilities, we will explain how to build the ongoing compliance monitoring systems and how to automatically validate defenses through instrumentation and automation of audit checklists.


A Sampling of Topics

Audit planning and techniques

Effective risk assessment for control specification

Firewall and perimeter auditing

A proven six-step audit process

Time based auditing

Effective network population auditing

How to perform useful vulnerability assessments

Uncovering "Back Doors"

Building an audit toolkit

Detailed router auditing

Technical validation of network controls

Web application auditing

Audit Tools

You'll be able to use what you learn the day you get home. Five of the six days in the track will either produce or provide you directly with a general checklist that can be customized for your audit practice. Each of these days includes hands-on exercises with a variety of tools discussed during the lecture sections so that you will leave knowing how to verify each and every control described in the class and know what to expect as audit evidence. Each of the five hands on days gives you the chance to perform a thorough technical audit of the technology being considered by applying the checklists provided in class to sample audit problems in a virtualized environment. Each student is invited to bring her own Windows 7 Professional 64 bit or higher laptop for use during class. The ideal laptop will have at least 4 gigabytes of RAM. Laptops with less memory will function for the majority of the exercises, though one or two may be impossible to accomplish with less memory. Macintosh computers running OS X may also be used with VMware Fusion.

A great audit is more than marks on a checklist; it is the understanding of the what the underlying controls are, what the best practices are and why. Sign up for this course and experience the mix of theory, hands-on, and practical knowledge.


Course Syllabus

David Hoelzer
Thu Dec 12th, 2013
9:00 AM - 5:00 PM


After laying the foundation for the role and function of an auditor in the information security field, this day√ʬ¬s material will give you two extremely useful risk assessment methods that are particularly effective for measuring the security of enterprise systems, identifying control gaps and risks, and assisting you to recommend additional compensating controls to address the risk. Nearly a third of the day is spent covering important audit considerations and questions when dealing with virtualization and with Cloud Computing.

In today√ʬ¬s information security world, most enterprises are either already moving toward or seriously considering moving toward compliance with any number of a variety of security standards that represent best practice. Is your organization doing this today? Are you running up against any road blocks? Despite implementing controls, are you still dealing with significant compliance problems? The risk assessment discussions covered in this material is for you. One of the key topics covered in this material is an effective risk based method for the specification or selection of controls. Following this discussion, you will be able to analyze an existing set of controls, a business process, an audit exception or a security incident, identifying any missing or ineffective controls. More importantly, perhaps, you will be able to easily identify what corrective actions will eliminate the problem in the future. Included in this material is a tried and true method for conducting audits and presenting findings that will assist the organization to move toward compliance effectively.

The last two sections of the day are spent digging into virtualization solutions. After first examining some of the huge issues and the biggest questions facing us when it comes to Cloud Computing, we dig into significant audit considerations when dealing with the market leader in private cloud implementations: VMware.

CPE/CMU Credits: 6


Auditor's Role in Relation to

  • Policy Creation
  • Policy Conformance
  • Incident Handling

Basic Auditing and Assessing Strategies

  • Baselines
  • Time Based Security
  • Thinking like an Auditor
  • Developing Auditing Checklists from Policies and Procedures
  • Effective risk assessment

Risk Assessment

  • Standards Adoption
  • Identifying Existing Controls
  • Determining Root Failure Causes
  • Using Risk Assessment to Specify New Controls

The Six-Step Audit Process

  • How the Steps Interrelate
  • How to Effectively Conduct an Audit
  • How to Effectively Report the Findings

Virtualization & Cloud Computing

  • Definitions
  • Challenges
  • Important contractual requirements
  • Technical testing of deployments

David Hoelzer
Fri Dec 13th, 2013
9:00 AM - 5:00 PM


Focus on some of the most sensitive and important parts of our information technology infrastructure: routers and firewalls. In order to properly audit a firewall or router, we need to clearly understand the total information flow that is expected for the device. These diagrams will allow the auditor to identify what objectives the routers and firewalls are seeking to meet, thus allowing controls to be implemented which can be audited. Overall, this course will teach the student everything needed to audit routers, switches, and firewalls in the real world.

