Train From Home with Top Cybersecurity Experts, Hands On Labs and 4 Months Access to Content - OnDemand
Train From Home with Top Cybersecurity Experts, Hands On Labs and 4 Months Access to Content - OnDemand


Washington, DC | Fri, Jun 14 - Sat, Jun 22, 2013
This event is over,
but there are more training opportunities.

SEC566: Implementing and Auditing the Critical Security Controls - In-Depth

Mon, June 17 - Fri, June 21, 2013

Provides greater structure to the basic controls good methodology provided in implementing controls.

Jalal Moloo, JB Shenker

Leaving the class with a great mind set for evaluating current environment and controls.

Tom Kozelsky, Nexeo Solution

In the last couple of years it has become obvious that in the world of information security, the offense is outperforming the defense. Even though budgets increase and management pays more attention to the risks of data loss and system penetration, data is still being lost and systems are still being penetrated. Over and over people are asking, "What can we practically do to protect our information?" The answer has come in the form of 20 information assurance controls known as the Consensus Audit Guidelines (CAG).

This course has been written to help those implementing or deploying a strategy for information assurance in their agency or organization by enabling them to better understand these guidelines. Specifically the course has been designed in the spirit of the offense teaching the defense to help security practitioners understand not only what to do to stop a threat, but why the threat exists and how later to audit to ensure that the organization is indeed in compliance with their standards.

At the end of Audit 566, students should better understand:

  • How to create a strategy for successfully defending their data
  • How to implement controls to prevent data from being compromised
  • How to audit systems to ensure compliance with the standard

And in SANS style, this course will not only provide a framework for better understanding, but will give you a hands-on approach to learning these objectives to ensure that what you learn today, you'll be able to put into practice in your organization tomorrow.

This course helps you master specific, proven techniques and tools needed to implement and audit the Top Twenty Most Critical Security Controls. These Top 20 Security Controls, listed below, are rapidly becoming accepted as the highest priority list of what must be done and proven before anything else at nearly all security-conscious organizations.

The US military and other government and private organizations, including the National Security Agency (NSA), Department of Homeland Security (DHS), and the U.S. Government Accountability Office (GAO) defined these top 20 controls as their consensus for the best way to block the known attacks and help find and mitigate damage from the attacks that get through.

For security professionals, the course enables you to see how to put the controls in place in your existing network though the effective and widespread use of cost-effective automation. For auditors, CIOs, and risk officers the course is the best way to understand how you will measure whether the Top 20 controls are effectively implemented. It closely reflects the Top 20 Critical Security Controls.


The Top 20 Critical Security Controls subject to collection, measurement, and validation are:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Malware Defenses
  6. Application Software Security
  7. Wireless Device Control
  8. Data Recovery Capability (validated manually)
  9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
  10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  11. Limitation and Control of Network Ports, Protocols, and Services
  12. Controlled Use of Administrative Privileges
  13. Boundary Defense
  14. Maintenance, Monitoring, and Analysis of Security Audit Logs
  15. Controlled Access Based on the Need to Know
  16. Account Monitoring and Control
  17. Data Loss Prevention
  18. Incident Response Capability (validated manually)
  19. Secure Network Engineering (validated manually)
  20. Penetration Tests and Red Team Exercises (validated manually)


Course Syllabus

James Tarala
Mon Jun 17th, 2013
9:00 AM - 5:00 PM


During day 1, we will cover an introduction and overview of the 20 Critical Controls, laying the foundation for the rest of the class. For each control the following information will be covered, and we will follow the same outline for each control:

  1. Overview of the Control
  2. How it is Compromised
  3. Defensive Goals
  4. Quick Wins
  5. Visibility & Attribution
  6. Configuration & Hygiene
  7. Advanced
  8. Overview of Evaluating the Control
  9. Core Evaluation Test(s)
  10. Testing/Reporting Metrics
  11. Steps for Root Cause Analysis of Failures
  12. Audit/Evaluation Methodologies
  13. Evaluation Tools
  14. Exercise to Illustrate Implementation Or Steps for Auditing a Control

In addition, Critical Controls 1 and 2 will be covered in depth.

