
London February 2018

London, United Kingdom | Mon, Feb 5 - Sat, Feb 10, 2018

SEC401: Security Essentials Bootcamp Style

Very well rounded. Great that he (the instructor) was able to bring real world examples to class. Made the class flow smoothly.

Robin Mahon, Kapstone Paper

SEC401 took what I thought I knew and truly explained everything to me. Now, I also UNDERSTAND the security essentials fundamentals and how/why we apply them. Loved the training, cannot wait to come back for more.

Nicholas Blanton, ManTech International

Learn the most effective steps to prevent attacks and detect adversaries with actionable techniques that you can directly apply when you get back to work. Learn tips and tricks from the experts so that you can win the battle against the wide range of cyber adversaries that want to harm your environment.

Is SEC401: Security Essentials Bootcamp Style the right course for you?

STOP and ask yourself the following questions:

  1. Do you fully understand why some organizations get compromised and others do not?
  2. If there were compromised systems on your network, are you confident that you would be able to find them?
  3. Do you know the effectiveness of each security device and are you certain that they are all configured correctly?
  4. Are proper security metrics set up and communicated to your executives to drive security decisions?

If you do not know the answers to these questions, the SEC401 course will provide the information security training you need in a bootcamp-style format that is reinforced with hands-on labs.


You Will Learn:

  • To develop effective security metrics that provide a focused playbook that IT can implement, auditors can validate, and executives can understand
  • To analyze and assess the risk to your environment in order to drive the creation of a security roadmap that focuses on the right areas of security
  • Practical tips and tricks to focus in on high-priority security problems within your organization and on doing the right things that will lead to security solutions that work
  • Why some organizations are winning and some are losing when it comes to security and, most importantly, how to be on the winning side
  • The core areas of security and how to create a security program that is anchored on PREVENT-DETECT-RESPOND.

Learn to build a security roadmap that can scale today and into the future.

SEC401: Security Essentials Bootcamp Style is focused on teaching you the essential information security skills and techniques you need to protect and secure your organization's critical information assets and business systems. Our course will show you how to prevent your organization's security problems from being headline news in the Wall Street Journal!

"Prevention is Ideal but Detection is a Must."

With the rise in advanced persistent threats, it is almost inevitable that organizations will be targeted. Whether the attacker is successful in penetrating an organization's network depends on the effectiveness of the organization's defense. Defending against attacks is an ongoing challenge, with new threats emerging all of the time, including the next generation of threats. Organizations need to understand what really works in cybersecurity. What has worked, and will always work, is taking a risk-based approach to cyber defense. Before your organization spends a dollar of its IT budget or allocates any resources or time to anything in the name of cybersecurity, three questions must be answered:

  1. What is the risk?
  2. Is it the highest priority risk?
  3. What is the most cost-effective way to reduce the risk?

Security is all about making sure you focus on the right areas of defense. In SEC401 you will learn the language and underlying theory of computer and information security. You will gain the essential and effective security knowledge you will need if you are given the responsibility for securing systems and/or organizations. This course meets both of the key promises SANS makes to our students: (1) You will learn up-to-the-minute skills you can put into practice immediately upon returning to work; and (2) You will be taught by the best security instructors in the industry.


Assessment Available

Test your security knowledge with our free SANS Security Essentials Assessment Test.

Notice:

This course prepares you for the GSEC certification that meets the requirement of the DoD 8570 IAT Level 2.

Notice:

Please plan to arrive early on Day 1 (8:30 AM local time) for lab preparation and set-up. The additional time is needed because the labs require the installation of both a Linux and a Windows virtual machine (VM) and extensive copying of files in order to run and complete the labs successfully. The instructor will be available to assist students with lab prep and set-up from 8:30 AM to 9:00 AM. Class lecture will start at 9:00 AM. (Excludes vLive and Mentor)

Course Content Overlap Notice:

Please note that some course material for SEC401 and MGT512 may overlap. We recommend SEC401 for those interested in a more technical course of study, and MGT512 for those primarily interested in a leadership-oriented but less technical learning experience.

