Join us for in-depth talks, exclusive networking, and world-class training at Security Awareness Summit Dec 1-4!

SANS 2020 - Live Online

Virtual, US Eastern | Fri, Apr 3 - Fri, Apr 10, 2020

AUD507: Auditing & Monitoring Networks, Perimeters & Systems

Sun, April 5 - Fri, April 10, 2020

Associated Certification: GIAC Systems and Network Auditor (GSNA)

Performing IT security audits at the enterprise level can be a daunting task. How should you determine which systems to audit first? How do you assess the risk to the organization related to information systems and business processes? What settings should you check on the various systems under scrutiny? Is there a set of processes that can be put into place to allow an auditor to focus on the business processes rather than the security settings? How do you turn this into a continuous monitoring process? The material covered in this course will answer all of these questions and more.

AUD507 teaches students how to apply risk-based decision making to the task of auditing enterprise security.

This track is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high-level audit issues and general audit best practice, the students will have the opportunity to dive deep into the technical "how-to" for determining the key controls that can be used to provide a high level of assurance to an organization. Real-world examples provide students with tips on how to verify these controls in a repeatable way and many techniques for continuous monitoring and automatic compliance validation. These same real-world examples help the student learn how to be most effective in communicating risk to management and operations staff.

AUD507 allows students to practice new skills in realistic hands-on labs

Each day of the course affords students with opportunities to use the tools and techniques discussed in class. The labs are designed to simulate real-world enterprise auditing challenges and to allow the students to use appropriate tools and techniques to solve these problems. Students learn how to use technical tests to develop the evidence needed to support their findings and recommendations. We go beyond discussing the tools students could use; we give them the experience to use the tools and techniques effectively to measure and report on the risk in their organizations.

Day six of the course is an all-day lab! Students have the opportunity to challenge themselves by solving realistic audit problems using the tools and techniques they have learned in class.

The skills students learn in AUD507 can be used immediately after class

Students will leave the course with the know-how to perform effective tests of enterprise security in a variety of areas. The combination of high-quality course content, provided audit checklists, discussion of common audit challenges and solutions, and ample opportunities to hone their skills in the lab provides a unique opportunity for students to learn how to be an effective enterprise auditor.

A Sampling of Course Topics

  • Audit planning and techniques
  • Effective risk assessment for control specification
  • Time-based assessment and auditing
  • Delivering effective reports to management
  • Auditing virtualization hosts
  • Understanding and auditing cloud services and containers
  • Effective network population auditing
  • Performing useful vulnerability assessments
  • Detailed router, switch and firewall auditing
  • Technical validation of network controls
  • OWASP Top Ten Proactive Controls for web applications
  • Auditing traditional web applications
  • Auditing web APIs, AJAX, and single-page applications
  • Windows PowerShell
  • Windows system auditing & scaling to the enterprise
  • Auditing Active Directory
  • Building an audit toolkit
  • Linux/UNIX auditing

Course Syllabus

Clay Risenhoover
Sun Apr 5th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


Day one provides the "on-ramp" for the highly technical audit tools and techniques used later in the week. After laying the foundation for the role and function of an auditor in the information security field, this day's material provides practical, repeatable and useful risk assessment methods that are particularly effective for measuring the security of enterprise systems, identifying control gaps and risks, and enabling us to recommend additional controls to address the risk. We finish off the day with coverage of the security risks and associated audit techniques for virtualization hosts, cloud services and container systems.

The first part of this day is dedicated to defining the terms used in the class and setting the stage for performing highly effective technology security audits. We follow this with demonstrations of practical risk assessments using consequence/cause analysis and time-based security. We discuss what defense-in-depth really means and how to apply the results of our risk assessments to providing a well-reasoned deep defense of our enterprise systems and business processes. We apply these risk assessment and defense concepts to realistic case studies involving the controls commonly used by enterprises.

