Train at Home with Top Cybersecurity Experts - SANS OnDemand

Seattle 2012

Seattle, WA | Sun, Oct 14 - Fri, Oct 19, 2012
This event is over,
but there are more training opportunities.

AUD507: Auditing Networks, Perimeters, and Systems

Sun, October 14 - Fri, October 19, 2012

The course is excellent as it covers most of the technical auditing techniques and tools used for auditing.

Saeed, ADNOC Distribution

The entire course has been fantastic it far exceeded my expectations. I think SANS training is far superior to other training programs.

Paul Petrasko, Bemis Company

One of the most significant obstacles facing many auditors today is how exactly to go about auditing the security of an enterprise. What systems really matter? How should the firewall and routers be configured? What settings should be checked on the various systems under scrutiny? Is there a set of processes that can be put into place to allow an auditor to focus on the business processes rather than the security settings? All of these questions and more will be answered by the material covered in this course.

This course is organized specifically to provide a risk-driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high-level audit issues and general audit best practices, the students will have the opportunity to dive deep into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatedly verify these controls and techniques for automatic compliance validation will be given from real-world examples.

One of the struggles that IT auditors face today is assisting management to understand the relationship between the technical controls and the risks to the business that these affect. In this course these threats and vulnerabilities are explained based on validated information from real-world situations. The instructor will take the time to explain how this can be used to raise the awareness of management and others within the organization to build an understanding of why these controls specifically and auditing in general is important. From these threats and vulnerabilities, we will explain how to build the ongoing compliance monitoring systems and how to automatically validate defenses through instrumentation and automation of audit checklists.

You'll be able to use what you learn immediately. Five of the six days in the course will either produce or provide you directly with a general checklist that can be customized for your audit practice. Each of these days includes hands-on exercises with a variety of tools discussed during the lecture sections so that you will leave knowing how to verify each and every control described in the class. Each of the five hands-on days gives you the chance to perform a thorough technical audit of the technology being considered by applying the checklists provided in class to sample audit problems in a virtualized environment. Each student is invited to bring a Windows XP Professional or higher laptop for use during class. Macintosh computers running OS X may also be used with VMWare Fusion.

A great audit is more than marks on a checklist; it is the understanding of what the underlying controls are, what the best practices are, and why. Sign up for this course and experience the mix of theory, hands-on, and practical knowledge.


  • Audit planning and techniques
  • Effective risk assessment for control specification
  • Firewall and perimeter auditing
  • A proven six-step audit process
  • Time based auditing
  • Effective network population auditing
  • How to perform useful vulnerability assessments
  • Uncovering back doors
  • Building an audit toolkit
  • Detailed router auditing
  • Technical validation of network controls
  • Web application auditing
  • Audit tools


Course Syllabus

Tanya Baccam
Sun Oct 14th, 2012
9:00 AM - 5:00 PM


In addition to filling in any foundational gaps that you might have in auditing principles, this day's material will give you two extremely useful risk assessment methods that are effective in measuring the security of a system and identifying weak or non-existent controls.

In today's information security world, most enterprises are either already moving toward or seriously considering moving toward compliance with any number of a variety of security standards that represent best practice. Is your organization doing this today? Are you running up against any road blocks? Despite implementing controls, are you still dealing with significant compliance problems? The risk assessment discussions covered in this material are for you. One of the key topics covered in this material is an effective risk-based method for the specification or selection of controls. Following this discussion, you will be able to analyze an existing set of controls, a business process, an audit exception, or a security incident, identifying any missing or ineffective controls. More importantly, perhaps, you will be able to easily identify what corrective actions will eliminate the problem in the future.

Finally, the last two sections of this day will present you with a tried and true method for conducting audits and presenting findings that actually help to move the organization toward rapid compliance.

CPE/CMU Credits: 6


Auditor's role in relation to:

  • Policy creation
  • Policy conformance
  • Incident handling

Benefits of various auditing standards and certifications

  • ISACA and CISA
  • GSNA
  • CIA and the IIA

Basic auditing and assessing strategies

  • Baselines
  • Time-based security
  • Thinking like an auditor
  • Developing auditing checklists from policies and procedures
  • Effective risk assessment

Risk assessment

  • Standards adoption
  • Identifying existing controls
  • Determining root failure causes
  • Using risk assessment to specify new controls

The six-step audit process

  • How the steps interrelate
  • How to effectively conduct an audit
  • How to effectively report the findings

Tanya Baccam
Mon Oct 15th, 2012
9:00 AM - 5:00 PM


Focus on some of the most sensitive and important parts of our information technology infrastructure: routers and firewalls. In order to properly audit a firewall or router, we need to clearly understand the total information flow that is expected for the device. These diagrams will allow the auditor to identify what objectives the routers and firewalls are seeking to meet, thus allowing controls to be implemented which can be audited. Overall, this course will teach the student everything needed to audit routers, switches, and firewalls in the real world.