Course Syllabus


Ian Reynolds
Mon Feb 5th, 2018
9:00 AM - 7:00 PM

Overview

A key way that attackers gain access to a company's resources is through a network connected to the Internet. A company wants to prevent as many attacks as possible, but in cases where it cannot prevent an attack, it must detect it in a timely manner. Therefore, understanding the goals of a defensible network architecture, and being able to design one, is critical. It is just as important to know and understand the architecture of the system, the types of designs, the communication flow, and how to protect against attacks using devices such as routers and firewalls. These essentials, and more, will be covered during 401.1 in order to provide a firm foundation for the subsequent days of training.

By the end of 401.1, you will understand Defensible Network Architecture, Virtualization and Cloud Security (Lab - Virtual Machine Setup), Network Device Security, Networking and Protocols (Lab - tcpdump), Securing Wireless Networks (Lab - Aircrack-ng), and Securing Web Communications (Lab - Wireshark). In any organization, whether large or small, not all data is created equal. Some data is routine and incidental, while other information can be very sensitive, the loss of which could cause irreparable harm to an organization.

Understanding attacks, the vulnerabilities behind those attacks, and how to prioritize the information and steps needed to secure systems is essential. Common attacks target web applications, authentication, and other forms of communication. It is imperative to gain familiarity with the protocols and techniques used to monitor, stop, and even perform attacks against systems.

CPE/CMU Credits: 8

Topics

SEC401.1 Network Security Essentials - Module Outline

  • Defensible Network Architecture
  • Virtualization and Cloud Security
    • Lab Virtual Machine Setup
  • Network Device Security
  • Networking and Protocols
    • Lab - tcpdump
  • Securing Wireless Networks
    • Lab - Aircrack-ng
  • Securing Web Communications
    • Lab - Wireshark

Module 1: Defensible Network Architecture

Covers the fundamentals of network architecture, including attacks against network devices, network topologies, and network design.

  • Network Architecture: Understand and identify the goals of building a defensible network architecture
    • Understanding the Architecture of the System
    • Conceptual Design
    • Logical Design
    • Physical Design
    • Understand Communication Flow
    • Know Where Your Valuable Data is
  • Attacks Against Network Devices: Understand and identify the common types of attacks against networks
    • Networks Under Attack
    • Threat Enumeration
    • Threat Agents
    • Attacks Against Routers
    • Attacks Against Switches
  • Network Topologies: Understand and know the different types of topologies and the inherent security risks they create
    • Physical and Logical Topologies
    • Ethernet
    • Network Design
    • Approaches to Network Design
  • Network Design: Understanding and knowing how to design a secure network that incorporates both prevention and detection
    • Approaches to Network Design
    • Network Architecture Design
    • Network Design Objectives
    • Network Sections

Module 2: Virtualization and Cloud Security

Involves understanding what virtualization is and how it works, the most common forms of virtualization, and how virtual machines interact with multiple operating systems.

  • Virtualization
  • Setting Up Virtualization
  • Virtualization Security
  • Virtualized Architectures
  • Cloud Overview
  • Cloud Security
  • Lab 1.1: Virtual Machine Setup: The purpose of this lab is to learn how to set up Windows and Linux virtual machines in a lab-based environment, and to understand the fundamentals of both operating systems and how to run basic commands. Completing the lab, you will learn to:
    • Copy and extract the SANS-supplied Windows 10 virtual machine and the Kali Linux virtual machine to your hard drive
    • Start the virtual machines with VMware Workstation, Player, or Fusion if on a Mac
    • Configure your Windows 10 licensing
    • Verify network connectivity between the two virtual machines

Module 3: Network Device Security

Involves understanding the different devices that are deployed on a network and how they function.

  • Network Devices
  • Routing
  • How Routing Works
  • Device Security

Module 4: Networking and Protocols

Involves understanding the properties and functions of network protocols and the network protocol stacks.

  • Network Protocols
  • Layer 3
    • Internet Protocol (IP)
    • Internet Control Message Protocol (ICMP)
  • Layer 4
    • Transmission Control Protocol (TCP)
    • User Datagram Protocol (UDP)
  • tcpdump
  • Lab 1.2: tcpdump: The purpose of this lab is to learn how to use Kali Linux to run a sniffer and understand how to decode packets. You will learn:
    • Introduction to tcpdump and basic commands
    • Running tcpdump and sniffing network traffic
    • Analyzing hex and ASCII data
    • Connecting to a non-listening TCP port

Module 5: Securing Wireless Networks

Covers deploying and using wireless networks. Students will understand wireless technologies.