We present a proven six-step audit process and the qualities required of a technical auditor. We discuss how to plan for and manage audit engagements, how to gather useful audit evidence, and how to best present findings to management in both written reports and in-person presentations.

The last part of the day is spent digging into virtualization and cloud technologies. We examine how enterprises integrate cloud technologies into their portfolios and look at how cloud providers and their customers should share security responsibilities. We examine guidance from the Cloud Security Alliance and major cloud vendors to develop a list of items to review when auditing an organization's cloud services. Finally, we delve into the security issues related to virtualization hosts and present a list of controls which auditors should examine for the most commonly used hypervisors.

  • Audit sampling: Calculating samples and margins of error
  • Examining hypervisors
    • Xen Server
    • VMWare ESXi Server

CPE/CMU Credits: 6

  • Auditor's Role as it Relates to:
    • Policy Creation
    • Policy Conformance
    • Incident Handling
  • Basic Auditing and Assessing Strategies
    • Baselines
    • Time-Based Security
    • Thinking like an Auditor
    • Developing Auditing Checklists from Policies and Procedures
    • Performing Effective Risk Assessments
  • Risk Assessment
    • Identifying Existing Controls
    • Determining Root Failure Causes
    • Using Risk Assessment to Specify New Controls
  • The Six-Step Audit Process
    • How the Steps Interrelate
    • How to Effectively Conduct an Audit
    • How to Effectively Report the Findings
  • Virtualization & Cloud Computing
    • Definitions
    • Challenges
    • Important Contractual Requirements
    • The Cloud Security Alliance Cloud Controls Matrix
    • Shared Responsibility Models
    • Technical testing of deployments
    • VMWare vSphere/ESXi auditing hands-on
    • Xen Server Auditing Hands-On

Clay Risenhoover
Mon Apr 6th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


Day two focuses on securing the enterprise network. The days are gone when a good firewall at the edge of the network is all we really need. In fact, in many enterprises, the network has no real "edge." Auditors should encourage their organizations to focus on security within the network with the same diligence as they use at the perimeter.

We begin the day with a discussion of Ethernet networks and then work our way up the networking stack. Students will learn how to identify insecurely configured VLANs, how to determine perimeter firewall requirements, how to examine enterprise routers and much more. We continue with a study of wireless networking and the best practices for defending it.

This day continues with an analysis of common security requirements for public services, focusing on the domain name system (DNS) and the simple mail transfer protocol (SMTP). Finally, students are guided through best practices for using network mapping tools like Nmap and vulnerability scanners to assist the organization in securing and continuously monitoring the network.

Many auditors confess that networking is one of their weakest topics. Therefore, each technology is fully explained using simple, everyday illustrations. Each topic is a component of a risk-driven framework for securing a network long term and discussed in the context of a real security organization. How do we reconcile security concerns with operational requirements? What questions should a security auditor be asking? What should the answers to those questions be? How does continuous monitoring fit in and how do you architect those processes?

Students regularly describe day two in two ways. First, they say it's the most difficult day of the course; then they add that it filled in the gaps they had in understanding how networks really work and how they should be secured.

  • Capturing and Analyzing Network Traffic
    • Wireshark Introduction
    • Finding Layer 2 Configuration Issues
  • Analyzing and Validating Device Configurations
    • Routers and Switches
    • Firewalls
  • Testing Public Services
    • DNS
    • SMTP
  • Network Mapping and Continuous Monitoring
    • Nmap for Population Auditing
    • Detecting and Reporting on Changes