Critical Control 1 - Inventory of Authorized and Unauthorized Devices

Any time a new device is installed on a network, the risks of exposing the network to unknown vulnerabilities or hampering its operation are present. Malicious code can take advantage of new hardware that is not configured and patched with appropriate security updates at the time of installation. Attackers can use these vulnerable systems to install backdoors before they are hardened. In automating critical control 1, it's critical for all devices to have an accurate and up-to-date inventory control system in place. Any device not in the database should be prohibited from connecting to the network. Some organizations maintain asset inventories by using specific large-scale enterprise commercial products or by using free solutions to track and sweep the network periodically. To evaluate the implementation of Control 1 on a periodic basis, the evaluation team will connect hardened test systems to at least 10 locations on the network. This will include a selection of subnets associated with DMZs, workstations, and servers.

Critical Control 2 - Inventory of Authorized and Unauthorized Software

An organization without the ability to inventory and control its computer's installed programs makes its systems more vulnerable to attack. Furthermore, poorly controlled machines are more likely to be running software that is unneeded for business purposes, introducing potential security flaws. Compromised systems become a staging point for attackers to collect sensitive information. In order to combat this potential threat, an organization should scan a network and identify known or responding applications. Commercial software and asset inventory tools are widely available. The best tools provide an inventory check of hundreds of common applications, pulling information about the patch level of each installed program. This ensures that it's the latest version and that it leverages standardized application names, like those found in the Common Platform Enumeration (CPE) specification. In addition to inventory checks, tools that implement whitelists (allow) and blacklists (deny) of programs are included in many modern end-point security suites. To evaluate the implementation of Control 2 on a periodic basis, the team must move a benign software test program that is not included in the authorized software list on 10 systems on the network. The team must then verify that the software is blocked and unable to run.

CPE/CMU Credits: 6

James Tarala
Tue Jun 18th, 2013
9:00 AM - 5:00 PM


During day 2, we will cover Critical Controls 3, 4, 5 and 6.

Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Default configurations of software are often geared to ease-of-deployment and ease-of-use and not security, leaving some systems exploitable in their default state. Attackers attempt to exploit both network-accessible services and client software using various forms of malware. Without the ability to inventory and control installed and running, enterprises make their systems more vulnerable. Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Configuration management tools can be employed to measure the settings of the installed software and to look for deviations from the standard image configurations used by the organization. To evaluate the implementation of Control 3 on a periodic basis, an evaluation team must move a benign test system (one that does not contain the official hardened image, but does contain additional services, ports, and configuration files changes) onto the network. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the changes to the software.

Critical Control 4: Continuous Vulnerability Assessment and Remediation

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and launch it against targets of interest. Any significant delays finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through and gain control of vulnerable machines. A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. All machines identified by the asset inventory system must be scanned for vulnerabilities. To evaluate the implementation of Control 4 on a periodic basis, the evaluation team must verify that scanning tools have successfully completed their weekly or daily scans.

Critical Control 5: Malware Defenses

Malicious software is an integral and dangerous aspect of Internet threats. It targets end users and organizations via Web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with a system's contents, capture sensitive data, and spread to other systems. To ensure anti-virus signatures are up-to-date, effective organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based Intrusion Detection Systems (IDS) features are active on every managed system. They also run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections or do not have the latest malware definitions. The system must identify any malicious software that is either installed, attempted to be installed, executed, or attempted to be executed, on a computer system. To evaluate the implementation of Control 5 on a periodic basis, the evaluation team must move a benign software test program appearing to be malware onto a system and make sure it is properly discovered and remediated.

Critical Control 6: Application Software Security

Criminal organizations frequently attack vulnerabilities in both web-based and non-web-based application software. In fact, it's a top priority for criminals.

Application software is vulnerable to remote compromise in three ways:

  • It does not properly check the size of user input
  • It fails to sanitize user input by filtering out potentially malicious character sequences
  • It does not initialize and clear variables properly

To avoid attacks, internally developed and third party application software must be carefully tested to find security flaws. Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software. Another useful tool is manual application security penetration testing by testers who have extensive programming knowledge and application penetration testing expertise. The system must be capable of detecting and blocking an application-level software attack, and must generate an alert or send e-mail to enterprise administrative personnel. To evaluate the implementation of Control 6 on a monthly basis, an evaluation team must use a web application vulnerability scanner to test software security flaws.