  • Wireless overview
  • Bluetooth and ZigBee
  • 802.11
  • Wireless security
  • Lab 1.3 - Aircrack-ng: In this lab, you will use the aircrack-ng tool suite to assess the security of both the Wired Equivalent Privacy (WEP) security algorithm and the Wi-Fi Protected Access (WPA) protocol associated with 802.11 wireless network security. You will learn:
    • Introduction to the aircrack-ng suite
    • Cracking a WEP key
    • Cracking a WPA2 passphrase

Module 6: Securing Web Communications

Involves understanding how web applications work. Learn best practices for creating secure web applications and how to identify and fix vulnerabilities in web applications.

  • How Web Applications Work
  • Basics of Secure Coding
  • Web Application Vulnerabilities
  • Lab 1.4: Wireshark: In this lab, you will learn how to use Wireshark and understand how to analyze packets. You will cover:
    • Introduction to Wireshark and its GUI
    • Basic capture of an FTP connection
    • Analysis of a TFTP session

Ian Reynolds
Tue Feb 6th, 2018
9:00 AM - 7:00 PM

Overview

To secure an enterprise network, you must understand the general principles of network security. In 401.2, we look at threats to our systems and take a "big picture" look at how to defend against them. You will learn that protections need to be layered: a principle called defense-in-depth. We explain some principles that will serve you well in protecting your systems. You will also learn about key areas of network security.

The course starts with information assurance foundations. Students look at security threats, and how they have impacted confidentiality, integrity, and availability. The first half of the day also covers creating sound security policies and password management, including tools for password strength on both Unix and Windows platforms. The day draws to a close by looking at attack strategies and how the offense operates.

Students will understand that to properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of an architecture. In security (and design), huge mistakes have been made because the security architect did not look at the system as a whole, but rather focused on a particular problem, which weakened the overall analysis. It is always important to remember that analyzing the security of something as complex as a network is in itself a complex process.

CPE/CMU Credits: 8

Topics

SEC401.2 Defense-In-Depth and Attacks - Module Outline

  • Defense-in-Depth
  • Access Control & Password Management
    • Lab - John the Ripper
  • Security Policies
    • Lab - Cain & Abel
  • Critical Controls
  • Malicious Code and Exploit Mitigations
    • Lab - Malicious Software
  • Advanced Persistent Threat (APT)

Module 7: Defense-in-Depth

Involves understanding what defense in depth is and an overview of the key areas of security.

  • Defense-in-Depth Overview
    • Risk = Threats x Vulnerabilities
    • CIA Triad
  • Strategies for Defense in Depth
  • Core Security Strategies

Module 8: Access Control & Password Management

Involves understanding the fundamental theory of access control.

  • Access control
    • Data classification
    • Managing access
    • Separation of duties
  • Password management
    • Password management technologies
    • How password assessment works
  • Lab 2.1 - John the Ripper: In this lab, students will use John the Ripper, a widely used password-cracking tool covered in the module. Completing the lab, you will learn:
    • Introduction to John the Ripper and its various components
    • Cracking passwords with John the Ripper

Module 9: Security Policies

Involves understanding how to assess a policy by establishing a baseline framework to work within, and by establishing a mission statement that defines your policies.

  • Security Policies
    • Need for policies
    • Policy Framework
    • Enforcement
  • Lab 2.2 - Cain & Abel: This lab is designed to help you learn how to use a multi-purpose tool like Cain & Abel and understand the fundamentals of auditing password strength. In this lab, you will learn:
    • Introduction to Cain & Abel and its GUI
    • Extracting and cracking passwords from your Windows 10 SAM database
    • Cracking a password from a Cisco Router

Module 10: Critical Security Controls

Involves understanding the purpose and background of the Critical Security Controls.

  • Overview of the Critical Security Controls
  • The Critical Security Controls
  • Sample Critical Security Control

Module 11: Malicious Code and Exploit Mitigation

Involves understanding the details of the Mitnick-Shimomura attack, as well as what we can learn from this attack to appropriately protect our networks against these threats.