CPE/CMU Credits: 6

  • Secure Layer 2 Configurations
    • VLANs
    • Spanning Tree
    • VLAN Trunking
    • Switching Topology Security
  • Router & Switch Configuration Security
    • Remote Administration
    • Logging Concerns and Practice
    • ACL Configuration & Validation
    • User Management
    • Evolving Technologies
  • Firewall Auditing, Validation & Monitoring
    • Information Flow Diagramming
    • Converting Requirements to ACLs
    • Understanding Firewall Design
    • Network Architecture Validation
    • Rules Review & Analysis
    • Technical Validation of the Firewall Rules
    • Next Generation Firewalls
  • Wireless
    • Secure Deployments Today
    • Identification of Wireless Security Issues
  • Network Population Monitoring
    • Robust Process for Node Identification
    • Network Population Change Management & Monitoring
    • Automated Notification Processes
  • Vulnerability Scanning
    • Effective Scanning
    • Effective, Business Aligned, Reporting

Clay Risenhoover
Tue Apr 7th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


Web applications seem to stay at the top of the list of security challenges faced by enterprises today. The organization needs an engaging and cutting-edge web presence, but the very technologies which allow the creation of compelling and data-rich websites also make it very challenging to provide proper security for the enterprise and its customers. Unlike other enterprise systems, our web applications are freely shared with the world and exposed to the potential for constant attack.

We begin the day with a discussion of the suite of technologies which make modern web applications work and the tools which auditors can use to identify, analyze and manipulate these technologies as part of a well-designed and thorough security audit. We cover the technologies which make the web work: including HTML, HTTP, AJAX, web servers and databases. We also introduce the use of proxies in testing web applications by capturing, examining, and sometimes manipulating the traffic between a web client and the server.

We move on to introduce students to many of the resources available from the Open Web Application Security Project (OWASP), focusing on their Top 10 vulnerabilities list and the Top 10 Proactive Controls for web applications. From this foundation, we build a list of five critically important web development and deployment practices which serve as the basis for performing rigorous testing of web applications in the enterprise.

We dedicate most of Day Three to teaching the controls which can be used to secure applications and the skills needed to test and validate these controls. We develop and use a checklist for testing the most common and important security vulnerabilities. Throughout the day, students have the opportunity to use these tools to test sample web applications similar to those commonly deployed in today's enterprises. Throughout the day, we offer advice on how engineers, administrators, and developers can better secure the web technologies they design, implement and maintain. We also discuss the best ways to report on findings and make useful recommendations.

  • Introduction to Web and Testing Technologies
  • Secure Server Configurations - TLS
  • Secure Server Configurations - Information Disclosure
  • Authentication Attacks
  • Authentication Information Disclosure
  • Logic Flaws
  • Input/Output Flaws - Cross-Site Scripting
  • Input/Output Flaws - SQL Injections

CPE/CMU Credits: 6

  • Why Web Applications Are a Major Problem
  • Understanding HTTP, HTML, and related technologies
    • Hypertext Markup Language - HTML
    • Hypertext Transfer Protocol - HTTP
    • HTTP Requests and Responses
  • Related Technologies
    • WebDAV
    • RESTful APIs
    • Service Oriented Architecture/SOAP
    • AJAX
    • Single-Page Applications
    • Cascading Style Sheets
    • Cookies
  • The Burp Proxy
  • OWASP Top 10 List
  • OWASP Top 10 Proactive Controls
  • Server Configuration
    • Information Disclosures
    • HTTPS Settings
  • Secure Development Practices
    • Use of Security Frameworks
    • Dev/Test/Prod
    • Multi-Tier Development
    • Error Handling
    • Code Review
    • Static and Dynamic Analysis
    • Scanning Caveats
  • Authentication
    • HTTP Basic Authentication
    • Forms Authentication
    • Client Certificates
    • Username Harvesting
    • Brute Forcing
    • Password Security
  • Session Handling
    • Tracking Mechanisms
    • Session Defenses
    • Cross-Site Request Forgery
  • Data Handling
    • GET vs POST for Sensitive Data
    • Input/Output Flaws and Solutions
    • Injection Flaws - Cross-Site Scripting
    • Injection Flaws - SQL Injection
    • Other Injection Flaws
    • Sensitive Output
  • Logging and Monitoring
    • Log Everything
    • Don't Log Too Much
    • Auxiliary Logging Techniques

Clay Risenhoover
Wed Apr 8th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


The majority of systems encountered on most enterprise audits are running Microsoft Windows in some version or another. The centralized management available to administrators has made Windows a popular enterprise operating system. The sheer volume of settings and configurable controls, coupled with the large number of systems often in use, makes auditing Windows servers and workstations a huge undertaking.