CPE/CMU Credits: 6

James Tarala
Wed Jun 19th, 2013
9:00 AM - 5:00 PM


During day 3, we will cover Critical Controls 7, 8, 9, 10 and 11.

Critical Control 7: Wireless Device Control

Attackers who gain wireless access to an organization from nearby parking lots have initiated major data thefts. This allows attackers to bypass an organization to maintain long-term access inside a target. Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems. The system must be capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to its networks. To evaluate the implementation of Control 7 on a periodic basis, the evaluation team staff must configure unauthorized but hardened wireless clients and wireless access points to the organization's network. It must also attempt to connect them to the organization's wireless networks. These access points must be detected and remediated in a timely manner.

Critical Control 8: Data Recovery Capability (validated manually)

When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and datum from the backup are all intact and functional.

Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)

An organization hoping to find and respond to attacks effectively relies on its employees and contractors to find the gaps and fill them. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved. It can also help determine proper allocation of limited resources to improve security practices. The key to upgrading skills is measurement, not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite knowledge can be called upon to mentor the employees who do not. The organization can also develop training programs that directly maintain employee readiness.

Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Attackers penetrate defenses by searching for electronic holes in firewalls, routers, and switches. Once these network devices have been exploited, attackers can gain access to target networks, redirect traffic on that network (to a malicious system masquerading as a trusted system), and intercept and alter information while in transmission. Organizations can use commercial tools that will evaluate the rule set of network filtering devices, which determine whether they are consistent or in conflict and provide an automated check of network filters. Additionally, these commercial tools search for errors in rule sets. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies. To evaluate the implementation of Control 10 on a periodic basis, an evaluation team must make a change to each type of network device plugged into the network. At a minimum, routers, switches, and firewalls need to be tested. If they exist, IPS, IDS, and other network devices must be included.

Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services

Attackers search for remotely accessible network services that are vulnerable to exploitation. Many software packages automatically install services and turn them on as part of the installation of the main software package. When this occurs, the software rarely informs a user that the services have been enabled. Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. The system must be capable of identifying any new unauthorized listening network ports that are connected to the network. To evaluate the implementation of Control 11 on a periodic basis, the evaluation team must install hardened test services with network listeners on ten locations on the network, including a selection of subnets associated with DMZs, workstations, and servers.

CPE/CMU Credits: 6

James Tarala
Thu Jun 20th, 2013
9:00 AM - 5:00 PM


During day 4, we will cover Critical Controls 12, 13, 14 and 15.

Critical Control 12: Controlled Use of Administrative Privileges

The most common method attackers use to infiltrate a target enterprise is through an employee's own misuse of administrator privileges. An attacker can easily convince a workstation user to open a malicious e-mail attachment, download and open a file from a malicious site, or surf to a site that automatically downloads malicious content. If the user is logged in as an administrator, the attacker has full access to the system. Built-in operating system features can extract lists of accounts with superuser privileges, both locally on individual systems and on overall domain controllers. These accounts should be monitored and tracked very closely. To evaluate the implementation of Control 12 on a periodic basis, an evaluation team must verify that the organization's password policy is enforced and administrator accounts are carefully controlled. The evaluation team does this by creating a temporary, disabled, limited privilege test account on ten different systems. It then attempts to change the password on the account to a value that does not meet the organization's password policy.

Critical Control 13: Boundary Defense

By attacking Internet-facing systems, attackers can create a relay point to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. Organizations should regularly test these sensors by launching vulnerability-scanning tools. These tools verify that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection Systems (IDS) sensors should be reviewed using an automated script each day, which ensures log volumes are within expected parameters, are formatted properly, and have not been corrupted. To evaluate the implementation of Control 13 on a periodic basis, an evaluation team must test boundary devices. This is done by sending packets from outside a trusted network, which ensures that only authorized packets are allowed through the boundary. All other packets must be dropped.

Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs

At times, audit logs provide the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but rarely review them. When audit logs aren't reviewed, organizations don't know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems. To evaluate the implementation of Control 14 on a periodic basis, an evaluation team must review the security logs of various network devices, servers, and hosts.

Critical Control 15: Controlled Access Based On Need to Know

Some organizations do not carefully identify and separate sensitive data from less sensitive, publicly available information within an internal network. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. This control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by users to access files without the appropriate privileges and must generate an alert or e-mail for administrative personnel. This includes information on local systems or network accessible file shares. To evaluate the implementation of Control 15 on a periodic basis, the evaluation team must create test accounts with limited access and verify that the account is unable to access controlled information.

CPE/CMU Credits: 6

James Tarala
Fri Jun 21st, 2013
9:00 AM - 5:00 PM


During day 5, we will cover Critical Controls 16, 17, 18, 19 and 20.

Critical Control 16: Account Monitoring and Control

Attackers frequently impersonate legitimate users through inactive user accounts. This method makes it difficult for network watchers to identify attackers' behavior. Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Security personnel can configure systems to record more detailed information about account access and utilize homegrown scripts or third-party log analysis tools to analyze this information. The system must be capable of identifying unauthorized user accounts when they exist on the system. To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must verify that the list of locked out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire has successfully been completed daily.

Critical Control 17: Data Loss Prevention

The loss of protected and sensitive data is a serious threat to business operations, and potentially, national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices. These include, but are not limited to, a lack of effective policy architectures and user error. The phrase "Data Loss Prevention" (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. The system must be capable of identifying unauthorized datum leaving the organization's systems whether via network file transfers or removable media. To evaluate the implementation of Control 17 on a periodic basis, the evaluation team must attempt to move test datum sets (that trigger DLP systems but do not contain sensitive data) outside of the trusted computing environment via both network file transfers and via removable media.

Critical Control 18: Incident Response Capability (validated manually)

Without an incident response plan, an organization may not discover an attack in the first place. Even if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have far higher impact on the target organization, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible. After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training. This includes, but is not limited to, working through a series of attack scenarios that are fine-tuned to the threats and vulnerabilities the organization faces.

Critical Control 19: Secure Network Engineering (validated manually)

Security controls can be circumvented in networks that are poorly designed. Without carefully planned and properly implemented network architecture, attackers can pivot through the network to gain access to target machines. To help ensure a consistent, defensible network, the architecture of each network should be based on a template that describes the overall layout of the network and the services it provides. Organizations should prepare network diagrams for each of their networks. Network diagrams should show components such as routers, firewalls, switches, significant servers, and groups of client machines.

Critical Control 20: Penetration Tests and Red Team Exercises (validated manually)

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Penetration testing involves mimicking the actions of computer attackers, and exploiting them to determine what kind of access an attacker can gain. Each organization should define a clear scope and the rules of engagement for penetration testing and red team analyses. The scope of such projects should include, at least, systems with the highest value information and production processing functionality.

CPE/CMU Credits: 6

Additional Information

SANS courses consist of instruction and hands-on sessions. The hands-on sessions are designed to allow students to utilize the knowledge gained throughout the course in an instructor-led environment. Students will have the opportunity to install, configure, and use the tools and techniques that they have learned. CD/DVDs will be provided that contain all of the tools required for the exercises.

Students attending this course are required to bring their own laptops that are properly configured. There is not enough time in class to help you install your laptop. Please note that your laptop must be properly installed and configured before you come to class. Students are also required to test their systems (as described below) prior to coming to class or they may lose out on the opportunity to fully participate in all of the hands-on exercises.

NOTE: Do not bring a regular production laptop for this class! When installing software, there is always a chance of breaking something else on the system. Students should assume that all data could be lost.

NOTE: It is critical that students have administrator access to the operating system and all security software installed.

NOTE: Changes will likely need to be made to personal firewalls and other host-based software in order for the labs to work. Any anti-malware software may need to be disabled in order to install some of the tools. Therefore students must also be able to uninstall any anti-malware software or have the specific anti-malware software administrator passwords prior to coming to class.