  • Mitnick-Shimomura
  • Defensive strategies
  • Common types of attacks
  • Lab 2.3 - Malicious Software: In this lab, you will learn how to defend against malicious software and understand how it operates. You will also learn:
    • Analyzing the non-trojaned program
    • Analyzing the trojaned program and gaining privileged access
    • Checking for a buffer overflow

Module 12: Advanced Persistent Threat (APT)

Involves learning the new threats that exist in cyberspace and effective ways for dealing with these threats. Students will also understand what an APT is and the basic strategies of how they work and operate.

  • What are APTs and why are they so hard to manage?
  • Defending Against an APT
  • How can cyber remediation be approached?
  • Offensive Operations

Ian Reynolds
Wed Feb 7th, 2018
9:00 AM - 7:00 PM

Overview

Whether targeting a specific system or just searching the Internet for an easy target, an attacker uses an arsenal of tools to automate finding new systems; mapping out networks; and probing for specific, exploitable vulnerabilities. This phase of an attack is called reconnaissance, and it can be launched by an attacker any amount of time before exploiting vulnerabilities and gaining access to systems and networks. In fact, evidence of reconnaissance activity can be a clue that a targeted attack is on the horizon.

Those in charge of system and network security cannot afford to be any less proficient in discovering and eliminating these vulnerabilities than the attackers are at finding and exploiting them. One strategy is to make full use of the very tools being used against you, and to do it regularly. In security, proper visibility is critical. If you do not understand or know about your vulnerabilities, you are at a disadvantage, especially since the adversary is usually aware of these exposures. The more you know about your environment, the better you can protect it.

This module covers the technology, tools, and techniques used for information gathering, network mapping, and vulnerability scanning, and the management of a mapping and scanning program, including exploitation. First, we set the stage in terms of the management expectations of such a program. Second, we define threat vectors and common sources of reconnaissance against your systems. Then, we examine some of the classic probing tools and their impact. We then show you how to use your own tools to find vulnerabilities before the attackers do. Finally, we show the basic steps of a penetration test used to verify and validate the security of your organization.

CPE/CMU Credits: 8

Topics

SEC401.3 Threat Management - Module Outline

  • Vulnerability Scanning and Penetration Testing
    • Lab - nmap
  • Network Security Devices
    • Lab - Snort
  • Endpoint Security
    • Lab - hping
  • SIEM/log management
  • Active Defense
    • Lab - Command Injection

Module 13: Vulnerability Scanning and Penetration Testing

Involves understanding the concepts and relationships behind reconnaissance, resource protection, risks, threats and vulnerabilities.

  • Vulnerability management overview
  • Network scanning
  • Penetration Testing
  • Lab 3.1 - Nmap: The purpose of this lab is to identify open ports on a system and understand the operations of port-scanning software. Completing the lab, you will learn:
    • Introduction to Nmap and its features
    • Port scanning with Nmap
    • OS and application version scanning
    • Nmap Scripting Engine (NSE)

Module 14: Network Security Devices

Involves taking a look at the three main categories of network security devices: firewalls, NIDS, and NIPS. Together they provide complementary prevention and detection capabilities.

  • Firewalls
    • Overview
    • Types of Firewalls
    • Configuration and Deployment
  • NIDS
    • Types of NIDS
    • Snort as an NIDS
  • NIPS
    • Methods of Deployment
  • Lab 3.2: Snort: In this lab, you will learn how to run and configure Snort and understand how to use an IDS to detect attacks. Areas covered in the lab are:
    • Introduction to Snort and its features
    • Running Snort and triggering an alert
    • Reviewing Snort logs and the matched signatures

Module 15: Endpoint Security

Involves understanding the overall importance and concepts of endpoint security. In this module, we will examine some of the key components, strategies, and solutions for implementing endpoint security.

  • Endpoint Security Overview
  • Endpoint Security Solutions
  • HIDS Overview
  • HIPS Overview
  • Lab 3.3 - hping 3: This lab teaches you how to craft packets and understand packet-creation software. Areas covered in the lab are:
    • Introduction to hping 3 and its features
    • Crafting packets with hping 3
    • Spoofing IP addresses with hping 3

Module 16: SIEM/Log Management

Involves students obtaining a high-level understanding of what logging is and why it is important.