CPE/CMU Credits: 6



  • Functions of a router, architectures, and components
  • How a router can play a role in your security infrastructure
  • Router technology, a TCP/IP perspective
  • Understanding the auditing issues with routers
  • Sample router architectures in corporate WANs

Detailed audit of a router

  • Security access controls performed by a router
  • Security of the router itself and auditing for router integrity
  • Identifying security vulnerabilities
  • Audit steps over routers
  • Sample audit outputs

Auditing switches

  • Layer 2 attacks
  • Audit steps for a switch

Testing the firewall

  • OS configuration
  • Firewall configuration
  • System administration

Testing the firewall rulebase

  • Identifying misconfigurations
  • Identifying vulnerabilities
  • Packet flow from all networks
  • Change control

Testing third party software

  • Encryption
  • Authentication
  • Virus scanning
  • URL redirection

Reviewing logs and alerts

  • Review IDS systems
  • Firewall logs
  • Firewall alerts

The tools used

  • Router Audit Tool (RAT)
  • Scanning tools for UNIX and Windows such as Nmap
  • Packet-building tools for UNIX and Windows such as -Hping2 and Nemesis
  • Sniffers such as Wire Shark
  • IDS Auditing Tools such as Fragroute

David Hoelzer
Sat Dec 14th, 2013
9:00 AM - 5:00 PM


Web Applications have consistently rated one of the top five vulnerabilities that enterprises face for the past several years. Unlike the other top vulnerabilities, however, our businesses continue to accept this risk since most modern corporations need an effective web presence to do business today. One of the most important lessons that we are learning as an industry is that installing an application firewall is not enough!

A portion of the morning will cover all of the underlying principles of web technology and introduce a set of tools that can be used to validate the security of these applications. Throughout the day, all of the OWASP Top Ten issues will be addressed, abstracted into five practical principles of web application design and deployment. The majority of the day will be spent building and working through a checklist for validating the existence and proper implementation of controls to mitigate the primary threats found in web applications through the use of cutting edge techniques and advanced testing methods. Throughout the material time is spent identifying key development requirements, allowing you to provide meaningful feedback into your organization√ʬ¬s coding standards.

Several discrete web applications will be examined using these tools and the audit program developed. By the end of the day each student will use the provided high level checklist and detailed instructions throughout the day to perform a comprehensive validation of security controls in at least one full web application.

In addition to designing an audit testing program, time will be spent discussing process remediation for project managers and coding teams.

CPE/CMU Credits: 6

  • Identify controls against information gathering attacks
  • Process controls to prevent hidden information disclosures
  • Control validation of the user sign-on process
  • Examining controls against user name harvesting
  • Validating protections against password harvesting
  • Best practices for OS and web server configuration
  • How to verify session tracking and management controls
  • Identification of controls to handle unexpected user input
  • Server-side Techniques for Protecting Your Customers and Their Sensitive Data

David Hoelzer
Sun Dec 15th, 2013
9:00 AM - 5:00 PM


Microsoft√ʬ¬s business class system make up a large part of the typical IT infrastructure. Quite often, these systems are also the most difficult to effectively secure and control because of the enormous number of controls and settings within the operating system. This class gives you the keys, techniques and tools to build an effective long term audit program for your Microsoft Windows environment. More importantly, during the course a continuous monitoring and reporting system is built out, allowing you to easily and effectively scale the testing discussed within your enterprise when you return home.

During the course of this day, attendees will have the opportunity to perform a thorough hands on audit of Active Directory servers in class, in addition to the laptop that they bring to class. In addition to covering all of the major audit points in a stand alone Windows system, the course will scale these methods for use within a domain. One of the primary goals of the material presented is to allow the auditor to get away from checking registry settings, helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally helps us to be far more effective.

Finally, the course will spend a significant amount of time discussing the more important aspects of Active Directory from an auditor√ʬ¬s perspective. We will cover and give you the opportunity to try your hand at querying useful data out of the Active Directory. Throughout the day we will work to build a comprehensive baseline auditing script to automatically audit all of the systems within a domain.

CPE/CMU Credits: 6

  • Progressive construction of a comprehensive audit program
    • Basic system information
    • Patch levels
    • Network based services
    • Local services
    • Installed software
    • Security configuration
    • Identifying & mitigating system specific vulnerabilities
    • Group policy management
    • Log aggregation, management and analysis
  • Automating the audit process
  • Windows security tips and tricks
  • Maintaining a secure enterprise

David Hoelzer
Mon Dec 16th, 2013
9:00 AM - 5:00 PM


Students will gain a deeper understanding of the inner workings and fundamentals of the Unix operating system as applied to the major Unix environments in use in business today. Students will have the opportunity to explore, assess and audit Unix systems hands-on. Lectures describe the different audit controls that are available on standard Unix systems, as well as, access controls and security models.

The majority of the day will be spent working hands on with the instructor to create a comprehensive set of auditing scripts that can be used on virtually any Unix system. This set of scripts can be used to either check the security of a system, report on the compliance of the system to a baseline or be used in a change control process to validate a system before patching and subsequently re-generate the system baseline.

Neither Unix nor scripting experience is required for this day√ʬ¬s course. The course book and hands on exercises present an easy to follow method with the assistance of the instructor that will allow you to cover scripting and more advanced topics like regular expressions.