CPE/CMU Credits: 6



  • Functions of a router, architectures, and components
  • How a router can play a role in your security infrastructure
  • Router technology, a TCP/IP perspective
  • Understanding the auditing issues with routers
  • Sample router architectures in corporate WANs

Detailed audit of a router

  • Security access controls performed by a router
  • Security of the router itself and auditing for router integrity
  • Identifying security vulnerabilities
  • Audit steps over routers
  • Sample audit outputs

Auditing switches

  • Layer 2 attacks
  • Audit steps for a switch

Testing the firewall

  • OS configuration
  • Firewall configuration
  • System administration

Testing the firewall rulebase

  • Identifying misconfigurations
  • Identifying vulnerabilities
  • Packet flow from all networks
  • Change control

Testing third party software

  • Encryption
  • Authentication
  • Virus scanning
  • URL redirection

Reviewing logs and alerts

  • Review IDS systems
  • Firewall logs
  • Firewall alerts

The tools used

  • Router Audit Tool (RAT)
  • Scanning tools for UNIX and Windows such as Nmap
  • Packet-building tools for UNIX and Windows such as -Hping2 and Nemesis
  • Sniffers such as Wire Shark
  • IDS Auditing Tools such as Fragroute

Tanya Baccam
Tue Oct 16th, 2012
9:00 AM - 5:00 PM


Network Auditing Essentials continues where day two left off, extending network and perimeter auditing to internal system validation and vulnerability testing and helping network security professionals to see how to use the tools and techniques described to audit, assess, and secure a network in record time. Following a defense-in-depth approach, learn how to audit perimeter devices, create maps of active hosts and services, and assess the vulnerability of those services. Hands-on exercises are conducted through out the day so students have the opportunity to use the tools.

CPE/CMU Credits: 6



  • What is a vulnerability assessment?
  • Why are vulnerability assessments important?
  • Survey of vulnerability assessment tools

Cloud Computing

  • Cloud architecture and deployments
  • Provider and Tenant responsibility considerations
  • Audit considerations for Iaas, Paas and SaaS
  • Audit risk considerations and questions


  • WAP
  • 802.11b security issues
  • Preventive measures
  • Wireless auditing tools: WSA, Airopeek, Net Stumbler

Mapping your network

  • Pre-mapping tasks
  • What the hackers want to know
  • Auditing perimeter defenses
  • Network mapping from outside your firewall
  • Network mapping from inside your firewall
  • Using nmap effectively

Configuration auditing of key services

  • Mail servers
  • DNS servers

Analyzing the results

  • Organizing the mapping results
  • Understanding the map
  • Identifying vulnerabilities

Follow-on activities

  • Penetration testing
  • Using vulnerability scanners and port mapping tools
  • Prioritizing vulnerability fixes
  • Validating fixes
  • Benefits of periodic network mapping
  • Looking for compromised hosts

Tanya Baccam
Wed Oct 17th, 2012
9:00 AM - 5:00 PM


Web applications have consistently rated one of the top five vulnerabilities that enterprises have faced for the past several years. Unlike the other top vulnerabilities, however, our businesses continue to accept this risk since most modern corporations need an effective Web presence to do business today. One of the most important lessons that we are learning as an industry is that installing an application firewall is not enough!

This course will spend the first half of the day covering all of the underlying principles of Web technology and introduce a set of tools that can be used to validate the security of these applications. The second half of the day will be spent building and working through a checklist for validating the existence and proper implementation of controls to mitigate the primary threats found in Web applications through the use of cutting-edge techniques and advanced testing methods.

During the afternoon, we will examine three separate Web applications with this audit program. The first is a system designed to reproduce many common flaws to introduce the testing concepts. The second is a widely used Web shopping cart that demonstrates the types of problems typically found in home grown code. The third is a professional Web application that is a widely deployed storefront used on the Internet today. By the end of the day each student will use the high-level checklist and detailed instructions provided throughout the day to perform a comprehensive validation of security controls in at least one of these sample applications.

In addition to designing an audit testing program, time will be spent discussing process remediation for project managers and coding teams.

CPE/CMU Credits: 6

  • Identify controls against information gathering attacks
  • Process controls to prevent hidden information disclosures
  • Control validation of the user sign-on process
  • Examining controls against user name harvesting
  • Validating protections against password harvesting
  • Best practices for OS and Web server configuration
  • How to verify session tracking and management controls
  • Identification of controls to handle unexpected user input
  • Server-side techniques for protecting your customers and their sensitive data

Tanya Baccam
Thu Oct 18th, 2012
9:00 AM - 5:00 PM


Systems based on the Windows NT line (XP, 2003, Vista, and 2008) make up a large part of the typical IT infrastructure. Quite often, these systems are also the most difficult to effectively secure and control because of the enormous number of controls and settings within the operating system. This class gives you the keys, techniques, and tools to build an effective long term audit program for your Microsoft Windows environment.