During day 4, we teach students how to audit Windows systems and Active Directory domains at scale. We begin with an introduction to Windows PowerShell, covering how to use the shell and moving on to writing and editing scripts which allow the auditor to perform repetitive tasks quickly and reliably. Throughout the day we work to build a comprehensive baseline auditing script which can be used to audit all of the systems within a domain.

Most of the day is spent examining operating system security in general, and Windows security in particular. We demonstrate how to use PowerShell, Windows Management Instrumentation (WMI), command-line and graphical tools to obtain audit evidence from Windows systems. We move from there to auditing Microsoft Active Directory using PowerShell and command-line tools which access the Lightweight Directory Access Protocol (LDAP).

We continue with discussions of user management, user rights management, file, registry, and share permissions. Finally, we wrap up the day by exploring Windows logging options and how to use the tools and scripts developed during the day to perform meaningful continuous monitoring of the Windows domain and systems. One of the primary goals of the material presented is to allow the auditor to move from checking registry settings to helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally helps us to be far more effective.

  • Introduction to PowerShell and Scripting
    • Overview of PowerShell Environment and Commands
    • Scripting with PowerShell
  • Windows Management Instrumentation
    • PowerShell
    • WMI Command Line (WMIC)
    • WMI Explorer
  • System Information
    • Operating System Version and Service Pack
    • Running Services
    • Installed Software
    • Installed Patches
  • Open Ports
    • Netstat
    • Nmap
  • Users and Groups
    • PowerShell Active Directory Module
    • DSQuery Command Line Tool
    • Windows Password Assessment
  • Permissions and Rights Assignments
    • File and Share Permissions
    • Registry Permissions
    • Windows Share Security
    • Local Administrators
    • Querying Local User Rights
  • Windows Logging
    • Log Retention Settings
    • Querying Event Logs with PowerShell

CPE/CMU Credits: 6

  • Windows Support and End of Life
  • PowerShell Command Essentials
  • PowerShell Scripting
  • Windows Management Instrumentation (WMI)
    • WMI and PowerShell for Auditing
    • Operating System Information
    • Hardware Information
    • Patches Installed
    • Software Installed
    • Services
  • PowerShell, DSQuery and LDAP
    • Users
    • Group Membership
  • Password Management and Auditing
  • User Right Assignments

    • PowerShell Module for Easier Auditing
  • System Security Settings
    • Group Policy
    • Local Security Policy
    • Auditing Applied Settings
  • File and Share Permissions
  • Registry Permissions and Settings
  • Windows Logging
    • Retention Settings
    • Collection Options
    • Centralized Aggregation of Logs
  • Continuous Monitoring for Windows

Clay Risenhoover
Thu Apr 9th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


While many enterprises today use Microsoft Windows for their endpoint systems, Linux and other Unix variants are well-established as servers, security appliances and in many other roles. Given the nature of the work these Unix variants do, it is critical to ensure their security. Add to that the fact that mass centralized administration is less likely to occur with these systems, and auditing at scale becomes even more important.

Day five uses Debian and CentOS Linux as the example operating systems. We assume that students may have little or no Linux experience, and build skill during the day accordingly. We begin with a discussion of system accreditation in a field where many servers are "snowflakes" - uniquely designed and different from our other enterprise systems. Then, we move on to discuss the fundamentals of Linux/Unix operating systems and the tools available to auditors for system testing and for developing audit scripts.