RECOMMENDATION: For maximum flexibility, students can run both Microsoft Windows and Linux operating systems under virtual machines as long as the hardware on the laptop can support this. The host operating system can be Windows, Linux, or Apple OSX, as long as it supports to most recent version of VMware software (Player, Workstation, or Fusion depending on the OS).

Bring a laptop loaded with either Microsoft Windows XP SP3, Microsoft Windows Vista, or Microsoft Windows 7 or create a Microsoft Windows virtual machine, according to the instructions. This should be a default installation of the operating system with all of the options loaded. This system should be up to date on operating system patches prior to coming to class, including all updates for the .NET Framework and Microsoft Windows PowerShell. Either 32-bit or 64-bit systems will work fine for class, but the student should know which version of the operating system they have with them.

For the Linux portion of the exercises, Linux can be run from VMware image that will be provided in class. VMware can be downloaded/purchased from the vmware website. For students bringing a laptop with Microsoft Windows as the host operating system, they may either choose to download the latest version of the free VMware Player software (3.x or later) or bring the latest version of VMware Workstation (6.x or later). For students bringing a laptop with Apple OSX as the host operating system, they should download and install the latest version of VMware Fusion instead. Other virtualization hypervisors are not supported at this time.

Your laptop should also have a properly configured CD-ROM drive, (optional) 802.11 wireless card that works only under the host operating system, and Ethernet NIC (network interface card). In addition, the system should have a minimum of 1GB of hardware RAM, but the more RAM that is available, the easier it will be for students to complete the hands-on exercises. Be sure to check that the CD-ROM and Ethernet card work properly under the appropriate operating systems. Prior to coming to class, the network interfaces should be tested to prove that they can be configured and that all of the proper drivers have been installed.

The other requirement for this course is an understanding of both Microsoft Windows (XP, Vista, and 7) and Linux. We provide a document that introduces you to both of these operating systems. The document also gives an overview of the commands you need to understand for the class. This document is available here. You should review this document before attending the class and ensure that you know how to run the commands on your laptop.

In summary, before you arrive at the conference you should:

  1. Download the introduction to Linux and Microsoft Windows document here
  2. Have a properly configured system CD-ROM drive and NIC
  3. Run the proper tests

It is critical that you work through the documents before class so that you arrive with a properly configured laptop and a base understanding of Microsoft Windows and Linux.

By properly preparing, we know that you will have a knowledge rich and enjoyable hands-on session.

If you have additional questions about the laptop specifications, please contact

Who Should Attend:

  • Apply a security framework based on actual threats that is measurable, scalable, and reliable in stop- ping known attacks and protecting organizationsā important information and systems
  • Understand the importance of each control, how it is compromised if ignored, and explain the defesive goals that result in quick wins and increased visibility of network and systems
  • Identify and utilize tools that implement controls through automation
  • Learn how to create a scoring tool for measuring the effectiveness of each controls the effectiveness of each control
  • Employ specific metrics to establish a baseline and measure the effectiveness of security controls
  • Understand how critical controls map to standards such as NIST 800-53, ISO 27002, the Australian Top 35, and more
  • Audit each of the critical security controls, with specific, proven templates, checklists, and scripts provided to facilitate the audit process

Author Statement

As we've had the opportunity to talk with information assurance engineers, auditors, and managers over the past ten years, we've seen frustration in the eyes of these hardworking individuals who are trying to make a difference in their organizations by better defending their data systems. It has even come to the point where some organizations have decided that it's simply too hard to protect their information, and many have started to wonder, is the fight really worth it? Will we ever succeed? We see companies and agencies making headway, but the offense keeps pushing. The goal of this course is to give direction and a realistic hope to organizations attempting to secure their systems.

The 20 Critical Security Controls: Planning, Implementing, and Auditing offers direction and guidance from those in the industry who think through the eyes of the attacker as to what security controls will make the most impact. What better way to play defense than by understanding the mindset of the offense? By implementing our defense methodically and with the mindset of a hacker, we think organizations have a chance to succeed in this fight. We hope this course helps turn the tide.

- Eric Cole, Ph.D. and James Tarala