  • Logging Overview
  • Setting Up and Configuring Logging
  • Logging Analysis Basics
  • Key Logging Activity

Module 17: Active Defense

Involves explaining what active defense is and how it can be used. You will get an appreciation for new ways to approach security and how to make your defensive solutions more active.

  • Defining Active Defense
  • Active Defense Techniques
  • Active Defense Tools
  • Honeypots & Active Defense
  • Lab 3.4 - Command Injection: In this lab, you will learn how command injection is performed and understand how such attacks work and operate. Completing the lab, you will understand:
    • Normal operation
    • Injecting a command to break out of a restriction

Ian Reynolds
Thu Feb 8th, 2018
9:00 AM - 7:00 PM

Overview

There is no silver bullet when it comes to security. However, there is one technology that would help solve a lot of security issues, though few companies deploy it correctly. This technology is cryptography. Concealing the meaning of a message can prevent unauthorized parties from reading sensitive information. SEC401.4 looks at various aspects of encryption and how it can be used to secure a company's assets. A related area called steganography, or information hiding, is also covered.

Cryptography, the science of secret writing, helps us communicate without revealing the meaning of information to adversaries. It also potentially validates to whom we are communicating. It can protect any kind of data, from very sensitive information, such as Internet-based commerce and banking transactions, to harmless messages you would prefer that no one else knew about, such as a letter to a friend. Cryptography (abbreviated as crypto) can provide a great deal of confidentiality and integrity checks for information. However, it is not a silver bullet, and it can lead to a tremendous false sense of security unless used properly and implemented correctly. Cryptography should always be a part of a larger defense-in-depth strategy, providing just one layer of the security onion.

CPE/CMU Credits: 8

Topics

SEC401.4 Cryptography, Risk Management and Response - Module Outline

  • Cryptography
    • Lab - Stego
  • Cryptography Algorithms and Deployment
  • Applying Cryptography
    • Lab - GPG
  • Incident Handling and Response
    • Lab - Hashing
  • Contingency Planning - BCP/DRP
  • IT Risk Management

Module 18: Cryptography

Involves students having a basic understanding of the fundamental concepts of cryptography.

  • Overview of Cryptology
  • Plaintext, Ciphertext, and Key
  • Types of Symmetric Encryption
  • Symmetric Encryption
  • Asymmetric Encryption
  • Hash
  • Lab 4.1 - Image Steganography: In this lab, you will understand how data-hiding programs operate and learn how to use steganography programs. The topics will be:
    • Learn how to utilize steganography programs

Module 19: Cryptography Algorithms and Deployment

Involves students having a high-level understanding of the mathematical concepts that contribute to modern cryptography.

  • Crypto Concepts
  • Symmetric and asymmetric cryptosystems
  • Crypto attacks

Module 20: Applying Cryptography

Involves having a high-level understanding of what VPNs are and how they operate. Students will also understand the functionality of the GPG cryptosystem and how it operates.

  • Data in transit
    • Virtual private networks (VPNs)
  • Data at rest
    • Data encryption
    • Full disk encryption
    • GNU Privacy Guard (GPG)
  • Key management
    • Public key infrastructure (PKI)
    • Digital certificates
    • Certificate authorities (CA)
  • Lab 4.2 - GNU Privacy Guard (GPG): In this lab, you will learn how to use GPG and understand how its cryptographic algorithms operate. You will cover:
    • Encryption
    • Decryption
    • Signing a message
    • Verifying a signature

Module 21: Incident-Handling Foundations

Involves understanding the concepts of incident handling and the six-step incident-handling process. Students will also be able to identify areas of law that are important to incident handling and understand important practices in handling evidence.

  • Incident-handling fundamentals
  • The six-step process for handling an incident
  • Legal aspects of incident handling
  • Lab 4.3 - Hashing: In this lab, you will learn how to use hashing programs and understand how hash algorithms operate. Completing the lab, students will review:
    • Introduction to hashing tools and file integrity validation
    • Automating file integrity checks

Module 22: Contingency Planning - BCP/DRP

Involves understanding the critical aspect of contingency planning with a business continuity plan (BCP) and a disaster recovery plan (DRP).