The bulk of the class on day four concentrates on understanding Linix/Unix operating systems and using native tools and scripts to gather system information, enumerate running services, determine software patch levels, audit user access and privilege management, examine system logs and examine configuration and hardening. Emphasis is placed throughout the day on developing reusable tools and scripts which can be used to gather audit evidence on a variety of Linux/Unix systems.

Neither Unix nor scripting experience is required for this day's course. The course book and hands-on exercises present an easy to follow method, and the instructor is prepared to help with any difficulty students have in this sometimes unfamiliar environment.

  • Scripting

    • Use of the vi editor
  • System Information Gathering
    • Distribution/Release Information
    • Kernel version
    • Mounted Filesystems
    • Disk Usage
    • Installed Package Versions
    • File Integrity Monitoring with Tripwire

CPE/CMU Credits: 6

  • Accreditation and Snowflakes
  • Linux Basics
  • Command Line Tools and Scripting
    • Grep
    • Sed/Awk
    • Script
    • Command Substitution
  • Scripting
    • Vi Editor
    • Scripting Commands and Syntax
  • System Information
    • Distribution Version
    • Kernel Version
    • Memory
    • Disk Space
    • Package Versions
    • Non-Package Daemon Versions
  • File Permissions
    • Overview
    • Find Command
    • SUID/SGID/Sticky Bits
  • File Integrity
    • Tripwire
    • OSSec
  • Services
    • Startup Methods
    • Netstat
    • Nmap
  • Patching
    • Kernel Patching Without Rebooting
    • Configuration Management
  • Users, Groups and Privilege Management
    • Passwd and Shadow Files
    • John the Ripper
    • Centralized Authentication
    • SSH Server Configuration
    • Sudo and Sudoreplay
  • Logging and Monitoring
  • System Audit Tools
    • Lynis
    • Authenticated Vulnerability Scanning
  • Continuous Monitoring

Clay Risenhoover
Fri Apr 10th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


Day six is a full-day capstone exercise which allows students to test and refine the skills learned throughout the week. Using an online "capture the flag" (CTF) engine, students are challenged to audit a simulated enterprise environment by answering a series of questions about the enterprise network, working through various technologies explored during the course.

At the conclusion of the day, students are asked to identify the most serious findings within the enterprise environment and to suggest possible root causes and potential mitigations.

  • Full-Day Capture the Flag
    • Audit Essentials
    • Network Devices and Firewalls
    • Web Applications
    • Windows
    • Unix

CPE/CMU Credits: 6


Technologies included in the capstone exercise include:

  • Network Devices
    • Firewalls
    • Cisco Switches & Routers
  • Servers
    • Active Directory domain controllers
    • DNS servers
    • Web servers
    • Linux Servers
  • Applications
    • Intranet web applications
    • Internet web applications
  • Workstations

Additional Information

AUD507 requires a laptop with at least the following specifications:

  • CPU: A 64-bit x64 processor. Some of the virtual machines used for labs REQUIRE a 64-bit processor to run. Students who bring a non-64-bit system to class will not be able to complete all the exercise. Determine if you have a 64-bit processor and operating system using the following links:
  • BIOS/UEFI Hardware Settings: 64-bit virtualization features must be enabled in the laptop's BIOS/UEFI settings. Check your settings using the free tool from VMWare here
  • RAM: 8 GB of RAM minimum. Laptops with less than 8GB of RAM may not be able to run all of the virtual machines required for labs and are unsupported for this course.
  • Operating System: Fully patched Windows 10 or MacOS 10.14, capable of running the most current version of VMWare virtualization products (Fusion, Player or Workstation). Linux operating systems are not supported for this class since we are unable to test against all distributions and versions. Advanced students who choose to bring a Linux laptop anyway must ensure that the system meets all hardware requirements, is running the current version of VMWare Workstation or Player for Linux, and is capable of mounting ExFAT filesystems from USB to be able to participate in the course labs.
  • Required Software: The current version of VMWare Workstation, Player or Fusion.
  • Administrative Access: The student must be a local administrator on the system. The labs require changes to VMWare's network settings which can only be accomplished by a local administrator. Ensure that you can run an "elevated command prompt" on your system before the beginning of class.
  • Disable Windows Credential Guard: Credential Guard is installed with Windows Hyper-V services and is incompatible with VMWare virtualization products. SANS instructor Rob Lee has instructions available at
  • Hard Drive: At least 50GB of free hard disk space to allow room for virtual machines used in class.
  • Networking: Wireless 802.11 B, G, or N