During the course of this day, attendees will have the opportunity to perform a thorough audit of the laptop they bring to class as we develop an overall audit program. In addition to covering all of the major audit points in a stand alone Windows system, the course will either directly apply or scale these methods for use within a domain. One of the primary goals of the material presented is to allow the auditor to get away from checking registry settings, helping administrators to create a comprehensive management process that automatically verifies settings. With this type of system in place, the auditor can step back and begin auditing the management processes which generally help us to be far more effective.

Another key benefit to this course is an in-depth discussion on effective log management. Is your organization struggling with how to gather and analyze all of the events being generated within your network? We will present a GPL/FOSS solution that scales well for enterprises today.

Finally, the course will spend a significant amount of time discussing the more important aspects of Active Directory from an auditor's perspective. We will cover and give you the opportunity to try your hand at querying useful data out of the Active Directory. Throughout the day we will work to build a comprehensive baseline auditing script to automatically audit all of the systems within a domain.

CPE/CMU Credits: 6


Progressive construction of a comprehensive audit program

  • Basic system information
  • Patch levels
  • Network based services
  • Local services
  • Installed software
  • Security configuration
  • Group policy management
  • Log aggregation, management and analysis
  • Automating the audit process
  • Windows security tips and tricks
  • Maintaining a secure enterprise

Tanya Baccam
Fri Oct 19th, 2012
9:00 AM - 5:00 PM


Students will gain a deeper understanding of the inner workings and fundamentals of the Unix operating system as applied to the major Unix environments in use in business today. Students will have the opportunity to explore, assess, and audit Unix systems hands on. Lectures describe the different audit controls that are available on standard Unix systems as well as access controls and security models.

The majority of the day will be spent working hands on with the instructor to create a comprehensive set of auditing scripts that can be used on virtually any Unix system. This set of scripts can be used to check the security of a system, to report on the compliance of the system to a baseline, or in a change control process to validate a system before patching and subsequently re-generate the system baseline.

Neither Unix nor scripting experience is required for this day. The course book and hands-on exercises present an easy to follow method with the assistance of the instructor that will allow you to cover scripting and more advanced topics like regular expressions.

CPE/CMU Credits: 6


Auditing to create a secure configuration

  • Building your own auditing toolkit
  • File integrity assessment
  • Fine points of 'find'
  • Regex basics

Auditing to maintain a secure configuration

  • Reading log files
  • Password assessment tools
  • Risk assessment
  • What tools to use
  • How to go about it
  • Building a baseline
  • Building an audit script
  • Auditing with accreditation systems

Auditing to determine what went wrong

  • Finding hidden disk space
  • Event reconstruction
  • Identifying back doors
  • Anatomy of a rootkit
  • Creating a Unix tools CD

Additional Information

Audit 507 requires that you bring a laptop with at least 10 gigabytes of free hard disk space, a CD-ROM drive, a minimum of 1 gigabyte of RAM, and a recommended processor speed of 1 GHz. The memory minimum is an absolutely requirement! Some of the labs will not function with less than 1 gigabyte of RAM. You should have Windows XP Professional Service Pack 2 or higher installed on your system (Windows Server 2003 is acceptable). If you do not have Windows XP Professional or higher (will work with 2003, 2008, Vista, Windows 7) installed, please do not expect all of the labs to function correctly; some may not function at all.

Laptops must be able to run VMware Player 4.0. Administrative privileges are needed for all labs to function properly.

If you have additional questions about the laptop specifications, please contact

  • Auditors seeking to identify key controls in IT systems
  • Audit professionals looking for technical details on auditing
  • Managers responsible for overseeing the work of an audit or security team
  • Security professionals newly tasked with audit responsibilities
  • System and network administrators looking to better understand what an auditor is trying to achieve, how they think, and how to better prepare for an audit
  • System and network administrators seeking to create strong change control management and detection systems for the enterprise

Author Statement

This advanced systems audit course stands alone in the information assurance arena as the only comprehensive source for hands-on audit how-to. Past students have included long-time auditors and those new to the field, both of whom have found significant benefit from the refresher material. One individual, a vice president with the Institute of Internal Auditors, said, I've been auditing systems for a very long time, and no one ever actually gave me a formal process that I can apply to conducting technical audits. Thank you! While we don't require a high level of technical experience as a prerequisite to this course, we have worked hard to make sure that anyone who comes to the course walks away with a wealth of material that they can go back to their office and apply tomorrow. We realistically address the problem, How do I get there from here? by offering short-term goal solutions, which, when combined, will allow you to achieve your goal: identify, report on, and reduce risk in your enterprise.

- David Hoelzer