  • Contingency Planning
  • Business Continuity Planning (BCP)
  • Disaster Recovery Planning (DRP)

Module 23: Risk Management

Involves understanding the terminology and basic approaches to cyber security risk management.

  • Risk management overview
  • Best-practice approach to risk management
  • Threat assessment, analysis, and report to management

Ian Reynolds
Fri Feb 9th, 2018
9:00 AM - 7:00 PM

Overview

Remember when Windows was simple? Windows XP desktops in a little workgroup... what could be easier? A lot has changed over time. Now, we have Windows tablets, Azure, Active Directory, PowerShell, Office 365, Hyper-V, Virtual Desktop Infrastructure (VDI), and so on. Microsoft is battling Google, Apple, Amazon.com, and other cloud giants for supremacy. The trick is to do it securely, of course.

Windows is the most widely-used and targeted operating system on the planet. At the same time, the complexities of Active Directory, PKI, BitLocker, AppLocker, and User Account Control represent both challenges and opportunities. This section will help you quickly master the world of Windows security while showing you the tools that can simplify and automate your work. You will complete the day with a solid grounding in Windows security, by looking at automation, auditing and forensics.

This module discusses the infrastructure that supports Windows security. This is the big-picture overview of the Windows security model, and it provides the background concepts necessary to understand everything else that follows. Because it is the big picture, we can't talk about everything, but many of the details will be filled in throughout the following modules.

CPE/CMU Credits: 8

Topics

SEC401.5 Windows Security - Module Outline

  • Windows Security Infrastructure
    • Lab - Process Hacker
  • Service packs, hot fixes, and backups
  • Windows access controls
    • Lab - Microsoft Baseline Security Analyzer
  • Enforcing security policy
    • Lab - Secedit
  • Securing Windows Network Services
  • Automation, auditing, and forensics
    • Lab - PowerShell Scripting

Module 24: The Windows Security Infrastructure

Involves the ability to identify the different types of Windows operating systems and the differences between them.

  • Three classes of operating system:
    • Client
    • Server
    • Embedded
  • Lab 5.1 - Process Hacker: This lab teaches you how to use a tool like Process Hacker and understand how Windows operates. You will:
    • Install and launch Process Hacker
    • Examine the details of a process, such as its modules and memory regions
    • Inject a DLL into a process and then aggressively terminate that process

Module 25: Service Packs, Hotfixes, and Backups

Involves the understanding of how to manage Windows Service Packs and Hotfixes for a network of Windows hosts.

  • Service packs
  • E-mail security bulletins
  • Patch installation
  • Automatic updates
  • Windows server update services
  • Windows backup
  • System restore
  • Device driver rollback

Module 26: Windows Access Controls

Involves understanding how permissions are applied in the Windows NT File System, Shared Folders, Printers, Registry Keys, and Active Directory, and how Privileges are applied.

  • NTFS Permissions
  • Shared Folder Permissions
  • Registry Key Permissions
  • Active Directory Permissions
  • Privileges
  • BitLocker Drive Encryption
  • Lab 5.2 - Microsoft Baseline Security Analyzer: Learn to use a tool like Microsoft Baseline Security Analyzer, understand how Windows operates, and learn how to properly secure the operating system. Completing the lab, students will:
    • Install the Microsoft Baseline Security Analyzer (MBSA)
    • Scan the local computer for vulnerabilities
    • Examine an MBSA vulnerability report
    • Remediate an identified vulnerability using the NET.EXE utility
    • Scan local system again to confirm remediation

Module 27: Enforcing Security Policy

Involves having a high-level understanding of the features of Group Policy and working with INF security templates.

  • Applying security templates
  • Employing the Security Configuration and Analysis snap-in
  • Understanding Local Group Policy Objects
  • Understanding Domain Group Policy Objects
  • Administrative Users
  • AppLocker
  • User Account Control
  • Checking Recommended GPO settings, including
    • Password Policy
    • Account Lockout Policy
    • Security Options
    • Internet Explorer Security
    • Miscellaneous Administrative Templates
    • Other Settings
  • Lab 5.3 - Secedit: In this lab, students will learn to use a tool like Secedit and understand how security templates work and how to analyze a system. You will:
    • Open the PowerShell ISE desktop application
    • Compare current state of system against an INF security template
    • Apply the INF security template to the local computer to reconfigure it
    • Re-examine current state to confirm changes made

Module 28: Securing Windows Network Services

Involves understanding how to take basic measures to secure Windows network services.