If you have additional questions about the laptop specifications, please contact

  • Auditors seeking to identify key controls in IT systems
  • Audit professionals looking for technical details on auditing
  • Managers responsible for overseeing the work of an audit or security team
  • Security professionals newly tasked with audit responsibilities
  • System and network administrators looking to understand better what an auditor is trying to achieve, how they think and how to better prepare for an audit
  • System and network administrators seeking to create strong change control management and detection systems for the enterprise
  • Anyone looking to implement effective continuous monitoring processes within the enterprise

AUD507 assumes that the student is capable of:

  • Navigating the filesystem in Microsoft Windows
  • Launching the command prompt and PowerShell in Windows
  • Running commands from the command line in Windows

The ability to navigate the command line and run simple commands in Linux will be helpful but not required. The courseware and instruction provide the student with the information necessary to use the Linux systems utilized in class.

In this course, you will receive the following:

  • MP3 audio files of the complete course lecture

  • Understand the different types of controls (e.g., technical vs. non-technical) essential to performing a successful audit
  • Conduct a proper risk assessment of an enterprise to identify vulnerabilities and develop audit priorities
  • Establish a well-secured baseline for computers and networks as a standard to conduct audit against
  • Perform a network and perimeter audit using a repeatable process
  • Audit firewalls to validate that rules/settings are working as designed, blocking traffic as required
  • Utilize vulnerability assessment tools effectively to provide management with the continuous remediation information necessary to make informed decisions about risk and resources
  • Audit a web application's configuration, authentication, and session management to identify vulnerabilities attackers can exploit
  • Utilize scripting to build a system which will baseline and automatically audit Active Directory and all systems in a Windows domain
  • Utilize scripting to build a system which will baseline and automatically audit Linux systems

AUD507 uses hands-on labs every day to reinforce the material discussed in class and develop the "muscle memory" needed to perform the required technical tasks during audits. An abbreviated sampling of the many lab topics includes:

  • Calculating audit sample sizes and margins of error
  • Understanding hypervisors
  • Validating firewalls
  • Population scanning and monitoring
  • Auditing network device configurations
  • Testing SMTP and DNS server settings
  • Using the Burp proxy to analyze and modify web traffic
  • Auditing of web session handling mechanisms
  • Performing brute force attacks against websites
  • Testing website input handling
  • Scripting with PowerShell
  • Auditing Active Directory
  • Querying Windows system information
  • Determining installed software on Windows
  • Auditing Windows patching
  • Working with Linux logs
  • Scripting Linux with Bash
  • Using Tripwire to ensure file integrity

Author Statement

"Being an excellent information technology auditor requires a special mix of skills. An effective auditor will know how to assess organizational risk, scope, plan and execute an audit engagement properly. They must have the technical skills to design and perform tests of controls. Then, they must have the business communication skills to report risks to the business in a clear, actionable format. Auditors require the ability to work "in the weeds" when necessary with systems and network engineers and administrators, and then walk into the boardroom and deliver their findings and recommendations in a way that enables business leaders to make well-informed decisions regarding the risk faced by their enterprise.

AUD507 is designed to allow students from diverse backgrounds to learn the skills they need to design and deliver high-quality audits of organizations' IT systems, networks, and web applications. From day one, we teach students the thought processes, technical tools, and communications techniques to become a world-class auditor. When they leave the class, they have the technical skills and the mindset required to identify and report on risk in any organization."

-Clay Risenhoover