CPE/CMU Credits: 6


Auditing to Create a Secure Configuration

  • Building Your Own Auditing Toolkit
  • File Integrity Assessment
  • Fine Points of √ʬ¬find√ʬ¬
  • Regex Basics

Auditing to Maintain a Secure Configuration

  • Reading Logfiles
  • Password Assessment Tools
  • Risk Assessment
  • What Tools to Use
  • How to Go About It
  • Building a Baseline
  • Building an Audit Script
  • Auditing with Accreditation Systems

Auditing to Determine What Went Wrong

  • Finding Hidden Disk Space
  • Event Reconstruction
  • Identifying Back Doors
  • Anatomy of a Rootkit
  • Creating a Unix Tools CD

David Hoelzer
Tue Dec 17th, 2013
9:00 AM - 5:00 PM


This final day of the course presents a capstone experience with additional learning opportunities. Leveraging the well known NetWars engine, students have the opportunity to connect to a simulated enterprise network environment. Building on the tools and techniques learned throughout the week, each student is challenged to answer a series of questions about the enterprise network, working through various technologies explored during the course.

This allows students to immediately put the knowledge gained into practice with these guided challenges. At the conclusion of the day, students are asked to identify the most serious findings within the enterprise environment and to suggest possible root causes and potential mitigations.

CPE/CMU Credits: 6


Technologies included in the capstone challenges include:

  • Network Devices
    • Firewalls
    • Cisco Switches & Routers
  • Servers
    • Active Directory domain controllers
    • DNS servers
    • Mail servers
    • Web servers
  • Applications
    • Intranet web applications
    • Internet web applications
  • Workstations

Additional Information

Audit 507 requires that you bring a fairly modern laptop running 64 bit Windows 7 Business (or higher) operating system. Your computer should additionally have a minimum of 2 gigabytes of RAM. A computer not meeting the RAM and operating system requirements will not be able to run all of the hands-on exercises. Your computer will need a DVD drive and a wireless adapter for you to participate in the exercises in class.

Your laptop must be capable of running the most current version of VMware Player ( It is strongly advised that you attempt to download and install VMware Player before coming to class to verify that your laptop can indeed run it successfully.

It is absolutely necessary that you have full administrative rights on your computer for this class. We would strongly recommend that you work with your help desk to have a clean laptop built for the purpose of attending this class. Full administrative rights means that you will need the ability to install software, change system settings, manipulate the registry, possibly disable antivirus, etc. Of course, you can meet this requirement by bringing a laptop with VMware Player already installed and a Windows XP or higher virtual machine installed inside of a virtual machine to which you have full and complete access.

If you have additional questions about the laptop specifications, please contact

  • Auditors seeking to identify key controls in IT systems
  • Audit professionals looking for technical details on auditing
  • Managers responsible for overseeing the work of an audit or security team
  • Security professionals newly tasked with Audit responsibilities
  • System and Network Administrators looking to better understand what an auditor is trying to achieve, how they think and how to better prepare for an audit
  • System and Network Administrators seeking to create strong change control management and detection systems for the enterprise

  • Understand the different types of controls (e.g., technical vs. non-technical) essential to performing a successful audit
  • Conduct a proper risk assessment of network to identify vulnerabilities and prioritize what will be audited
  • Establish a well-secured baseline for computers and networks, a standard to conduct audit against
  • Perform a network and perimeter audit using a seven step process
  • Audit firewalls to validate that rules/settings are working as designed, blocking traffic as required
  • Utilize vulnerability assessment tools effectively to provide management with the continuous remediation information necessary to make informed deci- sions about risk and resources.
  • Audit web application√ʬ¬s configuration, authentication, and session management identify vulnerabilities attackers can exploit
  • Utilize scripting to build a system to baseline and automatically audit Active Directory and all systems in a Windows domain

Author Statement

The SANS Advanced Systems Audit track stands alone in the Information Assurance arena as the only comprehensive source for hands on audit "How To." Past students have included long time auditors and those new to the field, both of whom have found significant benefit from the refresher material. One individual, a vice president with the IIA (Institute of Internal Auditors) said, "I've been auditing systems for a very long time and no one ever actually gave me a formal process that I can apply to conducting technical audits. Thank you!" While we don't require a high level of technical experience as a prerequisite to this course, we have worked hard to make sure that anyone who comes to the course walks away with a wealth of material that they can go back to their office and apply tomorrow. We realistically address the "How do I get there from here?" problem by offering short-term goal solutions which, when combined, will allow you to achieve your goal: identify, report on and reduce risk in your enterprise. - David Hoelzer