  • Best way to secure a service
  • Packet filtering
  • IPsec authentication and encryption
  • Internet Information Server (IIS)
  • Remote Desktop Services
  • Windows Firewall

Module 29: Automation, Auditing, and Forensics

Involves an introduction to the techniques and technologies used to audit Windows hosts.

  • Verifying Policy Compliance
  • Vulnerability Scanning and Reporting
  • Creating Baseline System Snapshots
  • Gathering Ongoing Operational Data
  • Employing Change Detection and Analysis
  • Lab 5.4 - PowerShell Scripting: In this lab, students will learn to use PowerShell scripting and understand how scripting and automation work. You will:
    • Open the graphical PowerShell ISE editor (ISE = Integrated Scripting Environment)
    • List and manipulate processes and services
    • Interact with the file system, such as sorting and hashing files
    • Export data to HTML and comma-delimited CSV text files
    • Query the Windows Management Instrumentation (WMI) service
    • Query local or remote Windows Event Log messages

Ian Reynolds
Sat Feb 10th, 2018
9:00 AM - 5:00 PM

Overview

While organizations do not have as many Unix/Linux systems, those that they do have are often some of the most critical systems that need to be protected. SEC401.6 provides step-by-step guidance to improve the security of any Linux system. The course combines practical "how to" instructions with background information for Linux beginners, as well as security advice and best practices for administrators of all levels of expertise.

This module discusses the foundational items that are needed to understand how to configure and secure a Linux system. It also provides an overview of the operating system and mobile markets. To lay a foundation, it provides an overview of the different operating systems that are based on Linux.

CPE/CMU Credits: 6

Topics

Sec401.6 Linux Security - Module Outline

  • Linux Security: Structure, Permissions and Access
  • Hardening and Securing Linux Services
  • Monitoring and Attack Detection
  • Security Utilities

Module 30: Linux Security: Structure, Permissions and Access

Involves the foundational items that are needed to understand how to configure and secure a Linux system. It also provides an overview of the operating system and mobile markets. To lay a foundation, it provides an overview of the different operating systems that are based on Linux.

  • Operating System comparison
  • Linux security
  • Apple Mac OS security
  • Mobile security
  • Linux shells
  • Linux kernel
  • Permissions
  • User accounts

Module 31: Hardening and Securing Linux Services

Involves methods, tips, and tricks for hardening and securing Linux services. The Golden Rule to always remember is: The best way to secure a service is to turn it off.

  • Starting services at boot time
  • Package control
  • Kernel security
  • Port control and port restriction

Module 32: Monitoring and Attack Detection

Involves configuring and monitoring logs, logging with syslog and its alternatives, parsing and filtering logs with grep, sed, awk, and cut, and monitoring and accounting with auditd.

  • Log Aggregation and SIEM
  • Log Files
  • Log Parsing

Module 33: Security Utilities

Involves some security-enhancement utilities, capabilities, and patch-management applications.

  • Using built-in commands and security features
  • Configuring integrity checkers
  • Integrating host-based firewalls and managing them to provide security
  • Using hardening scripts
  • Deploying package management strategies
  • Understanding other tools for increasing security

Additional Information

To give you an idea of the effectiveness of the course, here is what a few former students have said about it:

"SEC401 provides an excellent overview of security fundamentals delivered by experienced industry professionals." - Jathan Watso, Department of Finance

"Excellent material for security professionals wanting a deeper level of knowledge on how to implement security policies, procedures, and defensive mechanisms in an org." - Brandon Smit, Dynetics

"SEC401 took what I thought I knew and truly explained everything to me. Now, I also UNDERSTAND the security essentials fundamentals and how/why we apply them. Loved the training, cannot wait to come back for more." - Nicholas Blanton, ManTech International

Security 401: Security Essentials Bootcamp Style consists of course instructions and hands-on sessions. To reinforce the skills covered in class and gain experience with the tools needed to implement effective security, there are hands-on labs every day. These lab sessions are designed to enable students to use the knowledge gained throughout the course in an instructor-led environment. Students will have the opportunity to install, configure, and utilize the tools and techniques that they have learned. In class, you will receive a USB drive with 2 virtual machines, but it is critical that you have a properly configured system prior to class.

IMPORTANT: You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system, provided it can install and run VMware virtualization products. You must also have at least 8 GB of RAM for the VMs to function properly in class. A VMware product must be installed prior to coming to class. Verify that virtualization support is ENABLED in the BIOS.

Mandatory System Requirements

  • System running a 64-bit version of Windows
  • At least 8 GB RAM
  • 50 GB of available disk space (more space is recommended)
  • Administrator access to the operating system and all security software installed.
  • Anti-virus software will need to be disabled in order to install some of the tools.
  • An available USB port.
  • Machines should NOT contain any personal or company data.
  • Verify that virtualization support is ENABLED in the BIOS.

Mandatory Downloads prior to coming to class:

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

SEC401 Checklist

I have confirmed that:

  • The system is running a 64-bit operating system
  • I have administrator access to the operating system
  • Anti-virus is disabled
  • The system includes a working USB port
  • I downloaded and installed VMware Player

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Anyone who works in security, is interested in security, or has to understand security should take this course, including:

  • Security professionals who want to fill the gaps in their understanding of technical information security
  • Managers who want to understand information security beyond simple terminology and concepts
  • Operations personnel who do not have security as their primary job function but need an understanding of security to be effective
  • IT engineers and supervisors who need to know how to build a defensible network against attacks
  • Administrators responsible for building and maintaining systems that are being targeted by attackers
  • Forensic analysts, penetration testers, and auditors who need a solid foundation of security principles so they can be as effective as possible at their jobs
  • Anyone new to information security with some background in information systems and networking.

SEC401 Security Essentials Bootcamp Style covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are brand new to the field with no background knowledge, SEC301: Intro to Information Security would be the recommended starting point. While SEC301 is not a prerequisite, it will provide the introductory knowledge that will help maximize the experience with SEC401.

Other Courses People Have Taken

For those who are more advanced, SEC501: Enterprise Defender might be the more appropriate course to take.

You will receive:

  • Course books with labs
  • USB
  • Windows 10 license
  • TCP/IP reference guide
  • MP3 audio files of the complete course lecture

You will be able to:

  • Apply what you learned directly to your job when you go back to work
  • Design and build a network architecture using VLANs, NAC, and 802.1x based on advanced persistent threat indicators of compromise
  • Run Windows command line tools to analyze the system looking for high-risk items
  • Run Linux command line tools (ps, ls, netstat, etc.) and basic scripting to automate the running of programs to perform continuous monitoring of various tools
  • Install VMware and create virtual machines to create a virtual lab to test and evaluate tools/security of systems
  • Create an effective policy that can be enforced within an organization and design a checklist to validate security and create metrics to tie into training and awareness
  • Identify visible weaknesses of a system using various tools and, once vulnerabilities are discovered, cover ways to configure the system to be more secure
  • Build a network visibility map that can be used for hardening of a network - validating the attack surface and covering ways to reduce that surface by hardening and patching
  • Sniff open protocols like telnet and ftp and determine the content, passwords, and vulnerabilities using Wireshark.

SEC401 is an interactive hands-on training course. The following are some of the lab activities that students will carry out:

  • Setup of virtual lab environment
  • Windows/Linux tutorial
  • tcpdump analysis
  • Wireshark decoding of VoIP traffic
  • Password cracking
  • Host-based discovery with Dumpsec
  • Hashing to preserve digital evidence
  • Analyzing networks with hping and nmap
  • Event correlation with Splunk
  • Use of steganography tools
  • Securing a Windows system with MBSA and SCA

Author Statement

"One of the things I love to hear from students after teaching Security 401 is 'I have worked in security for many years and after taking this course I realized how much I did not know.' With the latest version of Security Essentials and the Bootcamp, we have really captured the critical aspects of security and enhanced those topics with examples to drive home the key points. After you have attended Security 401, I am confident you will walk away with solutions to problems you have had for a while, plus solutions to problems you did not even know you had."

- Eric Cole